Tag: Best practices

Best practices for configuring anti-spam policy settings in Microsoft Exchange Online

bp1

Best Practice Anti-Spam Policy Settings for SMBs

For small and medium-sized businesses (SMBs), the goal is to strike a balance between strong protection and minimal disruption to legitimate communications. The following are recommended best practices:

1. Use Preset Security Policies (Standard or Strict)

Microsoft recommends starting with the built-in Standard or Strict preset security policies. These are optimised for most organisations and include anti-spam, anti-phishing, and anti-malware settings.

  • Standard: Balanced protection with fewer false positives.
  • Strict: Higher protection, suitable for high-risk users or domains.

You can assign these policies to all users or specific groups via the Microsoft Defender portal.

2. Custom Anti-Spam Policies

If you need more control, create custom anti-spam policies. These allow you to:

  • Adjust thresholds for spam, high-confidence spam, phishing, and bulk email.
  • Choose actions like:

    • Move to Junk Email folder
    • Quarantine
    • Add X-headers
    • Redirect to another mailbox

Custom policies override the default and can be prioritised as needed.

3. Outbound Spam Protection

Configure outbound spam policies to prevent compromised accounts from sending spam:

Set-HostedOutboundSpamFilterPolicy -Identity "Default" -NotifyOutboundSpam $true -OutboundSpamFilterAction Quarantine

This ensures that outbound spam is quarantined and alerts are generated.

4. Enable Advanced Threat Protection (ATP)

For SMBs using Microsoft 365 Business Premium or Defender for Office 365 Plan 2, enable:

  • Safe Links: Time-of-click protection for URLs.
  • Safe Attachments: Sandboxing for email attachments.
  • Anti-Phishing Policies: Impersonation protection and spoof intelligence.

These features significantly enhance protection against sophisticated threats.

5. Disable Legacy Protocols

Block POP, IMAP, and SMTP AUTH unless explicitly needed. These protocols don’t support modern authentication and are often exploited.

6. Monitor and Adjust

Use tools like Threat Explorer, Quarantine Reports, and User Submissions to monitor effectiveness and adjust policies accordingly.

️ How to Configure These Settings in the Microsoft 365 Admin Console
Step-by-Step via Microsoft Defender Portal:
  1. Go to: https://security.microsoft.com
  2. Navigate to:
    Email & collaborationPolicies & rulesThreat policies
  3. Anti-Spam Policies:

    • Click Anti-spam policies
    • Edit the Default policy or click + Create policy
    • Configure actions for spam, high-confidence spam, phishing, and bulk email
  4. Safe Links & Safe Attachments:

    • Under Threat policies, configure Safe Links and Safe Attachments
    • Apply policies to users, groups, or domains
  5. Anti-Phishing:

    • Enable impersonation protection
    • Configure spoof intelligence and thresholds
  6. Outbound Spam:

    • Configure under Outbound spam filter policies
  7. Monitoring:

    • Use Reports and Explorer to review detections and user reports

For PowerShell users, the following script configures best practice spam settings:

Connect-ExchangeOnline
Set-HostedContentFilterPolicy -Identity "Default" ` 
-EnableSafetyTips $true ` 
-EnableEndUserSpamNotifications $true ` 
-EndUserSpamNotificationFrequency 1 ` 
-SpamAction Quarantine ` 
-HighConfidenceSpamAction Quarantine ` 
-PhishSpamAction Quarantine ` 
-HighConfidencePhishAction Quarantine ` 
-BulkSpamAction Quarantine ` 
-BulkThreshold 6 ` 
-QuarantineRetentionPeriod 30 ` 
-InlineSafetyTipsEnabled $true ` 
-EnableRegionBlockList $true ` 
-RegionBlockList @("CN","RU","KP","IR") ` 
-EnableLanguageBlockList $true ` 
-LanguageBlockList @("zh-cn","ru","ko","fa") ` 
-IncreaseScoreWithImageLinks Off ` 
-IncreaseScoreWithNumericIps Off ` 
-IncreaseScoreWithRedirectToOtherPort Off ` 
-IncreaseScoreWithBizOrInfoUrls Off ` 
-MarkAsSpamEmptyMessages On ` 
-MarkAsSpamJavaScriptInHtml On ` 
-MarkAsSpamFramesInHtml On ` 
-MarkAsSpamObjectTagsInHtml On ` 
-MarkAsSpamEmbedTagsInHtml On ` 
-MarkAsSpamFormTagsInHtml On ` 
-MarkAsSpamWebBugsInHtml On ` 
-MarkAsSpamSensitiveWordList On ` 
-MarkAsSpamSpfRecordHardFail On ` 
-MarkAsSpamFromAddressAuthFail On ` 
-MarkAsSpamBulkMail On ` 
-TestModeAction None

