Looking to streamline operations, increase efficiency and remain secure?  

Learn from the experience of Think Up Consulting — a young, fast-growing agency in South Carolina that uses Microsoft Teams, Microsoft 365 Business and Windows 10 to increase productivity and do more. 

With 39 team members and 45 ongoing projects at any given time. Think Up Consulting is always exploring and adapting new technology to increase efficiency and better meet customer needs.  

Check out Think Up’s story and contact us to learn how NovaQuantum can help your company use Windows 10 and Microsoft 365 Business to increase productivity and security.

Optimize your desktop virtualization experience to leverage the power of a modern cloud

Work better together and increase productivity

Windows 10 and Microsoft 365 help teams work better together with better tools—from any location:

• Streamline collaboration—Integrate team chats, meetings, and files in one place to increase productivity with Microsoft Teams.
• Improve performance with intelligent capabilities—Gain instantaneous analysis from intelligent services like Editor, Designer, and Smart Lookup with capabilities built into Microsoft 365.
• Enable work from almost anywhere, on any device—Provide secure remote access to employees working from personal devices.

Simplified for you and reduce cost

Free up resources and reduce IT costs over time with Microsoft by simplifying device management and staying up to date:

• Receive more value—Windows 10 and Microsoft 365 come with features and apps as they are added at no additional cost.
• Deploy intelligent applications and tools—Work smarter, not harder, with the latest Office apps and intelligent capabilities to enable your employees.
• Save time on device management—Windows 10 and Microsoft 365 continually update across all apps, so you don’t have to worry about updates, giving you time back.

Securely run and grow your business with enhanced security

Protect against external threats and leaks with security and compliance tools built into your devices.

• Leverage built-in automated threat intelligence—Threat-protection technologies in Windows 10 help protect against spam, malware, viruses, phishing attempts, malicious links, and other threats.
• Ensure secure remote access across all devices—Windows 10 and Microsoft 365 continually update across all apps, so you don’t have to worry about upgrades, keeping you compliant and secure.
• Control access to sensitive business information—Proactively safeguard your organization with enterprise-level security on all apps and devices.

Was that your client’s personal information that
was leaked?

A privacy breach is like having your home burglarized. How would you feel if it happened to you?
What would a privacy breach do to you, as an organization? In addition to the damage to the victim, it would damage our image as soon as it hit the news.
You play a crucial role in guarding your employees and clients’ personal information and fulfilling your legal obligations pertaining to privacy.

Be the strong link!

• Obtain consent before collecting personal information and only collect what is necessary.
• Use personal information only for the purposes established by your organization.
• Destroy, erase or anonymize information when it no longer serves its initial purpose.

CIS 1.2.0 Security Controls for Microsoft 365: a curated list of the most important and least user-impacting security controls that can be audited and remediated.

Account / Authentication

Ensure multifactor authentication is enabled for all users in administrative roles

Ensure that multi-factor authentication is enabled for all non-privileged users

Ensure that between two and four global admins are designated

Ensure self-service password reset is enabled

Ensure that ‘Number of methods required to reset’ is set to ‘2’

Ensure Azure Active Directory Password Protection for Active Directory is enabled in order to protect against the use of common passwords.

Enable Conditional Access policies to block legacy authentication protocols in Office 365.

Ensure that password hash sync is enabled for resiliency and leaked credential detection.

Enabled Identity Protection to identify anomalous logon behavior: Azure Active Directory Identity Protection monitors account behaviors and enables organizations to configure automated responses to detected suspicious actions related to user identities.

Ensure Security Defaults is disabled on Azure Active Directory. The use of Security Defaults however will prohibit custom settings which are being set with more advanced settings from this benchmark.

Ensure modern authentication for Exchange Online is enabled

Ensure modern authentication for Skype/Teams for Business Online is enabled

Ensure modern authentication for SharePoint applications is required

Ensure that Office 365 Passwords Are Not Set to Expire

Application Permissions

Ensure users installing Word, Excel, and PowerPoint add-ins is not allowed

Ensure calendar details sharing with external users is disabled

Ensure O365 ATP SafeLinks for Office Applications is Enabled

Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled

Ensure Office 365 SharePoint infected files are disallowed for download

Data Management

Ensure the customer lockbox feature is enabled: It requires Microsoft to get your approval for any datacenter operation that grants a Microsoft support engineer or other employee direct access to any of your data.

