Because Small and Medium Businesses have different security needs and attitudes, the checklist includes suggested recommendations for two common scenarios.
- The normal scenario is designed for a typical business that wants to enable secure remote work and balance ease of use with security.
- The high risk scenario is more appropriate for a business that wants to maximize security protections and has higher concern for risk (for example, to adhere to regulatory requirements such as HIPAA or GLBA). This business is also willing to put more effort into maintaining security and control of the work from home environment.
Both sets of defaults are intended to provide a starting point for a serious discussion around the security and compliance options available, rather than prescriptive guidance. One of the first and most important things that IT leaders and business leaders can do is talk through the possibilities.
| Checklist item | Recommended settings – normal scenario | Recommended settings – high risk scenario |
|---|---|---|
| Set up tenant | | |
| Decide between hybrid & cloud-only identity | Hybrid, Azure AD Connect | Hybrid, Azure AD Connect |
| Azure AD Connect – sign-in method | Password Hash Sync | Password Hash Sync |
| Azure AD Connect – single sign-on | Enabled | Enabled |
| Azure AD Connect – On-premises attribute for Azure AD username | userPrincipalName | userPrincipalName |
| Azure AD Connect – Password writeback | Enabled | Enabled |
| Decide on email migration strategy | Hybrid Agent | Hybrid Agent |
| Configure DNS domains | Situational | Situational |
| Configure identity protection | | |
| Plan for administrative access | Required | Required |
| Configure dedicated admin accounts | Recommended | Recommended |
| Multi-factor authentication (MFA) for admins | Security defaults | Required, Conditional Access |
| Multi-factor authentication (MFA) for users | Security defaults | Required, Conditional Access |
| Self-service password reset (SSPR) | Enabled, all users | Enabled, all users |
| Combined security information registration | Enabled, all users | Enabled, all users |
| Configure email protection | | |
| Enable Common Attachment Types filter | Recommended | Required |
| Enable transport rule for attachments with Office macro extension | Warn | Block |
| Enable transport rule to block auto-forwarded email | Recommended | Required |
| Enable Sender Policy Framework (SPF) to help prevent spoofing | Required | Required |
| Enable DomainKeys Identified Mail (DKIM) to help prevent spoofing | Optional | Signed, all domains |
| Enable DMARC policy to validate email | Enabled, p=quarantine | Enabled, p=reject |
| Enable Office 365 ATP policies | Recommended policies | Required, with spear phish |
| Configure information governance | | |
| Set up Data Loss Prevention (DLP) | Recommended, using default policy | Enabled for sensitive data types (GLBA, HIPAA, etc.) |
| Enable email encryption | Office 365 Message Encryption | Sensitivity Labels |
| Enable retention policies | None | Enabled |
| Enable sensitivity labels | Optional | Enabled, default or custom labels |
| Configure Teams security | | |
| Teams governance (to allow users to create Teams on their own) | Defaults | Restrict groups settings |
| Guest access (to allow external users to fully participate in teams & channels) | Enabled | Enabled |
| External chat (to allow external users to initiate chat) | Allowed, default policy | Restricted |
| 3rd party cloud storage | Defaults | Off |
| Meeting policy and settings | Defaults | Block anonymous |
| Messaging policy | Defaults | Defaults |
| OneDrive for Business sharing | Anyone | Require login |
| Migrate files to Teams & OneDrive for Business (to enable recovery) | Required | Required |
| Manage devices | | |
| Onboard existing Active Directory joined PCs | Hybrid Azure AD Join | Hybrid Azure AD Join |
| Provision new/refreshed company PCs | Azure AD join, Autopilot recommended | Azure AD join, Autopilot recommended |
| Configure app protection policies for company owned PCs | Enabled, encrypt data only | Encrypt + block relocation |
| Block/Allow access from employee owned mobile devices | Allowed, default app protection policy | Block client app access, block web downloads |
| Block/Allow access from employee owned PCs | Block client app access, block web downloads | Block client app access, block web downloads |
| Enable device configuration profiles | Basic config profile | Endpoint security profiles |
| Enable device compliance policies | Optional | Enforced, Conditional Access |
| Secure remote access | | |
| Access to on-premises data & apps (existing VPN) | Split-tunnel VPN | Split-tunnel VPN |
| Access to 3rd party cloud apps | Azure AD Single sign-on (SSO) | Azure AD Single sign-on (SSO) |
| Access to on-prem web apps | Azure AD App Proxy | Azure AD App Proxy |
| Access to desktop apps | Windows Virtual Desktop (WVD) | Windows Virtual Desktop (WVD) |
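The email protection rows differ between the two scenarios mainly in the DMARC policy value (p=quarantine versus p=reject). As an added example that is not part of the original checklist, the Python below parses a DMARC TXT record and reports which of the two baselines it satisfies; the sample records are constructed, and treating a lowered `pct` or a weaker `sp` subdomain policy as falling below the baseline is my assumption, not something the checklist states.

```python
"""Classify a DMARC TXT record against the checklist's two scenario baselines."""

# Constructed sample records (not taken from any real domain).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "normal":       "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "high-risk":    "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "weakened":     "v=DMARC1; p=reject; pct=20",   # only 20% of failing mail is rejected
}

# Strength ordering of the three DMARC policy values.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_scenario(record: str) -> str:
    """Return 'high-risk', 'normal', 'below-baseline' or 'invalid' for a record.

    Normal scenario needs p=quarantine or stronger; high risk needs p=reject.
    Assumptions: pct below 100 (default is 100) means only a sample of failing
    mail is enforced, and sp (subdomain policy, defaults to p) caps the effective
    strength, so either drops the record below the baseline.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    if policy not in POLICY_RANK or subdomain_policy not in POLICY_RANK:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if pct < 100:
        return "below-baseline"
    effective = min(POLICY_RANK[policy], POLICY_RANK[subdomain_policy])
    return {2: "high-risk", 1: "normal"}.get(effective, "below-baseline")


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:13s} -> {dmarc_scenario(record)}")
```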