This script ensures all spam types are redirected to quarantine

 

ASD Configuration policy templates for Intune

image

The Australian Signals Directorate (ASD) has produced a number of recommended configuration policies for Intune as part of their Secure Cloud initiative. You can find them here:

ASD Configuration policies

Edge hardening guidelines

All Macros disabled

Macros enabled for trusted publishers

Office Hardening guidelines

Windows hardening guidelines

User rights assignments

Theses policies are in TXT format but are effectively just JSON files.

I have therefore takes these TXT files, renamed to JSON files and uploaded into my best practices repository here:

CIAOPS Best Practice Repo – ASD recommended policies

It would have been good if the ASD had placed in their own repo so they could easily be monitored for updates. Alas, maybe in the future.

So for now you can import these files directly from my repo into your Intune and I’ll try and do my best to keep them current with what the ASD does.

CIAOPS M365 Best Practice Repo is now available

One of the big challenges I have found with securing a Microsoft 365 environment is determining and setting best practices settings for the environment. Recommendations can be found in many different locations from many different sources. I have always done my best to pull all these together and convert them into a single place that I can apply.

With that in mind I am happy to announce the availability of a new CIAOPS Best Practices repository for Microsoft 365here:

https://github.com/directorcia/bp/tree/main

The aim is for it to be the one place you can go that centralizes all the best practice information, security and otherwise, for Microsoft 365.

Let me give you an example of the benefits of this. In the repo you’ll find the following JSON file for an Entra ID authorization policy:

https://github.com/directorcia/bp/blob/main/EntraID/authorization.json

The idea is that you can use a script like I just uploaded:

https://github.com/directorcia/Office365/blob/master/graph-idauthpolicy-get.ps1

To read these settings and compare them to your own environment.

image

You can see the results above when you run this script. The items that are in red do not match the best practice settings that are in repo.

Not only can you use the repo to compare settings but you can also use it to apply settings. Again, you’d just read the JSON setting in the repo and apply that to your environment. Thus, you could take the Entra ID authorization policy JSON and use a script to actually apply, or write,  those settings to your environment. CIAOPS Patron subscribers will have access to the scripts that I develop that will do both the reading and setting of these parameters. Thus, if you don’t to actually write the code to do all this then become a CIAOPS Patron subscriber.

Having these settings available publicly also means people can examine and comment on them and help develop what is best practices in the Microsoft 365 environment. Remember, that best practices are not absolute, they are what works best for the majority of people. You may want to take these as a base and modify them to suit your needs. The benefits of using Github is that is easy to achieve. Thus, you could create your own repo, based on mine, and that as you base for your environment.

The repo also contains links to best practices I have found like this :

https://github.com/directorcia/bp/blob/main/best-practices.txt

That you can also use. Again, the idea is to bring all these resources for Microsoft 365 into a single location.

This best practices repo is far from complete but I wanted to get it out there so people can provide me feedback and we can all build this out to make all our lives easier. Going forward, I plan to spend time developing the repo wiki to provide documentation for all this. However, feel free to take a look at what is there and provide any suggestions for improvement or addition. I’m all ears.

