The Security Cookbook For Small and Medium Enterprises - Part 1


The security cookbook for small and medium enterprises - Part 1
Acknowledgement
This security cookbook has been created by Microsoft Belgium in cooperation with the Security Factory.

The Security Factory (www.thesecurityfactory.be): Raphael Cox, Stijn Jans
Microsoft Belgium (www.microsoft.com): Karel Dekyvere, Bruno Schroder
THE SECURITY COOKBOOK FOR SMALL AND MEDIUM ENTERPRISES: PART 1

Introduction
Many small or medium sized organizations have only a small IT staff, whose primary focus is keeping things running, installing new software and hardware and fixing small issues every day. Even though they do understand that IT security is important, it is not always easy to get the proper attention for it in the organization.

Moving applications to the cloud can be an element of the answer, particularly on the security side, to benefit from the advanced security built into the cloud infrastructure. However, the security of internal computer systems remains critical and is often the weak point.

This “cookbook” is intended to provide small and medium enterprises with detailed guidelines on how to improve their internal security. It should help with the integration of some basic security principles in your organization, starting from a number of recipes that can be adapted to your own taste.

Every recipe is rated as follows:

Cost: an indication of how expensive the solution is to implement and maintain. This takes the cost of technical components, implementation cost and impact on the organization into account.
Complexity: how complex is the solution and how much skill does it require to implement?
Value: how valuable is the solution in terms of security? What is the positive effect of the solution on the security posture of your organization?

The recipes are built up as follows:

Area: what security area do we cover with this solution?
Background: why is this important?
Required components: what do you need to build the solution?
How-to: how to create the solution?
Delivery Tips: how to deliver the solution? How to integrate it in the organization? How to support it?
For the expert: additional information for experts who want to take it a step further.


Overview of the recipes

1. Train your users how to manage passwords (page 6)
2. Enforce a strong password policy (page 10)
3. Separate accounts for system administrators (page 14)
4. Restrict internet access for administrators (page 18)
5. Implement “jump”-systems for secure administration (page 22)
6. Multi-factor authentication in Office 365 and Azure (page 28)
7. Auditing and logging on Office 365 (page 34)


Train your users how to manage passwords

Area: Compliance (cost, complexity and value: rating icons not reproduced)

Required components
— Communications team tasked to work on security awareness
— Management support

Background

Passwords are still the cornerstone for the security of many IT environments. Many users however fail to choose a good password. Often they choose the same password for every environment or even give away their password without thinking about it.

People don’t like change! This well-known problem affects the overall security of these companies. Many people have re-used the same password over and over for years. When asking them to choose a new password, different from anything they have ever used before, it seems like an impossible task to many.

Danger of reusing passwords across sites
People have to manage a lot of passwords nowadays. Every online shop, subscription, social network, photo website, etc. will ask for a user ID and password. You can’t blame users that they re-use the same passwords on most sites. They don’t realize that if one of these sites gets hacked, the user’s password becomes public and his accounts on other (more sensitive) websites might/will get hacked too… or even a corporate account!

How-to

Users need to be trained on the topics below to resolve this situation:
• How to choose a good, strong password
• Why not to re-use passwords across different environments
• Why to change passwords regularly (and don’t just add a number)

Choosing a good, strong password turns out to be a very complex task for many people. Good tips will definitely help your users to choose better passwords and to manage the multitude of passwords they have across many websites.

How to choose a good, strong password
Choosing a good password turns out not to be trivial, especially a password that can easily be remembered. There are however a number of easy tricks that every user can learn to choose and remember good passwords:

1. Abbreviate sentences and replace letters with numbers or symbols:
— Abbreviate a sentence that you can easily remember. Examples:
  • “Hello, how are you?” would become “Hllo,hwRU?”
  • “I’m always hungry!” would become “Imawhg!”
— Replace letters with numbers or other characters:
  • “John Smith” would become “J0hn 5m1th” (users should not use their own name though, otherwise it might be predictable too)
— Combine the above:
  • “See? I have a good password” would become “C?Ihav3ag00dpsswd!”

2. Draw on the keyboard:
— “Fb” drawn on the keyboard, starting on “4” on an azerty keyboard: ‘rfv’(-fgèuj,jk,;k;
  • Can be combined with alternating use of the shift key for each stroke; this also ensures that the password complies with common password-complexity requirements (see further): 4RFV’(-FG7UJ?jk?.k;
  • Alternate directions; e.g. for the F: vfr’456gf
— Users can use different letters for different sites, but do NOT recommend to everybody to use Fb for Facebook, Li for LinkedIn, etc. (since then multiple people would end up with the same password).
— You could also shift characters (e.g. Fb becomes EA, which is then “drawn” on the keyboard).

3. Use long sentences, with numbers and other characters (e.g. add a smiley). E.g. “This is 1 great  password!!”


It is important to recommend a large number of tricks to your users, so everybody can choose what works best for him. This way, you also avoid that multiple people end up with the same password.

Important note! Be aware that attackers can also use your security advisories against you! For example, they could try a sample password (provided in your communications) against a large number of your user accounts. If it works for only one user, then they succeeded. But on the other hand, if you don’t give proper advice to your users, the same attack will definitely work too!

Why not to re-use passwords across different environments
Users should avoid re-using passwords across multiple websites and definitely refrain from re-using their corporate credentials elsewhere. Many users however will argue that it is nearly impossible to choose a different password for each site, and they do have a valid point.

How can users handle a multitude of passwords in a consistent and secure way?
• Select primary accounts: users should choose a number of primary accounts that they want to protect best. This will include their company account, their primary personal email address and some high-value social-network accounts like Facebook, LinkedIn and/or Twitter. More attention to good, unique passwords should be given to these accounts.
• Low-value accounts: these are accounts that really don’t have any direct value for the users, such as newsletter subscriptions, etc. Users might decide to use the same password for each of these.
• Rarely-used accounts: sometimes, users have accounts that they only use once per year. You could recommend your users to choose a good password and have the password reset in case they forgot it; typically, the password-reset links will be sent to the personal email account, so make sure that this one is very well protected.
• Other high-value accounts: many users tend to leave their credit card information on shopping sites, in order to order faster next time they connect. However, this makes these accounts much more critical and it might be a better idea not to leave the credit card information, if possible. Otherwise, good passwords are a must.


Train users to use 2-factor authentication when possible
More and more sites are offering the ability to use 2-factor authentication. Microsoft’s Office 365 supports 2-factor authentication out of the box, but Hotmail and Facebook also support 2-factor authentication.

For more information on how to set up 2-factor authentication with Hotmail, see: http://windows.microsoft.com/en-us/windows/two-step-verification-faq

For the expert
Many websites such as Hotmail, Facebook, LinkedIn, Twitter and others nowadays support the concept of 2-factor authentication and will often encourage you to confirm critical actions through a passcode, generated by an app or sent as SMS. You can extend this 2-factor authentication to any authenticated action.

Delivery Tips
• Provide users multiple tips and tricks to choose a good password
• Include the aspect of good personal user accounts in your communications
• Highlight the risks of not choosing good passwords
• Repeat often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management supports this effort and participates

Enforce a strong password policy

Background

Training users to choose good passwords and use them securely is a first step. But enforcement of a policy, along with user awareness, is still the best. That way, users are always reminded and forced to stick to the best practices.

You can of course not force users to choose good passwords for their personal accounts, but you can enforce strong password policies for their company account.

How-to

Parameters of a good password policy
A strong password policy enforces not only the length and complexity of users’ passwords, but also the following parameters:

• Maximum password age: this defines how often the users should change their password. Best practice is to have users change their passwords every 90 days. This should not exceed 180 days.
• Enforce password history: this defines how many old passwords of the users are remembered, to avoid that people reuse old passwords. Set this to a high value.
• Minimum password age: this setting is related to the password history. In order to avoid that people change their password multiple times on the same day to work around the password history enforcement, a minimum password age of 1 day is typically set. This implies that users can change their password only once per 24 hours.
• Minimum password length: this sets the minimum number of characters for a password. Common best practice dictates a minimum length of 8, although 10 is also often used.
• Passwords must meet complexity requirements: as described earlier, good passwords should contain a mix of upper and lower case characters, combined with numbers and special characters.


Area: Technical security measures (cost, complexity and value: rating icons not reproduced)

Required components
— Microsoft Windows Active Directory
— Group policies

Creating a strong Active Directory password policy
In order to verify your current policy or create a strong password policy in your Active Directory, please follow these steps:

• Log on to a management workstation that has all server management tools installed, or to the domain controller itself.
• Press Windows-key + R
• Type: gpme.msc
• Select “Default Domain Policy” and press OK
• Expand the computer-configuration tree to: Policies > Windows Settings > Security Settings > Account Policies > Password Policy
• Update the password policy parameters according to your security policies:
[screenshot of the Password Policy settings not reproduced]


What about password policies for cloud user accounts on Office 365?
Given the online nature of Office 365, some strong password policy parameters are required by default and Office 365 doesn’t even give the option to choose passwords that are not sufficiently strong. Only 2 parameters can be changed:
• Maximum password age (“days before passwords expire”): default set to 90 days
• Upfront user notification (“Days before a user is notified that their password will expire”): default set to 14 days

These can be found in the “Office 365 Admin Center” under Service Settings > Passwords, as shown below:
[screenshot of the Office 365 password settings not reproduced]

The other default (non-changeable) password policy parameters are set as follows:
• Enforce password history: enabled (last password only)
• Minimum password age: 0 (users can change their password immediately)
• Minimum password length: 8 (maximum length: 16)
• Passwords must meet complexity requirements: yes (3 out of 4 categories must be present: lowercase, uppercase, number and special character).

Note that if you decide to use DirSync to synchronize your internal Active Directory with the Azure Active Directory, the password policy of your internal Active Directory will apply.

Delivery Tips
• Combine a strong password policy with user training; otherwise, users will complain and try to work around the password policy requirements
• Use single sign-on whenever possible, also for non-Windows operating systems. This can be achieved by integrating RADIUS authentication for network devices or LDAP authentication for non-Windows web applications.


For the expert

Fine-grained password policies in Windows Server 2012
Windows Server 2012 (and later) provides an option to easily create multiple password policies that can be enforced for different types of users. For example, you might want to enforce a stricter password policy on users that perform critical tasks (e.g. system administrators), while not bothering the rest of the employees with such a strict policy.

To create a fine-grained password policy, open the “Active Directory Administrative Center” management console (which can be found under the administrative tools on a management workstation or domain controller) and navigate to: <domain-name> > System > Password Settings Container.

On the right-hand side, select New Password Settings. You will see the following screen:
[screenshot of the Password Settings dialog not reproduced]

Complete all fields according to the password policy that you want to set stricter for the specific target group, such as minimum password length or password age. Next select the Active Directory group that contains all users to which this policy should apply.

In the example above, a stricter password policy has been defined for all users that belong to the “Domain Admins” group.

You can of course create multiple password policies. In case multiple policies apply to the same user, the “precedence” field will decide which policy takes precedence (lower number wins).

It is also possible to set a less strict policy for a specific group of users. This might be needed in case you have blue-collar employees (who have only very limited access to internal resources) and for whom a strong password policy might be very inconvenient. Instead of lowering the password policy requirements for all users, you can do so only for this specific group.
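As an added example (not from the cookbook), the PowerShell below audits the default domain password policy against the values this recipe recommends and then creates the stricter fine-grained policy for “Domain Admins” that the Administrative Center walkthrough above builds by hand. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the policy name, the stricter thresholds and the lockout values are assumptions to adapt.

```powershell
# Added example, not from the cookbook. Requires the ActiveDirectory (RSAT) module
# and Domain Admin rights. Policy name, stricter thresholds and lockout values are assumptions.
Import-Module ActiveDirectory

# Values recommended in the recipe: change every 90 days (never more than 180),
# minimum age 1 day, minimum length 8 (10 preferred), complexity on, long history.
function Test-DefaultDomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    # A MaxPasswordAge of 0 is treated here as "passwords never expire"
    if ($p.MaxPasswordAge -eq [TimeSpan]::Zero -or $p.MaxPasswordAge.Days -gt 180) {
        $findings += "Maximum password age is $($p.MaxPasswordAge.Days) days; recipe: 90, never above 180"
    } elseif ($p.MaxPasswordAge.Days -gt 90) {
        $findings += "Maximum password age is $($p.MaxPasswordAge.Days) days; recipe recommends 90"
    }
    if ($p.PasswordHistoryCount -lt 10) {
        $findings += "Password history remembers only $($p.PasswordHistoryCount) passwords; set this to a high value"
    }
    if ($p.MinPasswordAge.Days -lt 1) {
        $findings += "Minimum password age is 0; set 1 day so users cannot cycle through the history in one day"
    }
    if ($p.MinPasswordLength -lt 8) {
        $findings += "Minimum password length is $($p.MinPasswordLength); recipe: at least 8 (10 is common)"
    }
    if (-not $p.ComplexityEnabled) {
        $findings += "Complexity requirements are disabled"
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings += "Reversible encryption is enabled; passwords are stored in a recoverable form"
    }
    return $findings
}

# "For the expert": a fine-grained password policy (PSO) that applies a stricter policy
# to one group, as the Administrative Center wizard does. Lower precedence wins.
function New-StricterGroupPasswordPolicy {
    param(
        [string]$Name       = 'PSO-Strict-Admins',   # assumed name
        [string]$Group      = 'Domain Admins',
        [int]$Precedence    = 10,
        [int]$MinLength     = 14,                    # assumed stricter values
        [int]$MaxAgeDays    = 60
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        # Lockout attributes are mandatory on a PSO; the values here are assumptions
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -MinPasswordLength $MinLength -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
            -MinPasswordAge (New-TimeSpan -Days 1) -PasswordHistoryCount 24 `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    # Verify which policy now applies to each member; an empty EffectivePolicy means
    # the domain default still applies (no PSO matched).
    Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = (Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName).Name
        }
    }
}

$gaps = Test-DefaultDomainPasswordPolicy
if ($gaps) { $gaps | ForEach-Object { "FINDING: $_" } } else { 'Default domain password policy matches the recipe.' }
New-StricterGroupPasswordPolicy | Format-Table -AutoSize
```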


Separate accounts for system administrators

Background

System administrators have a user account that has access to most company data, including the most critical data. At the same time, these accounts also have access to reconfigure the underlying operating system, applications, user accounts, etc.

The problem comes from the fact that these system administrators have 2 hats on: one of the sys-admin, and one of a “normal” user. They need to read their emails, access applications as a normal user (e.g. time-sheets, HR applications, etc.), browse the internet, … Browsing the internet or opening potentially unsafe email attachments can however have a dramatic impact on your IT environment when this is done using a high-privileged account.

“With great power comes great responsibility”
from “Amazing Fantasy” #15, August 1962, the first Spider-Man story

How-to

The solution is very simple and effective: make sure that system administrators have a separate account that is solely used for system-administration tasks.

However, without any technical enforcement, this requires a very strict discipline of the system administrators, since they will have to do obvious tasks with some extra steps. E.g. a system administrator would have to switch to another account to read something on the internet and then switch back to his administrator account. This can be a burden, e.g. when creating documentation. On the other hand, these additional steps are absolutely necessary to keep the environment secure.

How can you help your system administrators to stick to the rules?
• Ensure at all times that any system administrator has 2 user accounts
• Provide separate management workstations (next to a normal end-user workstation) that are solely used for system administration and can NOT be used for normal end-user tasks (see below for more details)
• Ensure that system administrators cannot log on to ANY end-user workstation. This can be achieved by setting group policies.


Area: Compliance (cost, complexity and value: rating icons not reproduced)

Required components
— Security policy
— Management endorsement
— Good communications

Separate user account
For each system administrator, create a normal user account (that has a mailbox, access to internal applications, etc.) and an administrative user account. To make a clear distinction, you could add an “A-” in front of every administrative account. So, a system administrator John Smith would for example have the following 2 user accounts:
• Jsmith: normal account
• A-Jsmith: administrative user account

You could also consider setting a stricter password policy for all administrative user accounts, as described in the “expert” section of the “Enforce a strong password policy” recipe.

Separate management workstation
A management workstation should be kept as secure as the servers that will be managed from that management workstation. This implies that on a management workstation, you should refrain from any activity that is not strictly related to systems management. Therefore, system administrators should use a separate workstation that will only be used for system administration tasks.

Segregate end-user and management environments
Management workstations and administrative user accounts should be isolated from the normal work environment and, where possible, should not have access to internet, email and/or standard business applications. This can be achieved through group policies, whereby access to management workstations is only granted to administrative user accounts and where the same user accounts are denied access to the workstations of normal users (see the “expert” section for more information). Management workstations should not have any office software installed (especially Outlook), nor any kind of business software. These management workstations should also be blocked from accessing the Internet, or only allowed access to a very limited list of trusted websites.

What about management of the cloud environment?
Cloud environments like Office 365 or Windows Azure are managed through the web-based portal and do not directly provide a feature to force access only from specific IP addresses or over VPN. On the other hand, this web interface can be made accessible only through 2-factor authentication (see the “Multi-factor authentication in Office 365 and Azure” recipe) and, for programmatic access, management certificates can be used to restrict access. Nevertheless, system administrators should have the discipline to only administer the cloud environment from the same management workstation and using the same principles as for internal systems.


For the expert

Using Group Policies in Active Directory, you can control who has the right to “log on locally” on a computer. This gives you the ability to control on which workstations users with an administrative account are allowed to log on.

Since normal user workstations might be infected with malware, it is a very bad idea that a highly privileged system administrator logs on to these workstations, since many more systems might get infected by doing so.

The most secure way to avoid incidents by administrators logging on to infected workstations is to ensure that both the administrative and end-user environments are strictly separated.

To achieve this, take the following actions:
• Ensure that normal end-user workstations and administrative workstations are in separate Organizational Units (OUs) in the Active Directory.
• If not yet done, create a group “workstation admins” that contains all personnel that administers end-user workstations. (Note: these users should not be domain admins!)
• On the end-user workstations OU, create a Group Policy Object that:
  • Adds this “workstation admins” group to the local “administrators” group on each workstation; this can easily be achieved through group-policy “preferences” (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups; right-click and select New > Local Group):
  [screenshot of the Local Group preference item not reproduced]
  • Configures the “Deny log on locally” right to include “Domain Admins”
• On the “administrative workstations” OU, create a Group Policy Object that ensures that only “administrators” (which includes Domain Admins) have the right to log on locally

Important note: make sure that you are familiar with Active Directory and Group Policies concepts and test the setup described above before implementing it in your production environment, to avoid that you lock yourself out of your own systems!
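As an added example (not from the cookbook), this PowerShell checks the separation above from the detection side: it reads Security event 4624 on the end-user workstations and reports interactive logons by “A-” accounts, which should drop to zero once the “Deny log on locally” policy applies. It assumes the A- prefix from this recipe, an end-user workstations OU whose name is an assumption, and rights to read the remote Security log.

```powershell
# Added example, not from the cookbook. Assumes the "A-" prefix for administrative
# accounts from this recipe and an end-user workstations OU (name assumed below).
# Reading the remote Security log needs local admin rights on each workstation and
# the "Remote Event Log Management" firewall rules enabled there.
param(
    [string]$WorkstationOU = 'OU=End-user workstations,DC=example,DC=local',  # assumed
    [string]$AdminPrefix   = 'A-',
    [int]$Hours            = 24
)
Import-Module ActiveDirectory

# Logon types that mean a person actually used the workstation:
# 2 = interactive (console), 10 = RemoteInteractive (RDP), 11 = cached interactive
$InteractiveLogonTypes = @('2', '10', '11')

function Get-EventDataValue {
    # Pull one named field out of the <EventData><Data Name="..."> list of a 4624 event
    param($EventData, [string]$Name)
    ($EventData | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PrivilegedWorkstationLogons {
    param([string[]]$Computers, [datetime]$Since, [string]$Prefix)
    foreach ($computer in $Computers) {
        $events = Get-WinEvent -ComputerName $computer -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $Since
        }
        foreach ($e in $events) {
            $data = ([xml]$e.ToXml()).Event.EventData.Data
            $user = Get-EventDataValue $data 'TargetUserName'
            $type = Get-EventDataValue $data 'LogonType'
            if ($user -like "$Prefix*" -and $type -in $InteractiveLogonTypes) {
                [pscustomobject]@{
                    Time        = $e.TimeCreated
                    Workstation = $computer
                    Account     = "$(Get-EventDataValue $data 'TargetDomainName')\$user"
                    LogonType   = $type
                    SourceIP    = Get-EventDataValue $data 'IpAddress'
                }
            }
        }
    }
}

$workstations = Get-ADComputer -SearchBase $WorkstationOU -Filter * |
    Select-Object -ExpandProperty Name
$hits = @(Get-PrivilegedWorkstationLogons -Computers $workstations `
            -Since (Get-Date).AddHours(-$Hours) -Prefix $AdminPrefix)

if ($hits.Count -gt 0) {
    # Every line is a privileged account used on an end-user workstation: either the
    # "Deny log on locally" GPO did not apply to that machine, or it was bypassed.
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    "No interactive logons by $AdminPrefix accounts on $($workstations.Count) workstations in the last $Hours hours."
}
```

Once the deny policy is effective, the same accounts produce failed logons (event 4625) instead, which is the event to alert on afterwards.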

Delivery Tips
• Highlight the risks of working on untrusted workstation, using high-privileged accounts
• Repeat the message often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management does support this effort


Restrict internet access for administrators

Background

It doesn’t need any clarification that today’s main security threats come from the Internet.

Hackers will try to target the most valuable assets of an organization and if they can successfully attack somebody with high privileges across many systems, they gain immediate access to most data within that organization.

System administrators should hence be very careful when accessing internet websites or reading emails.

At the same time, organizations should also make sure that administrative privileges are only given to users that really need them. That implies that normal users only need standard privileges on their systems and should not have administrative access on their workstations.

How-to

Internet access policy for system administrators
The most important aspect is that system administrators should understand the risks that come along with their privileges. System administrators often have privileges across many systems and should understand that executing any untrusted program can infect all systems of the whole organization, even in the cloud.

System administrators should therefore abide by the following rules:
• 2 accounts: system administrators should always have 2 accounts: one for normal computer usage (reading mail, surfing the internet, etc.) and one only for administrative purposes
• Never go on the internet with a privileged account
• Only execute trusted and verified software when using the administrative account.
• Only install or run software that is downloaded directly from the vendor’s site itself.


Area: Compliance (cost, complexity and value: rating icons not reproduced)

Required components
— Security policy
— Management endorsement
— Configuration changes on Internet proxy server

How can you enforce this policy in a simple way?
1. Make a clear separation between normal and administrative user accounts (see the “Separate accounts for system administrators” recipe).
2. Only include administrative accounts (A-accounts) in privileged Windows groups, such as the “Domain Admins” group.
3. In case the organization has a proxy server in place to access the internet, you can enforce this policy by not granting access to the Internet from administrative workstations or by blocking access for any user that has an administrative A-account (this requires that the proxy server authenticates users based on their Windows credentials).
4. Alternatively, you can set a group policy for all administrative user accounts to use a proxy server with a very strict Internet-access policy (e.g. only whitelisted websites, such as software vendors or cloud services used by the organization).

See our “Separate accounts for system administrators” recipe for more information on the topics above.

Non-privileged accounts for end-users
Normal end-users (that do not perform administrative tasks) should not have an account that has any privileged access to any system, not even to their own workstation or laptop.

Some organizations choose however to enable users to manage their own workstation/laptop, e.g. in case they need to install new software, configure a new printer, etc. It is important that users in this category clearly understand the risk that comes along with this privileged access, and end-user training on “dos” and “don’ts” is essential in order to reduce the risk of compromised workstations and/or laptops.

Some examples of advice to end-users:
• Only install company-approved software that is downloaded from either the vendor’s website or from an internal software repository
• Be vigilant when browsing the internet
• Ensure that patches for the OS and applications are installed when available, and issue separate communications on a regular basis to ensure that users don’t forget to install security updates
• In case of doubt, bring in the computer to have it reviewed for possible malware and cleaned up. Avoid punishing users for having an infected computer, since they will be reluctant to bring in their computer and will try to solve the problem themselves, thereby putting your infrastructure in danger. (Possible signs of an infected computer might be: anti-virus no longer active, unexpected browser pop-ups for advertisements, programs being started unexpectedly, etc.)

Always make sure that workstations are fully patched, protected by an up-to-date anti-virus and that you have EMET (Microsoft Enhanced Mitigation Experience Toolkit) installed. More information on EMET can be found here: http://www.microsoft.com/en-us/download/details.aspx?id=43714

For the expert
See the “jump-system for administrative access” recipe further in this document.
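As an added example (not from the cookbook), the PowerShell below covers steps 2 and 4 of the enforcement procedure above: it reports members of privileged groups that do not follow the A- naming convention, and it builds a group policy that sends A- accounts through a restricted proxy. The GPO name, the OU holding the administrative accounts and the proxy address are assumptions.

```powershell
# Added example, not from the cookbook. Step 2 of the procedure above: report members of
# privileged groups that do not carry the "A-" prefix (normal accounts holding admin rights).
# Step 4: a Group Policy, linked to the OU that holds the A- accounts, that points those
# accounts at a restricted proxy. GPO name, OU and proxy address are assumptions to adapt.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-NonAdminAccountsInPrivilegedGroups {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [string]$AdminPrefix = 'A-'
    )
    foreach ($group in $Groups) {
        # -Recursive expands nested groups, so accounts added via another group are caught too
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notlike "$AdminPrefix*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $group
                    Account = $_.SamAccountName
                    Finding = "privileged group member without the $AdminPrefix naming convention"
                }
            }
    }
}

function Set-AdminProxyPolicy {
    param(
        [string]$GpoName         = 'Admin accounts - restricted proxy',        # assumed
        [string]$AdminAccountsOU = 'OU=Admin Accounts,DC=example,DC=local',    # assumed
        [string]$Proxy           = 'restricted-proxy.example.local:8080'       # assumed
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Recipe: restrict internet access for administrators'
    }

    # User-side proxy settings: the policy follows the A- account, whatever machine it uses.
    # The whitelist itself (vendor and cloud sites) is enforced on the restricted proxy.
    $key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ProxyEnable' -Type DWord  -Value 1      | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ProxyServer' -Type String -Value $Proxy | Out-Null
    # Pair this with the "Prevent changing proxy settings" administrative template in the same
    # GPO, otherwise the administrator can simply switch the proxy off again.

    $linked = (Get-GPInheritance -Target $AdminAccountsOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $AdminAccountsOU -LinkEnabled Yes | Out-Null }
    Get-GPO -Name $GpoName
}

$findings = @(Get-NonAdminAccountsInPrivilegedGroups)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { 'All members of the privileged groups follow the A- naming convention.' }
```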

Delivery Tips
• Highlight the risks of working on untrusted workstation, using high-privileged accounts
• Repeat the message often!
• Use multiple channels to deliver your message: yearly security briefing, flyers, posters, internal website
• Ensure management does support this effort


Implement “jump”-systems for secure administration

Background

Enforcing secure system-administration rules along with end-user awareness and security policies will provide a better and long-term end result.

Jump-systems are intermediate, secure servers that administrators can use to administer the environment and through which critical systems are isolated from insecure workstations. In addition, a jump-system even provides a secure method for remotely administering the environment (e.g. from home or another location).

How-to

The purpose of a jump-system is to separate the admin environment from the normal user environment. The admin environment needs to be highly secure and accessed by as few people as possible, with the least privileges possible and for the shortest time possible.
The concept of a jump-system is depicted below:
[diagram of the jump-system concept not reproduced]


Area: Compliance (cost, complexity and value: rating icons not reproduced)

Required components
— Active Directory (AD) & experience managing it
— Knowledge/experience on working with Group Policies in AD
— Remote Desktop Host & some experience managing it

The purpose of the jump-system is to separate the administrative network flows from normal user network flows. This implies that all network traffic related to remote administration must pass via the jump-system, while normal user traffic must pass via the internal firewall.

Making a separation between administrative network flows and normal end-user traffic is not always trivial, since some administration can be done over network protocols that are also used for normal user traffic to backend servers. On the other hand, most recent software has separate protocols or ports, such as PowerShell-related ports, the Remote Desktop protocol or separate ports for web administration of backend servers.

Setting up a remote desktop host on Windows Server 2012 (R2) is a very trivial process and a step-by-step quick-start guide can be found here: https://technet.microsoft.com/en-us/library/hh831754.aspx (Note: ensure you select “Session-based desktop deployment” and not “Virtual machine-based desktop deployment”).

Once the Remote Desktop host (RD-Host) has been set up, you should take the following actions to ensure that the RD-Host can be turned into a secure administrative jump-system:
1. Ensure segregation of duties:
  a. The administrator of the jump-system has no administrative privileges on domain level, workstations or other servers; vice versa, the administrators of other systems don’t have any privileges on the jump-system.
  b. Only administrative accounts can use the jump-system
  c. Administrative accounts are not allowed access on end-user workstations
2. Restrict administrative network flows (RDP, PowerShell and other protocols) on the internal firewall, in order to force all administration to be done on the workstation
3. Configure Remote Desktop Gateway to enforce policies and provide direct RDP access to backend servers.
4. Enforce auditing on the jump-system
5. Don’t allow internet access from the jump-system or any server to the internet, except maybe for well-defined vendor sites


Implement segregation of duties

Segregation of duties implies that you try to separate tasks that are conflicting in terms of security; a common example in the accounting world for segregation of duties is that the one entering an order cannot be the same person as the one who approves it.
First step is to ensure that all system administrators have a separate user-account for administrative activities, as explained in the “Separate accounts for system administrators” recipe.
Furthermore, you will need to create and manage (at least) 4 Active Directory groups with no common members:
1. “AdminJump_administrators”: this new group is the only group that has local administrative privileges on the jump-system
2. “Server_administrators”: this new group contains all (and only) administrative accounts that must manage backend servers. This group should not contain system-administrators with
3. “Workstation_administrators”: this new group contains administrative accounts that have local administrative privileges on workstations. Preferably, this group has different members than the ones managing backend servers and should never contain any personnel with domain admin privileges.
4. “Domain Admins”: this built-in group contains only administrative accounts who really need these privileges on a day-to-day basis. Typically, this group should contain only very few users.
(note: the names of these groups can of course be chosen according to your own naming conventions; “Domain Admins” is a built-in group)

Access rights for the first 3 groups can be set by modifying the local “administrator” group-membership on each target machine; this can also be set by creating group-policies that set this group membership; for example, for the jump system, the local group policy should be updated as follows:

When using group policies, ensure that workstations, servers, jump-system and domain-controllers are in distinct Organizational Units (OUs). Domain Controllers should always reside in the “Domain Controllers” OU.

Restrict administrative network flows

On your internal and internet-access firewalls, ensure that the following flows are enforced:
• Do not allow RDP access (TCP/3389) from any workstation to backend servers, except to the jump-system itself or other RD-Host servers that you might have in place
• Do not allow PowerShell Remoting access (TCP/5985 (http) and TCP/5986 (https)) from any workstation to backend servers
• Do not allow access to other management network ports that might be used by other applications. For example, SharePoint will publish its administrative interface over a specific port (randomly selected during installation); you can retrieve this port through the command: “STSADM -o getadminport”.
Of course, the better approach is to only allow known user-to-server traffic (whitelisting principle) and let all other traffic be forced over the jump-system.

Configure Remote Desktop Gateway

To configure Remote Desktop Gateway on the jump-system itself, open the Server Manager console (on the RD Host) and click “Remote Desktop Services” on the left side; on the Overview page, click the “RD Gateway” + icon. Select the RD Host and add it to the “selected” group and complete the wizard (you will also have to provide the name under which the server is accessed on the network; this name must be present in the SSL-certificate for the RD Gateway server).
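As an added example (not part of this cookbook), the following PowerShell script checks the “no common members” requirement of the four administrative groups described under “Implement segregation of duties”; it assumes the RSAT ActiveDirectory module is installed and uses the group names from the text.

```powershell
# Added example (not from the cookbook): report any account that is a member
# of more than one of the four administrative groups from the
# "Implement segregation of duties" recipe. Nested group membership is
# resolved, so an overlap hidden behind a nested group is reported as well.
# Assumes the RSAT ActiveDirectory module and the group names used in the text.
Import-Module ActiveDirectory

$AdminGroups = @(
    'AdminJump_administrators',
    'Server_administrators',
    'Workstation_administrators',
    'Domain Admins'
)

function Get-AdminGroupOverlap {
    param([string[]] $Groups = $AdminGroups)

    # SamAccountName -> list of administrative groups the account belongs to
    $membership = @{}
    foreach ($group in $Groups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                if (-not $membership.ContainsKey($_.SamAccountName)) {
                    $membership[$_.SamAccountName] = @()
                }
                $membership[$_.SamAccountName] += $group
            }
    }

    # Every account listed in two or more groups is a segregation-of-duties violation.
    $membership.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.Key
                Groups  = ($_.Value -join ', ')
            }
        }
}

$overlap = @(Get-AdminGroupOverlap)
if ($overlap.Count -eq 0) {
    Write-Output 'OK: no account is a member of more than one administrative group.'
} else {
    Write-Warning "$($overlap.Count) account(s) violate the segregation of duties:"
    $overlap | Format-Table -AutoSize
}
```

Run it periodically (e.g. as a scheduled task on the jump-system) so that a group membership added in a hurry is noticed.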
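As an added example (not part of this cookbook) for the flows listed under “Restrict administrative network flows”, the following PowerShell scopes the built-in Windows Firewall rules for RDP and PowerShell Remoting on a backend server so that only the jump-system can reach those ports; this complements the network firewall rules rather than replacing them. The jump-system address is a constructed placeholder and the rule group names are the ones shipped with Windows Server 2012 R2 (assumption).

```powershell
# Added example (not from the cookbook): on a backend server, restrict the
# built-in inbound firewall rules for Remote Desktop (TCP/3389) and Windows
# Remote Management (TCP/5985 and TCP/5986) to the jump-system only, so that
# workstations cannot reach these ports directly. Complements, and does not
# replace, the rules on the internal and internet-access firewalls.
# Assumptions: Windows Server 2012 R2 rule group names; the address below is
# a constructed placeholder.
$JumpSystem = '10.0.10.5'                                    # placeholder
$RuleGroups = @('Remote Desktop', 'Windows Remote Management')

function Get-AdminRuleScope {
    # Returns one object per inbound rule with the remote addresses it accepts.
    Get-NetFirewallRule -DisplayGroup $RuleGroups -Direction Inbound |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($filter.RemoteAddress -join ', ')
            }
        }
}

# Weak default: the rules accept connections from any address ("Any").
Write-Output 'Before:'
Get-AdminRuleScope | Format-Table -AutoSize

# Hardened: limit every inbound rule in those groups to the jump-system.
# Connections from any other source then fall through to the default
# inbound action of the firewall, which is Block.
Get-NetFirewallRule -DisplayGroup $RuleGroups -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $JumpSystem

Write-Output 'After:'
Get-AdminRuleScope | Format-Table -AutoSize
```

The same settings can be pushed to all backend servers through a Group Policy on the servers OU instead of running the script on each machine.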


To configure the Remote Desktop gateway, click on “tools” in the Server Manager Console and navigate to “Terminal Services” > “Remote Desktop Gateway Manager”.

Expand the server-name and right-click “Policies” and select “Create New authorization policies”. Next select to “create a RD CAP and a RD RAP (recommended)” policy.

• On the “Select requirements” page, add the groups “AdminJump_administrators”, “Server Administrators” and “Domain Admins”.
• You can optionally also restrict from which workstations system administrators are allowed to access the RDP server, by selecting a group that has all these workstations as member.
• On the “Enable or Disable device redirection” page, select “disable device redirection for the following client device types” and select the following:
  • Drives: to avoid that malicious content from the workstation is copied to backend servers
  • Ports: commonly not used, so this reduces the attack surface
  • Supported plug and play devices: attack surface reduction
  • Optionally, the clipboard can be restricted too, but this might make life difficult for system administrators (e.g. when creating documentation)
• Set idle and session timeout to acceptable values for your organization
• On the Resource authorization policy, select the same groups as above in the first bullet point
• Choose “Select an Active Directory Domain Services network resource group”
  • This group must be an existing or new group that has all backend-servers as members; if this group does not yet exist, ensure that this group is created first in Active Directory.
• Accept the default port 3389 on which backend servers have RDP enabled
• Finish the configuration of the policy.


Configure client access to the back-end servers and RD Host

In order to access backend servers over the Remote Desktop protocol, system-administrators will have to pass through the RDP gateway server. To do this, they must configure the RD Gateway on the RD Client, through the “Advanced” tab and selecting “Settings…”

Fill in the correct RD Gateway host name in the “Server name” field and configure as shown on the right.

Alternatively, administrators can use the RD Host (installed on the same system as the RD Gateway) to get a desktop which has unrestricted access to all backend systems in the datacenter. From this RD Host, the system-administrators can launch their favorite administration tools or run scripts using PowerShell.
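As an added example (not part of this cookbook) of the client-side settings described above, the following PowerShell writes one .rdp connection file per backend server that always goes through the RD Gateway and disables the same device redirections as the gateway policy; the gateway name, server names and output folder are constructed placeholders.

```powershell
# Added example (not from the cookbook): generate one .rdp connection file per
# backend server that always connects through the RD Gateway and, in line with
# the gateway policy, disables drive, port, printer, plug-and-play and
# clipboard redirection on the client side as well.
# The gateway name, server list and output folder are constructed placeholders.
$GatewayHost  = 'rdgw.corp.example'     # name in the RD Gateway SSL certificate
$BackendHosts = @('srv-sql01.corp.example', 'srv-app01.corp.example')
$OutputFolder = Join-Path $env:USERPROFILE 'AdminRdp'

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

foreach ($server in $BackendHosts) {
    # Standard .rdp file keys: ":s:" holds a string value, ":i:" an integer.
    $settings = @(
        "full address:s:$server",
        "gatewayhostname:s:$GatewayHost",
        'gatewayusagemethod:i:1',          # 1 = always use the RD Gateway
        'gatewayprofileusagemethod:i:1',   # 1 = use these explicit gateway settings
        'gatewaycredentialssource:i:0',    # 0 = prompt for password (1 = smart card)
        'prompt for credentials:i:1',      # never store the administrative password
        'authentication level:i:1',        # 1 = refuse if server authentication fails
        'redirectclipboard:i:0',
        'redirectdrives:i:0',
        'drivestoredirect:s:',
        'redirectcomports:i:0',
        'redirectprinters:i:0',
        'devicestoredirect:s:'             # no plug-and-play devices
    )
    $file = Join-Path $OutputFolder "$server.rdp"
    # .rdp files are plain text; mstsc.exe reads an ASCII file without issue.
    $settings | Set-Content -Path $file -Encoding Ascii
    Write-Output "Wrote $file"
}
```

Open a generated file with mstsc.exe; the “Advanced” > “Settings…” dialog then shows the gateway pre-filled exactly as the text describes.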

Restrict internet access


As described in our “restrict internet access for administrators” recipe, system-administrators should not access the internet using their administrative account. Jump-systems however facilitate this policy, since system-administrators will logon with their normal user account on their workstation, from where they will be able to access the internet, read emails, etc.
For administrative tasks, they will connect to the jump system through Remote Desktop and authenticate using their administrative account. Once on the RD Host or on a backend system, system-administrators should not be able to access the internet anymore, or eventually only a very limited set of vendor sites (e.g. for support documentation, help-files, approved software downloads, etc.).

Delivery Tips
• Since system-administrators, especially in smaller organizations, will manage backend-systems and jump-
systems, they must enforce this way of working upon themselves. It’s therefore very important that they fully
understand the value of this approach and actively support this
• Workstation administrators are a “dangerous” group, since they have administrative access to all
workstations. It’s very important for them to understand that they should not access internet with their
administrative account and understand the risks.


For the expert

To provide even stronger security on the Remote Desktop Gateway, it is possible to enforce smart-card authentication. Using Windows 8 or later on a workstation or laptop that is equipped with a TPM chip, you don’t need an actual smartcard anymore. You can use virtual smartcards in order to achieve strong authentication.

More information on setting up smart-card logon in Windows can be found here:
https://technet.microsoft.com/en-us/library/cc739063(v=ws.10).aspx

More information on virtual smartcards in Windows 8 and later can be found here:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Using-Virtual-Smart-Cards-Windows-8.html


Multi-factor authentication in Office 365 and Azure

Background

Passwords, even good passwords, remain the Achilles heel of many organizations. Passwords can be stolen and unless you continuously pay attention to how to use passwords correctly, there remains a significant risk that one day, a password of a critical account (such as a system-administrator) might leak.
Especially for cloud-environments, this impact of a compromised or stolen password increases dramatically, since cloud environments are accessible from anywhere. A better protection mechanism, especially for the critical accounts, is hence almost a must-have.

How-to

Multifactor authentication is a feature that can be easily set up and configured out-of-the-box with any Office 365 or Windows Azure subscription. The steps below highlight how to do this for an Office 365 account.
1. Go to the O365 admin center and select Users > Active Users


AREA: TECHNICAL SECURITY MEASURES
COST / COMPLEXITY / VALUE: (rating icons in the original)

REQUIRED COMPONENTS
— Personal (smart-)phone for each user
— Office 365 and/or Azure subscription including multifactor authentication

2. Click on “Set up” after “Set Multifactor Authentication requirements”
3. Select the administrative user for which you want to enable multifactor authentication and click “Enable” under the “Quick Steps”
4. Click “enable multi-factor auth” and next on “close”
5. The user can now go to the following URL: http://aka.ms/MFASetup to configure multi-factor authentication to his own needs:


6. Next, the user should click on “Additional security verification”; he can now select his preferred option for authentication, such as phone call, text message or multi-factor authentication app (see further in this recipe on how to configure). He should also update and/or verify his phone number(s) at this point. If he doesn’t complete the above (points 5 & 6), the next time the user logs on after this change, he will get a message to set up the additional security verification:
7. The user can then choose his preferred authentication method:
8. He will be prompted to validate the additional verification option, by entering the verification code he received through a text-message


10. Since applications such as Outlook, Lync and others cannot currently deal with 2-factor authentication, users can also create an “application password” that allows them to continue to use their applications; note that this password cannot be used for web-authentication.

Alternative authentication options:
Besides multifactor authentication through SMS or phone-call, users can also authenticate using the multi-factor authentication App that is available on Windows Phone, Android and iOS. Going back to the URL in step 5 above, users can also choose the mobile app to authenticate.

When clicking on “Configure”, the user is presented a QR code that he can scan with his Multi-Factor authentication app (the user can install the app following the instructions on the first line of the screen).

Next time he logs on, he can select to “use the verification code from my mobile app”; using the link above, he can also select this as his primary authentication method.
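As an added example (not part of this cookbook), the following PowerShell performs steps 2 to 4 above for every Office 365 global administrator at once, the critical accounts the Background paragraph singles out, and reports which of them have not yet completed step 5. It assumes the MSOnline PowerShell module, the Office 365 management module at the time of writing, is installed and that you sign in as a global administrator.

```powershell
# Added example (not from the cookbook): script equivalent of steps 2-4 above,
# applied to every Office 365 global administrator at once, plus a report of
# who has not yet completed step 5 (registering a verification method).
# Assumption: the MSOnline PowerShell module (Office 365 management module of
# that time) is installed; sign in as a global administrator when prompted.
Import-Module MSOnline
Connect-MsolService

function Get-GlobalAdminUsers {
    # In MSOnline the global administrator role is named "Company Administrator".
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress }
}

function Enable-UserMfa {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    # State "Enabled" asks the user to register at next sign-in; the service
    # moves it to "Enforced" once registration is complete.
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

function Get-MfaStatusReport {
    Get-GlobalAdminUsers | ForEach-Object {
        $state = ($_.StrongAuthenticationRequirements | Select-Object -First 1).State
        $mfaState = if ($state) { $state } else { 'Disabled' }
        [pscustomobject]@{
            User       = $_.UserPrincipalName
            MfaState   = $mfaState
            Registered = ($_.StrongAuthenticationMethods.Count -gt 0)
        }
    }
}

# Enable MFA for every global administrator that does not have it yet.
Get-GlobalAdminUsers |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    ForEach-Object {
        Enable-UserMfa -UserPrincipalName $_.UserPrincipalName
        Write-Output "MFA enabled for $($_.UserPrincipalName)"
    }

# Follow up on administrators that still have to register their phone or app.
Get-MfaStatusReport | Where-Object { -not $_.Registered } | Format-Table -AutoSize
```

Passing an empty array (`@()`) to -StrongAuthenticationRequirements disables MFA for a user again, which is the scripted form of the temporary exceptions mentioned in the delivery tips.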


Configuring other options for the multifactor authentication

When going back to the screen on step 2 and clicking on “service settings”, one can configure a few parameters, such as:
• Allow or disallow App-passwords (see also step 10 for more info)
• Allow users to suspend multi-factor authentication (per device) for a given number of days

In addition, you can also perform the following actions per user or for multiple users at once:
• Require selected users to provide contact methods again: e.g. in case you think that the phone number of users might have changed
• Delete all existing app passwords generated by the selected users
• Restore Multi-Factor Authentication on all suspended devices


For the expert

Organizations that have both an Office 365 and a Windows Azure subscription can extend the functionality of the multi-factor authentication with a large number of new features, such as:
• Customized voice messages for call-verification in multiple languages
• Granular security controls
• Choose to disable multifactor authentication when working from specific locations (based on public IP-address ranges)
• Extensive reporting on the use of multi-factor authentication
• Block and unblock users
• Provide temporary one-time bypass
• Fraud alerts (e.g. in case a user suspects that somebody else is trying to logon, in case he gets an authentication SMS unexpectedly)
• Etc…

To enable these additional features, authenticate to the Azure portal (portal.azure.com) and select to create a new multi-factor authentication provider (fig. top right).

Ensure that this provider is linked to your existing directory. The usage-model will define how you will pay for this service: per user or per authentication. Note that this can NOT be changed anymore later on.

Next, click on the newly created multi-factor authentication provider and select “manage” at the bottom. You are provided with a web-interface that allows you to configure all the new features listed above (fig. bottom right).

Delivery Tips
• Start with the most critical accounts first, such as system-administrators that manage your Office 365 environment or personnel that might store sensitive data
• Explain clearly to your end-users why you have chosen to implement this and provide training (e.g. video available through the O365 website)
• Extend to more users after initial learning
• Ensure you have processes in place to deal swiftly with temporary exceptions (e.g. a user lost or forgot his phone) and ensure that the helpdesk is trained on these procedures


Auditing and logging on Office 365

Background

Auditing is an endpoint in the security processes and should be used to measure:
• which security policies are violated (compliancy)
• that security controls are correctly implemented and executed (compliancy)
• internal and external attacks on the information systems (incident management)

“To measure is to know”

“When you can measure what you are speaking about, and express it in numbers, you know something about it, when you cannot express it in numbers, your knowledge is of a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts advanced to the stage of science.”
William Thomson, 1st Baron Kelvin


AREA: TECHNICAL SECURITY MEASURES
COST / COMPLEXITY / VALUE: (rating icons in the original)

REQUIRED COMPONENTS
— Security policy
— Management endorsement and support
— Support and commitment of the organization to implement this

How-to

Generic approach to information security auditing:

Auditing is an important security process that allows an organization to measure the state of its security posture. As with any measurement, it is of course important that you have a clear idea of what you want to measure and what your Key Performance Indicators (KPIs) are for this security process.

For example, if you want to validate that system-administrators are not snooping into your personnel’s emails (which is hard to enforce technically), you need to take the following steps:
• Ensure that you have a security policy defined that clearly states this policy
• Define an audit-policy for the email-environment
• In this audit-policy, define that events must be generated for all accesses by administrative personnel on users’ inboxes & ensure that this policy is technically implemented on the system
• Ensure you have a system in place to centrally collect these events (SIEM)
• Define reporting on the central event-collection system for these specific events
• Ensure personnel is tasked to review these reports on a regular basis and create a security incident for each violation

This simple example already shows that setting up and implementing good audit systems and processes requires quite some investment and skills to do it properly.

Auditing in Office 365

Luckily, Office 365 has already quite some components in place to facilitate the setup of security audit reporting, and security reports for most common events are already pre-defined and configured.

Configuring audit policies and accessing reports on Office 365 can be achieved in the following ways:
• Exchange (mailbox) auditing: go to the admin-center and access “reports” on the left side. Standard reports that are available are for example Mailbox access by non-owners. More information on how to configure mailbox-auditing can be found here: https://technet.microsoft.com/en-us/library/jj150497(v=exchg.150).aspx
• Account auditing: most audit reports are accessible under Azure AD directly; you can get to the reports through the admin-center > reports > Azure AD Reports. Several reports are available, such as “anomalous activity” (failed authentication, etc.), “activity logs” (user and group management) and many more.
• SharePoint auditing: auditing for SharePoint can be configured on site-collections. The “site collection audit settings” link lets you choose what to audit, such as actions on documents and collection objects such as sites, libraries and lists (create, edit, move, delete, permissions change, etc.). Several predefined reports are available through the “audit log reports” link or you can create your custom report. All SharePoint audit reports are stored in Excel format on the SharePoint site itself.

More information on Office 365 auditing can be found here: https://technet.microsoft.com/en-us/library/dn790283.aspx

For the expert

Microsoft’s Audit Collection System (part of System Center Operations Manager) allows you to quickly set up an event-collector and reporting system, giving you the same kind of access to audit reports as available in Office 365.
For more information, see: https://technet.microsoft.com/en-us/library/hh212908.aspx
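As an added example (not part of this cookbook), the following PowerShell implements the technical part of the “administrators snooping in mailboxes” example above for Exchange Online: it turns on non-owner mailbox auditing for all user mailboxes and produces the weekly report of non-owner accesses that the reviewer turns into security incidents. It assumes the ExchangeOnlineManagement module is installed and that the Set-Mailbox audit parameters and Search-MailboxAuditLog are available in your tenant.

```powershell
# Added example (not from the cookbook): technical implementation of the
# "no snooping in mailboxes" audit example above for Exchange Online.
# 1) turn on mailbox auditing for all user mailboxes so that every admin and
#    delegate (non-owner) access generates an audit event, and
# 2) produce the report of non-owner accesses that the reviewer turns into
#    security incidents.
# Assumptions: the ExchangeOnlineManagement module is installed and the mailbox
# audit cmdlets (Set-Mailbox/Search-MailboxAuditLog) are available in the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# Operations to log for non-owner logons. FolderBind records that a folder was
# opened at all; the others record changes and sending on someone's behalf.
$NonOwnerOperations = @('Create', 'FolderBind', 'Update', 'Move',
    'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf')

function Enable-NonOwnerMailboxAudit {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Set-Mailbox -AuditEnabled $true `
                    -AuditAdmin    $NonOwnerOperations `
                    -AuditDelegate $NonOwnerOperations `
                    -AuditLogAgeLimit '90.00:00:00'   # keep events for 90 days
}

function Get-NonOwnerAccessReport {
    param([int] $Days = 7)
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        ForEach-Object {
            Search-MailboxAuditLog -Identity $_.Identity `
                                   -LogonTypes Admin, Delegate `
                                   -ShowDetails -StartDate $start -EndDate $end
        } |
        Select-Object MailboxOwnerUPN, LogonUserDisplayName, LogonType,
                      Operation, FolderPathName, LastAccessed, ClientInfoString |
        Sort-Object LastAccessed -Descending
}

Enable-NonOwnerMailboxAudit

# Per the policy above, each Admin logon in the report is a potential incident.
$report      = @(Get-NonOwnerAccessReport -Days 7)
$adminAccess = @($report | Where-Object { $_.LogonType -eq 'Admin' })
Write-Output "Non-owner accesses in the last 7 days: $($report.Count); by administrators: $($adminAccess.Count)"
$adminAccess | Format-Table -AutoSize
```

Forward the report output to your SIEM or ticketing system so that the review step does not depend on someone remembering to run the script.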

Delivery Tips
• Don’t rely on auditing as your only defense; prevention is better than cure!
• Make sure that trained personnel is tasked to review the logs on a regular basis and to take action on identified incidents
• Ensure that management supports the incident-management plan, including corrective actions
• Ensure that all personnel is aware that auditing is in place. If people know that they are being watched, they will be much more reluctant to do something wrong.
• Ensure that any type of auditing is compliant with legal privacy regulations

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft
must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of
any information presented after the date of publication.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced,
stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any
purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly
provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with
any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2015 Microsoft Corporation. All rights reserved.
