Center for Internet Security releases Microsoft 365 benchmarks

Follow the guidance in this CIS document to configure Microsoft 365 security settings to the level that suits your organization.

The Center for Internet Security (CIS) is a non-profit organization that publishes security benchmarks and checklists. Recently, as noted in the Microsoft Secure blog, CIS released its CIS Microsoft 365 Foundations Benchmark version 1.0.0. Each recommendation in it is assigned to one of two profiles, so you can choose how much hardening to apply:

  • Level 1—Recommended minimum security settings that should be configured on any system and should cause little or no interruption of service or reduced functionality.
  • Level 2—Recommended security settings for highly secure environments and could result in some reduced functionality.

For example, the benchmark gives you actionable items to implement in your organization such as multifactor authentication (MFA):

Figure: Implement MFA (source: Center for Internet Security)

To obtain the document, log in to the CIS website and download the guide. CIS is also requesting feedback: you can sign up on the site and report where the settings have or have not worked for you.

The document states each recommendation and then provides the rationale for it. For example, the current recommendation on password expiration is to not expire passwords at all and to add two-factor authentication (2FA) as the compensating control:

Review the password expiration policy to ensure that user passwords in Office 365 are not set to expire.
NIST has updated their recommendation to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it.

Each recommendation then describes how to confirm that the setting you chose was actually applied. In the case of password expiration, you can audit the setting as shown:

Figure: Audit password policy (source: Center for Internet Security)
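The following is an added example, not the benchmark's own audit script and not code from the article. It shows how to audit the two recommendations discussed on this page, password expiration and MFA, from PowerShell, and how to remediate the tenant-level expiration setting. The benchmark's own audit step uses the older MSOnline module (Get-MsolPasswordPolicy and Get-MsolUser); that module is deprecated in favour of the Microsoft Graph PowerShell SDK, so this example uses Graph cmdlets instead. It assumes the Microsoft.Graph modules are installed and that the signed-in account holds a role able to read domains, users and the authentication-methods report; the function names and the 14-day notification window are this example's own choices.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Reports

# Added example (not from the CIS benchmark or the article). Assumes the Microsoft.Graph
# SDK is installed and the signed-in account can read domains, users and the
# authentication-methods registration report.

# Graph's documented sentinel for "password never expires" at the domain level.
$MaxValidity = 2147483647

function Connect-TenantForAudit {
    # Read-only scopes: Domain.Read.All for the tenant policy, User.Read.All for
    # per-user flags, AuditLog.Read.All for the MFA registration report.
    # Request Domain.ReadWrite.All separately only when remediating.
    Connect-MgGraph -Scopes 'Domain.Read.All', 'User.Read.All', 'AuditLog.Read.All' -NoWelcome
}

function Test-DomainPasswordExpiry {
    # Tenant-level check: every verified domain carries its own validity period.
    # If the property was never set, Graph applies a 90-day default.
    Get-MgDomain -All | Where-Object IsVerified | ForEach-Object {
        [pscustomobject]@{
            Domain             = $_.Id
            ValidityPeriodDays = $_.PasswordValidityPeriodInDays
            NotificationDays   = $_.PasswordNotificationWindowInDays
            Compliant          = ($_.PasswordValidityPeriodInDays -eq $MaxValidity)
        }
    }
}

function Test-UserPasswordExpiry {
    # Per-user check: a user-level PasswordPolicies string can override the domain
    # setting. "DisablePasswordExpiration" means the user's password never expires;
    # a null or empty value means the domain policy applies.
    Get-MgUser -All -Property 'UserPrincipalName', 'PasswordPolicies', 'AccountEnabled' |
        Where-Object AccountEnabled |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                PasswordPolicies  = $_.PasswordPolicies
                NeverExpires      = ($_.PasswordPolicies -match 'DisablePasswordExpiration')
            }
        }
}

function Test-UserMfaRegistration {
    # MFA check. Caveat: this report shows who has *registered* a strong method, not
    # whether MFA is *enforced*; enforcement is a Conditional Access or security
    # defaults question and must be audited there.
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsAdmin           = $_.IsAdmin
            IsMfaRegistered   = $_.IsMfaRegistered
            IsMfaCapable      = $_.IsMfaCapable
        }
    }
}

function Set-DomainPasswordNeverExpires {
    # Remediation for the tenant policy; needs Domain.ReadWrite.All. The 14-day
    # notification window is this example's choice, not a benchmark value.
    param([Parameter(Mandatory)][string]$DomainId)
    Update-MgDomain -DomainId $DomainId `
        -PasswordValidityPeriodInDays $MaxValidity `
        -PasswordNotificationWindowInDays 14
}

# Usage (read-only audit):
Connect-TenantForAudit
Test-DomainPasswordExpiry | Format-Table -AutoSize
Test-UserPasswordExpiry | Where-Object { -not $_.NeverExpires } | Format-Table -AutoSize
Test-UserMfaRegistration | Where-Object { -not $_.IsMfaRegistered } | Format-Table -AutoSize
```

Run the three Test-* functions first and keep the output as the audit record; only then call Set-DomainPasswordNeverExpires for each non-compliant domain, after reconnecting with the write scope. Users whose passwords still expire after the domain change are the ones with an explicit per-user policy, which is why the per-user check is separate from the domain check.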

The final section is a checklist of all the recommended settings in the document.

Figure: Checklist for recommended Microsoft 365 security settings (source: Center for Internet Security)

I highly recommend downloading the document and reviewing the recommended settings. I guarantee you will find some settings you never knew about.

If you run Office 365 rather than Microsoft 365, the CIS guidance still has value, as many of the same concepts apply. Additional resources for Office 365 can be found on the Office 365 Security and Compliance site.

Copyright © 2019 IDG Communications, Inc.
