User Account Security Assessment Guide
The information below relates to the dashboard generated by running the Voleer User Account Security Assessment, available at Voleer.com.
Administrative Role Assignment
The graph
Graph showing the administrative roles and the number of accounts allocated per role.
Why is this important
Having full visibility into the number of accounts with administrative roles is important because these roles grant broad access to sensitive data and files, and to the settings that control the tenant's security.
Recommendations
Administrative accounts
- Have at least 2 but no more than 4 accounts with global administrator privileges (two so that you are never locked out, four or fewer to keep the blast radius small)
- Secure accounts with administrative roles with MFA, and use Azure AD Privileged Identity Management so that roles are activated when needed rather than held permanently
- Create a separate administrative account rather than associating an administrative role with a standard user account
- Avoid shared accounts, as they make it impossible to attribute actions to an individual when auditing
- Review and assign the least permissive role that gets the job done
- Regularly audit accounts with administrative roles, removing accounts that are no longer used and adjusting roles that are broader than needed
Service accounts with administrative roles
- Restrict access by service accounts to known IP ranges and/or known access times
- Assign the least permissive role
- Ensure passwords are not hardcoded in application or script files
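The following PowerShell script is an added example and not Voleer's code or part of the assessment; it reproduces the role-assignment graph from the Microsoft Graph PowerShell SDK and checks the global administrator count and service account recommendations above. The minimum and maximum global administrator counts and the requested scopes are assumptions; the Global Administrator role template ID is the fixed Microsoft value.

```powershell
# Added example: enumerate Azure AD directory roles and their members, then
# apply the global administrator count rule from this guide.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$GlobalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"  # built-in Global Administrator role
$MinGlobalAdmins = 2   # assumed thresholds, taken from the recommendations above
$MaxGlobalAdmins = 4

# Get-MgDirectoryRole only returns roles that have been activated in the tenant, and
# only active assignments: PIM "eligible" assignments are not visible here.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    # Members come back as generic directory objects; the concrete type is in AdditionalProperties.
    $users  = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
    $sps    = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.servicePrincipal' })
    $groups = @($members | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    [pscustomobject]@{
        Role              = $role.DisplayName
        RoleTemplateId    = $role.RoleTemplateId
        Users             = $users.Count
        ServicePrincipals = $sps.Count
        Groups            = $groups.Count
        UserNames         = ($users | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ', '
    }
}

# The graph: accounts allocated per role.
$report | Sort-Object Users -Descending | Format-Table Role, Users, ServicePrincipals, Groups -AutoSize

# Recommendation: at least 2 and no more than 4 global administrators.
$ga = $report | Where-Object RoleTemplateId -eq $GlobalAdminTemplateId
if ($null -eq $ga) {
    Write-Warning "Global Administrator role was not returned; check the granted scopes."
} elseif ($ga.Users -lt $MinGlobalAdmins -or $ga.Users -gt $MaxGlobalAdmins) {
    Write-Warning "Global Administrator has $($ga.Users) user members (expected $MinGlobalAdmins to $MaxGlobalAdmins): $($ga.UserNames)"
}

# Recommendation: service accounts (service principals) holding roles need a least-privilege review.
foreach ($r in $report | Where-Object ServicePrincipals -gt 0) {
    Write-Warning "$($r.ServicePrincipals) service principal(s) hold the '$($r.Role)' role; confirm a narrower role will not do."
}

# A role assigned to a group hides the real member list, so flag it for a separate membership audit.
foreach ($r in $report | Where-Object Groups -gt 0) {
    Write-Warning "'$($r.Role)' is assigned to $($r.Groups) group(s); audit those groups' members as well."
}
```

Run it with an account that can read directory roles; the warnings are the findings, the table is the same breakdown as the dashboard graph. Because only active assignments are listed, a tenant that uses Privileged Identity Management will show fewer members than the number of people who can activate a role.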
Compromised Account
The data
Accounts identified as compromised are those whose username and/or password has been leaked on the internet and is available in the public domain.
Why is this a problem
It is reported* that over 65% of people reuse the same username and password across multiple or all accounts. As a result, it is highly likely that a leaked username/password combination also works against the organization's Office 365 account.
Remediation actions
Short term
Follow Microsoft's instructions in 'How to recover a hacked or compromised Microsoft account'
Long term
- Provide user education around passwords, including:
  - Using strong, long passwords / passphrases
  - Using a different password for every account
  - Using a password manager
- Make users aware of phishing techniques
- Implement MFA throughout the organization
Accounts - Days since last login
The data
Identifies accounts that may no longer be in use (inactive).
Why is this important
Inactive accounts:
- Add to the attack surface available to people with malicious intent. This is especially risky if an administrative role is assigned to the account
- Are an unnecessary cost if a paid license is associated with them
Remediation actions
Remove the account, or block sign-in if the account must be retained (for example to keep its mailbox or files during offboarding)
Additional actions
- Ensure appropriate offboarding processes (for employees) and deactivation processes (for applications and scripts) are in place
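As an added example (not Voleer's code), the following script reproduces the days-since-last-login check with the Microsoft Graph PowerShell SDK and, when asked to, performs the remediation above by blocking sign-in and revoking sessions. The 90-day threshold, the requested scopes and the dry-run switch are assumptions.

```powershell
# Added example: find accounts with no sign-in for a configurable period and,
# only when -Remediate is given, block sign-in and revoke their sessions.
# Requires the Microsoft.Graph PowerShell SDK. The signInActivity property needs the
# AuditLog.Read.All scope and an Azure AD Premium P1 (or higher) licensed tenant.
param(
    [int]$InactiveDays = 90,   # assumed threshold
    [switch]$Remediate         # dry run unless set
)
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All" -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$InactiveDays)

# signInActivity is only returned when requested explicitly through -Property.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,createdDateTime,assignedLicenses,signInActivity"

$inactive = foreach ($u in $users) {
    # Interactive and non-interactive sign-ins are tracked separately; a script or application
    # account that only ever authenticates non-interactively would look idle on the first alone.
    $stamps = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $last = if ($stamps) { ($stamps | Sort-Object -Descending)[0] } else { $null }
    # Accounts that have never signed in have no timestamp at all; fall back to the creation
    # date so that an old, never-used account is still reported.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -and $reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            DaysSinceLastLogin = if ($last) { [int]($now - $last).TotalDays } else { $null }
            NeverSignedIn      = -not $last
            Enabled            = $u.AccountEnabled
            Licensed           = $u.AssignedLicenses.Count -gt 0
            Id                 = $u.Id
        }
    }
}

$inactive | Sort-Object DaysSinceLastLogin -Descending | Format-Table UserPrincipalName, DaysSinceLastLogin, NeverSignedIn, Enabled, Licensed -AutoSize
$wasted = @($inactive | Where-Object { $_.Licensed -and $_.Enabled })
Write-Host "$($wasted.Count) inactive account(s) still consume a license."

if ($Remediate) {
    foreach ($acct in $inactive | Where-Object Enabled) {
        # Block sign-in rather than delete, so mailbox and files survive the offboarding review.
        Update-MgUser -UserId $acct.Id -AccountEnabled:$false
        # Disabling the account does not invalidate refresh tokens already issued; revoke them too.
        Revoke-MgUserSignInSession -UserId $acct.Id | Out-Null
        Write-Host "Blocked sign-in and revoked sessions for $($acct.UserPrincipalName)"
    }
}
```

Run without -Remediate first and review the list: emergency access accounts and service accounts that authenticate rarely by design will appear here and should be excluded before anything is disabled.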
External Forwarding
The data
Identify the number of user accounts that have inbox rules forwarding emails outside of the organization.
Why is this important
- An estimated 4% of users click on any given phishing email. Once a threat actor has taken over a mailbox, they enable auto-forwarding to an external account so they can:
  - Craft extremely convincing spear phishing messages to other users, with the aim of compromising those accounts too
  - Spoof emails
  - Get access to confidential information
- A forwarding rule keeps working after the user's password is reset, so it lets the attacker keep receiving mail even after the account itself has been recovered
Recommendations
- Review existing external forwarding rules to confirm they are legitimate
- Audit external forwarding rules on a regular basis
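The following Exchange Online PowerShell script is an added example, not Voleer's code; it lists both inbox rules and mailbox-level settings that forward mail to addresses outside the tenant's accepted domains, which is the check behind this part of the dashboard. Treating every accepted domain as internal, and the CSV file name, are assumptions.

```powershell
# Added example: find inbox rules and mailbox settings that forward mail outside the organization.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline -ShowBanner:$false

# Assumption: every domain the tenant accepts mail for is internal; anything else is external.
$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLowerInvariant() })

function Get-ExternalAddresses {
    # Rule recipients are rendered as e.g. '"Name" [SMTP:user@example.net]' for external
    # addresses and as '[EX:/o=.../cn=...]' for internal ones, so extract SMTP addresses by regex.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        foreach ($m in [regex]::Matches("$r", '[\w.+-]+@[\w.-]+\.\w+')) {
            $domain = ($m.Value -split '@')[1].ToLowerInvariant()
            if ($internalDomains -notcontains $domain) { $m.Value }
        }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding, set by an admin or by the user in OWA settings (not an inbox rule).
    if ($mbx.ForwardingSmtpAddress) {
        foreach ($addr in Get-ExternalAddresses -Recipients @("$($mbx.ForwardingSmtpAddress)")) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'; Rule = ''; Enabled = $true; External = $addr }
        }
    }
    # Inbox rules: forward, forward-as-attachment and redirect actions all send mail outside.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($addr in Get-ExternalAddresses -Recipients @($targets | ForEach-Object { "$_" })) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'; Rule = $rule.Name; Enabled = $rule.Enabled; External = $addr }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\external-forwarding-$(Get-Date -Format yyyyMMdd).csv"

# Remediation for a rule confirmed to be malicious (uncomment once reviewed):
# Disable-InboxRule -Mailbox $mailbox -Identity $ruleName -Confirm:$false
# Tenant-wide control: stop automatic external forwarding unless it is explicitly allowed.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Keep the dated CSV from each run; comparing two runs is the simplest way to do the regular audit recommended above, since a newly created forwarding rule will show up as a row that was not in the previous file.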
Successful and Failed Logins
The data
Shows the number of successful and failed logins to accounts, broken down by country.
Why is this important
Successful logins from countries where no users reside may indicate a breached account. A large number of failed logins spread across many accounts from the same country or IP address may indicate a password-spraying attempt, even when no login succeeded.
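As an added example (not Voleer's code), the following Microsoft Graph PowerShell script builds the same per-country success/failure counts from the Azure AD sign-in log, lists successful sign-ins from countries outside an expected set, and surfaces the failure pattern that the per-country totals alone do not show. The expected-country list, the 30-day window and the spray threshold are assumptions.

```powershell
# Added example: count successful and failed sign-ins by country from the Azure AD
# sign-in log, and list successes from countries outside an expected set.
# Requires the Microsoft.Graph PowerShell SDK and the AuditLog.Read.All scope.
# The log keeps 7 days of sign-ins on the free tier and 30 days with Azure AD Premium P1/P2.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$ExpectedCountries = @("AU", "US")   # assumption: countries where the organization's users actually reside
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# By default this returns interactive user sign-ins; Status.ErrorCode 0 means success.
$signIns = @(Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since")

# The graph: successful and failed logins per country.
$byCountry = $signIns | Group-Object { if ($_.Location.CountryOrRegion) { $_.Location.CountryOrRegion } else { 'Unknown' } } | ForEach-Object {
    $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
    [pscustomobject]@{
        Country    = $_.Name
        Successful = $ok
        Failed     = $_.Count - $ok
        Accounts   = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
    }
}
$byCountry | Sort-Object Successful -Descending | Format-Table -AutoSize

# Successes from somewhere the organization has no users: candidates for the compromised-account runbook.
$unexpected = $signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -and $ExpectedCountries -notcontains $_.Location.CountryOrRegion
} | Select-Object CreatedDateTime, UserPrincipalName, IPAddress, @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, AppDisplayName, ClientAppUsed
$unexpected | Sort-Object CreatedDateTime | Format-Table -AutoSize

# Failures spread across many accounts from a single address is the shape of a password spray.
$sprayCandidates = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 } | Group-Object IPAddress | ForEach-Object {
    [pscustomobject]@{ IPAddress = $_.Name; Failures = $_.Count; DistinctAccounts = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count }
} | Where-Object { $_.DistinctAccounts -ge 10 }   # threshold is an assumption
$sprayCandidates | Sort-Object DistinctAccounts -Descending | Format-Table -AutoSize
```

Country attribution comes from the sign-in's IP address, so a user on a VPN or a roaming mobile connection can legitimately appear in an unexpected country; treat the list as leads to review with the user rather than confirmed breaches.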
Remediation
Short term
- If there was a successful login from an unknown country, review the account's activity and, if necessary, follow Microsoft's 'Responding to a Compromised Email Account in Office 365'.
- Consider limiting access to Office 365 by country using a Conditional Access policy with a named location
Long term
- Implement MFA throughout the organization
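The two long-term controls that recur in this guide, limiting access by country and requiring MFA for everyone (recommended here and under Compromised Account above), are both Conditional Access policies. The script below is an added example, not Voleer's code, and creates both with the Microsoft Graph PowerShell SDK in report-only mode. The allowed countries and the emergency access account names are assumptions.

```powershell
# Added example: create two Conditional Access policies in report-only mode.
# 1. Block sign-in from outside an allowed list of countries (country named location).
# 2. Require MFA for all users on all cloud apps.
# Requires the Microsoft.Graph PowerShell SDK and an Azure AD Premium P1 licensed tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All" -NoWelcome

$AllowedCountries = @("AU", "US")   # assumption: where the organization's users reside
# Assumption: the UPNs of the emergency access ("break glass") accounts. Excluding them from
# both policies keeps an admin able to sign in if the policies misfire.
$BreakGlassUpns = @("emergency1@contoso.com", "emergency2@contoso.com")
$BreakGlassUserIds = @(foreach ($upn in $BreakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })

$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false   # an IP with no country match is treated as outside the list
}

$geoBlock = @{
    displayName   = "Block sign-in from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"   # review the sign-in log impact before changing to "enabled"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUserIds }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock | Out-Null

$requireMfa = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUserIds }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa | Out-Null

Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State -AutoSize
```

Leave both policies in report-only mode until the sign-in log shows no legitimate users being caught (travelling staff are the usual surprise for the country block), then switch the state to "enabled". Service accounts that authenticate non-interactively cannot satisfy an MFA prompt and need their own handling, which is another reason the IP-range restriction for service accounts is recommended earlier in this guide.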
Mailbox Full Access Permissions
The data
Identifies accounts that have full access to another mailbox, or have granted full access to their mailbox to another account.
Why is this important
Once an account has been breached, bad actors may use it to reach other accounts, working their way toward a target such as an executive or admin account. Unnecessary full access permissions between mailboxes make this easier.
A spike in the number of full access permissions granted may also indicate bad actors moving through the organization.
Recommendations
- Review full access permissions to confirm they are legitimate
- Scale back permissions to Send As or Send on Behalf where full mailbox access is not required
- Audit permissions on a regular basis
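The following Exchange Online PowerShell script is an added example (not Voleer's code) of the check this section describes: it lists explicit Full Access grants, shows both the "has access to" and "has granted access" views, compares against the previous run to catch the spike mentioned above, and shows the narrower permissions to fall back to. The snapshot file location and the three-mailbox threshold are assumptions.

```powershell
# Added example: list non-inherited Full Access grants between mailboxes, compare with the
# previous run to surface new grants, and show the narrower Send As / Send on Behalf alternatives.
# Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

$SnapshotPath = ".\fullaccess-previous.csv"   # assumed location of the last run's output

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$grants = @(foreach ($mbx in $mailboxes) {
    Get-MailboxPermission -Identity $mbx.Identity | Where-Object {
        $_.AccessRights -contains 'FullAccess' -and
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'   # skip SELF and orphaned SIDs
    } | ForEach-Object {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; MailboxType = "$($mbx.RecipientTypeDetails)"; GrantedTo = "$($_.User)" }
    }
})

# "Has granted full access": who can open each mailbox.
$grants | Group-Object Mailbox | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
# "Has full access": one account that can open many mailboxes is the pivot an attacker wants.
$grants | Group-Object GrantedTo | Where-Object Count -ge 3 | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

# Spike detection: grants that did not exist in the previous snapshot.
if (Test-Path $SnapshotPath) {
    $previous = @(Import-Csv $SnapshotPath)
    $new = Compare-Object -ReferenceObject $previous -DifferenceObject $grants -Property Mailbox, GrantedTo |
        Where-Object SideIndicator -eq '=>'
    if ($new) {
        Write-Warning "$(@($new).Count) new Full Access grant(s) since the last run:"
        $new | Format-Table Mailbox, GrantedTo -AutoSize
    }
}
$grants | Export-Csv -NoTypeInformation -Path $SnapshotPath

# Remediation after review (uncomment for a grant confirmed to be broader than needed):
# Remove-MailboxPermission -Identity $mailbox -User $trustee -AccessRights FullAccess -Confirm:$false
# Send As, if the trustee only needs to send mail as the mailbox:
# Add-RecipientPermission -Identity $mailbox -Trustee $trustee -AccessRights SendAs -Confirm:$false
# Send on Behalf, if "on behalf of" in the From line is acceptable:
# Set-Mailbox -Identity $mailbox -GrantSendOnBehalfTo @{ Add = $trustee }
```

Shared mailboxes legitimately have several Full Access trustees, which is why the mailbox type is kept in the output; the grants to look hardest at are those on individual user mailboxes, especially executive and admin ones.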