Secure more with Secure Score in M365 online course

Designer

The live course Secure more with Secure Score in Microsoft 365 over the past four weeks has now completed. All materials, including recordings of each session are now available on demand.

I think this course does provide a good overview of suitable best practices across the Microsoft 365 environment. You’ll get the most from this course if you are a CIAOPS Patron, thanks to all the Patron script that are part of the subscription. As CIAOPS Patron you’ll also get a sizable discount via a coupon code discount.

The aim of this training is to help configure security best practices inside your Microsoft 365 environment. You’ll learn what settings you should enable and why you should have these enabled. The sessions will also take you through common examples of configuring these settings and the impact they will have on your users. The course covers identities using EntraID, securing emails, devices as well as data using information protection services all included in Microsoft 365.

Watch out for more online courses from CIAOPS coming soon.

Exchange user best practices script

image

I’ve created a new Exchange user best practices summary script which you can find at:

https://github.com/directorcia/Office365/blob/master/o365-mx-usr-all.ps1

The idea with this script is to give you a quick visual summary of your user mailboxes to ensure they conform to best practices.

When you run the script without any command line options you will see the above output. Each row is a user with their name at the end of the line. The entries on the right provide you an indication of settings status. A green dot is for good and a red X is for bad. You will see this creates a matrix of settings for each mailbox. These settings are designated by a letter (currently a through p). These letters correspond to the following settings:

a = Mailbox type: S = Shared, R = Resource, U = User
b = Enabled
c = Inactive
d = Remote PowerShell Enabled
e = Retain Deleted Items for at least 30 days
f = Deliver to Mailbox and Forward
g = Litigation Hold Enabled
h = Archive Mailbox Status
i = Auto-expanding Archive Enabled
j = Hidden From Address Lists Enabled
k = POP Enabled
l = IMAP Enabled
m = EWS Enabled
n = EWS Allow Outlook
o = EWS Allow Mac Outlook
p = Mailbox Audit Enabled

image

If you use the –verbose command line option, you’ll get additional information about the script operation as you see above.

If you use the –debug command line option, a log file of the script process will be created in the parent directory.

If you use the –prompt command line option, the script will wait after each user for you to press ENTER.

If you use the –select command line option, the script will prompt you to select the users you wish to display.

If you also specify any letter from, currently, a through p on the command line, those settings will not be checked by the script. Thus, specifying dhl on the command line will not check or display Remote PowerShell Enabled (setting = d), Archive Mailbox Status (setting = h) or IMAP enabled (setting = l).

Thus:

.\o365-mx-usr-all.ps1 dhl

will display:

image

(note: no d, h or l in the output)

and

.\o365-mx-usr-all.ps1 dhl –select

will display:

image

no d, h or l settings as well as prompting for selection of users to check and display.

The script requires that you are connected to Exchange Online first via PowerShell prior and this can be done using my script:

https://github.com/directorcia/Office365/blob/master/o365-connect-exo.ps1

In summary then, this script when run without any command line options is designed to give you a quick reference to your user mailboxes and whether they have best practice settings enabled. You can also run the script with number of different command line options to create a log, individually select users and settings to test as well as pause after each user if desired.

I’ll continue to update and improve this script over time so make sure you follow my Office 365 GitHub repository, which you can find here:.

https://github.com/directorcia/Office365/

Windows 10 in cloud configuration

Microsoft has released a handy guide called

Windows 10 in cloud configuration

that walks you through a recommended best practice configuration of you Windows 10 devices using Endpoint Manager. what they are now doing, as highlighted by my video, is begin to roll this into a wizard inside the Endpoint Manager portal, allowing you to quickly and easily create and apply policies to protection your Windows 10 machines.

I believe this in only the beginning of what Microsoft plans to roll out and I expect to see lots more configuration coming very soon, not only for Windows 10 but also iOS and Android.

Watch this space.