Ensure Data Loss Prevention(DLP) policies are enabled

Ensure DLP policies are enabled for Microsoft Teams

Ensure that shared access signature tokens expire within an hour

Ensure that external users cannot share files, folders, and sites they do not own

Ensure external file sharing in Teams is enabled for only approved cloud storage services

Email Security / Exchange Online

Ensure the Common Attachment Types Filter is enabled

Ensure Exchange Online Spam Policies are set correctly

Ensure mail transport rules do not forward email to external domains

Ensure mail transport rules do not whitelist specific domains

Ensure the Advanced Threat Protection Safe Links policy is enabled

Ensure the Advanced Threat Protection Safe Attachments policy is enabled

Ensure that an anti-phishing policy has been created

Ensure that DKIM is enabled for all Exchange Online Domains

Ensure that SPF records are published for all Exchange Domains

Ensure DMARC Records for all Exchange Online domains are published

Ensure notifications for internal users sending malware is Enabled

Auditing

Ensure Microsoft 365 audit log search is Enabled

Ensure mailbox auditing for all users is Enabled

Ensure the Azure AD ‘Risky sign-ins’ report is reviewed at least weekly

Ensure the self-service password reset activity report is reviewed at least weekly

Ensure user role group changes are reviewed at least weekly

Ensure mail forwarding rules are reviewed at least weekly

Ensure the Malware Detections report is reviewed at least weekly

Ensure non-global administrator role group assignments are reviewed at least weekly

Ensure the spoofed domains report is review weekly

Ensure the Account Provisioning Activity report is reviewed at least weekly

Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly

Ensure Guest Users are reviewed at least biweekly

Ensure the report of users who have had their email privileges restricted due to spamming is reviewed

Storage

Ensure document sharing is being controlled by domains with whitelist or blacklist

Ensure expiration time for external sharing links is set

Mobile Device Management

Ensure mobile device management polices are set to require advanced security configurations to protect from basic internet attacks

Ensure that mobile device password reuse is prohibited

Ensure that mobile devices are set to never expire passwords

Ensure that users cannot connect from devices that are jail broken or rooted

Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data

Ensure that mobile devices require a complex password to prevent brute force attacks

Ensure that settings are enable to lock devices after a period of inactivity to prevent unauthorized access

Ensure mobile devices require the use of a password

Ensure that devices connecting have AV and a local firewall enabled

Many SMB customers have been purchasing Office 365 E3, but we recommend evaluating if the customer is using any of the capabilities that aren’t provided by Microsoft 365 Business. Microsoft 365 Business provides additional device management and protection capabilities that would need to be added to an Office 365 E3.

If Microsoft 365 Business doesn’t include all of the Microsoft 365 capabilities that a you need, you can add many of these services as additional SKUs.

Securing each & every layer of productivity seamlessly!

Identity Security

• AAD Features like MFA
• Self Service Password Reset
• Conditional Access

Device Security

• Microsoft Defender AV
• Full Centralized Management of Mobile and Laptops with Intune
• Remote wipe of data of lost & stolen devices
• BitLocker Encryption
• Enforce Strong Pin requirements along with WiFi, VPN profiles

Application Security

• Restrict copy/paste/save corp data to personal apps
• Accessing sensitive apps securely (Windows Virtual Desktop)

Email Security

• Advanced Threat Protection for protection against malware and zero day attacks
• Data Loss Prevention to monitor sensitive data from being transmitted
• Email restrictions like “Do Not Forward” or “Encrypt Email”

Document Security

• Azure Information Protection protects, classifies Documents for secure sharing
• Revoke access to Documents
• Track Sensitive documents

Microsoft 365 Business will help you to compete more efficiently, sell more services and retain customers because it brings all of the technology that small business need at a single per-user/per-month price point.

Microsoft 365 Business brings together the security and innovation of Windows 10 with the power and familiarity of Office 365 and streamlined management and maintenance capabilities built specifically for small and mid-sized businesses. Microsoft 365 Business is designed to help keep company data secure while ensuring employees are their most productive, in the office or on the go.

With productivity apps such as Word and Excel, cloud storage, email and calendaring, and an exceptional chat-based workspace to bring teams together, your customers will be able to achieve more as they create and collaborate with people inside and outside their company in ways that they never dreamed possible.

Microsoft 365 Business standardizes your customer’s devices on Windows 10, the most secure Windows ever. Building upon this strong foundation, Microsoft 365 Business adds cloud-based management and servicing which helps ensure that customer devices are properly configured to take advantage of the security innovations in Windows 10 and significantly reduces the businesses risk profile.

