Microsoft Security Best Practices
Microsoft Security Best Practices (formerly known as the Azure Security Compass or Microsoft Security Compass) is a collection of best practices that provide clear, actionable guidance for security-related decisions. It is designed to help you increase your security posture and reduce risk whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers. This guidance was formerly referred to as Azure Security Compass and is now increasing in scope to encompass all Microsoft security guidance and capabilities, including Microsoft 365.
In this guidance:
Introduction
Governance, risk, and compliance
Security operations
Identity and access management
Network security and containment
Information protection and storage
Applications and services
This guidance is presented in a series of videos. To download the PowerPoint slides associated with these videos,
click download presentation slides.
Related topics
Security design principles for cloud architecture
Security reference architectures and design
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
What's inside Microsoft Security Best Practices?
12/13/2021 • 2 minutes to read • Edit Online
Microsoft Security Best Practices is a collection of best practices that provide clear, actionable guidance for security-related decisions. It is designed to help you increase your security posture and reduce risk whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers.
To download the PowerPoint slides associated with these videos, click download presentation slides.
PowerPoint | PDF
NOTE: Azure Security Compass or Microsoft Security Compass is now renamed Microsoft Security Best Practices.
Progress and role tracking worksheets
This topic includes tracking worksheets that assist you with tracking the status of decisions and roles.
These can be used by an organization to track status for Microsoft’s recommendations.
Tracking worksheet
The tracking worksheet assists with tracking status of decisions, policy, and implementation.
Excel
PDF | PowerPoint
Microsoft Security Best Practices module: Governance, risk, and compliance
Governance, Risk, and Compliance (GRC) activities help reduce organizational risk by ensuring policy and best
practices are followed consistently over time. This section also addresses key roles and responsibilities we have
found important for successfully managing cloud security.
See the Governance, risk, and compliance and Capabilities topics for more information.
The following videos provide guidance on governance, risk, and compliance. You can also download the
PowerPoint slides associated with these videos.
Governance, risk, and compliance
Organizations of all sizes are constrained by their available resources: financial, people, and time. To achieve an effective return on investment (ROI), organizations must prioritize where they will invest. Implementation of security across the organization is constrained in the same way, so to achieve an appropriate ROI on security the organization needs to first understand and define its security priorities.
Governance – How is the organization's security going to be monitored, audited, and reported? Design and implementation of security controls within an organization is only the beginning of the story. How does the organization know that things are actually working? Are they improving? Are there new requirements? Is there mandatory reporting? As with compliance, there may be external industry, government, or regulatory standards that need to be considered.
Risk – What types of risk does the organization face while trying to protect identifiable information, intellectual property (IP), and financial information? Who might be interested in this information, or could leverage it if stolen? Consider external and internal threats, whether unintentional or malicious. A commonly forgotten but extremely important consideration within risk is addressing disaster recovery and business continuity.
Compliance – Are there specific industry, government, or regulatory requirements that dictate, or provide recommendations on, the criteria that your organization's security controls must meet? Examples of such standards, organizations, controls, and legislation are ISO 27001, NIST, and PCI DSS.
The collective role of organization(s) is to manage the security standards of the organization through their
lifecycle:
Define - Set organizational standards and policies for practices, technologies, and configurations based
on internal factors (organizational culture, risk appetite, asset valuation, business initiatives, etc.) and
external factors (benchmarks, regulatory standards, threat environment, and more)
Improve – Continually push these standards incrementally forward towards the ideal state to ensure
continual risk reduction.
Sustain – Ensure the security posture doesn’t degrade naturally over time by instituting auditing and
monitoring compliance with organizational standards.
Group or individual role | Responsibility
Server Endpoint Security | Typically IT operations, security, or jointly. Monitor and remediate server security (patching, configuration, endpoint security, etc.).
Incident Monitoring and Response | Typically security operations team. Investigate and remediate security incidents in Security Information and Event Management (SIEM) or source console.
Policy Management | Typically GRC team + Architecture. Set direction for use of Role Based Access Control (RBAC), Microsoft Defender for Cloud, Administrator protection strategy, and Azure Policy to govern Azure resources.
Identity Security and Standards | Typically Security Team + Identity Team jointly. Set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, Application Identity Standards.
Penetration testing
Use Penetration Testing to validate security defenses.
Real-world validation of security defenses is critical to confirm that your defense strategy and its implementation work as intended. This can be accomplished by a penetration test (which simulates a one-time attack) or a red team program (which simulates a persistent threat actor targeting your environment).
Follow the guidance published by Microsoft for planning and executing simulated attacks.
Governance, risk, and compliance capabilities
This article lists capabilities that can help with governance, risk, and compliance. You can also learn more about
these capabilities at Azure governance documentation.
Capability | Description | More information
Microsoft 365 Defender portal | Microsoft 365 Defender portal provides security administrators and other risk management professionals with a centralized hub and specialized workspace that enables them to manage and take full advantage of Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management. | Microsoft 365 Defender portal
Microsoft 365 compliance center | Microsoft 365 compliance center provides easy access to the data and tools you need to manage your organization's compliance needs. | Microsoft 365 compliance center
Microsoft Defender for Cloud | Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. | Microsoft Defender for Cloud documentation
Management Groups | If your organization has many subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions. Azure management groups provide a level of scope above subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. | Organize your resources with Azure management groups
Azure Policy | Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. | Azure Policy documentation
Security operations
Security operations monitor an enterprise environment to rapidly identify and remediate risk from active attack
operations, sharing insights and threat intelligence from these attacks to the rest of the organization.
The following videos provide guidance on security operations.
Next steps
See security operations best practices and capabilities for more information.
Review the PowerPoint slides for the Microsoft Azure Security Compass Workshop.
See also
Security operations functions from the Cloud Adoption Framework for Azure
SOC Process Framework Workbook for Microsoft Sentinel
Additional security guidance from Microsoft
Resource | Description
2021 Microsoft Digital Defense Report | A report that encompasses learnings from security experts, practitioners, and defenders at Microsoft to empower people everywhere to defend against cyberthreats.
Microsoft Cybersecurity Reference Architectures | A set of visual architecture diagrams that show Microsoft's cybersecurity capabilities and their integration with Microsoft cloud platforms such as Microsoft 365 and Microsoft Azure and third-party cloud platforms and apps.
Minutes matter infographic download | An overview of how Microsoft's SecOps team does incident response to mitigate ongoing attacks.
Azure Cloud Adoption Framework security operations | Strategic guidance for leaders establishing or modernizing a security operation function.
Microsoft security best practices for security operations | How to best use your SecOps center to move faster than the attackers targeting your organization.
Microsoft cloud security for IT architects model | Security across Microsoft cloud services and platforms for identity and device access, threat protection, and information protection.
Security operations maintain and restore the security assurances of the system as live adversaries attack it. The
tasks of security operations are described well by the NIST Cybersecurity Framework functions of Detect,
Respond, and Recover.
Detect - Security operations must detect the presence of adversaries in the system, who are incentivized
to stay hidden in most cases as this allows them to achieve their objectives unimpeded. This can take the
form of reacting to an alert of suspicious activity or proactively hunting for anomalous events in the
enterprise activity logs.
Respond – Upon detection of potential adversary action or campaign, security operations must rapidly
investigate to identify whether it is an actual attack (true positive) or a false alarm (false positive) and
then enumerate the scope and goal of the adversary operation.
Recover – The ultimate goal of security operations is to preserve or restore the security assurances
(confidentiality, integrity, availability) of business services during and after an attack.
The most significant security risk most organizations face is from human attack operators (of varying skill levels). This is because the risk from automated/repeated attacks has been mitigated significantly for most organizations by signature- and machine-learning-based approaches built into anti-malware (though there are notable exceptions like Wannacrypt and NotPetya, which moved faster than these defenses).
While human attack operators are challenging to face because of their adaptability (vs. automated/repeated logic), they operate at the same "human speed" as defenders, which helps level the playing field.
Security Operations (sometimes referred to as a Security Operations Center (SOC)) has a critical role to play in
limiting the time and access an attacker can get to valuable systems and data. Each minute that an attacker has
in the environment allows them to continue to conduct attack operations and access sensitive or valuable
systems.
Topic | Resource
SecOps planning for incident response | Incident response planning for preparing your organization for an incident.
SecOps incident response process | Incident response process for best practices on responding to an incident.
Incident response workflow | Example incident response workflow for Microsoft 365 Defender
Periodic security operations | Example periodic security operations for Microsoft 365 Defender
If you are an experienced security analyst, see these resources to quickly ramp up your SecOps team for Microsoft security services.
Topic | Resource
Security operations establishment or modernization | Azure Cloud Adoption Framework articles for SecOps and SecOps functions
Next step
Review security operations capabilities.
Security operations capabilities
These are the capabilities that you can use for your security operations.
Capability | Description | More information
Microsoft Defender for Cloud | A unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud - whether they're in Azure or not - as well as on premises. | Microsoft Defender for Cloud documentation
Azure Active Directory (Azure AD) Identity Protection | Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy for low, medium, and high sign-in risk and user risk. | What is Azure Active Directory Identity Protection?
Microsoft Defender for Identity | A cloud-based security solution that leverages your on-premises Active Directory Domain Services signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Defender for Identity empowers SecOps analysts and security professionals to detect advanced attacks in hybrid environments. | Defender for Identity documentation
Microsoft Defender for Office 365 | Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. | Defender for Office 365 documentation
Microsoft Defender for Endpoint | An endpoint protection platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. | Defender for Endpoint documentation
Microsoft Defender for Cloud Apps | A cloud access security broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. | Microsoft Defender for Cloud Apps documentation
Microsoft 365 Defender portal | Combines protection, detection, investigation, and response to email, collaboration, identity, and device threats in a central portal. It includes information from Defender for Office 365, Defender for Endpoint, Defender for Identity, and Microsoft Defender for Cloud Apps for quick access to information, simpler layouts, and bringing related information together for easier alert detection, threat visibility, proactive hunting, and incident response. | Microsoft 365 Defender portal documentation
See also
Security operations functions from the Cloud Adoption Framework for Azure
SOC Process Framework Workbook for Microsoft Sentinel
Azure AD security operations guide
Microsoft 365 Defender security operations guide
Incident response is the practice of investigating and remediating active attack campaigns on your organization.
This is part of the security operations discipline and is primarily reactive in nature.
Incident response has the largest direct influence on the overall mean time to acknowledge (MTTA) and mean
time to remediate (MTTR) that measure how well security operations are able to reduce organizational risk.
Incident response teams heavily rely on good working relationships between threat hunting, intelligence, and
incident management teams (if present) to actually reduce risk. See SecOps metrics for more information.
For more information on security operations roles and responsibilities, see Cloud SOC functions.
New-to-role resources
If you are new-to-role as a security analyst, see these resources to get you started.
Topic | Resource
SecOps planning for incident response | Incident response planning for preparing your organization for an incident.
SecOps incident response process | Incident response process for best practices on responding to an incident.
Incident response workflow | Example incident response workflow for Microsoft 365 Defender
Periodic security operations | Example periodic security operations for Microsoft 365 Defender
Topic | Resource
Security operations establishment or modernization | Azure Cloud Adoption Framework articles for SecOps and SecOps functions
Topic | Resource
Microsoft security best practices | How to best use your SecOps center
Simuland
Simuland is an open-source initiative to deploy lab environments and end-to-end simulations that:
Reproduce well-known techniques used in real attack scenarios.
Actively test and verify the effectiveness of related Microsoft 365 Defender, Microsoft Defender for Cloud,
and Microsoft Sentinel detections.
Extend threat research using telemetry and forensic artifacts generated after each simulation exercise.
Simuland lab environments provide use cases from a variety of data sources including telemetry from Microsoft
365 Defender security products, Microsoft Defender for Cloud, and other integrated data sources through
Microsoft Sentinel data connectors.
In the safety of a trial or paid sandbox subscription, you can:
Understand the underlying behavior and functionality of adversary tradecraft.
Identify mitigations and attacker paths by documenting preconditions for each attacker action.
Expedite the design and deployment of threat research lab environments.
Stay up to date with the latest techniques and tools used by real threat actors.
Identify, document, and share relevant data sources to model and detect adversary actions.
Validate and tune detection capabilities.
The learnings from Simuland lab environment scenarios can then be implemented in your production
environment and security processes.
After reading an overview of Simuland, see the Simuland GitHub repository.
Incident response resources
Planning for your SOC
Process for incident response process recommendations and best practices
Playbooks for detailed guidance on responding to common attack methods
Microsoft 365 Defender incident response
Microsoft Sentinel incident response
Use this table as a checklist to prepare your Security Operations Center (SOC) to respond to cybersecurity
incidents.
Table top exercises | Conduct periodic table top exercises of foreseeable business-impacting cyber incidents that force your organization's management to contemplate difficult risk-based decisions. | Firmly establishes and illustrates cybersecurity as a business issue. Develops muscle memory and surfaces difficult decisions and decision rights issues across the organization.
Who/when/if to seek assistance from law enforcement?
Who/when/if to enlist incident responders?
Who/when/if to pay ransom?
Who/when/if to notify external auditors?
Who/when/if to notify privacy regulatory authorities?
Who/when/if to notify securities regulators?
Who/when/if to notify board of directors or audit committee?
Incident Recorder – Removes the burden of recording findings, decisions, and actions from an incident responder and produces an accurate accounting of the incident from beginning to end.
Red Team / Blue Team / Purple Team / Green Team | Conduct continuous or periodic simulated attacks against business-critical systems, critical infrastructure, and backups to identify weaknesses in security posture. This is generally conducted by internal attack teams (Red teams) who are focused on testing the effectiveness of detective controls and teams (Blue teams). For example, you can use Attack simulation training for Microsoft 365 Defender for Office 365 and Attack tutorials & simulations for Microsoft 365 Defender for Endpoint. | Red, Blue, and Purple team attack simulations, when done well, serve a multitude of purposes: allows engineers from across the IT organization to simulate attacks on their own infrastructure disciplines; surfaces gaps in visibility and detection; raises the security engineering skills across the board; serves as a more continuous and expansive process.
The first step is to have an incident response plan in place that encompasses both internal and external
processes for responding to cybersecurity incidents. The plan should include how to:
Address attacks that vary with the business risk and impact of the incident, which can vary from an isolated
web site that is no longer available to the compromise of administrator-level credentials.
Define the purpose of the response, such as a return to service or to handle legal or public relations aspects
of the attack.
Prioritize the work that needs to get done in terms of how many people should be working on the incident
and their tasks.
See the incident response planning article for a checklist of activities to consider including in your incident
response plan. Once your incident response plan is in place, test it regularly for the most serious types of
cyberattacks to ensure that your organization can respond quickly and efficiently.
Although each organization’s incident response process may be different based on organizational structure and
capabilities, consider the set of recommendations and best practices in this article for responding to security
incidents.
During an incident, it is critical to:
Keep calm
Incidents are extremely disruptive and can become emotionally charged. Stay calm and focus on
prioritizing your efforts on the most impactful actions first.
Do no harm
Confirm that your response is designed and executed in a way that avoids loss of data, loss of business-critical functionality, and loss of evidence. Avoid decisions that can damage your ability to create forensic timelines, identify root cause, and learn critical lessons.
Involve your legal department
Determine whether they plan to involve law enforcement so you can plan your investigation and
recovery procedures appropriately.
Be careful when sharing information about the incident publicly
Confirm that anything you share with your customers and the public is based on the advice of your legal
department.
Get help when needed
Tap into deep expertise and experience when investigating and responding to attacks from sophisticated
attackers.
Like diagnosing and treating a medical disease, cybersecurity investigation and response for a major incident
requires defending a system that is both:
Critically important (can’t be shut down to work on it).
Complex (typically beyond the comprehension of any one person).
During an incident, you must strike these critical balances:
Speed
Balance the need to act quickly to satisfy stakeholders with the risk of rushed decisions.
Sharing information
Inform investigators, stakeholders, and customers based on the advice of your legal department to limit
liability and avoid setting unrealistic expectations.
This article is designed to lower the risk to your organization for a cybersecurity incident by identifying common
errors to avoid and providing guidance on what actions you can rapidly take that both reduce risk and meet
stakeholder needs.
NOTE: For additional guidance on preparing your organization for ransomware and other types of multi-stage attacks, see Prepare your recovery plan.
NOTE: For additional detailed industry guidance, see the NIST Computer Security Incident Handling Guide.
Technical
For the technical aspects of incident response, here are some goals to consider:
Try to identify the scope of the attack operation.
Most adversaries use multiple persistence mechanisms.
Identify the objective of the attack, if possible.
Persistent attackers will frequently return for their objective (data/systems) in a future attack.
Here are some useful tips:
Don’t upload files to online scanners
Many adversaries monitor instance count on services like VirusTotal for discovery of targeted malware.
Carefully consider modifications
Unless you face an imminent threat of losing business-critical data—such as deletion, encryption, and
exfiltration—balance the risk of not making the modification with the projected business impact. For
example, temporarily shutting down your organization's internet access may be necessary to protect
business-critical assets during an active attack.
If changes are necessary where the risk of not doing an action is higher than the risk of doing it,
document the action in a change log. Changes made during incident response are focused on disrupting
the attacker and may impact the business adversely. You will need to roll these changes back after the
recovery process.
Don’t investigate forever
You must ruthlessly prioritize your investigation efforts. For example, only perform forensic analysis on
endpoints that attackers have actually used or modified. In a major incident where an attacker has
administrative privileges, it is practically impossible to investigate all potentially compromised resources
(which may include all organization resources).
Share information
Confirm that all investigation teams, including all internal teams and external investigators or insurance
providers, are sharing their data with each other, based on the advice of your legal department.
Access the right expertise
Confirm that you integrate people with deep knowledge of the systems into the investigation—such as
internal staff or external entities like vendors—not just security generalists.
Anticipate reduced response capability
Plan for 50% of your staff operating at 50% of normal capacity due to situational stress.
A key expectation to manage with stakeholders is that you may never be able to identify the initial attack
because the data required for this may have been deleted before the investigation starts, such as an attacker
covering their tracks by log rolling.
Operations
For security operations aspects of incident response, here are some goals to consider:
Staying focused
Confirm you keep the focus on business-critical data, customer impact, and getting ready for
remediation.
Providing coordination and role clarity
Establish distinct roles for operations in support of the crisis team and confirm that technical, legal, and
communications teams are keeping each other informed.
Keeping your business perspective
You should always consider the impact on business operations by both adversary actions and your own
response actions.
Here are some useful tips:
Consider the Incident Command System (ICS) for crisis management
If you don’t have a permanent organization that manages security incidents, we recommend using the
ICS as a temporary organizational structure to manage the crisis.
Keep ongoing daily operations intact
Ensure that normal security operations are not completely sidelined to support incident investigations.
This work still needs to be done.
Avoid wasteful spending
Many major incidents result in the purchase of expensive security tools under pressure that are never
deployed or used. If you can’t deploy and use a tool during the investigation—which can include hiring
and training for additional staff with the skill sets needed to operate the tool—defer acquisition until after
you finish the investigation.
Access deep expertise
Confirm you have the ability to escalate questions and issues to deep experts on critical platforms. This
may require access to the operating system and application vendor for business-critical systems and
enterprise-wide components such as desktops and servers.
Establish information flows
Set clear guidance and expectations for the flow of information between senior incident response leaders
and organization stakeholders. See incident response planning for more information.
Resource - Description
2021 Microsoft Digital Defense Report - A report that encompasses learnings from security experts, practitioners, and defenders at Microsoft to empower people everywhere to defend against cyberthreats.
Microsoft Cybersecurity Reference Architectures - A set of visual architecture diagrams that show Microsoft's cybersecurity capabilities and their integration with Microsoft cloud platforms such as Microsoft 365 and Microsoft Azure and third-party cloud platforms and apps.
Minutes matter infographic download - An overview of how Microsoft's SecOps team does incident response to mitigate ongoing attacks.
Azure Cloud Adoption Framework security operations - Strategic guidance for leaders establishing or modernizing a security operation function.
Microsoft security best practices for security operations - How to best use your SecOps center to move faster than the attackers targeting your organization.
Microsoft cloud security for IT architects model - Security across Microsoft cloud services and platforms for identity and device access, threat protection, and information protection.
You need to respond quickly to detected security attacks to contain and remediate their damage. As new
widespread cyberattacks happen, such as NOBELIUM and the Exchange Server vulnerabilities, Microsoft
responds with detailed incident response guidance.
You also need detailed guidance for common attack methods that malicious users employ every day. To address
this need, use the incident response playbooks for these types of attacks:
Phishing
Password spray
App consent grant
Each playbook includes:
Prerequisites: The specific requirements you need to complete before starting the investigation. For
example, logging that should be turned on and roles and permissions that are required.
Workflow: The logical flow that you should follow to perform the investigation.
Checklist: A list of tasks for the steps in the flow chart. This checklist can be helpful in highly regulated
environments to verify what you have done.
Investigation steps: Detailed step-by-step guidance for the specific investigation.
Also see Microsoft’s DART ransomware approach and best practices for information on how the Detection and
Response Team (DART) at Microsoft deals with ransomware attacks.
This article provides guidance on identifying and investigating phishing attacks within your organization. The
step-by-step instructions will help you take the required remedial action to protect information and minimize
further risks.
This article contains the following sections:
Prerequisites: Covers the specific requirements you need to complete before starting the investigation. For
example, logging that should be turned on, roles and permissions required, among others.
Workflow: Shows the logical flow that you should follow to perform this investigation.
Checklist: Contains a list of tasks for each of the steps in the flow chart. This checklist can be helpful in
highly regulated environments to verify what you have done or simply as a quality gate for yourself.
Investigation steps: Includes a detailed step-by-step guidance for this specific investigation.
Prerequisites
Here are general settings and configurations you should complete before proceeding with the phishing
investigation.
Account details
Before proceeding with the investigation, it is recommended that you have the user name, user principal name
(UPN) or the email address of the account that you suspect is compromised.
Microsoft 365 base requirements
Verify auditing settings
Verify that mailbox auditing on by default is turned on for your organization by checking the organization's
AuditDisabled setting from Exchange Online PowerShell.
A value of False for AuditDisabled indicates that mailbox auditing on by default is enabled for the organization.
This organization-level default overrides the mailbox auditing setting on individual mailboxes: even if mailbox
auditing is disabled for a mailbox (the AuditEnabled property on the mailbox is False), the default mailbox
actions are still audited for that mailbox, because mailbox auditing on by default is enabled for the
organization.
NOTE
If the tenant was created BEFORE 2019, then you should enable the mailbox auditing and ALL auditing settings. See how
to enable mailbox auditing.
Message tracing
Message trace logs are invaluable for following a message of interest back to its original source and forward
to its intended recipients. You can use message trace through the Exchange Online portal or the
Get-MessageTrace PowerShell cmdlet.
Most message trace fields are self-explanatory, but the Message-ID, a unique identifier assigned to each email
message, deserves particular attention because it is the most reliable key for correlating one message across
systems. To obtain the Message-ID for an email of interest, examine the raw email headers.
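As an added example (not part of the playbook), the following PowerShell parses the raw headers of a reported message to recover the Message-ID and the true source of the sender (first hop, SPF/DKIM/DMARC results, and a mismatch between the display From and the envelope sender), then, when a Connect-ExchangeOnline session exists, follows that Message-ID with Get-MessageTrace. The headers are constructed for the example; the domains and IP addresses are documentation values.

```powershell
# Added example, not from the playbook: parse raw headers of a reported message, summarise the
# source-of-sender evidence, then follow the Message-ID with Get-MessageTrace when online.

function Get-MailHeaderFields {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold first: a line that starts with whitespace continues the previous header field.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2].Trim() }
        }
    }
}

function Get-HeaderValues {
    param($Fields, [string]$Name)
    # Header names are case-insensitive; PowerShell's -eq is too.
    @($Fields | Where-Object Name -eq $Name | Select-Object -ExpandProperty Value)
}

function Get-DomainPart([string]$Address) {
    if (-not $Address) { return $null }
    # "Display Name <user@domain>", "<user@domain>" or "user@domain" -> domain
    (($Address -replace '^.*@', '') -replace '[>\s].*$', '').ToLowerInvariant()
}

function Get-PhishHeaderSummary {
    param([Parameter(Mandatory)][string]$RawHeaders)
    $fields   = Get-MailHeaderFields -RawHeaders $RawHeaders
    $auth     = (Get-HeaderValues $fields 'Authentication-Results') -join ' '
    $from     = @(Get-HeaderValues $fields 'From')[0]
    $retPath  = @(Get-HeaderValues $fields 'Return-Path')[0]
    $received = @(Get-HeaderValues $fields 'Received')
    $spf   = if ($auth -match 'spf=(\w+)')   { $Matches[1] } else { 'none' }
    $dkim  = if ($auth -match 'dkim=(\w+)')  { $Matches[1] } else { 'none' }
    $dmarc = if ($auth -match 'dmarc=(\w+)') { $Matches[1] } else { 'none' }
    [pscustomobject]@{
        MessageId  = @(Get-HeaderValues $fields 'Message-ID')[0]
        From       = $from
        ReturnPath = $retPath
        # Each hop prepends its own Received line, so the LAST one is the hop nearest the sender.
        FirstHop   = $received[-1]
        Spf        = $spf
        Dkim       = $dkim
        Dmarc      = $dmarc
        # Display From in one domain and envelope sender in another is the classic spoofing tell.
        SenderDomainMismatch = ($from -and $retPath) -and ((Get-DomainPart $from) -ne (Get-DomainPart $retPath))
    }
}

# Constructed sample headers (documentation domains and IPs), as a user might forward them.
$sampleHeaders = @'
Received: from mx.contoso.example (10.0.0.5) by mailbox1.contoso.example with ESMTP;
 Mon, 12 Apr 2021 09:03:14 +0000
Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])
 by mx.contoso.example with ESMTP id 4F2A1; Mon, 12 Apr 2021 09:03:12 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=attacker.example;
 dkim=none (message not signed); dmarc=fail action=none header.from=contoso.example
Return-Path: <bounce@attacker.example>
From: "Accounts Payable" <ap@contoso.example>
To: jane.smith@contoso.example
Subject: Action required: update your account information
Message-ID: <20210412090311.4F2A1@mail.attacker.example>
'@

function Trace-ReportedMessage {
    param([Parameter(Mandatory)][string]$MessageId, [int]$DaysBack = 10)
    # Requires Connect-ExchangeOnline. Pass the Message-ID as it appears in the header, angle
    # brackets included; Get-MessageTrace covers only the last 10 days of mail flow.
    $trace = Get-MessageTrace -MessageId $MessageId -StartDate (Get-Date).AddDays(-$DaysBack) -EndDate (Get-Date)
    foreach ($hop in $trace) {
        $hop | Select-Object Received, SenderAddress, RecipientAddress, FromIP, Status
        Get-MessageTraceDetail -MessageTraceId $hop.MessageTraceId -RecipientAddress $hop.RecipientAddress |
            Select-Object Date, Event, Action, Detail
    }
}

$summary = Get-PhishHeaderSummary -RawHeaders $sampleHeaders
$summary | Format-List
if (Get-Command Get-MessageTrace -ErrorAction SilentlyContinue) {
    Trace-ReportedMessage -MessageId $summary.MessageId
}
```

The parse step runs offline and is what you would apply to the headers a user forwards; the trace step only runs once Get-MessageTrace is available in the session. For mail older than ten days, message trace in PowerShell no longer returns results and a historical search is needed instead.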
Microsoft 365 security and compliance center
To check whether a user viewed a specific document or purged an item in their mailbox, use the Office 365
Security & Compliance Center; there you can also check the permissions and roles of users and administrators.
You can also search the unified audit log and view all the activities of the user and administrator in your Office
365 organization.
Are the sign-in logs and/or audit logs exported to an external system?
Since most of the Azure Active Directory (Azure AD) sign-in and audit data will get overwritten after 30 or 90
days, Microsoft recommends that you leverage Sentinel, Azure Monitor or an external SIEM.
NOTE
If a user has the View-Only Audit Logs or Audit Logs role on the Permissions page in the Security & Compliance
Center, they won't be able to search the Office 365 audit log. In this scenario, you must assign the permissions in
Exchange Online because an Exchange Online cmdlet is used to search the log.
If you have implemented role-based access control (RBAC) in Exchange, or if you are unsure which role you
need in Exchange, you can use PowerShell to get the roles required for an individual Exchange PowerShell
cmdlet.
For more information, see permissions required to run any Exchange cmdlet.
Microsoft Defender for Endpoint
If you have Microsoft Defender for Endpoint (MDE) enabled and rolled out already, you should leverage it for
this flow. See Tackling phishing with signal-sharing and machine learning.
System requirements
Hardware requirements
The system should be able to run PowerShell.
Software requirements
The following PowerShell modules are required for the investigation of the cloud environment:
AzureAD
AzureADPreview (in some cases)
MSOnline (for Office 365)
The Exchange Online PowerShell module (ExchangeOnlineManagement), to connect to Exchange Online for the
unified audit log searches (inbox rules, message traces, forwarding rules, mailbox delegations, among others)
AzureADIncidentResponse
When you use Azure AD commands that are not part of the built-in Azure modules, you need the MSOnline
module, which is the same module that is used for Office 365. To work with Azure AD (which contains a set of
functions) from PowerShell, install the Azure AD module.
Before installing the modules, allow locally created and signed remote scripts to run:
Set-ExecutionPolicy RemoteSigned
Then install each module with Install-Module.
NOTE
If you are prompted to install modules from an untrusted repository, type Y and press Enter.
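As an added example (not the playbook's own code), this script performs the one-time workstation setup described above and then runs the two prerequisite checks from the Microsoft 365 base requirements: that mailbox auditing on by default is enabled for the organization, and which Exchange roles may run the cmdlets the investigation depends on. It assumes Windows PowerShell 5.1 or later with PowerShellGet, an account that can connect to Exchange Online and Azure AD, and the PowerShell Gallery names of the modules.

```powershell
# Added example, not from the playbook: investigator workstation setup plus the Exchange Online
# prerequisite checks. Assumes PowerShellGet is available and the signed-in account can connect.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Trusting the gallery avoids the "untrusted repository" prompt mentioned in the note above.
Set-PSRepository -Name PSGallery -InstallationPolicy Trusted

# AzureAD and AzureADPreview share cmdlet names: install both, but import only one per session.
$modules = 'AzureAD', 'AzureADPreview', 'MSOnline', 'ExchangeOnlineManagement', 'AzureADIncidentResponse'
foreach ($m in $modules) {
    if (-not (Get-Module -ListAvailable -Name $m)) {
        Install-Module -Name $m -Scope CurrentUser -AllowClobber
    }
}

# Interactive sign-in for each service used by the playbook.
Connect-ExchangeOnline
Connect-AzureAD
Connect-MsolService

# Check 1: mailbox auditing on by default. AuditDisabled = False means auditing is ON for the org.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing on by default is OFF; enable it (Set-OrganizationConfig -AuditDisabled $false) before continuing.'
} else {
    Write-Host 'Mailbox auditing on by default is enabled (AuditDisabled = False).'
}

# Mailboxes whose own AuditEnabled flag is off. The org default still audits them, but a mailbox
# where an attacker switched auditing off is itself a finding worth recording.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

# Check 2: which Exchange management roles grant each cmdlet this investigation uses.
foreach ($cmdlet in 'Search-UnifiedAuditLog', 'Search-Mailbox', 'Get-MessageTrace', 'Get-InboxRule') {
    Get-ManagementRole -Cmdlet $cmdlet |
        Select-Object @{ n = 'Cmdlet'; e = { $cmdlet } }, Name
}
```

If Search-UnifiedAuditLog does not appear in a role assigned to you, assign the role in Exchange Online rather than in the Security & Compliance Center, as the note above explains.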
Workflow
You can also:
Download the phishing and other incident response playbook workflows as a PDF.
Download the phishing and other incident response playbook workflows as a Visio file.
Checklist
This checklist will help you evaluate your investigation process and verify whether you have completed all the
steps during investigation:
Review initial phishing email
Get the list of users who got this email
Get the latest dates when the user had access to the mailbox
Is delegated access configured on the mailbox?
Is there a forwarding rule configured for the mailbox?
Review your Mail Transport Rules
Find the email(s)
Did the user read or open the email?
Who else got the same email?
Did the email contain an attachment?
Was there payload in the attachment?
Check email header for true source of the sender
Verify IP addresses against known attackers/campaigns
Did the user click the link in the email?
On what endpoint was the email opened?
Was the attachment payload executed?
Was the destination IP or URL touched or opened?
Was malicious code executed?
What sign-ins happened with the account for the federated scenario?
What sign-ins happened with the account for the managed scenario?
Investigate the source IP address
Investigate the device ID found
Investigate each App ID
You can also download the phishing and other incident playbook checklists as an Excel file.
Investigation steps
For this investigation, it is assumed that you either have a sample phishing email, or parts of it like the sender’s
address, subject of the email, or parts of the message to start the investigation. Please also make sure that you
have completed / enabled all settings as recommended in the Prerequisites section.
This playbook is created with the intention that not all Microsoft customers and their investigation teams will
have the full Microsoft 365 E5 or Azure AD Premium P2 license suite available or configured in the tenant that is
being investigated. We will however highlight additional automation capabilities when appropriate.
Get the list of users / identities who got the email
As the very first step, you need to get a list of users / identities who received the phishing email. The objective of
this step is to record a list of potential users / identities that you will later use to iterate through for additional
investigation steps. Please refer to the Workflow section for a high-level flow diagram of the steps you need to
follow during this investigation.
We do not give any recommendations in this playbook on how you want to record this list of potential users /
identities. Depending on the size of the investigation, you can use an Excel workbook, a CSV file, or even a
database for larger investigations. There are multiple ways to obtain the list of identities in a given tenant, and
here are some examples.
Create a search filter within the security & compliance center
Navigate to the security & compliance center in Microsoft 365 and create a new search filter, using the
indicators you have been provided. Follow the guidance on how to create a search filter.
For a full list of searchable patterns in the security & compliance center, refer to the article on searchable email
properties.
Sample search patterns
The following example query returns messages that were received by users between April 13, 2016 and April
14, 2016 and that contain the words "action" and "required" in the subject line:
The following example query returns messages that were sent by chatsuwloginsset12345@outlook[.]com and
that contain the exact phrase "Update your account information" in the subject line.
For more details, see how to search for and delete messages in your organization.
Use the Search-Mailbox cmdlet
You can use the Search-mailbox cmdlet to perform a specific search query against a target mailbox of interest
and copy the results to an unrelated destination mailbox.
The following example query searches Jane Smith mailbox for an email that contains the phrase Invoice in the
subject and copies the results to IRMailbox in a folder named "Investigation."
In this example command, the query searches all tenant mailboxes for an email that contains the phrase
"InvoiceUrgent" in the subject and copies the results to IRMailbox in a folder named "Investigation."
Get-Mailbox | Search-Mailbox -SearchQuery 'InvoiceUrgent vote' -TargetMailbox "IRMailbox" -TargetFolder "Investigation" -LogLevel Full
Additionally, you can also utilize the Inbox and Forwarding Rules report in the Office 365 security & compliance
center.
1. Navigate to Dashboard > Report Viewer - Security & Compliance.
2. Look for unusual target locations, or any kind of external addressing.
3. Also look for forwarding rules with unusual key words in the criteria such as all mail with the word
invoice in the subject. Contact the mailbox owner to check whether it is legitimate.
Review inbox rules
Additionally, check for the removal of inbox rules: search the unified audit log for the Remove-InboxRule
operation, and consider the timestamps in proximity to your investigation, because a rule that was created
and then removed inside the suspected window is itself a finding.
Review mail transport rules
There are two ways to obtain the list of transport rules.
1. In the Exchange admin center, navigate to Mail > Flow > Rules .
2. In the Office 365 Security & Compliance Center, navigate to Dashboard Report Viewer > Security &
Compliance - Exchange Transport Rule report and create a report.
The summary view of the report shows you a list of all the mail transport rules you have configured for your
tenancy. When you select any given rule, you'll see details of the rule in a Summary pane to the right, which
includes the qualifying criteria and the action taken when the rule condition matches.
Look for new rules, or rules that have been modified to redirect mail to external domains. The number of
rules should be relatively small, so that you can maintain a list of known-good rules. Creating a new rule
writes an entry to the audit log, so you can search the audit report to determine who created the rule and
from where they created it. If you see something unusual, contact the creator to determine whether it is
legitimate.
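As an added example (not the playbook's own code), the following script makes one pass over the persistence mechanisms the checklist asks about for a suspected mailbox: inbox rules that forward, redirect or hide mail; mailbox-level forwarding; delegated access; the audit trail of who created, changed or removed inbox rules and from which IP; and transport rules that were changed recently or send copies outside the tenant. It requires a Connect-ExchangeOnline session; the mailbox, the keyword list and the 30-day window are assumptions.

```powershell
# Added example, not from the playbook: mailbox persistence review for one account under investigation.
$Mailbox   = 'jane.smith@contoso.example'   # account under investigation (assumption)
$StartDate = (Get-Date).AddDays(-30)
$EndDate   = Get-Date

# 1) Inbox rules: anything that forwards, redirects or hides mail is suspicious, doubly so when keyed
#    on financial terms (attackers hide the victim's replies to the fraudulent thread).
Get-InboxRule -Mailbox $Mailbox | ForEach-Object {
    $r = $_
    $reasons = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $reasons += 'forwards or redirects mail' }
    if ($r.DeleteMessage) { $reasons += 'deletes messages' }
    if ($r.MoveToFolder -match 'RSS|Archive|Junk|Deleted') { $reasons += "moves mail to $($r.MoveToFolder)" }
    if (($r.SubjectOrBodyContainsWords + $r.SubjectContainsWords) -match 'invoice|password|payment|wire') {
        $reasons += 'keys on financial terms'
    }
    if ($reasons) {
        [pscustomobject]@{ Rule = $r.Name; Enabled = $r.Enabled; Why = $reasons -join '; ' }
    }
}

# 2) Mailbox-level forwarding set outside inbox rules (often missed because it is not a "rule").
Get-Mailbox -Identity $Mailbox |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3) Delegated access: explicit (non-inherited) mailbox permissions and SendAs rights.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights

# 4) Who added, changed or removed inbox rules, and from where. AuditData is a JSON document.
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $Mailbox `
    -Operations New-InboxRule, Set-InboxRule, Remove-InboxRule, UpdateInboxRules -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $d.CreationTime
            Operation = $d.Operation
            Actor     = $d.UserId
            ClientIP  = $d.ClientIP
            # Parameters carries the cmdlet arguments, for example the rule Name or its ForwardTo target.
            Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Sort-Object When

# 5) Transport rules: recently changed, or copying/redirecting mail (compare against your known-good list).
Get-TransportRule |
    Select-Object Name, State, Priority, WhenChanged, RedirectMessageTo, BlindCopyTo, CopyTo, SentToScope |
    Where-Object { $_.WhenChanged -gt $StartDate -or $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo } |
    Sort-Object WhenChanged -Descending
```

Step 4 covers the Remove-InboxRule case from the inbox rules section as well: a rule that appears in the audit trail but not in step 1 was created and then removed, which is a stronger indicator than a rule that is still present.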
Get the latest dates when the user had access to the mailbox
In the Office 365 security & compliance center, navigate to unified audit log. Under Activities in the drop-down
list, you can filter by Exchange Mailbox Activities .
The capability to list compromised users is available in the Microsoft 365 security & compliance center.
This report shows activities that could indicate a mailbox is being accessed illicitly. It includes created or received
messages, moved or deleted messages, copied or purged messages, sent messages using send on behalf or
send as, and all mailbox sign ins. The data includes date, IP address, user, activity performed, the item affected,
and any extended details.
NOTE
For this data to be recorded, you must enable the mailbox auditing option.
The volume of data included here could be very substantial, so focus your search on users that would have
high-impact if breached. Look for unusual patterns such as odd times of the day, or unusual IP addresses, and
look for patterns such as high volumes of moves, purges, or deletes.
Did the user read / open the email?
There are two main cases here:
Microsoft Exchange Online
Hybrid Exchange with on-premises Exchange servers.
Microsoft Exchange Online
Use the Search-Mailbox cmdlet to perform a specific search query against a target mailbox of interest and copy
the results to an unrelated destination mailbox.
As described under Use the Search-Mailbox cmdlet above, the first sample query searches Jane Smith's mailbox
for an email that contains the phrase Invoice in the subject and copies the results to IRMailbox in a folder named
Investigation, and the second sample query searches all tenant mailboxes for an email that contains the phrase
InvoiceUrgent in the subject and copies the results to IRMailbox in a folder named Investigation.
Exchange on-premises
Use the Get-MessageTrackingLog cmdlet to search for message delivery information stored in the message
tracking log. Here's an example:
Get-MessageTrackingLog -Server Mailbox01 -Start "03/13/2018 09:00:00" -End "03/15/2018 17:00:00" -Sender "john@contoso.com"
For information about parameter sets, see the Exchange cmdlet syntax.
Who else got the same email?
There are two main cases here: you have Exchange Online, or Hybrid Exchange with on-premises Exchange
servers. The workflow is essentially the same as explained in the topic
Get the list of users/identities who got the email.
Exchange Online
Use the Search-Mailbox cmdlet to perform a specific search query against a target mailbox of interest and copy
the results to an unrelated destination mailbox.
The sample query under Use the Search-Mailbox cmdlet above searches all tenant mailboxes for an email that
contains InvoiceUrgent in the subject and copies the results to IRMailbox in a folder named Investigation.
Exchange on-premises
Use the Get-MessageTrackingLog cmdlet to search for message delivery information stored in the message
tracking log, as in the example in the previous section.
To search message content on-premises (for example, for a particular attachment), use the Search-Mailbox
cmdlet; it searches mailbox contents, not the message tracking log.
NOTE
For Exchange 2013, you need CU12 to have this cmdlet running.
NOTE
In an SPF record, -all means reject or fail: do not deliver the email if the sending source does not match
anything in the record. This setting is recommended.
Federated scenario
The audit log settings and events differ based on the operating system (OS) Level and the Active Directory
Federation Services (ADFS) Server version.
See the following sections for different server versions.
Server 2012R2
By default, security events are not audited on Server 2012R2. You need to enable this feature on each ADFS
server in the farm: in the ADFS Management console, select Edit Federation Service Properties.
For more details, see how to configure ADFS servers for troubleshooting.
You may want to also download the ADFS PowerShell modules from:
GitHub
Microsoft scriptcenter
Server 2016 and newer
By default, ADFS in Windows Server 2016 has basic auditing enabled. With basic auditing, administrators can
see five or fewer events for a single request. You can raise or lower the auditing level with the
Set-AdfsProperties -AuditLevel command (the values are listed under Set up ADFS logging in the password
spray playbook).
You can also search using the Graph API. For example, filter on User properties and get lastSignInDate along
with it. Search for a specific user to get the last signed-in date for this user. For example,
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'Dhanyah')&$select=displayName,signInActivity
Or you can use the PowerShell command Get-AzureADUserLastSignInActivity to get the last interactive sign-in
activity for the user, targeted by their object ID. It can write the output to a date and time stamped CSV file in
the execution directory.
Or you can use the AzureADIncidentResponse PowerShell module.
When you look into the results list, navigate to the Device info tab. Depending on the device used, you will get
varying output. Here are a few examples:
Example 1 - Un-managed device (BYOD):
Record the CorrelationID, Request ID and timestamp. You should use CorrelationID and timestamp to correlate
your findings to other events.
Federated user/application
Follow the same procedure that is provided for Federated sign-in scenario.
Look for and record the DeviceID, OS Level, CorrelationID, RequestID.
Investigate the identified DeviceID
This step is relevant for only those devices that are known to Azure AD. For example, from the previous steps, if
you found one or more potential device IDs, then you can investigate further on this device. Look for and record
the DeviceID and Device Owner.
Investigate each AppID
The starting point here are the sign-in logs and the app configuration of the tenant or the federation servers'
configuration.
Managed scenario
From the previously found sign-in log details, check the Application ID under the Basic info tab:
Note the differences between the Application (and ID) to the Resource (and ID). The application is the client
component involved, whereas the Resource is the service / application in Azure AD.
With this AppID, you can now research the application in the tenant: navigate to All Applications in the
Enterprise Applications portal, search for the specific AppID, and review the application's publisher, its owners,
and the permissions it has been granted.
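As an added example (not from the playbook), the script below covers both the managed sign-in step and the AppID step: it collects the sign-ins for one account, records the fields the playbook asks you to note (CorrelationId, DeviceId, AppId), separates sign-ins from devices Azure AD does not know, and then resolves every AppId that authenticated as the user to its service principal, owners and consented permissions. It needs the AzureADPreview module for Get-AzureADAuditSignInLogs and a Connect-AzureAD session with rights to read sign-in logs; the UPN and the 14-day window are assumptions.

```powershell
# Added example, not from the playbook: per-user sign-in collection and AppId resolution.
# Assumes AzureADPreview is imported and Connect-AzureAD has been run.
$Upn   = 'jane.smith@contoso.example'
$Since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$signIns = Get-AzureADAuditSignInLogs -All $true -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $Since" |
    Select-Object CreatedDateTime, IpAddress, AppId, AppDisplayName, ResourceDisplayName,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
        @{ n = 'DeviceId';  e = { $_.DeviceDetail.DeviceId } },
        @{ n = 'OS';        e = { $_.DeviceDetail.OperatingSystem } },
        @{ n = 'Managed';   e = { $_.DeviceDetail.IsManaged } },
        CorrelationId, Id

# Preserve the evidence as a time-stamped CSV in the working directory.
$signIns | Export-Csv -NoTypeInformation -Path ('signins-{0}-{1:yyyyMMdd-HHmm}.csv' -f ($Upn -replace '@.*'), (Get-Date))

# Sign-ins with no DeviceId come from devices Azure AD does not know (typically BYOD); group them by IP.
$signIns | Where-Object { -not $_.DeviceId } | Group-Object IpAddress |
    Select-Object Name, Count | Sort-Object Count -Descending

# Every distinct client application that authenticated as this user, resolved to its tenant object.
# AppId is the client component; ResourceDisplayName is the service it called. Keep the two apart.
foreach ($appId in ($signIns.AppId | Sort-Object -Unique)) {
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { Write-Warning "$appId has no service principal in this tenant"; continue }
    [pscustomobject]@{
        AppId       = $appId
        DisplayName = $sp.DisplayName
        Publisher   = $sp.PublisherName
        Owners      = (Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId |
                        ForEach-Object { $_.UserPrincipalName }) -join ';'
        # Delegated permissions consented to this client; ConsentType AllPrincipals means an admin
        # consented on behalf of every user, Principal means a single user did.
        Consent     = (Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId |
                        ForEach-Object { "$($_.ConsentType): $($_.Scope)" }) -join ' | '
    }
}
```

An AppId with a recent creation, an unknown publisher and a broad Scope such as Mail.Read or Mail.ReadWrite on a user-level consent is the pattern the app consent grant playbook later in this guidance investigates in depth.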
This article provides guidance on identifying and investigating password spray attacks within your organization
and on taking the required remedial action to protect information and minimize further risks.
This article contains the following sections:
Prerequisites: Covers the specific requirements you need to complete before starting the investigation. For
example, logging that should be turned on, roles and permissions required, among others.
Workflow: Shows the logical flow that you should follow to perform this investigation.
Checklist: Contains a list of tasks for each of the steps in the flow chart. This checklist can be helpful in
highly regulated environments to verify what you have done or simply as a quality gate for yourself.
Investigation steps: Includes a detailed step-by-step guidance for this specific investigation.
Recovery: Contains high-level steps on how to recover/mitigate from a password spray attack.
References: Contains additional reading and reference materials.
Prerequisites
Before starting the investigation, make sure you have completed the setup for logs and alerts and additional
system requirements.
Set up ADFS logging
Event logging on ADFS 2016
By default, Microsoft Active Directory Federation Services (ADFS) in Windows Server 2016 has a basic level
of auditing enabled. With basic auditing, administrators can see five or fewer events for a single request.
To view the current auditing level, you can use this PowerShell command:
Get-AdfsProperties
To change it, use Set-AdfsProperties -AuditLevel with one of these values:
Audit level       Command                                   Description
Basic (default)   Set-AdfsProperties -AuditLevel Basic      No more than 5 events will be logged for a single request
Verbose           Set-AdfsProperties -AuditLevel Verbose    All events will be logged. This will log a significant amount of information per request.
Workflow
You can also:
Download the password spray and other incident response playbook workflows as a PDF.
Download the password spray and other incident response playbook workflows as a Visio file.
Checklist
Investigation triggers
Received a trigger from SIEM, firewall logs, or Azure AD
Azure AD Identity Protection Password Spray feature or Risky IP
Large number of failed sign-ins (Event ID 411)
Spike in Azure AD Connect Health for ADFS
Another security incident (for example, phishing)
Unexplained activity, such as a sign-in from unfamiliar location or a user getting unexpected MFA prompts
Investigation
What is being alerted?
Can you confirm this is a password spray?
Determine timeline for attack.
Determine the IP address(es) of the attack.
Filter on successful sign-ins for this time period and IP address, including successful password but failed MFA
Check MFA reporting
Is there anything out of the ordinary on the account, such as new device, new OS, new IP address used? Use
Defender for Cloud Apps or Azure Information Protection to detect suspicious activity.
Inform local authorities/third parties for assistance.
If you suspect a compromise, check for data exfiltration.
Check associated account for suspicious behavior and look to correlate to other possible accounts and
services as well as other malicious IP addresses.
Check accounts of anyone working in the same office/delegated access - password hygiene (make sure they
are not using the same password as the compromised account)
Run ADFS help
Mitigations
Check the References section for guidance on how to enable features.
Block the IP address of the attacker (keep an eye out for changes to another IP address)
Change the password of any user suspected of compromise
Enable ADFS Extranet Lockout
Disable legacy authentication
Enable Azure AD Identity Protection (sign-in and user risk policies)
Enable MFA (if not already)
Enable Password Protection
Deploy Azure AD Connect Health for ADFS (if not already)
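As an added example (not the playbook's own code), this script puts the ADFS logging prerequisite and the ADFS-side items of the mitigations checklist into one place, and adds the Azure AD containment step for an account whose password is known to the attacker. The ADFS parts run on a server in the farm with the ADFS module (Windows Server 2016 or later for banned IPs; extranet lockout itself exists from 2012 R2). The thresholds, the IP list and the UPN are assumptions; the IP addresses are documentation ranges.

```powershell
# Added example, not from the playbook: ADFS auditing, extranet lockout, banned IPs, and Azure AD
# containment. Run the ADFS section on an ADFS server as an ADFS administrator.
Import-Module ADFS

# --- Logging prerequisite. Security-log auditing for "Application Generated" must be on, or ADFS
# writes no 411/412/1203 audit events regardless of AuditLevel.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
if ((Get-AdfsProperties).AuditLevel -notcontains 'Verbose') {
    Set-AdfsProperties -AuditLevel Verbose   # all events per request; expect a much larger Security log
}

# --- Mitigation: extranet lockout. Keep the threshold BELOW the AD account lockout threshold,
# otherwise a spray through the Web Application Proxy locks real users out of AD before ADFS stops it.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold 10 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30) `
                   -ExtranetLockoutRequirePDC $false

# --- Mitigation: ban the attacking sources at ADFS. Re-run as the attacker moves to new addresses.
$attackerIps = '198.51.100.23', '203.0.113.0/24'   # from the investigation (assumption)
Set-AdfsProperties -AddBannedIps $attackerIps
"Banned at ADFS: $((Get-AdfsProperties).BannedIpList -join ', ')"

# --- Verification: audit events per ID over the last hour. Zero rows means auditing still is not
# reaching the Security log (411 = token validation failed, 412 = success, 1203 = fresh credential error).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count | Sort-Object Count -Descending

# --- Containment in Azure AD for a confirmed compromise (needs Connect-AzureAD): reset the password
# AND revoke refresh tokens, otherwise sessions opened with the old password stay valid.
function Set-CompromisedAccountContained {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-AzureADUser -ObjectId $Upn
    $newPassword = Read-Host -AsSecureString -Prompt "New password for $Upn"
    Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $newPassword -ForceChangePasswordNextLogin $true
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
}
# Set-CompromisedAccountContained -Upn 'jane.smith@contoso.example'
```

For a federated user the on-premises password is the one that was guessed, so the reset happens in Active Directory and is synchronized; the refresh-token revocation in Azure AD is still needed to end existing cloud sessions.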
Recovery
Tag bad IP address in Defender for Cloud Apps, SIEM, ADFS and Azure AD
Check for other forms of mailbox persistence such as forwarding rules or additional delegations added
MFA as primary authentication
Configure SIEM integrations with Cloud
Configure Alerting - Identity Protection, ADFS Health Connect, SIEM and Defender for Cloud Apps
Lessons Learnt (include key stakeholders, third parties, communication teams)
Security posture review/improvements
Plan to run regular attack simulators
You can also download the password spray and other incident playbook checklists as an Excel file.
Investigation steps
Password spray incident response
Let’s understand a few password spray attack techniques before proceeding with the investigation.
Password compromise: An attacker has successfully guessed the user’s password but has not been able to
access the account due to other controls such as multi-factor authentication (MFA).
Account compromise: An attacker has successfully guessed the user’s password and has successfully gained
access to the account.
Environment discovery
Identify authentication type
As the very first step, you need to check what authentication type is used for the tenant/verified domain that
you are investigating, because a federated domain leaves its sign-in evidence on the ADFS servers while a
managed domain leaves it only in Azure AD.
To obtain the authentication status for a specific domain name, use the Get-MsolDomain PowerShell command;
the Authentication property of the result is Managed or Federated. Here's an example:
Connect-MsolService
Get-MsolDomain -DomainName "contoso.com"
NOTE
The Staged Rollout feature allows the tenant domain name to be federated but specific users to be managed. Determine if
any users are members of this group.
NOTE
You can perform investigation and mitigation simultaneously during sustained/ongoing attacks.
ADFS 2016/2019
Along with the ADFS event IDs used below (411, 412, 342, 516), collate Audit Event 1203 - Fresh Credential
Validation Error.
1. Collate all successful sign-ins for this time on ADFS (if federated). A quick sign-in and logout (at the same
second) can be an indicator of a password being guessed successfully and then tried by the attacker.
2. Collate any Azure AD successful or interrupted events for this time period, for both federated and managed
scenarios.
Monitor and collate error codes from Azure AD
See how to find the meaning of error logs.
The following Azure AD sign-in error codes are relevant:
50057 - User account was disabled
50055 - Password expired
50072 - User prompted to provide MFA
50074 - MFA required
50079 - User needs to register security info
53003 - User blocked by Conditional Access
53004 - Cannot configure MFA due to suspicious activity
530032 - Blocked by Conditional Access on Security Policy
Sign-in status: Success, Failure, Interrupt
Collate event IDs from Sentinel playbook
You can get all the Event IDs from the Sentinel Playbook that is available on GitHub.
Isolate and confirm attack
Isolate the ADFS and Azure AD successful and interrupted sign-in events. These are your accounts of interest.
On ADFS 2012 R2 and later (federated authentication), block the attacker's IP address (see Mitigations) and
collate the relevant ADFS events for the attack window. Here's an example that returns the last 8 hours:
Get-WinEvent -FilterHashtable @{ LogName = 'Security', 'AD FS/Admin'; Id = 411, 412, 342, 516; StartTime = (Get-Date).AddHours(-8) }
Also, search the sign-in logs in the Azure portal for the time frame, the IP address, and successful and
interrupted sign-ins.
Searching for sign-ins within a specific time frame
To block the attacking IP address for managed authentication:
1. Create a named location in Azure AD Conditional Access that contains the attacker's IP address(es).
2. Create a CA policy to target all applications and block for this named location only.
Has the user used this operating system, IP, ISP, device, or browser before?
If the user has not used them before and this activity is unusual, then flag the user and investigate all of their
activities.
Is the IP marked as “risky”?
Ensure you record successful passwords but failed multi-factor authentication (MFA) responses, as this activity
indicates that the attacker is getting the password but not passing MFA.
Set aside any account that appears to be a normal sign-in, for example, passed MFA, location and IP not out of
the ordinary.
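As an added example (not from the playbook), the function below applies the isolate-and-confirm logic to a constructed set of Azure AD sign-in records carrying the same fields a sign-in log export does. A spray shows up as one source IP failing against many accounts with only one or two attempts each; the accounts to set aside are those where that same IP then obtained a clean success or an MFA interrupt, which means the password was accepted even though MFA was not passed. The thresholds and the records are assumptions; error codes 50126 (invalid username or password) and 50074 (MFA required) are standard Azure AD sign-in codes.

```powershell
# Added example, not from the playbook: password spray detection over sign-in records.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$MinDistinctUsers   = 5,   # one IP failing against at least this many accounts ...
        [int]$MaxFailuresPerUser = 3    # ... with few attempts each; more per account looks like brute force
    )
    $SignIns | Group-Object IpAddress | ForEach-Object {
        $group = $_.Group
        $fails = @($group | Where-Object ErrorCode -eq 50126)
        $users = @($fails | Select-Object -ExpandProperty UserPrincipalName -Unique)
        if ($users.Count -lt $MinDistinctUsers) { return }
        $worst = ($fails | Group-Object UserPrincipalName | Measure-Object Count -Maximum).Maximum
        if ($worst -gt $MaxFailuresPerUser) { return }
        $ordered = @($group | Sort-Object CreatedDateTime)
        # Password accepted from the attacking IP: a clean success (0) or an MFA interrupt (50074).
        $hits = @($group | Where-Object { $_.ErrorCode -in 0, 50074 } |
            Select-Object -ExpandProperty UserPrincipalName -Unique)
        [pscustomobject]@{
            IpAddress          = $_.Name
            DistinctUsers      = $users.Count
            Failures           = $fails.Count
            FirstSeen          = $ordered[0].CreatedDateTime
            LastSeen           = $ordered[-1].CreatedDateTime
            AccountsOfInterest = $hits -join ';'
        }
    }
}

# Constructed records (documentation IP ranges) in the shape of a sign-in log export.
function New-SignIn([string]$User, [string]$Ip, [int]$Code, [string]$When) {
    [pscustomobject]@{ UserPrincipalName = $User; IpAddress = $Ip; ErrorCode = $Code; CreatedDateTime = [datetime]$When }
}

$sample = @(
    # 198.51.100.23 walks the directory, one guess per account, then lands on jane (MFA interrupt).
    New-SignIn 'adam@contoso.example' '198.51.100.23' 50126 '2021-12-01T02:00:01Z'
    New-SignIn 'beth@contoso.example' '198.51.100.23' 50126 '2021-12-01T02:00:03Z'
    New-SignIn 'carl@contoso.example' '198.51.100.23' 50126 '2021-12-01T02:00:05Z'
    New-SignIn 'dana@contoso.example' '198.51.100.23' 50126 '2021-12-01T02:00:07Z'
    New-SignIn 'erin@contoso.example' '198.51.100.23' 50126 '2021-12-01T02:00:09Z'
    New-SignIn 'jane@contoso.example' '198.51.100.23' 50074 '2021-12-01T02:00:11Z'
    # 203.0.113.9 hammers a single account: brute force, handled separately, not a spray.
    1..6 | ForEach-Object { New-SignIn 'adam@contoso.example' '203.0.113.9' 50126 ('2021-12-01T03:00:{0:00}Z' -f $_) }
    # 192.0.2.10 is beth at her desk: one typo, then a normal success.
    New-SignIn 'beth@contoso.example' '192.0.2.10' 50126 '2021-12-01T08:00:00Z'
    New-SignIn 'beth@contoso.example' '192.0.2.10' 0     '2021-12-01T08:00:20Z'
)

Find-PasswordSpray -SignIns $sample | Format-Table -AutoSize
```

To run the same function over real data, build the records from Get-AzureADAuditSignInLogs (AzureADPreview) or from a sign-in log CSV export, mapping Status.ErrorCode to the ErrorCode field; the spray IP is then the one to tag in Defender for Cloud Apps and the SIEM, and the AccountsOfInterest column is the list to reset and to check for mailbox persistence.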
MFA reporting
It is important to also check the MFA logs, as an attacker could have successfully guessed a password but be
failing the MFA prompt. The Azure AD MFA logs show authentication details for events where a user was
prompted for multi-factor authentication. Check that there is no large volume of suspicious MFA events in
Azure AD. For more information, see how to use the sign-ins report to review Azure AD Multi-Factor
Authentication events.
Additional checks
In Defender for Cloud Apps, investigate activities and file access of the compromised account. For more
information, see:
Investigate compromise with Defender for Cloud Apps
Investigate anomalies with Defender for Cloud Apps
Check whether the user has access to additional resources, such as virtual machines (VMs), domain account
permissions, storage, among others.
If data has been breached, then you should inform additional agencies, such as the police.
Recovery
Password protection
Implement password protection on Azure AD and on-premises by enabling the custom-banned password lists.
This configuration will prevent users from setting weak passwords or passwords associated with your
organization:
Enabling password protection
For more information, see how to defend against password spray attacks.
Tagging IP address
Tag the IP addresses in Defender for Cloud Apps to receive alerts related to future use:
Tagging IP addresses
In Defender for Cloud Apps, “tag” IP address for the IP scope and set up an alert for this IP range for future
reference and accelerated response.
Setting alerts for a specific IP address
Configure alerts
Depending on your organization needs, you can configure alerts.
Set up alerting in your SIEM tool and look at improving logging gaps. Integrate ADFS, Azure AD, Office 365 and
Defender for Cloud Apps logging.
Configure the threshold and alerts in ADFS Health Connect and Risky IP portal.
Configure threshold settings
Configure notifications
See how to configure alerts in the Identity Protection portal.
Set up sign-in risk policies with either Conditional Access or Identity Protection
Configure Sign-In risk
Configure User Risk
Configure policy alerts in Defender for Cloud Apps
Recommended defenses
Educate end users, key stakeholders, front line operations, technical teams, cyber security and
communications teams
Review security control and make necessary changes to improve or strengthen security control within your
organization
Suggest Azure AD configuration assessment
Run regular attack simulator exercises
References
Prerequisites
Sentinel Alerting
SIEM integration into Defender for Cloud Apps
SIEM integration with Graph API
Splunk alerting video
Splunk alerting manual
Installing ADFS Health Connect
Understanding Azure AD sign-in logs
Understanding MFA reporting
Mitigations
Mitigations for password spray
Enable password protection
Block legacy authentication
Block IP address on ADFS
Access controls (including blocking IP addresses) ADFS v3
ADFS Password Protection
Enable ADFS Extranet Lockout
MFA as primary authentication
Enable Identity Protection
Azure AD audit activity reference
Azure AD audit logs schema
Azure AD sign-in logs schema
Azure AD audit log Graph API
Risky IP Alerts
ADFS Help
Recovery
SIEM tool integrations
Create Defender for Cloud Apps alerts
Create Risky IP and ADFS Health Connect Alerts
Identity Protection alerts
Attack simulator
This article provides guidance on identifying and investigating app consent attacks, protecting information, and
minimizing further risks.
This article contains the following sections:
Prerequisites: Covers the specific requirements you need to complete before starting the investigation. For
example, logging that should be turned on, roles and permissions required, among others.
Workflow: Shows the logical flow that you should follow to perform this investigation.
Checklist: Contains a list of tasks for each of the steps in the flow chart. This checklist can be helpful in
highly regulated environments to verify what you have done or simply as a quality gate for yourself.
Investigation steps: Includes a detailed step-by-step guidance for this specific investigation.
Recovery: Contains high level steps on how to recover/mitigate from an Illicit Application Consent grant
attack.
References: Contains additional reading and reference materials.
Prerequisites
Here are general settings and configurations you should complete to perform an investigation for Application
Consent Grants. Before starting the investigation, make sure you have read about the types of consent
permissions explained in Consent permission types.
Customer data
To start the investigation process, you need the following data:
Access to the tenant as a Global Admin (a cloud-only account, not part of your on-premises environment)
Detail of indicators of compromise (IoCs)
The date and time when you noticed the incident
Date range
Number of compromised accounts
Name(s) of compromised accounts
Roles of the compromised account
Are the accounts highly privileged (Global Admin, Microsoft Exchange, SharePoint)?
Are there any Enterprise Applications that are related to the incident?
Did any users report about any applications that were requesting permissions to data on their behalf?
System requirements
Ensure you complete the following installations and configuration requirements:
1. The AzureAD and MSOnline PowerShell modules are installed.
2. You have global administrator rights on the tenant that the script will be run against.
3. You are assigned local administrator role on the computer that you will use to run the scripts.
Install the AzureAD module
Use this command to install the AzureAD module.
Install-Module -Name AzureAD -Verbose
NOTE
If you are prompted to install the modules from an untrusted repository, type Y and press Enter.
Configure PowerShell to run signed scripts so that the downloaded investigation script can execute:
Set-ExecutionPolicy RemoteSigned
When the investigation is finished, disconnect the Azure AD session:
Disconnect-AzureAD
Consent terminologies
What are application consent grants?
Consent is the process of granting authorization to an application to access protected resources on the users’
behalf. An administrator or user can be asked for consent to allow access to their organization/individual data.
An application is granted access to data on behalf of a particular user or for the entire organization. These
consents, however, can be misused by attackers to gain persistence in the environment and access sensitive
data. These types of attacks are called Illicit Consent Grants, and they can happen through a phishing email, a
user account compromised through password spray, or an attacker registering an application as a legitimate
user. In scenarios where a Global Admin account is compromised, the registration and consent grant are
tenant-wide and not just for one user.
Before an application can access your organization's data, a user must grant the application permissions to do
so. Different permissions allow different levels of access. By default, all users are allowed to consent to
applications for permissions that don't require administrator consent. For instance, by default, a user can
consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and
write to all files in your organization.
NOTE
By allowing users to grant apps access to data, users can easily acquire useful applications and be productive. However, in
some situations, this configuration can represent a risk if it's not monitored and controlled carefully.
5. Select the type of permissions the registered application is using: Delegated permissions or
Application permissions.
6. Search for one of the high-risk impact permissions, such as EduRoster.
7. Select EduRoster and expand the permissions.
Workflow
You can also:
Download the app consent grant and other incident response playbook workflows as a PDF.
Download the app consent grant and other incident response playbook workflows as a Visio file.
Checklist
Use this checklist to perform application consent grant validation.
Requirements
Make sure you have access to the tenant as a Global Admin. This is a cloud-only account and is not part
of your on-premises environment.
Indicators of compromise (IoC)
Check the following indicators of compromise (IoC):
When did you notice the incident?
Date range of the incident (how far back does the activity go?)
Number of compromised accounts
Name(s) of compromised accounts
Roles of the compromised account(s)
Are the compromised accounts highly privileged, standard users, or a combination?
Roles
You must be assigned with these roles:
Global administrator rights on the tenant to execute the script
Local Administrator role on the computer from which you will run the script
PowerShell configuration
Configure your PowerShell environment with the following:
Install the Azure AD PowerShell module.
Run the Windows PowerShell app with elevated privileges. (Run as administrator).
Configure PowerShell to run signed scripts.
Download the Get-AzureADPSPermissions.ps1 script.
Investigation triggers
Account compromise
App Consent settings modified on the tenant
Alert/audit event status reason "risky application" detected
Noticed odd looking applications
You can also download the app consent grant and other incident playbook checklists as an Excel file.
Investigation steps
You can use the following two methods to investigate application consent grants:
Azure portal
PowerShell script
NOTE
The Azure portal only shows admin consent grants from the last 90 days. For that reason, we recommend
using the PowerShell script method.
4. Once the script completes, it is recommended to disconnect the Azure AD session with this command.
Disconnect-AzureAD
NOTE
The script may take hours to complete, depending on the size and permissions configured as well as your
connection.
7. In the ConsentType column (G), search for the value AllPrincipals. The AllPrincipals consent type
allows the client application to access everyone's content in the tenancy. Native Microsoft 365
applications need this permission to work correctly. Every non-Microsoft application with this
permission should be reviewed carefully.
8. In the Permission column (F), review the permissions that each delegated application has. Look for
Read and Write permissions or *.All permissions, and review these carefully because they may not be
appropriate.
NOTE
Review the specific users that have consents granted. If high profile or high impact users have inappropriate
consents granted, you should investigate further.
9. In the ClientDisplayName column (C), look for apps that seem suspicious, such as:
Apps with misspelled names
Example output: an app with the AllPrincipals consent type and ReadWrite.All permissions. An application may
show nothing obviously suspicious, such as a bland name and use of Microsoft Graph; still research the purpose
of the application and the actual permissions it has in the tenant, as shown in this example.
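As an added example (this is not the playbook's Get-AzureADPSPermissions.ps1 script), the following AzureAD-module script builds the same kind of report and applies the checks from steps 7 to 9 automatically: it flags AllPrincipals consent, Read/Write and *.All permissions, and application permissions granted to service principals, and separates Microsoft-published apps from everything else so the review queue is short. The high-impact permission shortlist, the 'Microsoft Services' publisher heuristic and the CSV path are this example's own assumptions, not a Microsoft classification.

```powershell
# Added example for this page (not the playbook's Get-AzureADPSPermissions.ps1). Requires the AzureAD
# module and a Global Admin session. The shortlist, publisher heuristic and CSV path are assumptions.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Permissions this example treats as high impact regardless of how they are named (assumption, not a
# Microsoft classification): tenant-wide mailbox, file, directory and role/app management access.
$HighImpactPermissions = @(
    'Directory.ReadWrite.All', 'Directory.AccessAsUser.All', 'RoleManagement.ReadWrite.Directory',
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
    'User.ReadWrite.All', 'Group.ReadWrite.All', 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
)

function Test-RiskyPermission {
    param([string]$Permission)
    # A delegated grant's Scope is a space-separated list; an app role has a single Value. Flag the
    # shortlist plus the generic patterns the investigation steps call out (*.All, Read/Write).
    foreach ($p in ($Permission -split ' ' | Where-Object { $_ })) {
        if ($HighImpactPermissions -contains $p) { return $true }
        if ($p -like '*.All' -or $p -like '*Write*' -or $p -like '*FullControl*') { return $true }
    }
    return $false
}

function Get-ConsentGrantReport {
    # Index every service principal once so grants resolve to names without one call per grant.
    $spById = @{}
    Get-AzureADServicePrincipal -All $true | ForEach-Object { $spById[$_.ObjectId] = $_ }
    $rows = New-Object 'System.Collections.Generic.List[object]'

    # 1. Delegated permissions: OAuth2 permission grants. ConsentType AllPrincipals means admin consent
    #    on behalf of every user; Principal means one user consented for themself (PrincipalId).
    foreach ($grant in (Get-AzureADOAuth2PermissionGrant -All $true)) {
        $client   = $spById[$grant.ClientId]
        $resource = $spById[$grant.ResourceId]
        $rows.Add([pscustomobject]@{
            PermissionType    = 'Delegated'
            ClientDisplayName = $client.DisplayName
            ClientAppId       = $client.AppId
            ResourceName      = $resource.DisplayName
            Permission        = $grant.Scope
            ConsentType       = $grant.ConsentType
            PrincipalId       = $grant.PrincipalId
            GrantObjectId     = $grant.ObjectId
            IsMicrosoft       = ($client.PublisherName -eq 'Microsoft Services')   # heuristic (assumption)
            Flagged           = ($grant.ConsentType -eq 'AllPrincipals') -or (Test-RiskyPermission $grant.Scope)
        })
    }

    # 2. Application permissions: app roles on a resource (for example Microsoft Graph) assigned to
    #    another service principal. These never involve a user and always apply tenant-wide.
    foreach ($resource in $spById.Values) {
        if (-not $resource.AppRoles -or $resource.AppRoles.Count -eq 0) { continue }
        Get-AzureADServiceAppRoleAssignedTo -ObjectId $resource.ObjectId -All $true |
            Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
            ForEach-Object {
                $assignment = $_
                $role   = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
                $client = $spById[$assignment.PrincipalId]
                $rows.Add([pscustomobject]@{
                    PermissionType    = 'Application'
                    ClientDisplayName = $client.DisplayName
                    ClientAppId       = $client.AppId
                    ResourceName      = $resource.DisplayName
                    Permission        = $role.Value
                    ConsentType       = 'AllPrincipals'
                    PrincipalId       = ''
                    GrantObjectId     = $assignment.ObjectId
                    IsMicrosoft       = ($client.PublisherName -eq 'Microsoft Services')
                    Flagged           = (Test-RiskyPermission $role.Value)
                })
            }
    }
    return $rows
}

$report = Get-ConsentGrantReport
$report | Export-Csv -Path .\ConsentGrants.csv -NoTypeInformation   # full list for the case file

# Review queue: non-Microsoft apps holding tenant-wide or high-impact permissions.
$report | Where-Object { $_.Flagged -and -not $_.IsMicrosoft } |
    Sort-Object ClientDisplayName, PermissionType |
    Format-Table ClientDisplayName, PermissionType, ResourceName, Permission, ConsentType -AutoSize
```

The GrantObjectId column is kept deliberately: it is the identifier the revocation cmdlets in the Mitigations section take, so the same CSV serves as both the finding and the remediation worklist. Like the playbook script, this enumerates every service principal and can take a long time in a large tenant.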
Here are some useful tips to review information security policy (ISP) investigations:
1. ReplyURL/RedirectURL
Look for suspicious URLs
2. Is the URL hosted on a suspicious domain?
Is it compromised?
Is the domain recently registered?
Is it a temporary domain?
3. Are there terms of service/service agreement link in the app registration?
4. Are the contents unique and specific to the application/publisher?
5. Is the tenant that registered the application either newly created or compromised (for example, is the app
registered by an at-risk user)?
4. Select Filter results and in the Activity field, enter Consent to application.
5. If you have activity under Consent to application, continue as directed below.
6. Select the result to see the details of the activity. Select More Information to get details of the activity.
7. Check whether IsAdminConsent is set to 'True'. If this value is true, it indicates that someone with
Global Administrator access may have granted broad access to data. If this is unexpected, take
immediate steps to confirm an attack.
NOTE
It can take from 30 minutes up to 24 hours after an event occurs for the corresponding audit log entry to
be displayed in the search results.
How long an audit record is retained and searchable in the audit log depends on your Microsoft 365
subscription, and specifically the type of license assigned to a specific user.
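The same check can be made from Exchange Online PowerShell against the unified audit log instead of clicking through the portal. The script below is an added example, not part of the playbook: it retrieves the 'Consent to application.' events for the last 90 days and splits them into admin consents (tenant-wide, so every one should trace to an approved change) and user consents (the consent-phishing footprint). It assumes Connect-ExchangeOnline has succeeded with a role that includes audit log search, and that the audit record's ModifiedProperties carry the ConsentContext.IsAdminConsent, ConsentContext.OnBehalfOfAll and ConsentAction.Permissions entries and that ObjectId names the consented app; confirm those field names against one known record in your tenant before relying on the output.

```powershell
# Added example for this page (not playbook code). Requires the ExchangeOnlineManagement module and a
# role that can search the unified audit log. Audit field names are assumptions to confirm in your tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-ConsentAuditEvents {
    param([int]$Days = 90)   # how far back to search; bounded by your audit retention
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations 'Consent to application.' -ResultSize 5000
    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json
        # ModifiedProperties is a list of {Name, NewValue, OldValue}; index it by Name.
        $props = @{}
        foreach ($p in $data.ModifiedProperties) { $props[$p.Name] = $p.NewValue }
        [pscustomobject]@{
            Time           = $r.CreationDate
            ConsentedBy    = $data.UserId
            Application    = $data.ObjectId                                   # app that received consent (assumed field)
            IsAdminConsent = ($props['ConsentContext.IsAdminConsent'] -eq 'True')
            OnBehalfOfAll  = ($props['ConsentContext.OnBehalfOfAll'] -eq 'True')
            Permissions    = $props['ConsentAction.Permissions']
            Result         = $data.ResultStatus
        }
    }
}

$events = Get-ConsentAuditEvents -Days 90

# Admin consents apply to the whole tenant: each one should map to an approved change. Anything else
# is the "take immediate steps to confirm an attack" case from step 7.
$events | Where-Object { $_.IsAdminConsent } | Sort-Object Time -Descending |
    Format-Table Time, ConsentedBy, Application, Permissions -AutoSize

# User consents are the consent-phishing footprint: many users consenting to the same unknown app
# in a short window is the pattern to look for.
$events | Where-Object { -not $_.IsAdminConsent } | Group-Object Application |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Because the audit log records the consenting user and the time, this output also answers two of the IoC questions from the checklist (which accounts, and over what date range) that the permission report alone cannot.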
Get-AzureADOAuth2PermissionGrant lists the OAuth2 permission grants in the tenant, and
Remove-AzureADOAuth2PermissionGrant revokes one.
You can use PowerShell to revoke the Service App Role Assignment by following the steps in
Remove-AzureADServiceAppRoleAssignment.
Recommended defenses
Steps to protect your organization
There are various consent attack types. The recommended defenses below mitigate all of them, and in
particular consent phishing, where attackers trick users into granting a malicious app access to sensitive data
or other resources. Instead of trying to steal the user's password, the attacker seeks permission for an
attacker-controlled app to access valuable data.
To help prevent consent attacks from affecting Azure AD and Office 365, see the following recommendations:
Set policies
This setting will have user implications and may not be applicable for an environment. If you are going to
allow any consents, ensure the administrators approve the requests.
Allow consents for applications from verified publishers only and specific types of permissions classified
as low impact.
NOTE
The above recommendations are suggested based on the most ideal, secure configurations. However, as security
is a fine balance between functionalities and operations, the most secure configurations might cause additional
overheads to administrators. It is a decision best made after consulting with your administrators.
NOTE
Any tasks that require administrator’s approval will have operational overhead. The "Consent and permissions, User
consent settings " is in Preview currently. Once it is ready for general availability (GA), the "Allow user consent from
verified publishers, for selected permissions " feature should reduce administrators’ overhead and it is
recommended for most organizations.
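The user consent setting described above can be changed with the AzureAD module rather than the portal. The script below is an added example for this page, not Microsoft's: it shows the permissive built-in policy (microsoft-user-default-legacy, under which users may consent to any app for any permission that does not require admin consent) beside the recommended one (microsoft-user-default-low, verified publishers and low-impact permissions only), applies the latter, and reads back the result. The built-in policy identifiers are the documented ones; the singleton authorization policy ID 'authorizationPolicy' is assumed.

```powershell
# Added example for this page (not Microsoft's script). Requires the AzureAD module and a Global Admin
# session. Built-in policy IDs and the singleton 'authorizationPolicy' ID are assumed as documented.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Built-in permission grant policies; the prefix means "applies when a user consents for themself".
$PermissiveUserConsent = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'  # any app, any permission not needing admin consent
$HardenedUserConsent   = 'ManagePermissionGrantsForSelf.microsoft-user-default-low'     # verified publishers / own tenant, low-impact permissions only

function Get-UserConsentSetting {
    # Empty result = user consent disabled (every request goes to an admin).
    (Get-AzureADMSAuthorizationPolicy -Id 'authorizationPolicy').DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
}

function Set-UserConsentSetting {
    param([string[]]$PoliciesAssigned)
    Set-AzureADMSAuthorizationPolicy -Id 'authorizationPolicy' `
        -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = $PoliciesAssigned }
}

$before = Get-UserConsentSetting
Write-Host "Before: $($before -join ', ')"

# Weak configuration, shown for contrast only: users may consent to any app for any non-admin permission,
# which is the behaviour consent phishing relies on.
# Set-UserConsentSetting -PoliciesAssigned @($PermissiveUserConsent)

# Recommended configuration from the section above.
Set-UserConsentSetting -PoliciesAssigned @($HardenedUserConsent)
# To disable user consent entirely instead (admin approval for everything), pass an empty list:
# Set-UserConsentSetting -PoliciesAssigned @()

$after = Get-UserConsentSetting
Write-Host "After: $($after -join ', ')"

# What "low impact" allows: the include condition set of the built-in policy names the permission
# classification and the verified-publisher requirement.
Get-AzureADMSPermissionGrantConditionSet -PolicyId 'microsoft-user-default-low' -ConditionSetType 'includes' |
    Select-Object PermissionType, PermissionClassification, ClientApplicationsFromVerifiedPublisherOnly, ClientApplicationTenantIds
```

Switching to the low-impact policy does not revoke consents that users granted earlier, so pair this change with the consent audit in the investigation steps; and because it routes every other request to an administrator, enable the admin consent workflow at the same time so those requests have somewhere to go.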
Educate your application developers to follow the trustworthy app ecosystem.
To help developers build high-quality and secure integrations, we’re also announcing public preview of the
Integration Assistant in Azure AD app registrations.
The Integration Assistant analyzes your app registration and benchmarks it against a set of recommended
security best practices.
The Integration Assistant highlights best practices that are relevant during each phase of your integration’s
lifecycle—from development all the way to monitoring—and ensures every stage is properly configured.
It’s designed to make your job easier, whether you’re integrating your first app or you’re an expert looking to
improve your skills.
Educate your organization on consent tactics ( phishing tactics, admin and user consents ):
Check for poor spelling and grammar. If an email message or the application’s consent screen has spelling
and grammatical errors, it’s likely to be a suspicious application.
Keep a watchful eye on app names and domain URLs. Attackers like to spoof app names that make it appear
to come from legitimate applications or companies but drive you to consent to a malicious app.
Make sure you recognize the app name and domain URL before consenting to an application.
Promote and allow access to apps you trust
Promote the use of applications that have been publisher verified. Publisher verification helps admins and
end users understand the authenticity of application developers. Over 660 applications by 390 publishers
have been verified thus far.
Configure application consent policies by allowing users to only consent to specific applications you trust,
such as applications developed by your organization or from verified publishers.
Educate your organization on how our permissions and consent framework works.
Understand the data and permissions an application is asking for and understand how permissions and
consent work within our platform.
Ensure administrators know how to manage and evaluate consent requests.
Audit apps and consented permissions in your organization to ensure applications being used are accessing
only the data they need and adhering to the principles of least privilege.
Mitigations
Educate the customer and provide awareness and training on securing application consent grants
Tighten the application consent grants process with organizational policy and technical controls
Create a schedule to review consented applications
You can use PowerShell to revoke the OAuth consent grant by following the steps in
Remove-AzureADOAuth2PermissionGrant.
You can use PowerShell to revoke the Service App Role assignment by following the steps in
Remove-AzureADServiceAppRoleAssignment.
You can also deactivate sign-in for the affected account altogether, which will in turn deactivate application
access to data in that account.
You can turn off integrated applications for your tenancy. This is a drastic step that prevents end users from
granting consent to third-party applications on a tenant-wide basis. However, this option is not
recommended.
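As an added example that is not part of the playbook, the following script chains the mitigations above for one suspicious application: it removes its delegated grants with Remove-AzureADOAuth2PermissionGrant, removes its application permissions with Remove-AzureADServiceAppRoleAssignment, and disables sign-in to the app's service principal so users cannot re-consent while the investigation continues (the per-app equivalent of the "deactivate sign-in" step, and far less disruptive than turning off integrated applications tenant-wide). It only reports unless -Revoke is passed. The application ID is a placeholder, and the script assumes the two Remove cmdlets are called with the client app's service principal ObjectId, as the steps above describe.

```powershell
# Added example for this page (not playbook code). Requires the AzureAD module and a Global Admin
# session. The application ID is a placeholder. Reports only unless -Revoke is passed.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Revoke-AppConsent {
    param(
        [Parameter(Mandatory = $true)] [string]$AppId,   # application (client) ID of the suspicious app
        [switch]$Revoke                                   # omit for a dry run
    )
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for appId $AppId; the app may already be removed from the tenant." }
    $action = if ($Revoke) { 'Removing' } else { 'Would remove' }

    # 1. Delegated permissions: OAuth2 grants where this app is the client, both per-user and AllPrincipals.
    $grants = @(Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true)
    foreach ($g in $grants) {
        Write-Host "$action delegated grant $($g.ObjectId): scope='$($g.Scope)' consentType=$($g.ConsentType)"
        if ($Revoke) { Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId }
    }

    # 2. Application permissions: app role assignments held by this service principal (assumed to be
    #    the principal-side view, which is what Remove-AzureADServiceAppRoleAssignment operates on).
    $assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true)
    foreach ($a in $assignments) {
        Write-Host "$action app role assignment $($a.ObjectId) on resource $($a.ResourceDisplayName)"
        if ($Revoke) { Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId }
    }

    # 3. Stop users from re-consenting or signing in to the app while it is under investigation.
    if ($Revoke) { Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AccountEnabled $false }

    [pscustomobject]@{
        App                = $sp.DisplayName
        AppId              = $AppId
        DelegatedGrants    = $grants.Count
        AppRoleAssignments = $assignments.Count
        Applied            = [bool]$Revoke
    }
}

$SuspectAppId = '11111111-2222-3333-4444-555555555555'   # placeholder: take this from the triage report
Revoke-AppConsent -AppId $SuspectAppId             # dry run first
# Revoke-AppConsent -AppId $SuspectAppId -Revoke   # then revoke
```

Revoking the grants does not invalidate tokens the app has already been issued; those expire on their own, so also reset the passwords and revoke the refresh tokens of any users whose accounts were used to consent, as the password spray playbook above describes.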
References
The source of the content for this article is the following:
Protecting remote workforce application attacks
Fostering a secure and trustworthy app ecosystem
Investigate risky OAuth apps
Managing consent to applications and evaluating consent requests
Disable user sign-ins for an enterprise app in Azure Active Directory
Understand the permissions and consent framework in the Microsoft identity platform.
Understand the difference between delegated permissions and application permissions.
Configure how end-users consent to applications
Unexpected application in my applications list
Detect and Remediate Illicit Consent Grants
How and Why Azure AD Applications are Added
Application and service principal objects in Azure Active Directory
Azure AD Config Documentor
Get-AzureADServicePrincipal
Build 2020: Fostering a secure and trustworthy app ecosystem for all users
Configure the admin consent workflow
Admins should evaluate all consent requests carefully before approving a request, especially when Microsoft
has detected risk.
Application Registration vs. Enterprise Applications
Permissions
KrebsOnSecurity on AppConsent Phishing
Human-operated ransomware is not a malicious software problem—it’s a human criminal problem. The
solutions used to address commodity problems aren’t enough to prevent a threat that more closely resembles a
nation-state threat actor who:
Disables or uninstalls your antivirus software before encrypting files
Disables security services and logging to avoid detection
Locates and corrupts or deletes backups before sending a ransom demand
These actions are commonly done with legitimate programs that you might already have in your environment
for administrative purposes. In criminal hands, these tools are used maliciously to carry out attacks.
Responding to the increasing threat of ransomware requires a combination of modern enterprise configuration,
up-to-date security products, and the vigilance of trained security staff to detect and respond to the threats
before data is lost.
The Microsoft Detection and Response Team (DART) responds to security compromises to help customers
become cyber-resilient. DART provides onsite reactive incident response and remote proactive investigations.
DART leverages Microsoft’s strategic partnerships with security organizations around the world and internal
Microsoft product groups to provide the most complete and thorough investigation possible.
This article describes how DART handles ransomware attacks for Microsoft customers so that you can consider
applying elements of their approach and best practices for your own security operations playbook.
See these sections for the details:
How DART uses Microsoft security services
The DART approach to conducting ransomware incident investigations
DART recommendations and best practices
NOTE
This article content was derived from the A guide to combatting human-operated ransomware: Part 1 and A guide to
combatting human-operated ransomware: Part 2 Microsoft Security team blog posts.
In Defender for Endpoint, you have access to a real-time expert-level monitoring and analysis service by
Microsoft Threat Experts for ongoing suspected actor activity. You can also collaborate with experts on demand
for additional insights into alerts and incidents.
Here’s an example of how Defender for Endpoint shows detailed ransomware activity.
Defender for Identity
You use Defender for Identity to investigate known compromised accounts and to find potentially compromised
accounts in your organization. Defender for Identity sends alerts for known malicious activity that actors often
use such as DCSync attacks, remote code execution attempts, and pass-the-hash attacks. Defender for Identity
enables you to pinpoint suspect activity and accounts to narrow down the investigation.
Here's an example of how Defender for Identity sends alerts for known malicious activity related to ransomware
attacks.
STEP | GOAL | INITIAL QUESTIONS
1. Assess the current situation | Understand the scope | What initially made you aware of a ransomware attack?
2. Identify the affected line-of-business (LOB) apps | Get systems back online | Does the application require an identity?
Identity and access management is critical to both security assurances as an access control as well as enterprise
enablement of applications and services.
The following videos provide guidance on identity and access management.
Next steps
See the Identity and access management and Capabilities topics.
See also
PowerPoint slides for the Microsoft Azure Security Compass Workshop
Zero Trust Security Model and Framework
Microsoft security documentation
Microsoft security best practices for identity and access management
12/13/2021 • 8 minutes to read • Edit Online
In cloud-based architecture, identity provides the basis of a large percentage of security assurances. While
legacy IT infrastructure often heavily relied on firewalls and network security solutions at the internet egress
points for protection against outside threats, these controls are less effective in cloud architectures with shared
services being accessed across cloud provider networks or the internet.
It is challenging or impossible to write concise firewall rules when you don’t control the networks where these
services are hosted, different cloud resources spin up and down dynamically, cloud customers may share
common infrastructure, and employees and users expect to be able to access data and services from anywhere.
To enable all these capabilities, you must manage access based on identity authentication and authorization
controls in the cloud services to protect data and resources and to decide which requests should be permitted.
Additionally, using a cloud-based identity solution like Azure Active Directory (Azure AD) offers additional
security features that legacy identity services cannot because they can apply threat intelligence from their
visibility into a large volume of access requests and threats across many customers.
Simulate attacks
Best practice: Regularly simulate attacks against your users to educate and empower them.
People are a critical part of your defense, so ensuring they have the knowledge and skills to avoid and resist
attacks will reduce your overall organizational risk.
You can use Attack Simulator in Microsoft Defender for Office 365 or any number of third-party offerings.
Next step
Review identity and device access capabilities.
See also
Zero Trust Security Model and Framework
Microsoft security documentation
Identity and access management capabilities
12/13/2021 • 3 minutes to read • Edit Online
Azure Active Directory (Azure AD)
Description: Establish a single Azure AD enterprise directory for managing identities of full-time employees and enterprise resources. A single authoritative source increases clarity and consistency for all roles in IT and security and reduces security risk from human errors and automation failures resulting from complexity.
More information: Azure Active Directory documentation

Azure AD Connect
Description: Synchronize Azure AD with your existing authoritative on-premises Active Directory using Azure AD Connect. This is also required for an Office 365 migration, so it is often already done before Azure migration and development projects begin.
More information: What is hybrid identity with Azure Active Directory?

Azure AD B2B collaboration
Description: Use Azure AD business-to-business (B2B) collaboration to host non-employee accounts like vendors and partners. This reduces risk by granting the appropriate level of access to external entities instead of the full default permissions given to full-time employees. This least privilege approach and clear differentiation of external accounts from company staff makes it easier to prevent and detect attacks coming in from these vectors.
More information: Azure Active Directory B2B documentation

Azure AD B2C
Description: Use Azure AD B2C for consumer and citizen accounts. Azure AD B2C is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
More information: Azure Active Directory B2C documentation

Azure Multi-Factor Authentication (MFA)
Description: MFA provides additional security by requiring a second form of authentication.
More information: How MFA works

Azure AD self-service password reset (SSPR)
Description: SSPR allows your users to reset their passwords securely and without helpdesk intervention, by providing verification of multiple authentication methods that the administrator can control.
More information: How it works: Azure AD self-service password reset

Azure Active Directory Identity Protection
Description: Azure AD Identity Protection enables you to detect potential vulnerabilities affecting your organization's identities and configure automated remediation policy for low, medium, and high sign-in risk and user risk.
More information: What is Azure Active Directory Identity Protection?

Azure AD password protection for Windows Server Active Directory
Description: Protect on-premises Active Directory accounts with Azure AD password protection. This does the same checks on-premises as Azure AD does for cloud-based changes. These checks are performed during password changes and password reset scenarios.
More information: Enforce Azure AD password protection for Windows Server Active Directory

Azure AD Privileged Identity Management
Description: Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.
More information: What is Azure AD Privileged Identity Management?

Managed Identities
Description: You can reduce use of passwords by applications using Managed Identities to grant access to resources in Azure.
More information: What are managed identities for Azure resources?
See also
Zero Trust Security Model and Framework
Microsoft security documentation
Microsoft Security Best Practices module: Network security and containment
12/13/2021 • 2 minutes to read • Edit Online
Network Security & Containment helps reduce organizational risk by providing access controls to limit the
ability of attackers to traverse the enterprise environment without impeding legitimate communications and
interactions.
See the Network security and containment and Capabilities topics for more information.
The following videos provide guidance on network security and containment. You can also download the
PowerPoint slides associated with these videos.
Network security has been the traditional lynchpin of enterprise security efforts. However, cloud computing has
increased the requirement for network perimeters to be more porous and many attackers have mastered the art
of attacks on identity system elements (which nearly always bypass network controls). These factors have
increased the need to focus primarily on identity-based access controls to protect resources rather than
network-based access controls.
These factors do diminish the role of network security controls, but do not eliminate it entirely. While network security
is no longer the primary focus for securing cloud-based assets, it is still a top priority for the large portfolio of
legacy assets (which were built with the assumption that a network firewall-based perimeter was in place). Many
attackers still employ scanning and exploit methods across public cloud provider IP ranges, successfully
penetrating defenses for those who don’t follow basic network security hygiene. Network security controls also
provide a defense-in-depth element to your strategy that help protect, detect, contain, and eject attackers who
make their way into your cloud deployments.
In the category of network security and containment, we have the following best practice recommendations:
Align network segmentation with overall strategy
Centralize network management and security
Build a network containment strategy
Define an internet edge strategy
This article lists capabilities that can help with network traffic and containment.
CAPABILITY / DESCRIPTION / MORE INFORMATION

Azure Application Gateway
Description: Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port. With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as URI path or host headers.
More information: What is Azure Application Gateway?

Azure Traffic Manager
Description: Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness. Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints.
More information: What is Traffic Manager?

Azure Virtual Network
Description: Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.
More information: What is Azure Virtual Network?; Virtual Network documentation

Point-to-site virtual private network (VPN) and Site-to-site VPN
Description: You can connect your on-premises computers and networks to a virtual network using any combination of these VPN options and Azure ExpressRoute.
More information: Point-to-site VPN; Site-to-site VPN

Security groups and Network virtual appliances
Description: You can filter network traffic between subnets using either or both of these options.
More information: Network security groups; Application security groups

Route tables and border gateway protocol (BGP) routes
Description: Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement either or both of the options to override the default routes Azure creates.
More information: Route tables; About BGP with Azure VPN Gateway

Azure DDoS Protection
Description: Azure DDoS protection, combined with application design best practices, provides defense against DDoS attacks.
More information: Azure DDoS Protection Standard overview
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
Securing privileged access
12/13/2021 • 2 minutes to read • Edit Online
Organizations should make securing privileged access the top security priority because of the significant
potential business impact (and high likelihood) of attackers compromising this level of access.
Privileged access includes IT administrators with control of large portions of the enterprise estate and other
users with access to business critical assets.
Attackers frequently exploit weaknesses in privileged access security during human operated ransomware
attacks and targeted data theft. Privileged access accounts and workstations are so attractive to attackers
because these targets allow them to rapidly gain broad access to the business assets in the enterprise, often
resulting in rapid and significant business impact.
The following diagram summarizes the recommended privileged access strategy to create an isolated virtual
zone that these sensitive accounts can operate in with low risk.
Securing privileged access effectively seals off unauthorized pathways completely and leaves a select few
authorized access pathways that are protected and closely monitored. This diagram is discussed in more detail
in the article, Privileged Access Strategy.
Building this strategy requires a holistic approach combining multiple technologies to protect and monitor those
authorized escalation paths using Zero Trust principles including explicit validation, least privilege, and assume
breach. This strategy requires multiple complementary initiatives that establish a holistic technology approach,
clear processes, and rigorous operational execution to build and sustain assurances over time.
UK National Cyber Security Center (NCSC)
Australian Cyber Security Center (ACSC)
MITRE ATT&CK
Next steps
Strategy, design, and implementation resources to help you rapidly secure privileged access for your
environment.
Microsoft recommends adopting this privileged access strategy to rapidly lower the risks to your organization
from high impact and high likelihood attacks on privileged access.
Privileged access should be the top security priority at every organization. Any compromise of these
users has a high likelihood of significant negative impact to the organization. Privileged users have access to
business critical assets in an organization, nearly always causing major impact when attackers compromise their
accounts.
This strategy is built on Zero Trust principles of explicit validation, least privilege, and assumption of breach.
Microsoft has provided implementation guidance to help you rapidly deploy protections based on this strategy.
IMPORTANT
There is no single "silver bullet" technical solution that will magically mitigate privileged access risk, you must blend
multiple technologies together into a holistic solution that protects against multiple attacker entry points. Organizations
must bring the right tools for each part of the job.
IMPORTANT
Human-operated ransomware is different from commodity single-computer ransomware attacks that target a single
workstation or device.
This graphic describes how this extortion based attack is growing in impact and likelihood using privileged
access:
High business impact
It is difficult to overstate the potential business impact and damage of a loss to privileged access.
Attackers with privileged access effectively have full control of all enterprise assets and resources,
giving them the ability to disclose any confidential data, stop all business processes, or subvert
business processes and machines to damage property, hurt people, or worse. Massive business
impact has been seen across every industry with:
Targeted data theft - attackers use privileged access to access and steal sensitive intellectual
property for their own use, or to sell/transfer it to your competitors or foreign governments.
Human-operated ransomware (HumOR) - attackers use privileged access to steal and/or
encrypt all data and systems in the enterprise, often stopping all business operations. They then
extort the target organization by demanding money to not disclose the data and/or to provide
the keys to unlock it.
High likelihood of occurrence
The prevalence of privileged access attacks has grown since the advent of modern credential theft
attacks starting with pass the hash techniques. These techniques first jumped in popularity with
criminals starting with the 2008 release of the attack tool "Pass-the-Hash Toolkit" and have grown into
a suite of reliable attack techniques (mostly based on the Mimikatz toolkit). This weaponization and
automation of techniques allowed the attacks (and their subsequent impact) to grow at a rapid rate,
limited only by the target organization's vulnerability to the attacks and the attacker's
monetization/incentive models.
Prior to the advent of human-operated ransomware (HumOR), these attacks were prevalent but
often unseen or misunderstood because of:
Attacker monetization limits - Only groups and individuals who knew how to
monetize sensitive intellectual property from target organizations could profit from
these attacks.
Silent impact - Organizations often missed these attacks because they didn't have
detection tools, and also had a hard time seeing and estimating the resulting business
impact (for example, how their competitors were using their stolen intellectual property
and how that affected prices and markets, sometimes years later). Additionally,
organizations who saw the attacks often stayed silent about them to protect their
reputations.
Both the silent impact and attacker monetization limitations on these attacks are disintegrating
with the advent of human operated ransomware, which is growing in volume, impact, and
awareness because it is both:
Loud and disruptive - to business processes, until the extortion demands are paid.
Universally applicable - Every organization in every industry is financially motivated
to continue operations uninterrupted.
For these reasons, privileged access should be the top security priority at every organization.
Building your privileged access strategy
Privileged access strategy is a journey that must be composed of quick wins and incremental progress. Each
step in your privileged access strategy must take you closer to "sealing" out persistent and flexible attackers from
privileged access, who are like water trying to seep into your environment through any available weakness.
This guidance is designed for all enterprise organizations regardless of where you already are in the journey.
Holistic practical strategy
Reducing risk from privileged access requires a thoughtful, holistic, and prioritized combination of risk
mitigations spanning multiple technologies.
Building this strategy requires recognition that attackers are like water as they have numerous options they can
exploit (some of which can appear insignificant at first), attackers are flexible in which ones they use, and they
generally take the path of least resistance to achieving their objectives.
IMPORTANT
You must adopt a strategy that includes multiple technologies to defend against these attacks. Simply implementing a
privileged identity management / privileged access management (PIM/PAM) solution is not sufficient. For more
information, see Privileged access Intermediaries.
The attackers are goal-oriented and technology agnostic, using any type of attack that works.
The access control backbone you are defending is integrated into most or all systems in the enterprise
environment.
Expecting you can detect or prevent these threats with just network controls or a single privileged access
solution will leave you vulnerable to many other types of attacks.
Strategic assumption - Cloud is a source of security
This strategy uses cloud services as the primary source of security and management capabilities rather than on-
premises isolation techniques for several reasons:
Cloud has better capabilities - The most powerful security and management capabilities available today
come from cloud services, including sophisticated tooling, native integration, and massive amounts of
security intelligence like the 8+ trillion security signals a day Microsoft uses for our security tools.
Cloud is easier and faster - Adopting cloud services requires little to no infrastructure for implementing
and scaling up, enabling your teams to focus on their security mission rather than technology integration.
Cloud requires less maintenance - The cloud is also managed, maintained, and secured consistently by
vendor organizations with teams dedicated to that single purpose for thousands of customer organizations,
reducing the time and effort for your team to rigorously maintain capabilities.
Cloud keeps improving - Features and functionality in cloud services are constantly being updated
without requiring ongoing investment from your organization.
Building the recommended strategy
Microsoft's recommended strategy is to incrementally build a 'closed loop' system for privileged access that
ensures only trustworthy 'clean' devices, accounts, and intermediary systems can be used for privileged access
to business sensitive systems.
Much like waterproofing something complex in real life like a boat, you need to design this strategy with an
intentional outcome, establish and follow standards carefully, and continually monitor and audit the outcomes
so that you remediate any leaks. You wouldn't just nail boards together in a boat shape and magically expect a
waterproof boat. You would focus first on building and waterproofing significant items like the hull and critical
components like the engine and steering mechanism (while leaving ways for people to get in), then later
waterproofing comfort items like radios, seats, and the like. You would also maintain it over time as even the
most perfect system could spring a leak later, so you need to keep up with preventive maintenance, monitor for
leaks, and fix them to keep it from sinking.
Securing Privileged Access has two simple goals:
1. Strictly limit the ability to perform privileged actions to a few authorized pathways
2. Protect and closely monitor those pathways
There are two types of pathways to accessing the systems: user access (to use the capability) and privileged
access (to manage the capability or access a sensitive capability).
User Access - the lighter blue path on the bottom of the diagram depicts a standard user account performing
general productivity tasks like email, collaboration, web browsing, and use of line-of-business applications or
websites. This path includes an account logging on to a device or workstation, sometimes passing through
an intermediary like a remote access solution, and interacting with enterprise systems.
Privileged Access - the darker blue path on the top of the diagram depicts privileged access, where privileged
accounts like IT Administrators or other sensitive accounts access business critical systems and data or
perform administrative tasks on enterprise systems. While the technical components may be similar in
nature, the damage an adversary can inflict with privileged access is much higher.
The full access management system also includes identity systems and authorized elevation paths.
Identity Systems - provide identity directories that host the accounts and administrative groups,
synchronization and federation capabilities, and other identity support functions for standard and privileged
users.
Authorized Elevation Paths - provide means for standard users to interact with privileged workflows, such as
managers or peers approving requests for administrative rights to a sensitive system through a just in time
(JIT) process in a Privileged Access Management / Privileged Identity management system.
These components collectively comprise the privileged access attack surface that an adversary may target to
attempt gaining elevated access to your enterprise:
NOTE
For on-premises and infrastructure as a service (IaaS) systems hosted on a customer managed operating system, the
attack surface dramatically increases with management and security agents, service accounts, and potential configuration
issues.
Creating a sustainable and manageable privileged access strategy requires closing off all unauthorized vectors
to create the virtual equivalent of a control console physically attached to a secure system that represents the
only way to access it.
This strategy requires a combination of:
Zero Trust access control described throughout this guidance, including the rapid modernization plan
(RAMP)
Asset protection to protect against direct asset attacks by applying good security hygiene practices to these
systems. Asset protection for resources (beyond access control components) is out of scope of this guidance,
but typically includes rapid application of security updates/patches, configuring operating systems using
manufacturer/industry security baselines, protecting data at rest and in transit, and integrating security best
practices to development / DevOps processes.
Next steps
Securing privileged access overview
Measuring success
Security levels
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Enhanced Security Admin Environment (ESAE) retirement
Success criteria for privileged access strategy
12/13/2021 • 7 minutes to read • Edit Online
This document describes the success criteria for a privileged access strategy. This section describes strategic
perspectives of success for a privileged access strategy. For a roadmap on how to adopt this strategy, see the
rapid modernization plan (RaMP). For implementation guidance, see privileged access deployment.
Implementing a holistic strategy using Zero Trust approaches creates a "seal" of sorts over the access control for
privileged access that makes it resistant to attackers. This strategy is accomplished by limiting pathways to
privileged access to only a select few, and then closely protecting and monitoring those authorized pathways.
A successful strategy must address all the points attackers can use to intercept privileged access workflows,
including four distinct initiatives:
Privileged Access workflow - elements of the privileged access workflow, including underlying devices,
operating systems, applications, and identities
Identity systems hosting the privileged accounts and the groups, and other artifacts that confer privilege
on the accounts
User access workflow and authorized elevation paths that can lead to privileged access
Application interfaces where zero trust access policy is enforced and role-based access control (RBAC) is
configured to grant privileges
NOTE
A complete security strategy also includes asset protections that are beyond the scope of access control, such as data
backups and protections against attacks on the application itself, the underlying operating system and hardware, on
service accounts used by the application or service, and on data while at rest or in transit. For more information on
modernizing a security strategy for cloud, see the article Define a security strategy.
An attack consists of human attackers leveraging automation and scripts to attack an organization that is composed
of humans, the processes they follow, and the technology they use. Because of this complexity of both attackers
and defenders, the strategy must be multi-faceted to guard against all the people, process, and technology ways
that the security assurances could inadvertently be undermined.
Ensuring sustainable long-term success requires meeting the following criteria:
Ruthless prioritization
Balance security and productivity
Strong partnerships within the organization
Disrupt attacker return on investment
Follow clean source principle
Ruthless prioritization
Ruthless prioritization is the practice of taking the most effective actions with the fastest time to value first, even
if those efforts don't fit pre-existing plans, perceptions, and habits. This strategy lays out the set of steps that
have been learned in the fiery crucible of many major cybersecurity incidents. The learnings from these
incidents form the steps we help organizations take to ensure that these crises don't happen again.
While it's always tempting for security professionals to try to optimize familiar existing controls like network
security and firewalls for newer attacks, this path consistently leads to failure. Microsoft's Detection and
Response Team (DART) has been responding to privileged access attacks for nearly a decade and consistently
sees these classic security approaches fail to detect or stop these attacks. While network security provides
necessary and important basic security hygiene, it's critical to break out of these habits and focus on mitigations
that will deter or block real world attacks.
Ruthlessly prioritize the security controls recommended in this strategy, even if it challenges existing
assumptions and forces people to learn new skills.
IMPORTANT
A privileged access strategy should be comprehensive and provide defense in depth, but must avoid the Expense in depth
fallacy where defenders simply pile on more same (familiar) type controls (often network firewalls/filters) past the point
where they add any meaningful security value.
For more information on attacker ROI, see the short video and in-depth discussion Disrupting attacker return on
investment.
Any subject in control of an object is a security dependency of that object. If an adversary can control anything
in control of a target object, they can control that target object. Because of this threat, you must ensure that the
assurances for all security dependencies are at or above the desired security level of the object itself. This
principle applies across many types of control relationships:
While simple in principle, this concept gets complex easily in the real world as most enterprises grew organically
over decades and have many thousands of control relationships recursively that build on each other, loop back
on each other, or both. This web of control relationships provides many access paths that an attacker can
discover and navigate during an attack, often with automated tools.
Microsoft's recommended privileged access strategy is effectively a plan to untangle the most important parts
of this knot first using a Zero Trust approach, by explicitly validating that the source is clean before allowing
access to the destination.
In all cases, the trust level of the source must be the same or higher than the destination.
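The clean source principle stated above can be checked mechanically over a map of control relationships, which is how a defender untangles the "knot" of dependencies this section describes. The following Python is an added example, not Microsoft's code: the node names, trust assignments and the edge list are constructed for illustration, and the three levels (enterprise, specialized, privileged) are the ones this guidance defines.

```python
"""Clean source principle check over a constructed control-relationship graph.

An edge (subject, object) means "subject controls object", so subject is a
security dependency of object. The principle requires every dependency,
direct or transitive, to be at or above the trust level of the object.
"""
from collections import defaultdict

# The three security levels used throughout this guidance, ordered.
LEVELS = {"enterprise": 1, "specialized": 2, "privileged": 3}

# Constructed sample inventory (hypothetical names). Each node is assigned the
# level the organization believes it operates at.
TRUST = {
    "paw-01": "privileged",            # dedicated privileged access workstation
    "hr-laptop": "enterprise",         # ordinary productivity laptop
    "it-admin": "privileged",          # admin account
    "hr-user": "enterprise",           # standard user account
    "domain-admins": "privileged",     # AD group
    "domain-controller": "privileged", # identity system
    "monitor-server": "enterprise",    # management tool with agents on the DC
    "monitor-admin": "enterprise",     # admin of that management tool
}

# Constructed control relationships (subject controls object).
CONTROLS = [
    ("paw-01", "it-admin"),             # admin logs on from the PAW (fine)
    ("hr-laptop", "it-admin"),          # admin also logs on from a laptop (leak)
    ("hr-laptop", "hr-user"),           # standard user on standard device (fine)
    ("it-admin", "domain-admins"),      # account is a member of the group
    ("domain-admins", "domain-controller"),
    ("monitor-server", "domain-controller"),  # agent on the DC (leak)
    ("monitor-admin", "monitor-server"),
]


def direct_violations(controls, trust):
    """Edges whose controlling subject is trusted less than the object it controls."""
    return [(s, o) for s, o in controls if LEVELS[trust[s]] < LEVELS[trust[o]]]


def controllers_of(controls):
    """Reverse adjacency: object -> set of subjects that directly control it."""
    rev = defaultdict(set)
    for s, o in controls:
        rev[o].add(s)
    return rev


def security_dependencies(target, controls):
    """All subjects that directly or transitively control target (cycle-safe)."""
    rev = controllers_of(controls)
    seen, stack = set(), [target]
    while stack:
        node = stack.pop()
        for s in rev[node]:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    seen.discard(target)
    return seen


def weak_paths(target, controls, trust):
    """Every control chain ending at target that starts at a node trusted below
    target. Each path is listed from the weak source through to the target."""
    rev = controllers_of(controls)
    need = LEVELS[trust[target]]
    paths = []

    def walk(node, path):
        for s in rev[node]:
            if s in path:          # guard against control loops
                continue
            chain = [s] + path
            if LEVELS[trust[s]] < need:
                paths.append(chain)
            walk(s, chain)

    walk(target, [target])
    return sorted(paths)


def effective_level(target, controls, trust):
    """Level target actually enjoys: the weakest of itself and all dependencies."""
    deps = security_dependencies(target, controls) | {target}
    return min((trust[d] for d in deps), key=LEVELS.get)


if __name__ == "__main__":
    for s, o in direct_violations(CONTROLS, TRUST):
        print(f"direct violation: {s} ({TRUST[s]}) controls {o} ({TRUST[o]})")
    for path in weak_paths("domain-controller", CONTROLS, TRUST):
        print("weak path:", " -> ".join(path))
    print("effective level of domain-controller:",
          effective_level("domain-controller", CONTROLS, TRUST))
```

Fixing a violation means raising the subject to the object's level (for example, moving the agent's management server into the privileged tier) or removing the control relationship, since accepting the edge as-is silently lowers the object's effective level.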
The only notable exception to this principle is allowing the use of unmanaged personal devices and partner
devices for enterprise scenarios. This exception enables enterprise collaboration and flexibility and can be
mitigated to an acceptable level for most organizations because of the low relative value of the enterprise
assets. For more context on BYOD security, see the blog post How a BYOD policy can reduce security risk in
the public sector.
This same exception cannot be extended to the specialized and privileged security levels, however,
because of the security sensitivity of these assets. Some PIM/PAM vendors may advocate that their solutions
can mitigate device risk from lower-level devices, but we respectfully disagree with those assertions based
on our experience investigating incidents. The asset owners in your organization may choose to accept risk of
using enterprise security level devices to access specialized or privileged resources, but Microsoft does not
recommend this configuration. For more information, see the intermediary guidance for Privileged Access
Management / Privileged Identity management.
The privileged access strategy accomplishes this principle primarily by enforcing Zero Trust policy with
Conditional Access on inbound sessions at interfaces and intermediaries. The clean source principle starts with
getting a new device from an OEM that is built to your security specifications including operating system
version, security baseline configuration, and other requirements such as using Windows Autopilot for
deployment.
Optionally, the clean source principle can extend into a highly rigorous review of each component in the supply
chain including installation media for operating systems and applications. While this principle would be
appropriate for organizations facing highly sophisticated attackers, it should be a lower priority than the other
controls in this guidance.
Next steps
Securing privileged access overview
Privileged access strategy
Security levels
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Privileged access security levels
12/13/2021 • 4 minutes to read • Edit Online
This document describes the security levels of a privileged access strategy. For a roadmap on how to adopt this
strategy, see the rapid modernization plan (RaMP). For implementation guidance, see privileged access
deployment.
These levels are primarily designed to provide simple and straightforward technical guidance so that
organizations can rapidly deploy these critically important protections. The privileged access strategy recognizes
that organizations have unique needs, but also that custom solutions create complexity that results in higher
costs and lower security over time. To balance this need, the strategy provides firm prescriptive guidance for
each level and flexibility through allowing organizations to choose when each role will be required to meet the
requirements of that level.
Making things simple helps people understand them and lowers the risk that they will be confused and make mistakes.
While the underlying technology is almost always complex, it is critical to keep things simple rather than
creating custom solutions that are difficult to support. For more information, see the article Security design
principles.
Designing solutions that are focused on the needs of the administrators and end users will keep it simple for
them. Designing solutions that are simple for security and IT personnel to build, assess, and maintain (with
automation where possible) leads to fewer security mistakes and more reliable security assurances.
The recommended privileged access security strategy implements a simple three-level system of assurances
that spans the areas it is designed to be easy to deploy for: accounts, devices, intermediaries, and interfaces.
Each successive level drives up attacker costs with each additional level of Defender for Cloud investment. The levels
are designed to target the 'sweet spots' where defenders get the most return (attacker cost increase) for each
security investment they make.
Each role in your environment should be mapped to one of these levels (and optionally increased over time as
part of a security improvement plan). Each profile is clearly defined as a technical configuration and automated
where possible to ease deployment and speed up security protections. For implementation details see the
article, Privileged access roadmap.
The security levels used throughout this strategy are:
Enterprise security is suitable for all enterprise users and productivity scenarios. In the progression of
the rapid modernization plan, enterprise also serves as the starting point for specialized and privileged
access as they progressively build on the security controls in enterprise security.
NOTE
Weaker security configurations do exist, but aren't recommended by Microsoft for enterprise organizations today
because of the skills and resources attackers have available. For information on what attackers can buy from each
other on the dark markets and average prices, see the video Top 10 Best Practices for Azure Security.
Specialized security provides increased security controls for roles with an elevated business impact (if
compromised by an attacker or malicious insider).
Your organization should have documented criteria for specialized and privileged accounts (for example,
potential business impact is over $1M USD) and then identify all the roles and accounts meeting those
criteria. (This definition is used throughout this strategy, including in Specialized Accounts.)
Specialized roles typically include:
Developers of business critical systems.
Sensitive business roles such as users of SWIFT terminals, researchers with access to sensitive
data, personnel with access to financial reporting prior to public release, payroll administrators,
approvers for sensitive business processes, and other high impact roles.
Executives and personal assistants / administrative assistants that regularly handle sensitive
information.
High impact social media accounts that could damage the company reputation.
Sensitive IT Admins with significant privileges and impact that are not enterprise-wide. This group
typically includes administrators of individual high impact workloads (for example, enterprise
resource planning administrators, banking administrators, help desk / tech support roles, etc.).
Specialized Account security also serves as an interim step for privileged security, which further builds on
these controls. See privileged access roadmap for details on recommended order of progression.
Privileged security is the highest level of security designed for roles that could easily cause a major
incident and potential material damage to the organization in the hands of an attacker or malicious
insider. This level typically includes technical roles with administrative permissions on most or all
enterprise systems (and sometimes includes a select few business critical roles).
Privileged accounts are focused on security first, with productivity defined as the ability to easily and
securely perform sensitive job tasks. These roles will not have the ability to do both sensitive
work and general productivity tasks (browse the web, install and use any app) using the same account or
the same device/workstation. They will have highly restricted accounts and workstations with increased
monitoring of their actions for anomalous activity that could represent attacker activity.
Privileged access security roles typically include:
Azure AD Global Administrators and related roles
Other identity management roles with administrative rights to an enterprise directory, identity
synchronization systems, federation solution, virtual directory, privileged identity/access management
system, or similar.
Roles with membership in these on-premises Active Directory groups
Enterprise Admins
Domain Admins
Schema Admin
BUILTIN\Administrators
Account Operators
Backup Operators
Print Operators
Server Operators
Domain Controllers
Read-only Domain Controllers
Group Policy Creator Owners
Cryptographic Operators
Distributed COM Users
Sensitive on-premises Exchange groups (including Exchange Windows Permissions and
Exchange Trusted Subsystem)
Other Delegated Groups - Custom groups that may be created by your organization to manage
directory operations.
Any local administrator for an underlying operating system or cloud service tenant that is
hosting the above capabilities including
Members of local administrators group
Personnel who know the root or built in administrator password
Administrators of any management or security tool with agents installed on those
systems
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Privileged access: Accounts
12/13/2021 • 5 minutes to read • Edit Online
Account security is a critical component of securing privileged access. End to end Zero Trust security for sessions
requires strongly establishing that the account being used in the session is actually under the control of the
human owner and not an attacker impersonating them.
Strong account security starts with secure provisioning and full lifecycle management through to
deprovisioning, and each session must establish strong assurances that the account isn't currently compromised
based on all available data including historical behavior patterns, available threat intelligence, and usage in the
current session.
Account security
This guidance defines three security levels for account security that you can use for assets with different
sensitivity levels:
These levels establish clear and implementable security profiles appropriate for each sensitivity level that you
can assign roles to and scale out rapidly. All of these account security levels are designed to maintain or improve
productivity for people by limiting or eliminating interruption to user and admin workflows.
NOTE
While your organization may choose to use an existing weaker form of MFA during a transition period, attackers
are increasingly evading the weaker MFA protections, so all new investment into MFA should be on the strongest
forms.
Enforce account/session risk - ensure that the account is not able to authenticate unless it is at a low (or
medium?) risk level. See Interface Security Levels for details on conditional enterprise account security.
Monitor and respond to alerts - Security operations should integrate account security alerts and get
sufficient training on how these protocols and systems work to ensure they are able to rapidly
comprehend what an alert means and react accordingly.
Enable Azure AD Identity Protection
Investigate risk Azure AD Identity Protection
Troubleshoot/Investigate Conditional Access Sign-in failures
The following diagram provides a comparison of different forms of MFA and passwordless authentication. Each
option in the best box is considered both high security and high usability. Each has different hardware
requirements so you may want to mix and match which ones apply to different roles or individuals. All Microsoft
passwordless solutions are recognized by Conditional Access as multi-factor authentication because they
require combining something you have with either biometrics, something you know, or both.
NOTE
For more information on why SMS and other phone based authentication is limited, see the blog post It's Time to Hang
Up on Phone Transports for Authentication.
Specialized accounts
Specialized accounts are a higher protection level suitable for sensitive users. Because of their higher business
impact, specialized accounts warrant additional monitoring and prioritization during security alerts, incident
investigations, and threat hunting.
Specialized security builds on the strong MFA in enterprise security by identifying the most sensitive accounts
and ensuring alerts and response processes are prioritized:
1. Identify Sensitive Accounts - See specialized security level guidance for identifying these accounts.
2. Tag Specialized Accounts - Ensure each sensitive account is tagged
a. Configure Microsoft Sentinel Watchlists to identify these sensitive accounts
b. Configure Priority Account Protection in Microsoft Defender for Office 365 and designate specialized
and privileged accounts as priority accounts
3. Update Security Operations processes - to ensure these alerts are given the highest priority
4. Set up Governance - Update or create governance process to ensure that
a. All new roles are evaluated for specialized or privileged classifications as they are created or
changed
b. All new accounts are tagged as they are created
c. Continuous or periodic out of band checks to ensure that roles and accounts didn't get missed by
normal governance processes.
Privileged accounts
Privileged accounts have the highest level of protection because they represent a significant or material
potential impact on the organization's operations if compromised.
Privileged accounts always include IT Admins with access to most or all enterprise systems, including most or all
business critical systems. Other accounts with a high business impact may also warrant this additional level of
protection. For more information about which roles and accounts should be protected at what level, see the
article Privileged Security.
In addition to specialized security, privileged account security increases both:
Prevention - add controls to restrict the usage of these accounts to the designated devices, workstations, and
intermediaries.
Response - closely monitor these accounts for anomalous activity and rapidly investigate and remediate the
risk.
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Privileged access: Intermediaries
12/13/2021 • 12 minutes to read • Edit Online
An attacker can attack an intermediary to attempt to escalate privileges using credentials stored on it, get
remote network access to corporate networks, or exploit trust in that device if it is used for Zero Trust access
decisions. Targeting intermediaries has become all too common, especially for organizations that don't
rigorously maintain the security posture of these devices (for example, credentials collected from VPN devices).
Intermediaries vary in purpose and technology, but typically provide remote access, session security, or both:
Remote access - Enable access to systems on enterprise networks from the internet
Session security - Increase security protections and visibility for a session
Unmanaged device scenario - Providing a managed virtual desktop to be accessed by unmanaged
devices (for example, personal employee devices) and/or devices managed by a partner/vendor.
Administrator security scenario - Consolidate administrative pathways and/or increase security
with just in time access, session monitoring and recording, and similar capabilities.
Ensuring security assurances are sustained from the originating device and account through to the resource
interface requires understanding the risk profile of the intermediary and mitigation options.
The attacker opportunity is represented by the available attack surface an attack operator can target:
Native cloud services like Azure AD PIM, Azure Bastion, and Azure AD App Proxy offer a limited attack
surface to attackers. While they are exposed to the public internet, customers (and attackers) have no access
to underlying operating systems providing the services and they are typically maintained and monitored
consistently via automated mechanisms at the cloud provider. This smaller attack surface limits the available
options to attackers vs. classic on-premises applications and appliances that must be configured, patched,
and monitored by IT personnel who are often overwhelmed by conflicting priorities and more security tasks
than they have time to complete.
Virtual Private Networks (VPNs) and Remote Desktops / Jump servers frequently have a significant
attacker opportunity as they are exposed to the internet to provide remote access and the maintenance of
these systems is frequently neglected. While they only have a few network ports exposed, attackers only
need access to one unpatched service for an attack.
Third-party PIM/PAM services are frequently hosted on-premises or as a VM on Infrastructure as a Service
(IaaS) and are typically only available to intranet hosts. While not directly internet exposed, a single
compromised credential may allow attackers to access the service over VPN or another remote access
medium.
Attacker value represents what an attacker can gain by compromising an intermediary. A compromise is
defined as an attacker gaining full control over the application/VM and/or an administrator of the customer
instance of the cloud service.
The ingredients that attackers can collect from an intermediary for the next stage of their attack include:
Get network connectivity to communicate with most or all resources on enterprise networks. This access is
typically provided by VPNs and Remote Desktop / Jump server solutions. While Azure Bastion and Azure AD
App Proxy (or similar third-party solutions) also provide remote access, these solutions are
typically application- or server-specific connections and don't provide general network access.
Impersonate device identity - can defeat Zero Trust mechanisms if a device is required for authentication
and/or be used by an attacker to gather intelligence on the targets networks. Security Operations teams
often don't closely monitor device account activity and focus only on user accounts.
Steal account credentials to authenticate to resources, which are the most valuable asset to attackers as it
offers the ability to elevate privileges to access their ultimate goal or the next stage in the attack. Remote
Desktop / Jump servers and third-party PIM/PAM are the most attractive targets and have the “All your eggs
in one basket” dynamic with increased attacker value and security mitigations:
PIM/PAM solutions typically store the credentials for most or all privileged roles in the organization,
making them a highly lucrative target to compromise or to weaponize.
Azure AD PIM doesn't offer attackers the ability to steal credentials because it unlocks privileges
already assigned to an account using MFA or other workflows, but a poorly designed workflow could
allow an adversary to escalate privileges.
Remote Desktop / Jump servers used by administrators provide a host where many or all
sensitive sessions pass through, enabling attackers to use standard credential theft attack tools to steal
and reuse these credentials.
VPNs can store credentials in the solution, providing attackers with a potential treasure trove of
privilege escalation, leading to the strong recommendation to use Azure AD for authentication to
mitigate this risk.
An intermediary is a link in the Zero Trust chain that presents an interface to users/devices and then enables
access to the next interface. The security controls must address inbound connections, security of the
intermediary device/application/service itself, and (if applicable) provide Zero Trust security signals for the next
interface.
IMPORTANT
PIM/PAM capabilities provide excellent mitigations for some attacks, but do not address many privileged access
risks, notably the risk of device compromise. While some vendors advocate that their PIM/PAM solution is a 'silver
bullet' solution that can mitigate device risk, our experience investigating customer incidents has consistently
proven that this does not work in practice.
An attacker with control of a workstation or device can use those credentials (and privileges assigned to them)
while the user is logged on (and can often steal credentials for later use as well). A PIM/PAM solution alone cannot
consistently and reliably see and mitigate these device risks, so you must have discrete device and account
protections that complement each other.
NOTE
Ensure you set up a second person in business critical workflows to help mitigate insider risk (increases the cost/friction
for potential collusion by insider threats).
NOTE
This guidance refers only to "point to site" VPNs used by users, not "site to site" VPNs that are typically used for
datacenter/application connectivity.
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Privileged access accounts
Interfaces
Privileged access devices
Enterprise access model
Privileged access: Interfaces
12/13/2021 • 4 minutes to read • Edit Online
A critical component of securing privileged access is the application of zero trust policy to ensure that devices,
accounts, and intermediaries meet security requirements before providing access.
This policy ensures users and devices initiating the inbound session are known, trusted, and allowed to access
the resource (via the interface). The policy enforcement is performed by the Azure AD Conditional Access policy
engine that evaluates policy assigned to the specific application interface (such as Azure portal, Salesforce,
Office 365, AWS, Workday, and others).
This guidance defines three security levels for interface security that you can use for assets with different
sensitivity levels. These levels are configured in the securing privileged access rapid modernization plan (RAMP)
and correspond to security levels of accounts and devices.
The security requirements for inbound sessions to interfaces apply to accounts and the source device, whether
it’s a direct connection from physical devices or a Remote Desktop / Jump server intermediary. Intermediaries
can accept sessions from personal devices to provide enterprise security level (for some scenarios), but
specialized or privileged intermediaries should not allow connections from lower levels because of the security
sensitive nature of their roles.
NOTE
These technologies provide strong end to end access control to the application interface, but the resource itself must also
be secured from out of band attacks on the application code/functionality, unpatched vulnerabilities or configuration
errors in the underlying operating system or firmware, on data at rest or in transit, supply chains, or other means.
Ensure to assess and discover risks to the assets themselves for complete protection. Microsoft provides tooling and
guidance to help you with that including Microsoft Defender for Cloud, Microsoft Secure Score, and threat modelling
guidance.
Interface examples
Interfaces come in different forms, typically as:
Cloud service/application websites such as Azure portal, AWS, Office 365
Desktop Console managing an on-premises application (Microsoft Management Console (MMC) or custom
application)
Scripting/Console Interface such as Secure Shell (SSH) or PowerShell
While some of these directly support Zero Trust enforcement via the Azure AD Conditional Access policy engine,
some of them will need to be published via an intermediary such as Azure AD App Proxy or Remote Desktop /
jump server.
Interface security
The ultimate goal of interface security is to ensure that each inbound session to the interface is known, trusted,
and allowed:
Known – User is authenticated with strong authentication and device is authenticated (with exceptions for
personal devices using a Remote Desktop or VDI solution for enterprise access)
Trusted – Security health is explicitly validated and enforced for accounts and devices using a Zero Trust
policy engine
Allowed – Access to the resources follows least privilege principle using a combination of controls to ensure
it can only be accessed
By the right users
At the right time ( just in time access, not permanent access)
With the right approval workflow (as needed)
At an acceptable risk/trust level
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Privileged access accounts
Intermediaries
Privileged access devices
Enterprise access model
Securing devices as part of the privileged access
story
12/13/2021 • 6 minutes to read • Edit Online
This guidance is part of a complete privileged access strategy and is implemented as part of the Privileged
access deployment
End to end zero trust security for privileged access requires a strong foundation of device security upon which
to build other security assurances for the session. While security assurances may be enhanced in the session,
they will always be limited by how strong the security assurances are in the originating device. An attacker with
control of this device can impersonate users on it or steal their credentials for future impersonation. This risk
undermines other assurances on the account, intermediaries like jump servers, and on the resources
themselves. For more information, see clean source principle.
The article provides an overview of security controls to provide a secure workstation for sensitive users
throughout its lifecycle.
This solution relies on core security capabilities in the Windows 10 operating system, Microsoft Defender for
Endpoint, Azure Active Directory, and Microsoft Intune.
NOTE
The solution can be deployed with new hardware, existing hardware, and bring your own device (BYOD) scenarios.
At all levels, good security maintenance hygiene for security updates will be enforced by Intune policies. The
differences in security as the device security level increases are focused on reducing the attack surface that an
attacker can attempt to exploit (while preserving as much user productivity as possible). Enterprise and
specialized level devices allow productivity applications and general web browsing, but privileged access
workstations do not. Enterprise users may install their own applications, but specialized users may not (and are
not local administrators of their workstations).
NOTE
Web browsing here refers to general access to arbitrary websites which can be a high risk activity. Such browsing is
distinctly different from using a web browser to access a small number of well-known administrative websites for services
like Azure, Microsoft 365, other cloud providers, and SaaS applications.
Next steps
Deploy a secure Azure-managed workstation.
Enterprise access model
12/13/2021 • 3 minutes to read • Edit Online
This document describes an overall enterprise access model that includes context of how a privileged access
strategy fits in. For a roadmap on how to adopt a privileged access strategy, see the rapid modernization plan
(RaMP). For implementation guidance to deploy this, see privileged access deployment.
Privileged access strategy is part of an overall enterprise access control strategy. This enterprise access model
shows how privileged access fits into an overall enterprise access model.
The primary stores of business value that an organization must protect are in the Data/Workload plane:
Each of these planes has control of the data and workloads by virtue of their functions, creating an attractive
pathway for attackers to abuse if they can gain control of either plane.
For these systems to create business value, they must be accessible to internal users, partners, and customers
using their workstations or devices (often using remote access solutions) - creating user access pathways. They
must also frequently be available programmatically via application programming interfaces (APIs) to facilitate
process automation, creating application access pathways.
Finally, these systems must be managed and maintained by IT staff, developers, or others in the organizations,
creating privileged access pathways. Because of the high level of control they provide over business critical
assets in the organization, these pathways must be stringently protected against compromise.
Providing consistent access control in the organization that enables productivity and mitigates risk requires you
to
Enforce Zero Trust principles on all access
Assume Breach of other components
Explicit validation of trust
Least privilege access
Pervasive security and policy enforcement across
Internal and external access to ensure consistent policy application
All access methods including users, admins, APIs, service accounts, etc.
Mitigate unauthorized privilege escalation
Enforce hierarchy – to prevent control of higher planes from lower planes (via attacks or abuse of
legitimate processes)
Control plane
Management plane
Data/workload plane
Continuously audit for configuration vulnerabilities enabling inadvertent escalation
Monitor and respond to anomalies that could represent potential attacks
The enterprise access model incorporates these elements as well as full access management requirements of a
modern enterprise that spans on-premises, multiple clouds, internal or external user access, and more.
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Privileged access deployment
12/13/2021 • 23 minutes to read • Edit Online
This document will guide you through implementing the technical components of the privileged access strategy,
including secure accounts, workstations and devices, and interface security (with conditional access policy).
This guidance sets up all of the profiles for all three security levels; they should be assigned to your organization's
roles based on the Privileged access security levels guidance. Microsoft recommends configuring them in the
order described in the rapid modernization plan (RAMP).
License requirements
The concepts covered in this guide assume you have Microsoft 365 Enterprise E5 or an equivalent SKU. Some of
the recommendations in this guide can be implemented with lower SKUs. For more information, see Microsoft
365 Enterprise licensing.
To automate license provisioning, consider group-based licensing for your users.
NOTE
You will need to create a user group that includes your emergency user that can bypass the Conditional Access policy. For
our example we have a security group called Emergency BreakGlass.
This policy set will ensure that your administrators must use a device that is able to present a specific device
attribute value, that MFA is satisfied, and that the device is marked as compliant by Microsoft Endpoint Manager
and Microsoft Defender for Endpoint.
Organizations should also consider blocking legacy authentication protocols in their environments. There are
multiple ways to accomplish this task, for more information about blocking legacy authentication protocols, see
the article, How to: Block legacy authentication to Azure AD with Conditional Access.
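The three policies this step describes (MFA plus compliant device for administrators, a device-attribute requirement, and a tenant-wide block of legacy authentication) can be created with the Microsoft Graph PowerShell SDK. This is an added example, not the Microsoft script set. It assumes the "Emergency BreakGlass" group already exists and that privileged workstations carry extensionAttribute1 = "PAW" as their device attribute value; both names are hypothetical. Policies are created in report-only mode so you can check the sign-in logs before switching state to "enabled".

```powershell
# Added example: Conditional Access policies for privileged access with the Microsoft Graph
# PowerShell SDK. Assumptions: "Emergency BreakGlass" group exists; PAW devices are tagged
# extensionAttribute1 = "PAW" (hypothetical value).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency BreakGlass'"
if (-not $breakGlass) { throw "Create the break-glass group before enforcing admin policies." }

# Stable, tenant-independent identifiers
$globalAdminTemplate = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template
$azureManagementApp  = "797f4846-ba00-4fd7-ba43-dac90f5fe1ba"  # Windows Azure Service Management API (portal, ARM, CLI)

function New-PawPolicy {
    # Creates the policy in report-only mode; flip state to "enabled" once sign-in logs
    # show no unexpected administrators being caught by it.
    param([string]$Name, [hashtable]$Conditions, [hashtable]$Grant)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Scope shared by the two admin policies: Global Administrators reaching Azure management.
# The break-glass group is always excluded so a policy mistake cannot lock everyone out.
$adminScope = @{
    users          = @{ includeRoles = @($globalAdminTemplate); excludeGroups = @($breakGlass.Id) }
    applications   = @{ includeApplications = @($azureManagementApp) }
    clientAppTypes = @("all")
}

# 1. Known + trusted: MFA AND a device that Intune / Defender for Endpoint marks compliant.
New-PawPolicy -Name "PAW-Admins-MFA-and-compliant-device" -Conditions $adminScope `
    -Grant @{ operator = "AND"; builtInControls = @("mfa","compliantDevice") }

# 2. Device attribute: block every device EXCEPT those matching the PAW filter.
#    Filter mode "exclude" removes matching devices from the block's scope, so only
#    untagged devices are blocked.
$tagged = $adminScope.Clone()
$tagged.devices = @{ deviceFilter = @{ mode = "exclude"; rule = 'device.extensionAttribute1 -eq "PAW"' } }
New-PawPolicy -Name "PAW-Admins-block-untagged-devices" -Conditions $tagged `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 3. Legacy authentication cannot carry MFA or device signals, so block it for everyone.
New-PawPolicy -Name "Block-legacy-authentication" -Conditions @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    } -Grant @{ operator = "OR"; builtInControls = @("block") }
```

Keep the break-glass exclusion on every policy you add later as well; an administrator policy that also catches the emergency account turns a misconfiguration into a lockout.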
PROFILE | DOWNLOAD LOCATION | FILENAME
Enterprise | https://aka.ms/securedworkstationgit | Enterprise-Workstation-Windows10-(20H2).ps1
NOTE
The removal of admin rights and access, as well as application execution control (AppLocker), are managed by the
policy profiles that are deployed.
After the script successfully executes, you can make updates to profiles and policies in Intune. The scripts will
create policies and profiles for you, but you must assign the policies to your Secure Workstations device
group.
Here's where you can find the Intune device configuration profiles created by the scripts: Azure portal >
Microsoft Intune > Device configuration > Profiles.
Here's where you can find the Intune device compliance policies created by the scripts: Azure portal >
Microsoft Intune > Device Compliance > Policies.
Run the Intune data export script DeviceConfiguration_Export.ps1 from the DeviceConfiguration GitHub
repository to export all current Intune profiles for comparison, and evaluation of the profiles.
Enterprise : This configuration is the most permissive as it mirrors the default behavior of a Windows install. All
inbound traffic is blocked except for rules that are explicitly defined in the local policy rules, as merging of local
rules is set to allowed. All outbound traffic is allowed.
Specialized : This configuration is more restrictive as it ignores all locally defined rules on the device. All
inbound traffic is blocked, including locally defined rules; the policy includes two rules to allow Delivery
Optimization to function as designed. All outbound traffic is allowed.
Privileged : All inbound traffic is blocked, including locally defined rules; the policy includes two rules to allow
Delivery Optimization to function as designed. Outbound traffic is also blocked apart from explicit rules that
allow DNS, DHCP, NTP, NCSI, HTTP, and HTTPS traffic. This configuration not only reduces the attack surface
presented by the device to the network, it limits the outbound connections that the device can establish to only
those connections required to administer cloud services.
(Table of Microsoft Defender Firewall rules; columns: RULE | DIRECTION | ACTION | APPLICATION / SERVICE | PROTOCOL | LOCAL PORTS | REMOTE PORTS. The rule rows did not survive extraction.)
NOTE
There are two rules defined for each rule in the Microsoft Defender Firewall configuration. To restrict the inbound and
outbound rules to Windows Services, e.g. DNS Client, both the service name, DNSCache, and the executable path,
C:\Windows\System32\svchost.exe, need to be defined as separate rule rather than a single rule that is possible using
Group Policy.
You can make additional changes to the management of both inbound and outbound rules as needed for your
permitted and blocked services. For more information, see Firewall configuration service.
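The Privileged profile described above can be reproduced locally with the NetSecurity module, which is useful for testing one device before pushing the equivalent Intune policy. This is an added example, not the Intune profile from the securedworkstation repository. It follows the note above by creating two rules (service-scoped and svchost.exe program-scoped) for every service-hosted allow entry. The "PAW-" rule-name prefix is an assumption chosen so the rules are easy to find and remove; run it from an elevated session.

```powershell
# Added example: Privileged-profile firewall posture applied locally (NetSecurity module).
# Run elevated on the test workstation.

# 1. Default-deny in both directions on every profile, and ignore locally authored rules.
#    Dropping local-rule merging is what separates Privileged/Specialized from Enterprise.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# 2. Outbound allow-list: only what a device needs to reach cloud administration portals.
$svchost  = "$env:SystemRoot\System32\svchost.exe"
$outbound = @(
    @{ Name = "DNS-UDP"; Service = "Dnscache"; Protocol = "UDP"; RemotePort = "53" },
    @{ Name = "DNS-TCP"; Service = "Dnscache"; Protocol = "TCP"; RemotePort = "53" },
    @{ Name = "DHCP";    Service = "Dhcp";     Protocol = "UDP"; LocalPort = "68"; RemotePort = "67" },
    @{ Name = "NTP";     Service = "W32Time";  Protocol = "UDP"; RemotePort = "123" },
    @{ Name = "NCSI";    Service = "NlaSvc";   Protocol = "TCP"; RemotePort = "80" },
    @{ Name = "HTTP";    Protocol = "TCP"; RemotePort = "80" },
    @{ Name = "HTTPS";   Protocol = "TCP"; RemotePort = "443" }
)

function Add-PawAllowRule {
    # Service-hosted entries become TWO rules, one bound to the service name and one to the
    # svchost.exe path, mirroring what the Intune firewall CSP can express.
    param([hashtable]$Spec, [string]$Direction)
    $common = @{
        Direction = $Direction; Action = "Allow"; Profile = "Any"; Enabled = "True"
        Protocol  = $Spec.Protocol; RemotePort = $Spec.RemotePort
    }
    if ($Spec.LocalPort) { $common.LocalPort = $Spec.LocalPort }
    if ($Spec.Service) {
        New-NetFirewallRule -DisplayName "PAW-$Direction-$($Spec.Name)-Service" -Service $Spec.Service @common | Out-Null
        New-NetFirewallRule -DisplayName "PAW-$Direction-$($Spec.Name)-Program" -Program $svchost @common | Out-Null
    } else {
        New-NetFirewallRule -DisplayName "PAW-$Direction-$($Spec.Name)" @common | Out-Null
    }
}
foreach ($spec in $outbound) { Add-PawAllowRule -Spec $spec -Direction Outbound }

# 3. The only inbound exception: Delivery Optimization peer traffic (TCP 7680, DoSvc).
Add-PawAllowRule -Direction Inbound -Spec @{
    Name = "DeliveryOptimization"; Service = "DoSvc"; Protocol = "TCP"; LocalPort = "7680"; RemotePort = "Any"
}

# 4. Verify: every PAW rule present and enabled; anything else outbound now fails closed.
Get-NetFirewallRule -DisplayName "PAW-*" | Select-Object DisplayName, Direction, Enabled
```

After applying this, confirm that the Azure portal and Intune check-in still work; if a required management endpoint uses a port outside this list, add an explicit rule rather than reopening outbound traffic in general.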
URL lock proxy
Restrictive URL traffic management includes:
Deny all outbound traffic except selected Azure and Microsoft services, including Azure Cloud Shell and the
ability to allow self-service password reset.
The Privileged profile restricts the endpoints on the internet that the device can connect to using the
following URL Lock Proxy configuration.
Windows Registry Editor Version 5.00

; URL lock: ProxyServer points at a loopback address with no listener, so any host that is
; not matched by ProxyOverride (which bypasses the proxy) simply fails to connect.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.2:8080"
"ProxyOverride"="*.azure.com;*.azure.net;*.microsoft.com;*.windowsupdate.com;*.microsoftonline.com;*.microsoftonline.cn;*.windows.net;*.windowsazure.com;*.windowsazure.cn;*.azure.cn;*.loganalytics.io;*.applicationinsights.io;*.vsassets.io;*.azure-automation.net;*.visualstudio.com;portal.office.com;*.aspnetcdn.com;*.sharepointonline.com;*.msecnd.net;*.msocdn.com;*.webtrends.com"
"AutoDetect"=dword:00000000
The endpoints listed in the ProxyOverride list are limited to those endpoints needed to authenticate to Azure AD
and access Azure or Office 365 management interfaces. To extend to other cloud services, add their
administration URL to the list. This approach is designed to limit access to the wider internet to protect
privileged users from internet-based attacks. If this approach is deemed too restrictive, then consider using the
approach described below for the privileged role.
NOTE
Make sure you assign the Company Portal app to the Secure Workstation Device Tag group used to assign the
Autopilot profile.
NOTE
The Group Tag is used by the Secure Workstation dynamic group to make the device a member of its group.
NOTE
The Specialized and Privileged workstation profiles contain the AppLocker policies. Deployment of the policies is required
for monitoring of application activity on a client.
From the Microsoft Defender Security Center Advanced Hunting pane, use the following query to return
AppLocker events
// AppLocker and WDAC events land in DeviceEvents with an ActionType that starts with "AppControl".
DeviceEvents
| where Timestamp > ago(7d) and
    ActionType startswith "AppControl"
// Distinct devices per event type: a count lower than the size of the Specialized/Privileged
// device group means the AppLocker policy has not reached every secure workstation.
| summarize Machines=dcount(DeviceName) by ActionType
| order by Machines desc
Monitoring
Understand how to review your Exposure Score
Review Security recommendation
Manage security remediations
Manage endpoint detection and response
Monitor profiles with Intune profile monitoring.
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Security rapid modernization plan
12/13/2021 • 13 minutes to read • Edit Online
This rapid modernization plan (RAMP) will help you quickly adopt Microsoft's recommended privileged access
strategy.
This roadmap builds on the technical controls established in the privileged access deployment guidance.
Complete those steps and then use the steps in this RAMP to configure the controls for your organization.
NOTE
Many of these steps will have a green/brownfield dynamic, as organizations often already have security risks in the way
accounts are deployed or configured. This roadmap prioritizes stopping the accumulation of new security risks first,
and then later cleans up the remaining items that have already accumulated.
As you progress through the roadmap, you can utilize Microsoft Secure Score to track and compare many items
in the journey with others in similar organizations over time. Learn more about Microsoft Secure Score in the
article Secure score overview.
Each item in this RAMP is structured as an initiative that will be tracked and managed using a format that builds
on the objectives and key results (OKR) methodology. Each item includes what (objective), why, who, how, and
how to measure (key results). Some items require changes to processes and people's knowledge/skills, while
others are simpler technology changes. Many of these initiatives will include members outside of the traditional
IT Department that should be included in the decision making and implementation of these changes to ensure
they are successfully integrated in your organization.
It is critical to work together as an organization, create partnerships, and educate people who traditionally were
not part of this process. It is critical to create and maintain buy-in across the organization, without it many
projects fail.
Remove any accounts that are no longer needed in those roles. Then, categorize the remaining
accounts that are assigned to admin roles:
Assigned to administrative users, but also used for non-administrative productivity purposes, like
reading and responding to email.
Assigned to administrative users and used for administrative purposes only
Shared across multiple users
For break-glass emergency access scenarios
For automated scripts
For external users
If you don't have Azure AD Privileged Identity Management in your organization, you can use the PowerShell
API. Also start with the Global Administrator role, because a Global Administrator has the same permissions
across all cloud services for which your organization has subscribed. These permissions are granted no matter
where they were assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for
Microsoft PowerShell.
Measure key results: Review and Identification of privileged access roles has been completed within the
past 90 days
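Without Azure AD PIM, the role review above can be scripted against Microsoft Graph. The following is an added example (not the "PowerShell API" the page refers to) that enumerates Global Administrator membership with the Microsoft Graph PowerShell SDK and sorts each principal into the categories listed above. The classification heuristics (a mailbox means the account is also used for productivity, a Guest or "#EXT#" UPN means an external user, a service principal means automation, membership of the "Emergency BreakGlass" group means break-glass) are assumptions made for this example.

```powershell
# Added example: inventory and categorize Global Administrators (Microsoft Graph PowerShell SDK).
# Heuristics and the "Emergency BreakGlass" group name are assumptions.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","Group.Read.All"

$gaTemplate = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template id
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplate'"
if (-not $role) { throw "Global Administrator role has never been activated in this tenant." }

$bgGroup = Get-MgGroup -Filter "displayName eq 'Emergency BreakGlass'"
$bgIds   = if ($bgGroup) { @(Get-MgGroupMember -GroupId $bgGroup.Id -All).Id } else { @() }

function Get-GlobalAdminInventory {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -eq '#microsoft.graph.servicePrincipal') {
            [pscustomobject]@{ Principal = $m.AdditionalProperties['displayName']; Category = 'Automation (service principal)'; Enabled = $true }
            continue
        }
        if ($type -eq '#microsoft.graph.group') {
            [pscustomobject]@{ Principal = $m.AdditionalProperties['displayName']; Category = 'Shared (group assignment)'; Enabled = $true }
            continue
        }
        $u = Get-MgUser -UserId $m.Id -Property id,userPrincipalName,mail,accountEnabled,userType
        $category = if ($bgIds -contains $u.Id) { 'Break-glass emergency access' }
                    elseif ($u.UserType -eq 'Guest' -or $u.UserPrincipalName -like '*#EXT#*') { 'External user' }
                    elseif ($u.Mail) { 'Admin account also used for productivity (mailbox)' }
                    else { 'Dedicated admin account' }
        [pscustomobject]@{ Principal = $u.UserPrincipalName; Category = $category; Enabled = $u.AccountEnabled }
    }
}

$inventory = @(Get-GlobalAdminInventory)
# Disabled accounts are removals; mailbox-bearing admins are the first ones to split.
$inventory | Sort-Object Category, Principal | Format-Table -AutoSize
"Global Administrators: {0} (disabled: {1}, mailbox-bearing: {2})" -f $inventory.Count,
    @($inventory | Where-Object { -not $_.Enabled }).Count,
    @($inventory | Where-Object Category -like 'Admin account also*').Count
```

Repeat the same enumeration for the other privileged roles (Privileged Role Administrator, Exchange Administrator, and so on) by substituting the role template id; the categorisation logic does not change.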
Separate accounts (On-premises AD accounts)
What : Secure on-premises privileged administrative accounts, if not already done. This stage includes:
Creating separate admin accounts for users who need to conduct on-premises administrative tasks
Deploying Privileged Access Workstations for Active Directory administrators
Creating unique local admin passwords for workstations and servers
Why : Hardening the accounts used for administrative tasks. The administrator accounts should have mail
disabled and no personal Microsoft accounts should be allowed.
Who : This initiative is typically led by Identity and Key Management and/or Security Architecture.
Sponsorship: This initiative is typically sponsored by CISO, CIO, or Director of Identity
Execution: This initiative is a collaborative effort involving
Policy and standards team document clear requirements and standards (based on this
guidance)
Identity and Key Management or Central IT Operations to implement any changes
Security Compliance management monitors to ensure compliance
How : All personnel that are authorized to possess administrative privileges must have separate accounts
for administrative functions that are distinct from user accounts. Do not share these accounts
between users.
Standard user accounts - Granted standard user privileges for standard user tasks, such as email, web
browsing, and using line-of-business applications. These accounts are not granted administrative
privileges.
Administrative accounts - Separate accounts created for personnel who are assigned the appropriate
administrative privileges.
Measure key results: 100% of on-premises privileged users have separate dedicated accounts
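The separate-account step above can be automated on-premises with the ActiveDirectory module. This is an added example, not part of the RAMP text: for every human member of an AD admin group it creates a dedicated "-adm" account in a hardened OU, moves the privilege to that account, and checks the result (no mailbox, not delegatable, in Protected Users). The group name "AD Admins", the OU path and the "-adm" suffix are assumptions for the example.

```powershell
# Added example: create separate on-premises admin accounts (ActiveDirectory RSAT module).
# "AD Admins", the OU path and the "-adm" suffix are assumptions.
Import-Module ActiveDirectory

$sourceGroup = "AD Admins"
$adminOu     = "OU=Tier0,OU=Admin,DC=corp,DC=example"

function Test-SeparateAdminAccount {
    # A dedicated admin account has no mailbox, cannot be delegated (Kerberos), and sits in
    # Protected Users (no NTLM, no RC4/DES, no long-lived TGT, no cached credentials).
    param([string]$SamAccountName)
    $acct      = Get-ADUser -Identity $SamAccountName -Properties mail, AccountNotDelegated, MemberOf
    $protected = (Get-ADGroup -Identity "Protected Users").DistinguishedName
    return ([string]::IsNullOrEmpty($acct.mail) -and $acct.AccountNotDelegated -and ($acct.MemberOf -contains $protected))
}

# Direct human members only; accounts already following the naming convention are skipped.
$humans = Get-ADGroupMember -Identity $sourceGroup |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notlike '*-adm' }

foreach ($user in $humans) {
    $sam = "$($user.SamAccountName)-adm"
    if (-not (Get-ADUser -Filter "samAccountName -eq '$sam'")) {
        $initial = Read-Host -AsSecureString "Initial password for $sam (hand over out of band)"
        New-ADUser -Name $sam -SamAccountName $sam -Path $adminOu `
            -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true `
            -AccountNotDelegated $true `
            -Description "Dedicated admin account for $($user.SamAccountName); no mail, no browsing"
        Add-ADGroupMember -Identity "Protected Users" -Members $sam
        # Move the privilege to the new account and strip it from the productivity account.
        Add-ADGroupMember -Identity $sourceGroup -Members $sam
        Remove-ADGroupMember -Identity $sourceGroup -Members $user.SamAccountName -Confirm:$false
    }
    "{0}: separated={1}" -f $sam, (Test-SeparateAdminAccount -SamAccountName $sam)
}
```

Protected Users requires a 2012 R2 or later domain functional level and breaks NTLM-only services, so verify the admin workflows that the new accounts will use before moving every administrator at once. The unique local administrator passwords mentioned in the same step are a separate control (for example LAPS) and are not covered by this script.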
Microsoft Defender for Identity
What : Microsoft Defender for Identity combines on-premises signals with cloud insights to monitor,
protect, and investigate events in a simplified format enabling your security teams to detect advanced
attacks against your identity infrastructure with the ability to:
Monitor users, entity behavior, and activities with learning-based analytics
Protect user identities and credentials stored in Active Directory
Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
Provide clear incident information on a simple timeline for fast triage
Why : Modern attackers may stay undetected for long periods of time. Many threats are hard to find
without a cohesive picture of your entire identity environment.
Who : This initiative is typically led by Identity and Key Management and/or Security Architecture.
Sponsorship: This initiative is typically sponsored by CISO, CIO, or Director of Identity
Execution: This initiative is a collaborative effort involving
Policy and standards team document clear requirements and standards (based on this
guidance)
Identity and Key Management or Central IT Operations to implement any changes
Security Compliance management monitors to ensure compliance
How : Deploy and enable Microsoft Defender for Identity and review any open alerts.
Measure key results : All open alerts reviewed and mitigated by the appropriate teams.
NOTE
This change will require centralizing the decision-making process with your organization's security and identity
administration teams.
Why : Users can inadvertently create organizational risk by providing consent for an app that can maliciously
access organizational data.
Who : This initiative is typically led by Identity and Key Management and/or Security Architecture.
Sponsorship: This initiative is typically sponsored by CISO, CIO, or Director of Identity
Execution: This initiative is a collaborative effort involving
Policy and standards team document clear requirements and standards (based on this
guidance)
Identity and Key Management or Central IT Operations to implement any changes
Security Compliance management monitors to ensure compliance
Central IT Operations Helpdesk processes have been updated and personnel has been trained
on them
Central IT Operations Service owner processes have been updated and personnel has been
trained on them
How : Establish a centralized consent process to maintain centralized visibility and control of the applications
that have access to data by following the guidance in the article, Managing consent to applications and
evaluating consent requests.
Measure key results : End users are not able to consent to Azure AD application access
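The consent key result above can be enforced and verified with the Microsoft Graph PowerShell SDK. This is an added example, not from the linked article: it removes the permission-grant policy from the default user role (so users cannot consent), enables the admin consent request workflow so requests reach named reviewers instead of being denied silently, and lists the grants users already made so they can be reviewed. The reviewer address "consent-reviewer@contoso.com" is an assumption; replace it with the owners of your centralized process.

```powershell
# Added example: disable user consent, enable the admin consent workflow, and review
# existing user grants (Microsoft Graph PowerShell SDK). Reviewer UPN is an assumption.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Policy.ReadWrite.ConsentRequest","Directory.Read.All"

# 1. No permission-grant policy assigned to the default user role = users cannot consent.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 2. Users can still *request* access; requests go to reviewers, which keeps the help desk
#    and service owners in the loop instead of producing a dead-end error.
$reviewer = Get-MgUser -UserId "consent-reviewer@contoso.com"
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })

# 3. Key result check: $true when end users can no longer consent to applications.
function Test-UserConsentDisabled {
    $policy = Get-MgPolicyAuthorizationPolicy
    return (@($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned).Count -eq 0)
}

# 4. Consent users already gave survives the policy change. ConsentType "Principal" marks a
#    grant made by an individual user; review these and revoke unwanted ones with
#    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>.
function Get-UserConsentedGrants {
    Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal' | ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; Scope = $_.Scope; GrantId = $_.Id }
    }
}

"User consent disabled: {0}" -f (Test-UserConsentDisabled)
Get-UserConsentedGrants | Sort-Object App | Format-Table -AutoSize
```

Pay particular attention to existing grants whose Scope includes mail, files or directory read permissions; those are the ones an attacker-controlled app would ask for, and they remain valid until revoked.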
Clean up account and sign-in risks
What : Enable Azure AD Identity Protection and cleanup any risks that it finds.
Why : Risky user and sign-in behavior can be a source of attacks against your organization.
Who : This initiative is typically led by Identity and Key Management and/or Security Architecture.
Sponsorship: This initiative is typically sponsored by CISO, CIO, or Director of Identity
Execution: This initiative is a collaborative effort involving
Policy and standards team document clear requirements and standards (based on this
guidance)
Identity and Key Management or Central IT Operations to implement any changes
Security Compliance management monitors to ensure compliance
Central IT Operations Helpdesk processes have been updated for related support calls and
personnel has been trained on them
How : Create a process that monitors and manages user and sign-in risk. Decide if you will automate
remediation, using Azure AD Multi-Factor Authentication and SSPR, or block and require administrator
intervention. Follow the guidance in the article How To: Configure and enable risk policies.
Measure key results : The organization has zero unaddressed user and sign-in risks.
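Triage of the risks Identity Protection has already found can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not from the linked article. The triage policy it implements is an assumption: users still "atRisk" at high risk get their sessions revoked and are confirmed compromised (which, combined with a user-risk policy, forces a secure password change at next sign-in), while lower risk levels are listed for manual review rather than dismissed blindly.

```powershell
# Added example: Identity Protection user-risk triage (Microsoft Graph PowerShell SDK).
# Triage policy (high => revoke + confirm compromised; else => review) is an assumption.
Connect-MgGraph -Scopes "IdentityRiskyUser.ReadWrite.All","User.RevokeSessions.All"

function Get-OpenUserRisk {
    # The key result is "zero unaddressed risks": any user still in riskState atRisk counts.
    Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All
}

function Invoke-UserRiskTriage {
    param([switch]$WhatIf)
    foreach ($r in @(Get-OpenUserRisk)) {
        if ($r.RiskLevel -eq 'high') {
            if (-not $WhatIf) {
                # Kill refresh tokens first so any live attacker session stops working...
                Revoke-MgUserSignInSession -UserId $r.Id | Out-Null
                # ...then confirm the compromise: riskState becomes confirmedCompromised and the
                # user-risk Conditional Access policy requires MFA + password change next time.
                Invoke-MgConfirmRiskyUserCompromised -UserIds @($r.Id)
            }
            [pscustomobject]@{ User = $r.UserPrincipalName; Level = $r.RiskLevel; Action = 'Sessions revoked, confirmed compromised' }
        } else {
            # Medium/low: check the sign-in detail before dismissing with Invoke-MgDismissRiskyUser.
            [pscustomobject]@{ User = $r.UserPrincipalName; Level = $r.RiskLevel; Action = "Review sign-ins (last update $($r.RiskLastUpdatedDateTime))" }
        }
    }
}

Invoke-UserRiskTriage -WhatIf | Format-Table -AutoSize   # dry run first
# Invoke-UserRiskTriage | Format-Table -AutoSize         # then act
"Open user risks remaining: {0}" -f @(Get-OpenUserRisk).Count
```

Run the dry run first and compare the list against your incident queue; confirming a user compromised is an irreversible signal to the risk engine, so it should only be used for accounts you are prepared to treat as an incident.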
NOTE
Conditional Access policies are required to block accrual of new sign-in risks. See the Conditional access section of
Privileged Access Deployment
NOTE
This step rapidly establishes a security baseline and must be increased to specialized and privileged levels as soon as
possible.
Next steps
Securing privileged access overview
Privileged access strategy
Measuring success
Security levels
Privileged access accounts
Intermediaries
Interfaces
Privileged access devices
Enterprise access model
Enhanced Security Admin Environment
12/13/2021 • 3 minutes to read • Edit Online
The Enhanced Security Admin Environment (ESAE) architecture (often referred to as red forest, admin forest, or
hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD)
administrators.
Microsoft’s recommendation to use this architectural pattern has been replaced by the modern privileged access
strategy and rapid modernization plan (RAMP) guidance as the default recommended approach for securing
privileged users. The ESAE hardened administrative forest pattern (on-prem or cloud-based) is now considered
a custom configuration suitable only for exception cases listed below.
NOTE
While Microsoft no longer recommends an isolated hardened forest model for most scenarios at most organizations,
Microsoft still operates a similar architecture internally (and associated support processes and personnel) because of the
extreme security requirements for providing trusted cloud services to organizations around the globe.
Next steps
Review the privileged access strategy and rapid modernization plan (RAMP) guidance for providing secure
environments for privileged users.
Microsoft Security Best Practices module: Privileged
administration
12/13/2021 • 2 minutes to read • Edit Online
Administrative accounts with privileged access to the environment (and associated elements like groups and
workstations) must be protected at the highest levels of security assurances to ensure all other security
assurances aren't undermined.
See the Administration topic for more information.
The following videos provide guidance on administration. You can also download the PowerPoint slides
associated with these videos.
Administration is the practice of monitoring, maintaining, and operating Information Technology (IT) systems to
meet service levels that the business requires. Administration introduces some of the highest impact security
risks because performing these tasks requires privileged access to a very broad set of these systems and
applications. Attackers know that gaining access to an account with administrative privileges can get them
access to most or all of the data they would target, making the security of administration one of the most critical
security areas.
As an example, Microsoft makes significant investments in protection and training of administrators for our
cloud systems and IT systems:
Microsoft’s recommended core strategy for administrative privileges is to use the available controls to reduce
risk
Reduce risk exposure (scope and time) – The principle of least privilege is best accomplished with modern
controls that provide privileges on demand. This helps to limit risk by limiting administrative privilege exposure
by:
Scope – Just Enough Access (JEA) provides only the privileges required for the administrative operation
at hand (vs. having direct and immediate privileges to many or all systems at a time, which is almost
never required).
Time – Just in Time (JIT) approaches provide the required privileges only as they are needed.
Mitigate the remaining risks – Use a combination of preventive and detective controls to reduce risks,
such as isolating administrator accounts from the most common risks (phishing and general web
browsing), simplifying and optimizing their workflow, increasing assurance of authentication decisions,
and identifying anomalies from normal baseline behavior that can be blocked or investigated.
Microsoft has captured and documented best practices for protecting administrative accounts and published
prioritized roadmaps for protecting privileged access that can be used as references for prioritizing mitigations
for accounts with privileged access.
Securing Privileged Access (SPA) roadmap for administrators of on premises Active Directory
Guidance for securing administrators of Azure Active Directory
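The scope and time reductions described above can be made concrete with PowerShell Just Enough Administration. The script below is an example added to this page, not code from the SPA roadmap or from Microsoft's own tooling: it publishes a JEA endpoint through which members of one group can inspect and restart a single service and read the System event log, running under a per-session virtual account so that no standing administrator credential is handed out. The group CONTOSO\ServiceOps, the test user CONTOSO\alice, the service Spooler, the endpoint name ServiceOps, the module path and the transcript directory are assumptions for illustration. Run it elevated on the server that will host the endpoint (Windows PowerShell 5.1 or later).

```powershell
# Added example (not from the SPA roadmap): a JEA endpoint that scopes a
# delegated operator to one service. Assumptions: group CONTOSO\ServiceOps,
# test user CONTOSO\alice, service 'Spooler', endpoint 'ServiceOps'.
# Run elevated on the server that will host the endpoint.

$moduleRoot  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ServiceOpsJEA'
$rcRoot      = Join-Path $moduleRoot 'RoleCapabilities'
$transcripts = 'C:\JEATranscripts'
New-Item -ItemType Directory -Path $rcRoot, $transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ServiceOpsJEA.psd1')

# 1. Role capability: the scope half of least privilege. Only these cmdlets are
#    visible, and the service-name parameters are pinned to 'Spooler', so the
#    operator cannot restart anything else even though the session runs as admin.
$roleParams = @{
    Path             = Join-Path $rcRoot 'ServiceOps.psrc'
    VisibleCmdlets   = @(
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
        @{ Name = 'Get-WinEvent';    Parameters = @(
            @{ Name = 'LogName'; ValidateSet = 'System' }
            @{ Name = 'MaxEvents' }) }
    )
    VisibleFunctions = 'TabExpansion2'
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration: maps the group to the role and runs commands under a
#    virtual account that exists only for the session, so no standing privileged
#    credential is handed to the operator or cached on their workstation.
$sessionParams = @{
    Path                = Join-Path $env:TEMP 'ServiceOps.pssc'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode, minimal cmdlet set
    RunAsVirtualAccount = $true
    TranscriptDirectory = $transcripts               # every session is recorded
    RoleDefinitions     = @{ 'CONTOSO\ServiceOps' = @{ RoleCapabilities = 'ServiceOps' } }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw 'Session configuration file failed validation'
}

# 3. Publish the endpoint. Operators then connect with:
#    Enter-PSSession -ComputerName <host> -ConfigurationName ServiceOps
Register-PSSessionConfiguration -Name 'ServiceOps' -Path $sessionParams.Path -Force | Out-Null

# 4. Check what a member of the group would actually see: expect only the
#    cmdlets above plus the handful of built-ins every JEA session carries.
Get-PSSessionCapability -ConfigurationName 'ServiceOps' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

Connecting with Enter-PSSession -ConfigurationName ServiceOps lands the operator in a NoLanguage session where only the listed commands exist; a service name other than Spooler is rejected by the ValidateSet before the cmdlet runs, and every session is transcribed for the detective side of the control. The time dimension (JIT) comes from the group membership itself: adding and removing the operator from CONTOSO\ServiceOps through an on-demand membership workflow grants and revokes the endpoint without any change to the endpoint.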
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
Human-operated ransomware
12/13/2021 • 3 minutes to read • Edit Online
Human-operated ransomware is a large and growing attack trend that represents a threat to organizations in
every industry.
Human-operated ransomware is different than commodity ransomware. These “hands-on-keyboard” attacks
target an organization rather than a single device and leverage human attackers’ knowledge of common system
and security misconfigurations to infiltrate the organization, navigate the enterprise network, and adapt to the
environment and its weaknesses as they go.
Hallmarks of these human-operated ransomware attacks typically include credential theft and lateral movement
and can result in deployment of a ransomware payload to high business impact resources the attackers choose.
These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete
adversary eviction to protect against future attacks. Unlike commodity ransomware that only requires malware
remediation, human-operated ransomware will continue to threaten your business operations after the initial
encounter.
This figure shows how this extortion-based attack that uses maintenance and security configuration gaps and
privileged access is growing in impact and likelihood.
You can also see an overview of the phases as levels of protection against ransomware attackers with the
Protect your organization from ransomware poster.
NOTE
This guidance will be updated as new information becomes available.
Mitigating ransomware and extortion attacks is an urgent priority for organizations because of the high impact
of these attacks and high likelihood an organization will experience one.
Ransomware is a type of extortion attack that encrypts files and folders, preventing access to important data.
Criminals use ransomware to extort money from victims, usually in the form of cryptocurrencies, in exchange
for a decryption key. Criminals also often use ransomware to extort money from victims in exchange for not
releasing sensitive data to the dark web or the public internet.
While early ransomware mostly used malware that spread with phishing or between devices, human-operated
ransomware has emerged where a gang of active attackers, driven by human intelligence, target an organization
rather than a single device or set of devices and leverage the attackers’ knowledge of common system and
security misconfigurations and vulnerabilities to infiltrate the organization, navigate the enterprise network, and
adapt to the environment and its weaknesses as they go.
These attacks can be catastrophic to business operations and are difficult to clean up, requiring complete
adversary eviction to protect against future attacks. Unlike early forms of ransomware that only required
malware remediation, human-operated ransomware can continue to threaten your business operations after the
initial encounter.
NOTE
See the 3 steps to prevent and recover from ransomware (September 2021) Microsoft security blog post for an additional
summary of this process.
At a glance
You can also see an overview of the phases and their implementation checklists as levels of protection against
ransomware attackers with the Protect your organization from ransomware poster.
Next step
Start with Phase 1 to prepare your organization to recover from an attack without having to pay the ransom.
The first thing you should do for these attacks is prepare your organization so that it has a viable alternative to
paying the ransom. While attackers in control of your organization have a variety of ways to pressure you into
paying, the demands primarily focus on two categories:
Pay to regain access
Attackers demand payment under the threat that they won’t give you back access to your systems and
data. This is most frequently done by encrypting your systems and data and demanding payment for the
decryption key.
IMPORTANT
Paying the ransom isn’t as simple and clean of a solution as it may seem. Because you're dealing with criminals
that are only motivated by payment (and often relatively amateur operators who are using a toolkit provided by
someone else), there is a lot of uncertainty around how well paying the ransom will actually work. There is no legal
guarantee that they will provide a key that decrypts 100% of your systems and data, or even provide a key at all.
The process to decrypt these systems uses homegrown attacker tools, which is often a clumsy and manual
process.
Secure backups
You must ensure that critical systems and their data are backed up and backups are protected against deliberate
erasure or encryption by an attacker.
Attacks on your backups focus on crippling your organization’s ability to respond without paying, frequently
targeting backups and key documentation required for recovery to force you into paying extortion demands.
Most organizations don’t protect backup and restoration procedures against this level of intentional targeting.
NOTE
This preparation also improves resilience to natural disasters and rapid attacks like WannaCry and (Not)Petya.
Backup and restore plan to protect against ransomware addresses what to do before an attack to protect your
critical business systems and during an attack to ensure a rapid recovery of your business operations.
Program and project member accountabilities
This table describes the overall protection of your data from ransomware in terms of a sponsorship/program
management/project management hierarchy to determine and drive results.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Apply these best practices to secure your backup infrastructure.
DONE | TASK | DESCRIPTION
Data protection
You must implement data protection to ensure rapid and reliable recovery from a ransomware attack and to
block some techniques of attackers.
Ransomware extortion and destructive attacks only work when all legitimate access to data and systems is lost.
Ensuring that attackers cannot remove your ability to resume operations without payment will protect your
business and undermine the monetary incentive for attacking your organization.
Program and project member accountabilities
This table describes the overall protection of your organization data from ransomware in terms of a
sponsorship/program management/project management hierarchy to determine and drive results.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Apply these best practices to protect your organization data.
DONE | TASK | DESCRIPTION
[ ] | Migrate your organization to the cloud: move user data to cloud solutions like OneDrive/SharePoint to take advantage of versioning and recycle bin capabilities. | User data in the Microsoft cloud can be protected by built-in security and data management features.
Next step
Continue with Phase 2 to limit the scope of damage of an attack by protecting privileged roles.
In this phase, you prevent attackers from obtaining a large scope of access for potential damage to data and
systems by protecting privileged roles.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Build a multi-part strategy using the guidance at https://aka.ms/SPA that includes this checklist.
DONE | TASK | DESCRIPTION
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Central IT Productivity / End User Team | Enable features for Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Apply these best practices for improving your detection and response.
DONE | TASK | DESCRIPTION
Continue with Phase 3 to make it hard for an attacker to get into your environment by incrementally removing
risks.
In this phase, you make the attackers work a lot harder to get into your on-premises or cloud infrastructures by
incrementally removing the risks at the points of entry.
IMPORTANT
While many of these will be familiar and/or easy to quickly accomplish, it's critically important that your work on Phase
3 should not slow down your progress on phases 1 and 2!
Remote access
Gaining access to your organization's intranet through a remote access connection is an attack vector for
ransomware attackers. Once an on-premises user account is compromised, an attacker is free to roam on an
intranet to gather intelligence, elevate privileges, and install ransomware code. The recent Colonial Pipeline
cyberattack is an example.
Program and project member accountabilities
This table describes the overall protection of your remote access solution from ransomware in terms of a
sponsorship/program management/project management hierarchy to determine and drive results.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Apply these best practices to protect your remote access infrastructure from ransomware attackers.
DONE | TASK | DESCRIPTION
[ ] | Configure security for existing third-party VPN solutions (Cisco AnyConnect, Palo Alto Networks GlobalProtect & Captive Portal, Fortinet FortiGate SSL VPN, Citrix NetScaler, Zscaler Private Access (ZPA), and more). | Take advantage of the built-in security of your remote access solution.
[ ] | Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Cloud Productivity or End User Team | Enable Defender for Office 365, ASR, and AMSI
Implementation checklist
Apply these best practices to protect your email and collaboration solutions from ransomware attackers.
DONE | TASK | DESCRIPTION
[ ] | Enable AMSI for Office VBA. | Detect Office macro attacks with endpoint tools like Defender for Endpoint.
[ ] | Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings.
Endpoints
Implement relevant security features and rigorously follow software maintenance best practices for computers
and applications, prioritizing applications and server/client operating systems directly exposed to Internet traffic
and content.
Internet-exposed endpoints are a common entry vector that provides attackers access to the organization's
assets. Prioritize blocking common OS and application attack techniques with preventive controls to slow or stop
attackers from executing the next stages.
Program and project member accountabilities
This table describes the overall protection of your endpoints from ransomware in terms of a
sponsorship/program management/project management hierarchy to determine and drive results.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Implementation checklist
Apply these best practices to all Windows, Linux, MacOS, Android, iOS, and other endpoints.
DONE | TASK | DESCRIPTION
[ ] | Block known threats with attack surface reduction rules, tamper protection, and block at first sight. | Don't let lack of use of these built-in security features be the reason an attacker entered your organization.
[ ] | Maintain your software so that it is updated: rapidly deploy critical security updates for operating systems, browsers, & email clients. | Attackers are counting on you missing or neglecting manufacturer updates and upgrades.
[ ] | Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings.
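Several items in the Phase 3 checklists (attack surface reduction rules, block at first sight, and AMSI scanning of Office VBA) are Windows settings that can be applied and verified locally. The script below is an example added to this page, not Microsoft's own deployment tooling; in production these settings are pushed with Intune, Group Policy or Microsoft Defender for Endpoint, and tamper protection, which the checklist also names, can only be turned on from those management channels, not from a local script. The five rule GUIDs are Microsoft's published ASR rule identifiers; confirm them against the current attack surface reduction rules reference before deploying, and start in audit mode as the script does. The choice to audit first and the registry path used for the macro scan scope are assumptions stated in the comments.

```powershell
# Added example, not Microsoft's deployment tooling: apply the Windows
# preventive controls named in the Phase 3 checklists and verify them.
# Run elevated on a Windows 10/11 or Windows Server host running Defender AV.
# Rule GUIDs are Microsoft's published ASR rule IDs; confirm against the
# current ASR rules reference before rolling out.

$asrRules = [ordered]@{
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Assumption: start in AuditMode, review Defender event 1122 hits, then switch
# to Enabled. Add-MpPreference appends; Set-MpPreference would replace the list.
$mode = 'AuditMode'
Add-MpPreference -AttackSurfaceReductionRules_Ids @($asrRules.Keys) `
                 -AttackSurfaceReductionRules_Actions (@($mode) * $asrRules.Count)

# Block at first sight needs cloud-delivered protection plus sample submission.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High

# AMSI scanning of Office VBA macros: this is the registry value written by the
# "Macro Runtime Scan Scope" policy (2 = all documents, 1 = low-trust only, 0 = off).
$officeSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $officeSec -Force | Out-Null
Set-ItemProperty -Path $officeSec -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

# Tamper protection cannot be enabled from a local script; turn it on from
# Intune or the Microsoft 365 Defender portal so these settings cannot be undone locally.

# Verification: one line per rule with its effective action, then the cloud state.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
foreach ($id in $asrRules.Keys) {
    $state = 'missing'
    for ($j = 0; $j -lt $ids.Count; $j++) {
        if ($ids[$j] -eq $id) { $state = $actionNames[[int]$acts[$j]] }
    }
    '{0,-8} {1}' -f $state, $asrRules[$id]
}
$scope = (Get-ItemProperty $officeSec).MacroRuntimeScanScope
'Block at first sight: {0}; MAPS: {1}; VBA scan scope: {2}' -f (-not $pref.DisableBlockAtFirstSeen), $pref.MAPSReporting, $scope
```

The verification loop is the part worth keeping: run it from your endpoint management tooling and the output becomes a baseline that the "audit and monitor" row can compare against, so a rule silently flipped back to Disabled shows up as a deviation rather than going unnoticed until an incident.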
Accounts
Just as antique skeleton keys won't protect a house against a modern-day burglar, passwords cannot protect
accounts against the common attacks we see today. While multi-factor authentication (MFA) was once a
burdensome extra step, passwordless authentication improves the sign-in experience using biometric
approaches that don't require your users to remember or type a password. Additionally, a Zero Trust
infrastructure stores information about trusted devices, which reduces prompting for annoying out-of-band MFA
actions.
Starting with high-privilege administrator accounts, rigorously follow these best practices for account security
including using passwordless or MFA.
Program and project member accountabilities
This table describes the overall protection of your accounts from ransomware in terms of a
sponsorship/program management/project management hierarchy to determine and drive results.
LEAD | IMPLEMENTOR | ACCOUNTABILITY
Program lead from Identity and Key Management or Security Architecture teams | Drive results and cross-team collaboration
Implementation checklist
Apply these best practices to protect your accounts from ransomware attackers.
DONE | TASK | DESCRIPTION
[ ] | Audit and monitor to find and fix deviations from baseline and potential attacks (see Detection and Response). | Reduces risk from ransomware activities that probe baseline security features and settings.
Ransomware attacks deliberately encrypt or erase data and systems to force your organization to pay money to
attackers. These attacks target your data, your backups, and also key documentation required for you to recover
without paying the attackers (as a means to increase the chances your organization will pay).
This article addresses what to do before an attack to protect your critical business systems and during an attack
to ensure a rapid recovery of business operations.
NOTE
Preparing for ransomware also improves resilience to natural disasters and rapid attacks like WannaCry & (Not)Petya.
What is ransomware?
Ransomware is a type of extortion attack that encrypts files and folders, preventing access to important data
and systems. Attackers use ransomware to extort money from victims, usually in the form of cryptocurrencies,
in exchange for a decryption key or in exchange for not releasing sensitive data to the dark web or the public
internet.
While early ransomware mostly used malware that spread with phishing or between devices, human-operated
ransomware has emerged where a gang of active attackers, driven by human attack operators, target all
systems in an organization (rather than a single device or set of devices). An attack can:
Encrypt your data
Exfiltrate your data
Corrupt your backups
The ransomware leverages the attackers’ knowledge of common system and security misconfigurations and
vulnerabilities to infiltrate the organization, navigate the enterprise network, and adapt to the environment and
its weaknesses as they go.
Ransomware can be staged to exfiltrate your data first, over several weeks or months, before the ransomware
actually executes on a specific date.
Ransomware can also slowly encrypt your data while keeping your key on the system. With your key still
available, your data is usable to you and the ransomware goes unnoticed. Your backups, though, are of the
encrypted data. Once all of your data is encrypted and recent backups are also of encrypted data, your key is
removed so you can no longer read your data.
The real damage is often done when the attack exfiltrates files while leaving backdoors in the network for future
malicious activity—and these risks persist whether or not the ransom is paid. These attacks can be catastrophic
to business operations and difficult to clean up, requiring complete adversary eviction to protect against future
attacks. Unlike early forms of ransomware that only required malware remediation, human-operated
ransomware can continue to threaten your business operations after the initial encounter.
Impact of an attack
The impact of a ransomware attack on any organization is difficult to quantify accurately. Depending on the
scope of the attack, the impact could include:
Loss of data access
Business operation disruption
Financial loss
Intellectual property theft
Compromised customer trust or tarnished reputation
Legal expenses
NOTE
There are two types of vaults in Azure Backup. In addition to the Recovery Services vaults, there are also Backup vaults
that house data for newer workloads supported by Azure Backup.
TASK | DETAIL
Identify the important systems that you need to bring back online first (using the top five categories above) and immediately begin performing regular backups of those systems. | To get back up and running as quickly as possible after an attack, determine today what is most important to you.
Migrate your organization to the cloud. | Reduce your on-premises exposure by moving data to cloud services with automatic backup and self-service rollback.
Consider purchasing a Microsoft Unified Support plan or working with a Microsoft partner to help support your move to the cloud. | Microsoft Azure has a robust set of tools to help you back up your business-critical systems and restore your backups faster.
Move user data to cloud solutions like OneDrive and SharePoint to take advantage of versioning and recycle bin capabilities. | User data in the Microsoft cloud can be protected by built-in security and data management features.
Educate users on how to recover their files by themselves to reduce delays and cost of recovery. For example, if a user's OneDrive files were infected by malware, they can restore their entire OneDrive to a previous time. Consider a defense strategy, such as Microsoft 365 Defender, before allowing users to restore their own files. | It's good to teach users how to restore their own files, but you need to be careful that your users do not restore the malware used to carry out the attack. You need to: ensure your users don't restore their files until you are confident that the attacker has been evicted; have a mitigation in place in case a user does restore some of the malware.
Implement Azure Security Benchmark. | Azure Security Benchmark is Azure's own security control framework, based on industry security control frameworks such as NIST SP 800-53 and CIS Controls v7.1. It provides organizations guidance on how to configure Azure and Azure services and implement the security controls. See Backup and Recovery.
Regularly exercise your business continuity/disaster recovery (BC/DR) plan. Simulate incident response scenarios. Exercises you perform in preparing for an attack should be planned and conducted around your prioritized backup and restore lists. Regularly test the "Recover from Zero" scenario to ensure your BC/DR can rapidly bring critical business operations online from zero functionality (all systems down). | Ensures rapid recovery of business operations by treating a ransomware or extortion attack with the same importance as a natural disaster. Conduct practice exercise(s) to validate cross-team processes and technical procedures, including out-of-band employee and customer communications (assume all email and chat is down).
Consider creating a risk register to identify potential risks and address how you will mitigate them through preventative controls and actions. Add ransomware to the risk register as a high likelihood and high impact scenario. Track mitigation status via the Enterprise Risk Management (ERM) assessment cycle. | A risk register can help you prioritize risks based on the likelihood of that risk occurring and the severity to your business should that risk occur.
Back up all critical business systems automatically on a regular schedule (including backup of critical dependencies like Active Directory). | Allows you to recover data up to the last backup.
Protect (or print) supporting documents and systems required for recovery such as restoration procedure documents, CMDB, network diagrams, and SolarWinds instances. | Attackers deliberately target these resources because it impacts your ability to recover.
Ensure you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers, and from the malware analysis provider. Protect (or print) these procedures. | Third-party contacts may be useful if the given ransomware variant has known weaknesses or decryption tools are available.
Ensure your backup and recovery strategy includes: the ability to back up data to a specific point in time; multiple copies of backups stored in isolated, offline (air-gapped) locations. | Backups are essential for resilience after an organization has been breached. Apply the 3-2-1 rule for maximum protection and availability: 3 copies (original + 2 backups), 2 storage types, and 1 offsite or cold copy.
Protect backups against deliberate erasure and encryption: store backups in offline or off-site storage and/or immutable storage; require out-of-band steps (such as MFA or a security PIN) before permitting an online backup to be modified or erased; create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports offline backup, which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a Recovery Services vault. Online immutable storage (such as Azure Blob) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval.
Protect against a phishing attempt: conduct security awareness training regularly to help users identify a phishing attempt and avoid clicking on something that can create an initial entry point for a compromise; apply security filtering controls to email to detect and minimize the likelihood of a successful phishing attempt. | The most common method used by attackers to infiltrate an organization is phishing attempts via email. Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. An example of a security filtering control for email is Safe Links. Safe Links is a feature in Defender for Office 365 that provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in EOP. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
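As an added example of the "protect backups against deliberate erasure and encryption" controls in the table above (not code from the Azure Backup documentation), the PowerShell below puts three independent obstacles between an attacker holding Azure credentials and your recovery points: soft delete on a Recovery Services vault, a CanNotDelete lock on the vault resource, and a locked time-based immutability (WORM) policy on the blob container that receives the offsite copy. The resource names and the 90-day retention are assumptions; the script needs the Az.Accounts, Az.RecoveryServices, Az.Storage and Az.Resources modules and a Connect-AzAccount session with rights on the resource group.

```powershell
# Added example: harden an Azure Recovery Services vault and a blob container
# holding backup copies against deletion or modification by an attacker who
# has obtained Azure credentials. Requires Az.Accounts, Az.RecoveryServices,
# Az.Storage, Az.Resources and an authenticated session (Connect-AzAccount).
# Resource names and the retention period are assumptions for illustration.

$rg         = 'rg-backup-prod'
$vaultName  = 'rsv-prod-01'
$saName     = 'stbackupcopies01'
$container  = 'offsite-copies'
$retainDays = 90

# 1. Soft delete on the vault: deleted backup data is retained for 14 days and
#    can be undeleted, so a "delete all recovery points" action is reversible.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $vaultName
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable | Out-Null

# 2. A CanNotDelete lock on the vault itself: deleting it now requires a
#    separate, auditable step (removing the lock) by a principal allowed to do so.
New-AzResourceLock -LockName 'no-delete-backup-vault' -LockLevel CanNotDelete `
    -ResourceName $vaultName -ResourceType 'Microsoft.RecoveryServices/vaults' `
    -ResourceGroupName $rg -Force | Out-Null

# 3. Time-based immutability (WORM) on the container that receives the offsite
#    copy. Once locked, the retention period can only be extended, never
#    shortened or removed, not even by the subscription owner.
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $saName -ContainerName $container `
    -ImmutabilityPeriod $retainDays | Out-Null
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $saName -ContainerName $container
Lock-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
    -StorageAccountName $saName -ContainerName $container -Etag $policy.Etag -Force | Out-Null

# 4. Verify the controls; this part can run on a schedule as a detective check.
$props  = Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
$locks  = Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vaultName `
            -ResourceType 'Microsoft.RecoveryServices/vaults'
$policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rg `
            -StorageAccountName $saName -ContainerName $container
[pscustomobject]@{
    SoftDelete        = $props.SoftDeleteFeatureState                               # expect Enabled
    VaultDeleteLock   = $null -ne ($locks | Where-Object Level -eq 'CanNotDelete')   # expect True
    ImmutabilityState = $policy.State                                               # expect Locked
    RetentionDays     = $policy.ImmutabilityPeriodSinceCreationInDays
}
```

The immutability lock is deliberately one-way: after Lock-AzRmStorageContainerImmutabilityPolicy the retention period can be extended but never shortened or removed, so test the policy unlocked first and derive the period from your recovery objectives. Soft delete and the resource lock are reversible, which is exactly why the final object is worth emitting on a schedule: a detection rule that alerts when any field drifts from its expected value catches an attacker dismantling the safeguards before they get to the backups.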
TASK | DETAIL
Early in the attack, engage third-party support, particularly support from threat intelligence providers, antimalware solution providers and from the malware analysis provider. | These contacts may be useful if the given ransomware variant has a known weakness or decryption tools are available.
Contact your local or federal law enforcement agencies. | If you are in the United States, contact the FBI to report a ransomware breach using the IC3 Complaint Referral Form.
Take steps to remove malware or ransomware payload from your environment and stop the spread. | You can use Windows Defender or (for older clients) Microsoft Security Essentials.
Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware. | An alternative that will also help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT).
Restore business-critical systems first. Remember to validate again that your backup is good before you restore. | At this point, you don't need to restore everything. Focus on the top five business-critical systems from your restore list.
If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment. | To prevent future attacks, ensure ransomware or malware is not on your offline backup before restoring.
Identify a safe point-in-time backup image that is known not to be infected. | To prevent future attacks, scan backup for ransomware or malware before restoring.
Use a safety scanner and other tools for full operating system restore as well as data restore scenarios. | Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
Ensure that your antivirus or endpoint detection and response (EDR) solution is up to date. You also need to have up-to-date patches. | An EDR solution, such as Microsoft Defender for Endpoint, is preferred.
After business-critical systems are up and running, restore other systems. | Telemetry data should help you identify if malware is still on your systems.
Next steps
In this article, you learned how to improve your backup and restore plan to protect against ransomware. For
best practices on deploying ransomware protection, see Rapidly protect against ransomware and extortion.
Key industry information:
2021 Microsoft Digital Defense Report (see pages 10-19)
Microsoft Azure:
Help protect from ransomware with Microsoft Azure Backup (26 minute video)
Recovering from systemic identity compromise
Advanced multistage attack detection in Microsoft Sentinel
Microsoft 365:
Recover from a ransomware attack
Malware and ransomware protection
Protect your Windows 10 PC from ransomware
Handling ransomware in SharePoint Online
Microsoft 365 Defender:
Find ransomware with advanced hunting
Microsoft Security team blog posts:
Becoming resilient by understanding cybersecurity risks: Part 4, navigating current threats (May 2021). See
the Ransomware section
Human-operated ransomware attacks: A preventable disaster (March 2020). Includes attack chain analysis of
actual human-operated ransomware attacks
Ransomware response — to pay or not to pay? (December 2019)
Norsk Hydro responds to ransomware attack with transparency (December 2019)
Microsoft Security Best Practices module:
Information protection and storage
12/13/2021 • 2 minutes to read • Edit Online
Intellectual property that is valuable to the organization (or its customers/constituents) requires security
protection appropriate to its value.
See the Storage, data, and encryption and Capabilities topics for more information.
The following videos provide guidance on information protection and storage. You can also download the
PowerPoint slides associated with these videos.
For more information about information protection capabilities across Microsoft 365 and SQL databases, see
CISO Workshop Module 5: Information Protection and Information protection and storage capabilities.
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
Storage, data, and encryption
12/13/2021 • 3 minutes to read • Edit Online
Protecting data at rest is required to maintain confidentiality, integrity, and availability assurances across all
workloads. Storage in a cloud service like Azure is architected and implemented quite differently than on
premises solutions to enable massive scaling, modern access through REST APIs, and isolation between tenants.
Granting access to Azure storage is possible through Azure Active Directory (Azure AD) as well as key based
authentication mechanisms (Symmetric Shared Key Authentication, or Shared Access Signature (SAS)).
Storage in Azure includes a number of native security design attributes:
All data is encrypted by the service.
Data in the storage system cannot be read by a tenant if it has not been written by that tenant (to mitigate
the risk of cross tenant data leakage).
Data will remain only in the region you choose.
The system maintains three synchronous copies of data in the region you choose.
Detailed activity logging is available on an opt-in basis.
Additional security features can be configured, such as a storage firewall to provide an additional layer of access
control, as well as storage threat protection to detect anomalous access and activities.
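The access and firewall attributes above translate into a handful of account settings. The PowerShell below is an example added to this page, not Microsoft's own script: it closes the storage firewall by default, requires TLS 1.2, turns off shared-key (symmetric) authentication so that only Azure AD identities can reach the data plane, and then issues a read-only, one-hour user delegation SAS for a single container in place of an account key. The resource names and the 203.0.113.0/24 documentation range are assumptions; the caller needs Connect-AzAccount, the Az.Storage and Az.Resources modules, and the Storage Blob Delegator role on the account to obtain a user delegation key.

```powershell
# Added example, not Microsoft's own script: apply the Azure Storage access
# controls described above to one account and hand a client a short-lived
# Azure AD-backed SAS instead of an account key. Requires Az.Storage, Az.Resources
# and Connect-AzAccount. Names and the IP range are assumptions for illustration.

$rg        = 'rg-data-prod'
$saName    = 'stappdata01'
$container = 'reports'
$allowedIp = '203.0.113.0/24'   # documentation range, standing in for your egress

# 1. Storage firewall: default deny, then allow only the listed network.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
    -DefaultAction Deny -Bypass AzureServices | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -IPAddressOrRange $allowedIp | Out-Null

# 2. Transport and authentication floor: TLS 1.2 only, HTTPS only, no shared key.
#    With AllowSharedKeyAccess off, account-key SAS tokens stop working too;
#    clients must use Azure AD (RBAC) or a user delegation SAS.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName `
    -MinimumTlsVersion TLS1_2 -AllowSharedKeyAccess $false `
    -EnableHttpsTrafficOnly $true | Out-Null

# 3. User delegation SAS: one container, read-only, one hour, HTTPS only, signed
#    with a key derived from the caller's Azure AD token rather than the account
#    key, so removing the caller's role also invalidates the SAS.
$ctx = New-AzStorageContext -StorageAccountName $saName -UseConnectedAccount
$uri = New-AzStorageContainerSASToken -Name $container -Permission r `
    -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) `
    -Protocol HttpsOnly -Context $ctx -FullUri
$uri   # hand this to the client; it is useless after one hour

# 4. Verify the resulting posture.
$acct = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
[pscustomobject]@{
    DefaultNetworkAction = $acct.NetworkRuleSet.DefaultAction   # expect Deny
    MinimumTls           = $acct.MinimumTlsVersion              # expect TLS1_2
    SharedKeyAllowed     = $acct.AllowSharedKeyAccess           # expect False
    HttpsOnly            = $acct.EnableHttpsTrafficOnly         # expect True
}
```

Disabling shared-key access is the setting most worth dwelling on: with it off, every leaked account key and every SAS signed by one stops working, and data-plane calls carry an Azure AD identity in the logs instead of an anonymous key. The user delegation SAS stays bounded both by its own expiry and by the lifetime of the delegation key (at most seven days), and revoking the delegating user's role invalidates it early.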
Encryption is a powerful tool for security, but it's critical to understand its limits in protecting data. Much like a
safe, encryption restricts access to only those with possession of a small item (a mathematical key). While it's
easier to protect possession of keys than larger datasets, it is imperative that you provide the appropriate
protections for the keys. Protecting cryptographic keys is not a natural intuitive human process (especially
because electronic data like keys can be copied perfectly without a forensic evidence trail), so it is often
overlooked or implemented poorly.
While encryption is available in many layers in Azure (and often on by default), we have identified the layers that
are most important to implement (high potential for data to move to another storage medium) and are easiest
to implement (near zero overhead).
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
Information protection and storage capabilities
12/13/2021 • 3 minutes to read • Edit Online
This article lists the capabilities that can help with information protection and storage.
CAPABILITY | DESCRIPTION | MORE INFORMATION
Data loss prevention (DLP) | With DLP policies, you can identify, monitor, and automatically protect sensitive information across Office 365. Data loss prevention policies can use sensitivity labels and sensitive information types to identify sensitive information. |
Office 365 Message Encryption (OME) | With Office 365 Message Encryption, your organization can send and receive encrypted email messages between people inside and outside your organization. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content. |
Azure Storage | Azure Storage includes Azure Blobs (objects), Azure Data Lake Storage Gen2, Azure Files, Azure Queues, and Azure Tables. | Azure Storage documentation
Azure SQL Database | Azure SQL Database is a general-purpose relational database, provided as a managed service. With it, you can create a highly available and high-performance data storage layer for the applications and solutions in Azure. | Azure SQL Database documentation
Azure SQL Database security capabilities | Security capabilities for data include Always Encrypted and Transparent Data Encryption (TDE). | An overview of Azure SQL Database security capabilities
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.
Applications and services
12/13/2021 • 16 minutes to read • Edit Online
Applications and the data associated with them ultimately act as the primary store of business value on a cloud
platform. While the platform components like identity and storage are critical elements of the security
environment, applications play an outsize role in risks to the business because:
Business Processes are encapsulated and executed by applications and services, which therefore need to be
available and provided with high integrity
Business Data is stored and processed by application workloads and requires high assurances of
confidentiality, integrity, and availability.
This section focuses on applications written by your organization or by others on behalf of your organization vs.
SaaS or commercially available applications installed on IaaS VMs.
Modern cloud platforms like Azure can host both legacy and modern generations of applications:
Legacy applications are hosted on Infrastructure as a Service (IaaS) virtual machines that typically
include all dependencies including OS, middleware, and other components.
Modern Platform as a Service (PaaS) applications don’t require the application owner to manage and
secure the underlying server operating systems (OSes) and are sometimes fully “Serverless” and built
primarily using functions as a service.
Notes: Popular forms of modern applications are application code hosted on Azure App Services and
containerized applications (though containers can also be hosted on IaaS VMs or on-premises as well).
Hybrid – While hybrid applications can take many forms, the most common is an “IaaS plus” state where
legacy applications are transitioning to a modern architecture, with modern services replacing legacy
components or being added to a legacy application.
Securing an application requires security assurances for three different component types:
Application Code – This is the logic that defines the custom application that you write. The security of
this code is the application owners’ responsibility in all generations of application architecture including
any open-source snippets or components included in the code. Securing the code requires identifying
and mitigating risks from the design and implementation of the application as well as assessing supply
chain risk of included components. Note that the evolution of applications into microservices
architectures will break various aspects of application code into smaller services vs. a single monolithic
codebase.
Application Services – These are the various standardized components that the application uses such
as databases, identity providers, event hubs, IoT device management, and so on. For cloud services this is
a shared responsibility:
Cloud Provider - The security of the underlying service is the responsibility of the cloud provider
Application Owner - The application owner is responsible for security implications of the
configuration and operation of the service instance(s) used by the application including any data
stored and processed on the service.
Application Hosting Platform – This is the computing environment where the application actually
executes and runs. In an enterprise with applications hosted on premises, in Azure and in third-party
clouds like Amazon Web Services (AWS), this could take many forms with significant variations on who is
responsible for security:
Legacy Applications typically require a full operating system (and any middleware) hosted on
physical or virtualized hardware. The virtual hardware can be hosted on premises or on
Infrastructure as a Service (IaaS) VMs. This operating system and installed middleware/other
components are operated and secured by the application owner or their infrastructure team(s).
The responsibility for the physical hardware and OS virtualization components (virtualization
hosts, operating systems, and management services) varies:
On premises - The application owner or their organization is responsible for maintenance
and security.
IaaS – The cloud provider is responsible for maintenance and security of the underlying
infrastructure and the application owner’s organization is responsible for the VM
configuration, operating system, and any components installed on it.
Modern Applications are hosted on Platform as a Service (PaaS) environments such as an Azure
application service. In most application service types, the underlying operating system is
abstracted from the application owner and secured by the cloud provider. Application owners are
responsible for the security of the application service configurations that are provided to them.
Containers are an application packaging mechanism in which applications are abstracted from
the environment in which they run. These containerized applications fit into either the legacy or
modern models above depending on whether they are run on a container service by the cloud
provider (Modern Applications) or on a server managed by the organization (on premises or in
IaaS). See the container security section below for more details.
Reduce the count and potential severity of security bugs in your application by implementing security practices
and tools during the development lifecycle.
Security bugs can result in an application disclosing confidential data, allowing criminals to alter data/records, or
the data/application becoming unavailable for use by customers and employees. Applications will always have
some logic errors that can result in security risk, so it is important to discover, evaluate, and correct them to
avoid damage to the organization’s reputation, revenue, or margins. It is easier and cheaper to resolve these
earlier in the development lifecycle than it is to correct them after the application has completed testing, is in
production use, or has been breached; this is frequently called the “shift left” or “push left” principle.
Mitigating application risk is achieved by integrating security practices and tools into the development lifecycle,
often called a secure development lifecycle (SDL or SDLC). Microsoft has published a number of
recommendations in a whitepaper entitled Develop Secure Apps on Azure based on Microsoft’s Security
Development Lifecycle to mitigate common risks with input and output validation, perform fuzz testing, attack
surface reviews, and more.
Perform threat modeling on your business-critical applications to discover and mitigate potential risks to your
organization.
Threat modeling identifies risks to the application itself as well as risks that the application may pose to your
enterprise, particularly when evaluating individual applications in a larger system.
Threat modeling can be used at any stage of application development or production, but it is uniquely effective
for the design stages of new functionality because no real-world data yet exists for that application.
Because threat modeling is a skill intensive exercise, we recommend taking measures to minimize time
investment while maximizing security value:
1. Prioritize by risk - Apply threat modeling first to business-critical applications that would have an
outsize impact on the business if compromised
2. Limit Scope - Perform threat modeling in progressive stages of detail to quickly identify quick wins and
actionable mitigations before spending a lot of manual effort:
a. Start with simple questions method (See Simple questions method, documented below) to
quickly get insight into risks and whether basic protections are in place
b. Progressively evaluate Application Design – as resources and expertise are available, move to
a more advanced analysis using the STRIDE method (see Advanced threat modeling techniques) or
another similar one already used by your team. Start with the architecture level design and
progressively increase detail as time and resources allow:
a. System level design – includes applications and how they interact with each other
b. Application level – includes components of the application and how they interact with
each other
c. Component level – includes how the individual component is composed and how each
element of it interacts with each other
3. Align with Development lifecycle – Optimize your efforts by aligning threat modeling activities with
your application development lifecycles.
a. Waterfall – ensure major projects include threat modeling during the design process and
during significant updates to the application.
b. DevOps – Trigger threat modeling activities at a frequency that adds security value without over-
burdening the development teams. Good integration points are the introduction of
significant features or changes to the application and a regular recurring calendar schedule, for
example every quarter for business-critical applications.
c. Legacy applications – These applications typically lack support, source code access, and/or
expertise in the organization, so perform threat modeling on a best effort basis with what
application knowledge/expertise you have available.
Simple questions method
This simple questioning method is designed to get security professionals and developers started on threat
modeling before moving on to a more advanced method like STRIDE or OWASP’s method (see Top-down
approach through threat modeling).
Are you authenticating connections using Azure AD, TLS (with mutual authentication), or another modern
security protocol approved by your security team? This protects against unauthorized access to the
application and data.
Between users and the application (if applicable)
Between different application components and services (if applicable)
Do you limit which accounts have access to write or modify data in the application to only those required
to do so? This reduces risk of unauthorized data tampering/alteration
Is the application activity logged and fed into a Security Information and Event Management (SIEM) via
Azure Monitor or a similar solution? This helps the security team detect attacks and quickly investigate
them.
Is business-critical data protected with encryption that has been approved by the security team? This
helps protect against unauthorized copying of data while at rest.
Is inbound and outbound network traffic encrypted using TLS? This helps protect against unauthorized
copying of data while in transit.
Is the application protected against Distributed Denial of Service (DDoS) attacks using services like Azure
DDoS protection, Akamai, or similar? This protects against attacks designed to overload the application so
it can’t be used.
Does the application store any sign in credentials or keys to access other applications, databases, or
services? This helps identify whether an attack can use your application to attack other systems.
Do the application controls allow you to fulfill security and privacy requirements for the localities you
operate in? This helps protect users’ private data and avoid compliance fines.
Important: Security is a complex topic and the potential risks are limited only by the imagination of smart,
motivated attackers. These questions are designed to help identify readily discoverable gaps that are easily
exploited by attackers. As you develop comfort and competencies with this method, you can look to grow
your ability to threat model by progressing to advanced threat modeling techniques.
Microsoft Security Development Lifecycle has documented a process of threat modeling and released
a free tool to assist with this process
This method evaluates application components and connections/relationships against potential
risks, which map to the STRIDE mnemonic:
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Privilege Elevation
This method can be applied to any level of the design, from the high-level architecture down to specific
application components.
OWASP – The Open Web Application Security Project (OWASP) has documented a threat modeling
approach for applications, which refers to STRIDE and other methods
https://www.owasp.org/index.php/Application_Threat_Modeling
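The STRIDE-per-element enumeration described above, combined with a check for the controls the simple questions method asks about, as an added example that is not code from this guidance or from the SDL Threat Modeling Tool. The element-to-threat table is the standard STRIDE-per-element mapping; the control labels, the control-to-category mapping and the sample model are simplified assumptions constructed for this example.

```python
"""STRIDE-per-element threat enumeration with a mitigation check (added example)."""
from dataclasses import dataclass, field

# Standard STRIDE-per-element table: threat categories that apply to each
# kind of data-flow-diagram element.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
THREAT_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}
# Assumed, simplified mapping from the simple-questions controls to the
# STRIDE category each one addresses (control labels are constructed).
MITIGATES = {"S": {"azure_ad_auth", "mutual_tls"},
             "T": {"tls", "least_privilege_writes"},
             "R": {"siem_logging"},
             "I": {"tls", "encrypted_at_rest"},
             "D": {"ddos_protection"},
             "E": {"least_privilege_writes"}}


@dataclass
class Element:
    name: str
    kind: str                               # external | process | store | flow
    controls: set = field(default_factory=set)


def enumerate_threats(elements):
    """Yield (element, threat, mitigated) for every applicable STRIDE category."""
    for el in elements:
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            yield el.name, THREAT_NAMES[letter], bool(el.controls & MITIGATES[letter])


def open_threats(elements):
    """Threats with no matching control: the gaps to take into design review."""
    return [(n, t) for n, t, done in enumerate_threats(elements) if not done]


# Constructed sample model: browser -> web API -> SQL database.
SAMPLE = [
    Element("browser", "external", {"azure_ad_auth"}),
    Element("browser->api", "flow", {"tls"}),
    Element("web api", "process", {"azure_ad_auth", "siem_logging", "ddos_protection"}),
    Element("api->db", "flow", {"tls"}),
    Element("sql db", "store", {"encrypted_at_rest"}),  # no write restriction, no logging
]

if __name__ == "__main__":
    for name, threat in open_threats(SAMPLE):
        print(f"OPEN  {name:12} {threat}")
```

Running it lists the nine unmitigated element/threat pairs in the sample (for example Tampering and Repudiation on the database), which is the component-level starting point for the progressive analysis the text recommends.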
Next steps
For additional security guidance from Microsoft, see Microsoft security documentation.