What's New - CIS Microsoft 365 Benchmark v4.0.0
Tags: Security, Microsoft 365, Intune
What is the CIS Microsoft 365 Benchmark?
CIS (Center for Internet Security) benchmarks are essential guidelines for establishing and maintaining security configurations. The recent update to the CIS Microsoft 365 Foundations Benchmark (v4.0.0), released on 31st October 2024, introduces several critical updates from the previous v3.1.0. These changes reflect evolving security practices, new Microsoft 365 features, and enhancements to streamline the benchmark's usability.
Version 4.0.0 now includes enhanced guidance for several Microsoft 365 services, like Power BI (Fabric), Microsoft Entra ID, and Defender for Cloud Apps. Below, we'll dive into the most significant updates and what they mean for your Microsoft 365 security.
What are the key changes in October 2024?
1. Licensed administrator accounts
A new control recommends that administrator accounts either carry no license at all or carry only Microsoft Entra ID P1 or Entra ID P2 licenses, so that a privileged account does not also have a mailbox, OneDrive or Teams presence that phishing or malware could reach.
1.1.4 (L1) Ensure administrative accounts use licenses with a reduced application footprint
The impact to keep in mind is that, by default, Microsoft 365 alerts are sent to tenant admins, including Global Administrators; an admin account with no Exchange license has no mailbox, so those alerts are silently lost. Configure alert recipients to be accounts with valid, monitored mailboxes.
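The following audit script is an added example, not part of the CIS benchmark or the original post. It lists the active members of a set of privileged roles (the role list is an assumption; extend it for your tenant) and flags any user holding a license other than Entra ID P1 or P2, which is the state control 1.1.4 asks for.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the Microsoft.Graph PowerShell SDK and an account granted Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Licenses CIS 1.1.4 considers acceptable on an admin account: Entra ID P1 and P2 only.
$allowedSkus = @('AAD_PREMIUM', 'AAD_PREMIUM_P2')

# Roles to audit; this list is an assumption, extend it to match your tenant.
$auditRoles = @('Global Administrator', 'Privileged Role Administrator',
                'Exchange Administrator', 'SharePoint Administrator', 'User Administrator')

$findings = foreach ($role in Get-MgDirectoryRole -All | Where-Object { $auditRoles -contains $_.DisplayName }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only user objects matter for this control; skip groups and service principals.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $skus  = @((Get-MgUserLicenseDetail -UserId $member.Id).SkuPartNumber)
        $extra = @($skus | Where-Object { $allowedSkus -notcontains $_ })

        [pscustomobject]@{
            Role      = $role.DisplayName
            User      = $member.AdditionalProperties['userPrincipalName']
            Licenses  = $(if ($skus) { $skus -join ', ' } else { '(none)' })
            Compliant = ($extra.Count -eq 0)   # unlicensed, or P1/P2 only, is compliant
        }
    }
}

$findings | Sort-Object Compliant, User | Format-Table -AutoSize
```

Note that Get-MgDirectoryRole only returns roles that have been activated in the tenant, and Get-MgDirectoryRoleMember only returns active assignments; accounts that are merely eligible for a role through PIM need a separate query against the PIM eligibility APIs.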
2. The principle of Zero Trust in Defender anti-spam policies
Three additional controls have been added for the anti-spam settings in the Defender portal.
2.1.12 (L1) Ensure the connection filter IP allow list is not used
Messages from an IP address on the connection filter allow list skip spam filtering, so without additional verification the risk of attackers successfully delivering emails to an inbox that would otherwise be filtered is significantly increased. Following the principle of Zero Trust, all messages should be scanned regardless of their origin.
2.1.13 (L1) Ensure the connection filter safe list is off
The safe list is managed dynamically by Microsoft, and administrators do not have visibility into which senders are included. Incoming messages from senders on the safe list bypass spam filtering.
2.1.14 (L1) Ensure inbound anti-spam policies do not contain allowed domains
Microsoft specifies that allowed domains should only be used for testing purposes.
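The three anti-spam checks above can be audited and remediated together from Exchange Online PowerShell. The following is an added example, not part of the benchmark or the original post; it assumes the ExchangeOnlineManagement module and records the previous state before clearing anything, because an entry on these lists usually exists because some relay or partner once broke.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline -ShowBanner:$false

# 2.1.12 and 2.1.13 live in the single connection filter policy, named Default.
$cf = Get-HostedConnectionFilterPolicy -Identity Default
"IP allow list : $($cf.IPAllowList -join ', ')"
"Safe list on  : $($cf.EnableSafeList)"

# 2.1.14 applies to every inbound anti-spam policy, not only Default.
$withAllowedDomains = Get-HostedContentFilterPolicy | Where-Object { $_.AllowedSenderDomains }
$withAllowedDomains | Select-Object Name, AllowedSenderDomains

# Keep a record of the previous state so a legitimate sender can be handled properly
# (partner connector, mail flow rule) rather than re-added to a filter bypass.
$cf | Select-Object IPAllowList, EnableSafeList | Export-Clixml .\connection-filter-before.xml
$withAllowedDomains | Select-Object Name, AllowedSenderDomains | Export-Clixml .\allowed-domains-before.xml

# Remediate: $null empties a multi-valued list on these cmdlets.
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null -EnableSafeList $false
foreach ($policy in $withAllowedDomains) {
    Set-HostedContentFilterPolicy -Identity $policy.Identity -AllowedSenderDomains $null
}
```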
3. Microsoft Entra
Microsoft Entra has seen the most changes in the new benchmark, across all three subcategories: Identity, Protection and Identity Governance.
5.1.6.2 (L1) Ensure that guest user access is restricted
Guests will only be able to access their own profiles and will not be allowed to see other users' profiles, groups or group memberships. This is the most restrictive setting and helps prevent reconnaissance from threat actors.
5.1.6.3 (L2) Ensure guest user invitations are limited to the Guest Inviter role
By default, all users can invite external users to B2B collaboration. Designated guest inviters should be backed by a formal approval process.
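Both guest controls are properties of the tenant's single authorization policy. The following is an added example, not from the benchmark or the original post; it assumes the Microsoft.Graph SDK and uses Microsoft's published template IDs for the three guest access levels.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.Authorization scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization' -NoWelcome

# Microsoft's template IDs for the three guest access levels in the authorization policy.
$guestRoles = @{
    'a0b1b346-4d3e-4e8b-98f8-753987be4970' = 'Same access as members'
    '10dae51f-b6af-4016-8d66-8c2a99b929b3' = 'Limited access (tenant default)'
    '2af84b1e-32c8-42b7-82bc-daa82404023b' = 'Restricted access (CIS 5.1.6.2 target)'
}

$policy = Get-MgPolicyAuthorizationPolicy
"Guest access level : $($guestRoles[[string]$policy.GuestUserRoleId])"
"Who can invite     : $($policy.AllowInvitesFrom)"   # CIS 5.1.6.3 target: adminsAndGuestInviters

# Remediate both controls in one call.
Update-MgPolicyAuthorizationPolicy `
    -GuestUserRoleId '2af84b1e-32c8-42b7-82bc-daa82404023b' `
    -AllowInvitesFrom 'adminsAndGuestInviters'
```

Restricted guest access also affects legitimate guest scenarios such as guests browsing team membership, so announce the change to teams that collaborate heavily with external users before applying it.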
5.2.2.9 (L2) Ensure 'sign-in risk' is blocked for medium and high-risk sign-ins
Sign-in risk depends heavily on Identity Protection detecting atypical behaviour, so some false positives are inevitable. Run this policy in report-only mode first and review the sign-in logs to understand the impact before enforcing it through Conditional Access.
5.2.2.10 (L1) Ensure a managed device is required for authentication
Unmanaged devices should not be accepted as a valid factor in authentication. The following device states count as managed:
- Entra hybrid joined from Active Directory
- Entra joined and enrolled in Intune, with compliance policies
- Entra registered and enrolled in Intune, with compliance policies
5.2.2.11 (L1) Ensure a managed device is required for MFA registration
Requiring registration on a managed device significantly reduces the risk of bad actors using stolen credentials to register security information.
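Controls 5.2.2.9, 5.2.2.10 and 5.2.2.11 are all Conditional Access policies, and the benchmark's own advice is to start in report-only mode. The following is an added example, not from the benchmark or the original post; it creates the three policies through the Graph SDK, excludes an emergency access group whose object ID is a placeholder you must replace, and leaves every policy in report-only state.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Placeholder: object ID of the group holding the break-glass accounts (CIS 1.1.2).
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Shared user scope: everyone except the emergency access accounts.
$allUsersExceptBreakGlass = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }

# compliantDevice = Intune-compliant (Entra joined or registered), domainJoinedDevice = Entra hybrid joined.
$managedDevice = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }

$policies = @(
    @{  # 5.2.2.9: block sign-ins that Identity Protection rates medium or high risk
        displayName   = 'CIS 5.2.2.9 - Block medium and high sign-in risk'
        conditions    = @{
            users            = $allUsersExceptBreakGlass
            applications     = @{ includeApplications = @('All') }
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # 5.2.2.10: require a managed device for every cloud app
        displayName   = 'CIS 5.2.2.10 - Require managed device'
        conditions    = @{
            users        = $allUsersExceptBreakGlass
            applications = @{ includeApplications = @('All') }
        }
        grantControls = $managedDevice
    },
    @{  # 5.2.2.11: require a managed device for the "register security info" user action
        displayName   = 'CIS 5.2.2.11 - Require managed device for MFA registration'
        conditions    = @{
            users        = $allUsersExceptBreakGlass
            applications = @{ includeUserActions = @('urn:user:registersecurityinfo') }
        }
        grantControls = $managedDevice
    }
)

foreach ($p in $policies) {
    # Report-only first: the impact shows up in the sign-in logs without blocking anyone.
    $p.state = 'enabledForReportingButNotEnforced'
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

Two practical caveats before switching any of these to enforced: a managed-device requirement on all apps will also block the enrolment of a brand-new device unless the Intune enrolment flow is excluded, and the registration policy will lock out any user who has no managed device yet, so onboarding needs a path such as a Temporary Access Pass on a managed device.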
5.2.3.5 (L1) Ensure weak authentication methods are disabled
The SMS and voice call methods are vulnerable to SIM swapping and interception, and email OTP is only as strong as the mailbox it lands in. The recommended state is to disable:
- SMS
- Voice Call
- Email OTP
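The following is an added example, not from the benchmark or the original post, showing how to audit the tenant authentication methods policy and disable the three methods listed above through the Graph SDK.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.AuthenticationMethod scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# Current state of every method in the tenant-wide authentication methods policy.
Get-MgPolicyAuthenticationMethodPolicy |
    Select-Object -ExpandProperty AuthenticationMethodConfigurations |
    Select-Object Id, State

# Methods CIS 5.2.3.5 says to disable, with the OData type each configuration object requires.
$weakMethods = @{
    Sms   = '#microsoft.graph.smsAuthenticationMethodConfiguration'
    Voice = '#microsoft.graph.voiceAuthenticationMethodConfiguration'
    Email = '#microsoft.graph.emailAuthenticationMethodConfiguration'
}

foreach ($id in $weakMethods.Keys) {
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $id `
        -BodyParameter @{ '@odata.type' = $weakMethods[$id]; state = 'disabled' }
}
```

Before disabling, check the registration report for users whose only registered method is SMS or voice, otherwise they lose MFA entirely; and remember that email OTP is also the method guests use by default, so disabling it changes the guest sign-in experience.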
5.3.4 (L1) Ensure approval is required for Global Administrator role activation
Requiring approval enhances visibility and accountability every time this high privileged role is used, reducing the risk of an attacker elevating a compromised account to the highest privilege level.
4. SMTP Auth in Exchange Online
6.5.4 (L1) Ensure SMTP AUTH is disabled
SMTP AUTH is a legacy protocol that accepts basic credentials and bypasses modern authentication controls. Disabling it at the tenant level supports the principle of least functionality. A per-mailbox setting exists that overrides the tenant-wide setting for special cases, so the tenant setting alone is not the whole picture: mailboxes with an explicit override also need to be found and justified.
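The following is an added example, not from the benchmark or the original post. It checks the tenant-wide setting, enumerates mailboxes whose per-mailbox override explicitly re-enables SMTP AUTH, and then disables it tenant-wide; it assumes the ExchangeOnlineManagement module.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide state: $true means SMTP AUTH is disabled for every mailbox that inherits.
"Tenant SMTP AUTH disabled: $((Get-TransportConfig).SmtpClientAuthenticationDisabled)"

# Per-mailbox value: $null inherits the tenant setting, $true disables, $false explicitly re-enables.
# Only the explicit $false entries override a tenant-wide disable ($null -eq $false is False).
$overrides = Get-EXOCASMailbox -ResultSize Unlimited -Properties PrimarySmtpAddress, SmtpClientAuthenticationDisabled |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }

"Mailboxes with SMTP AUTH explicitly enabled: $($overrides.Count)"
$overrides | Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Remediate tenant-wide. Clear an override only once its owner has confirmed the
# device or application behind it has moved to a supported sending method.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.com' -SmtpClientAuthenticationDisabled $null   # example override removal
```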
5. Link sharing permissions in SharePoint
7.2.11 (L1) Ensure the SharePoint default sharing link permission is set
Ensure this is set to 'View'. This reduces the risk of unintentionally granting edit privileges to a resource that only requires read access.
6. Microsoft Teams
8.2.2 (L1) Ensure communication with unmanaged Teams users is disabled
8.2.3 (L1) Ensure external Teams users cannot initiate conversations
8.2.4 (L1) Ensure communication with Skype users is disabled
Skype for Business Online was retired on July 31, 2021. Disabling communication with Skype users removes an external messaging entry point and reduces the attack surface.
8.5.9 (L2) Ensure meeting recording is off by default
Ensures that only authorised users — such as organisers, co-organisers, and leads — can initiate a recording.
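The four Teams controls above map to two objects in Teams PowerShell: the tenant federation configuration and the Global meeting policy. The following is an added example, not from the benchmark or the original post; it assumes the MicrosoftTeams module.

```powershell
# Added example, not from the CIS benchmark or the original post.
# Assumes the MicrosoftTeams module and a Teams Administrator account.
Connect-MicrosoftTeams

# 8.2.2, 8.2.3 and 8.2.4 all live in the tenant federation configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers

# AllowTeamsConsumer        $false -> 8.2.2: no chat with unmanaged (personal) Teams accounts
# AllowTeamsConsumerInbound $false -> 8.2.3: external Teams users cannot start the conversation
# AllowPublicUsers          $false -> 8.2.4: no communication with Skype (consumer) users
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# 8.5.9: recording off in the Global meeting policy, which is the default for everyone.
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object Identity, AllowCloudRecording
Set-CsTeamsMeetingPolicy -Identity Global -AllowCloudRecording $false
```

Users who legitimately need to record meetings should then receive a separate meeting policy with AllowCloudRecording enabled, assigned to them directly or through a group, rather than turning it back on globally.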
7. Service principals in Microsoft Fabric
9.1.10 (L1) Ensure access to APIs by Service Principals is restricted
9.1.11 (L1) Ensure Service Principals cannot create and use profiles
Where these features are needed, restrict them to a specific security group rather than all service principals. If your organisation doesn't actively use them, keep them disabled.
8. Amended controls
1.1.2 (L1) Ensure two emergency access accounts have been defined
An additional warning has been added around break-glass accounts and Microsoft's new mandatory MFA requirements. It is recommended to update these accounts to use a passkey (FIDO2) or certificate-based authentication, so they remain usable once MFA is enforced without falling back to the weak methods disabled elsewhere in the benchmark.
5.3.3 (L1) Ensure 'Access reviews' for privileged roles are configured
The frequency has changed to Monthly from Weekly.
9. Profile level changes
The following controls have been moved from Level 1 to Level 2:
- 2.1.7 (L2) Ensure that an anti-phishing policy has been created
- 5.2.2.8 (L2) Ensure admin centre access is limited to administrative roles
- 8.2.1 (L2) Ensure external domains are restricted in the Teams admin centre
The following controls have been moved from Level 2 to Level 1:
- 5.2.2.6 (L1) Enable Identity Protection user risk policies
- 5.2.2.7 (L1) Enable Identity Protection sign-in risk policies
10. Removed controls
Several controls have been removed, including weekly reporting reviews that have been retired in favour of automated monitoring approaches.
In summary
Version 4.0.0 introduces significant changes in administrative identity protection, collaboration security, and data compliance. If you're currently operating on CIS Microsoft 365 v3.1.0, review these changes and begin updating your configurations to meet the new benchmarks.