Microsoft 365 Business also includes mobile application data and device management, even on personal devices. With this functionality, when an employee leaves the organization, or loses their device, for example, you are going to be able to protect your customers’ company data, while reassuring the employee that her pictures and text messages remain private on her personal device.

Since Microsoft 365 Business is cloud-delivered and enabled, you can count on automatic updates to keep your customers’ apps and devices current with the latest and greatest security protection and features from Microsoft. Your customers will get to host their data on the same cloud that hosts data from over 85% of Fortune 500 companies.

This is all made more efficient for you through the Admin Console. The admin console not only simplifies things on your end, but gives you self-service tools that can create lower delivery costs and increased consulting and managed services margins. This frees up time on your end to invest in new capabilities that expand your business into new market areas.

Because Small and Medium Businesses have different security needs and attitudes, the checklist includes suggested recommendations for two common scenarios.

• The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
• The high risk scenario is more appropriate for a business that wants to maximize security protections and has higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work from home environment.

Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.

		Recommend settings – normal scenario	Recommended settings – high risk scenario
Set up tenant
	Decide between hybrid & cloud-only identity	Hybrid, Azure AD Connect	Hybrid, Azure AD Connect
	Azure AD Connect – sign-in method	Password Hash Sync	Password Hash Sync
	Azure AD Connect – single sign-on	Enabled	Enabled
	Azure AD Connect – On-premises attribute for Azure AD username	userPrincipalName	userPrincipalName
	Azure AD Connect – Password writeback	Enabled	Enabled
	Decide on email migration strategy	Hybrid Agent	Hybrid Agent
	Configure DNS domains	Situational	Situational
Configure identity protection
	Plan for administrative access	Required	Required
	Configure dedicated admin accounts	Recommended	Recommended
	Multi-factor authentication (MFA) for admins	Security defaults	Required, Conditional Access
	Multi-factor authentication (MFA) for users	Security defaults	Required, Conditional Access
	Self-service password reset (SSPR)	Enabled-All	Enabled-All
	Combined security information registration	Enabled-All	Enabled-All
Configure email protection
	Enable Common Attachment Types filter	Recommended	Required
	Enable transport rule for attachments with Office macro extension	Warn	Block
	Enable transport rule to block auto-forwarded email	Recommended	Required
	Enable Sender Policy Framework (SPF) to help prevent spoofing	Required	Required
	Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing	Optional	Signed, all domains
	Enable DMARC policy to validate email	Enabled, p=quarantine	Enabled, p=reject
	Enable Office 365 ATP Policies	Recommended policies	Required, with spear phish
Configure information governance
	Set up Data Loss Prevention (DLP)	Recommended, using default policy	Enabled for sensitive data types (GLBA, HIPAA, etc.)
	Enable email encryption	Office 365 Message Encryption	Sensitivity Labels
	Enable retention policies	None	Enabled
	Enable sensitivity labels	Optional	Enabled, Default or custom labels
Configure Teams security
	Teams governance (to allow users to create Teams on their own)	Defaults	Restrict groups settings
	Guest access (to allow external users to fully participate in teams & channels)	Enabled	Enabled
	External chat (to allow external users to initiate chat)	Allowed, default policy	Restricted
	3rd party cloud storage	Defaults	Off
	Meeting policy and settings	Defaults	Block anonymous
	Messaging policy	Defaults	Defaults
	OneDrive for Business sharing	Anyone	Require login
	Migrate files to Teams & OneDrive for Business (to enable recovery)	Required	Required
Manage devices
	Onboard existing Active Directory joined PCs	Hybrid Azure AD Join	Hybrid Azure AD Join
	Provision new/refreshed company PCs	Azure AD join Autopilot recommended	Azure AD join Autopilot recommended
	Configure app protection policies for company owned PCs	Enabled, encrypt data only	Encrypt + block relocation
	Block/Allow access from employee owned mobile devices	Allowed, default app protection policy	Block client app access, block web downloads
	Block/Allow access from employee owned PCs	Block client app access, block web downloads	Block client app access, block web downloads
	Enable device configuration profiles	Basic config profile	Endpoint security profiles
	Enable device compliance policies	Optional	Enforced, Conditional Access
Secure remote access
	Access to on-premises data & apps (existing VPN)	Split-tunnel VPN	Split-tunnel-VPN
	Access to 3rd party cloud apps	Azure AD Single sign-on (SSO)	Azure AD Single sign-on (SSO)
	Access to on-prem webapps	Azure AD App proxy	Azure AD App proxy
	Access to desktop apps	Windows Virtual Desktop (WVD)	Windows Virtual Desktop (WVD)