Most organizations today rely on Entra ID (formerly Azure AD) and Microsoft 365 (formerly Office 365) for core business operations. But how secure are these vital platforms against ransomware?
This article explores the key concern concerns in Entra ID and Microsoft 365 and details the key security controls they offer to block, detect and recover from ransomware. Then it offers a robust solution that can further safeguard your data and IT systems.
Security Concerns in Entra ID
On-premises Active Directory is a top target of cybercriminals because it remains the primary identity management service for most organizations. However, Entra ID can also be compromised and is becoming a more common target. Here are the top factors that make it vulnerable to ransomware attacks:
- No organizational units (OUs) — In on-prem AD, administrators often use OUs to group users and devices for more accurate and efficient provisioning and monitoring. For example, putting all highly privileged accounts in a single OU makes it easier to apply more stringent security controls to them. However, Entra ID does not support organizational units. The resulting increased administrative load on IT teams can lead to mistakes that enable ransomware infections.
- No Group Policy — In on-prem AD, admins also tend to rely heavily on Group Policy to enforce security. Group Policy is not supported in Entra ID, which makes it much more difficult to manage device settings, which can allow ransomware to be installed and executed.
- Flawed protocol for single sign-on (SSO) — SSO enables users to sign into Entra ID without entering their password. However, the SAML protocol used for SSO is flawed, which enables hackers to perform brute-force attacks to compromise user accounts. While multifactor authentication (MFA) can block these attacks, requiring MFA for all accounts is not practical since it interferes with tasks such as providing support using Remote PowerShell. Hackers frequently seek to compromise administrative accounts without MFA enabled. High-profile examples include the Deloitte breach in which hackers compromised the company’s global email server, and the breach of Optus in which lack of authentication for their public-facing API led to the exposure of some 10 million records containing users’ sensitive personal information.
- Blind spots in hybrid environments — Most organizations have a hybrid environment that combines on-prem AD and Entra ID. The resulting complexity in identity and access management and endpoint management can lead to blind spots that provide opportunities for hackers to deploy ransomware.
How compromised Azure AD accounts behave
Entra ID offers role-based access control (RBAC), so the role or roles assigned to a user impact what a hacker can do if they compromise the account. Here are the key built-in roles to know about:
- Reader — A hacker who compromise an account with this role can access sensitive information. They can read Runbooks and other resources that may have hardcoded credentials or additional useful information. Threat actors also track new targets and address spaces through virtual networks.
- Owner — The Owner role can edit resources and grant permissions to any resource. Therefore, this role is of great interest to threat actors.
- Contributor — Users with this role can upload new folders and files, but they cannot remove, move or copy files. As a result, this role is less helpful to hackers.
- User access administrator — Through this role, threat actors can grant access rights to other resources. Therefore, this is also a powerful role that you should grant carefully.
Security Concerns in Microsoft 365
Adversaries can exploit Microsoft 365 as an entry point for ransomware. Key concerns to defend against include:
- Phishing — Adversaries send emails via Exchange Online in order to trick users into opening malicious attachments or visiting malicious sites in order to launch ransomware.
- File sharing — SharePoint and Teams are powerful collaboration tools that make very easy for users to share information with both internal colleagues and external parties. Without proper controls and oversight, this can enable attackers to upload malicious files or glean useful information for ransomware attacks.
- Mismanaged permissions — Microsoft 365 is a highly complex platform to manage, so users can end up with far more access rights than they need. Any ransomware that that runs under their credentials inherits those rights, which enables it to do more damage than it could do if least privilege were strictly enforced.
Microsoft Tools for Defending Against Ransomware
To reduce the risk from ransomware, Office 365 and Entra ID offer a variety of security tools, including the following:.
- Microsoft Defender offers advanced threat detection and protection capabilities. It helps you discover and mitigate vulnerabilities to reduce your attack surface, as well as spot and disrupt ransomware threats in progress.
- Microsoft Secure Score analyzes your security and compares it to Microsoft’s baseline, yielding a numerical score that you can use to gauge the effectiveness of your security improvement strategy.
- Microsoft Purview Compliance Managerhelps you assess your compliance with regulatory requirements and understand what actions to take to improve, which can help you keep up with both new regulations and new versions of existing mandates.
- Microsoft Purview Data Loss Prevention helps you control and monitor access to data in order to prevent the unauthorized sharing, use or transfer of sensitive information. For example, you can define confidentiality levels and determine which actions are permitted for sensitive information.
- Microsoft Conditional Access enables you to define policies that dynamically determine whether to allow, block or limit access or require an additional verification step, based on factors such as device, location or session risk. For example, Conditional Access could block an adversary attempting to log on using stolen credentials from an unusual location by adding an MFA step, thereby preventing them from planting ransomware.
- Microsoft Purview Information Protection helps you discover, classify and protect sensitive information wherever it resides or moves. For example, you can ensure that emails sent to any user are encrypted so that only authorized recipients can read them.
- Microsoft Entra Identity Protection helps organizations detect, investigate and remediate identity-based risks. In particular, it can help you spot unusual user behavior that could indicate a ransomware actor trying to use stolen credentials or a ransomware threat in progress.
- Data recovery — If a ransomware attack does succeed, Microsoft offers some Entra ID and Office 365 ransomware recovery options. These include the “Restore your OneDrive” feature, the OneDrive Recycle Bin and the SharePoint site collection Recycle Bin. However, organizations also need to implement an enterprise-quality backup and recovery strategy.
How Netwrix GroupID Can Help
While these Microsoft solutions are valuable, properly managing your hybrid or cloud environment is a complex task, and any errors or misconfigurations can open the door to costly ransomware infections. A third-party solution can help.
Netwrix GroupID is a powerful identity and access management (IAM) solution that reduces the burden on your IT teams while enhancing security and compliance. It empowers you to:
- Streamline the management of security and distribution groups
- Identify group owners
- Delegate group management tasks
- Generate user-friendly reports for enhanced insights and control
FAQ
Does Microsoft Office 365 have virus protection?
Yes, Office 365 is equipped with robust antivirus and anti-malware capabilities. It employs advanced threat intelligence and scanning technologies to detect and stop virus attacks.
Is Office 365 ransomware protection built in?
Yes, Microsoft 365 includes built-in ransomware protection features. It leverages advanced threat protection measures to detect and mitigate ransomware threats across its suite of applications.
Does OneDrive have ransomware protection?
Yes. OneDrive is part of the Microsoft 365 suite. It uses file versioning and intelligent threat detection to help safeguard your files from ransomware attacks, and offers some backup and recovery capabilities.
Does Microsoft Defender protect against ransomware?
Yes, Microsoft Defender offers protection against ransomware. It employs advanced threat protection mechanisms to detect, block and respond to ransomware threats.