User Account Security Assessment Guide

Information below is in relation to the dashboard generated by running the Voleer User Account Security Assessment available at Voleer.com

Administrative Role Assignment

The graph

Graph showing the administrative roles and the number of accounts allocated per role.

Why is this important

Having full visibility into the number of accounts with administrative roles is important as these roles have access to sensitive data and files.

Recommendations

Administrative accounts

• Have 2 and no more than 4 accounts with global administrator privileges
• Accounts with administrative roles should be secured with MFA and/or use Azure AD Privileged Identity Management
• Create a separate administrative account rather than associate an administrative role with a standard user account
• Avoid using shared accounts as this will cause a problem with auditing
• Review and assign the least permissive role to get the job done
• Regularly audit accounts with administrative roles, including removing accounts that are no longer used and adjusting roles

Service accounts with administrative roles

• Restrict access by service accounts to known IP ranges and/or known access times
• Provide the least permissive role
• Ensure passwords are not hardcoded in application/script files

Compromised Account

The data

Accounts that have been identified as compromised means that either the username and/or password has been leaked on the internet and is available within the public domain.

Why is this a problem

It is reported* that over 65% of people use the same username and password for multiple or all accounts. As a result, it is highly likely that the same compromised account username/password combination has access to the Organization’s Office 365 account.

Remediation actions

Short term

Follow Microsoft’s instructions on ‘How to recover a hacked or compromised Microsoft account’

Long term

1. Provide user education around passwords including
   • Using strong, long passwords / passphrases
   • Using different passwords for every account
   • Using password managers
2. Making users aware of phishing techniques
3. Implement MFA throughout the organization

Accounts - Days since last login

The data

Identify accounts which may be no longer in use (inactive)

Why is this important

Inactive accounts

1. Adds to the attack surface for people with malicious intent. This is especially risky if there is an administrative role assigned to it
2. Be an unnecessary cost if there is a paid license associated with it

Remediation actions

Remove the account or block access

Additional actions

• Ensure appropriate offboarding processes (for employees) and deactivation processes (for applications/scripts) are in place 

External Forwarding

The data

Identify the number of user accounts that have inbox rules forwarding emails outside of the organization.

Why is this important

• With an estimated 4% of users likely to click on any given phishing email, threat actors enable auto forwarding to an external account so they can
• Craft extremely convincing spear phishing messages to other users in the aim to compromise those accounts
• Spoof emails
• Get access to confidential information

Recommendations

• Review existing external forwarding rules to ensure legitimacy
• Audit external forwarding rules on a regular basis

Successful and Failed Logins

The data

Shows the number of successful and failed logins into an account by country.

Why is this important

Successful logins from locations not associated with where users reside may indicate a breached account.

Remediation

Short term

1. If there was a successful login from an unknown country, review the account activity and follow Microsoft’s Responding to a Compromised Email Account in Office 365 if necessary.
2. Potentially limit access to Office 365 by country using Conditional Access

Long term

1. Implement MFA through the organization

 
Mailbox Full Access Permissions

The data

Identifies accounts that has full access to another account or has granted full access to another account.

Why is this important

Once an account has been breached, bad actors may seek to get access to other accounts with the aim to reach their target account, i.e. Executive or Admin accounts. Providing unnecessary full access between accounts may make it easier for bad actors to achieve this.

Also, a spike in the number of accounts given or granted full access permissions may also indicate activity from bad actors moving their way through the organization.

Recommendations

1. Review full access permissions to ensure their legitimacy
2. Scale back permissions to Send-As or Send-On-Behalf if possible
3. Audit permissions on a regular basis