Secure Configuration Assessment Guideline
This guideline is intended to define a simple approach to ongoing monitoring and assurance of secure configuration of common tools and platforms.
Email, File sharing and Endpoint configuration monitoring
The standard recommended actions within Microsoft Defender should be reviewed and exported each month and retained for 12 months.
Enhanced validation of cloud service configuration
A backup of tenant configuration should be taken each month with Microsoft365DSC - Your Cloud Configuration and archived to a Git repository or equivalent VCS tool that allows monitoring of configuration drift.
A tool to review tenant configuration such as the CISA ScubaGear M365 Secure Configuration Baseline Assessment Tool should be run against all tenants at least quarterly with results reviewed and retained for 12 months to guide policy remediations and improvements.
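One way to carry out the monthly Microsoft365DSC export and archive it for drift monitoring, as an added example that is not from this guideline or the Microsoft365DSC project. It assumes the Microsoft365DSC module is installed, an app registration with certificate credentials has the permissions the export needs, and `$RepoPath` is a local clone of the archive repository; the component list is a starting selection of M365DSC resource names.

```powershell
# Added example, not from the guideline or the Microsoft365DSC project: export the tenant
# configuration into a fixed path inside a Git clone, so each monthly commit's diff is the
# configuration drift record. Assumptions: Microsoft365DSC module installed, app registration
# with certificate auth granted the needed permissions, $RepoPath is an existing clone.
param(
    [Parameter(Mandatory)] [string] $TenantId,               # e.g. contoso.onmicrosoft.com (placeholder)
    [Parameter(Mandatory)] [string] $ApplicationId,          # app registration used for the export
    [Parameter(Mandatory)] [string] $CertificateThumbprint,  # certificate in the local cert store
    [string] $RepoPath = 'C:\Config\m365-tenant'             # assumed local clone of the VCS repository
)

# Microsoft365DSC resource names covering identity, mail protection and endpoint compliance;
# extend as required.
$components = @(
    'AADConditionalAccessPolicy',
    'AADAuthenticationMethodPolicy',
    'EXOAntiPhishPolicy',
    'EXODkimSigningConfig',
    'EXOSafeAttachmentPolicy',
    'IntuneDeviceCompliancePolicyWindows10'
)

# Export to the same folder and file name on every run so that only the content changes.
$exportDir = Join-Path $RepoPath 'tenant'
Export-M365DSCConfiguration -Components $components -Path $exportDir -FileName 'M365TenantConfig.ps1' `
    -ApplicationId $ApplicationId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

Push-Location $RepoPath
try {
    git add -A
    # Exit code 1 from 'git diff --cached --quiet' means the staged export differs from the
    # previous one, i.e. there is drift (or a module version bump in the header) to review.
    git diff --cached --quiet
    if ($LASTEXITCODE -ne 0) {
        $stamp = Get-Date -Format 'yyyy-MM'
        git commit -m "M365DSC tenant export $stamp" | Out-Null
        # Summarise what changed for the reviewer; the repository history keeps the 12-month trail.
        git show --stat HEAD
    }
    else {
        Write-Host 'No configuration change since the previous export.'
    }
}
finally {
    Pop-Location
}
```

When the raw diff is too noisy, `New-M365DSCDeltaReport -Source <previous export> -Destination <current export> -OutputPath drift.html` renders a per-resource comparison of two exports.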
Enhanced validation of endpoint configuration
The ACSC's Cyber Toolbox comprises the Essential Eight Maturity Verification Tool (E8MVT) and the Application Control Verification Tool (ACVT). These should be run against a sample of endpoints at least quarterly, with results reviewed and retained for 12 months to guide policy remediations and improvements.
Infrastructure (public cloud and on-premise compute and storage) configuration monitoring
The standard recommended actions within CSPM tools such as Microsoft Defender for Cloud, AWS Security Hub, Oracle Cloud Guard and Google Cloud Security Command Centre should be reviewed and exported each month and retained for 12 months. It is strongly recommended to ensure checks are configured against the ACSC ISM and NIST CSF (SP 800-53 R5) using compliance dashboards where possible:
- Microsoft Defender for Cloud Compliance Dashboard
- Deploying a Conformance Pack Using the AWS Config Console
- Oracle Cloud Guard and Oracle Data Safe
- Google Cloud Security Command Centre
Essential Eight Implementation
The ASD's Blueprint for Secure Cloud (process focused) and Microsoft Compliance - ACSC Essential Eight (technical focus) are regularly updated and provide in-depth guidance aligned to this technical reference.
Small entities should also review the ACSC's Essential Eight Microsoft 365 Cloud Security Guides. The links below reference security platforms and tools that have been seen to simplify the establishment and monitoring of controls as per the ACSC Essential Eight Process Guide and to reduce supply chain risk (where possible, tooling from Certified Service Providers has been referenced).
Application Control
ASD Blueprint, ACSC Technical Example
- Start with Essential Eight application control using AppLocker for ML1 (simple 3 path block rule)
- For modern approaches to WDAC for ML2 see Intune ACSC Windows Hardening Guidelines
- If the above is still too complex because of the number of legacy or packaged applications, review a third-party tool such as AirLock Digital
- Other effective tools: Ivanti Application Control, Trend Vision One Application Control, VMWare Carbon Black App Control
Patch Operating Systems
ASD Blueprint, ACSC Technical Example
- Manage MS endpoints OS patching with Windows Autopatch
- Manage Windows and Linux server patching with Azure Automanage
- Manage MacOS endpoints as supervised devices in Intune
Patch Applications
ASD Blueprint, ACSC Technical Example
- Endpoint vuln mgmt with Microsoft Defender Vulnerability Management
- Patch 3rd party applications daily with Winget-AutoUpdate - the Windows Package Manager (winget) has thousands of package manifests maintained in the winget-pkgs community repo available to Windows 10+ out of the box
- Cloud vuln mgmt with Defender CSPM, Amazon Inspector
- Server and OT vuln mgmt with Tenable Vulnerability Management, Rapid7 InsightVM, Qualys Vulnerability Management, Crowdstrike Falcon Spotlight, Ivanti Neurons for ASOC
- OT and Network vuln mgmt with Claroty xDome, Cisco Cyber Vision or Palo Alto IoT Security
Restrict Microsoft Office Macros
ASD Blueprint, ACSC Technical Example
- Migrate from legacy macros to Office Scripts and Power Automate
User Application Hardening
ASD Blueprint, ACSC Technical Example
- Block newly registered domains (over 70% are malicious) with Web Content Filtering
- Migrate java applications to use Java Web Start instead of browser plugins
Restrict Administrative Privileges
ASD Blueprint, ACSC Technical Example
- Restrict logon (as per MS E8 guidance) of Domain/Enterprise Admin accounts on servers and endpoints, and restrict logon of M365 Global Admins on cloud joined endpoints.
- Audit and secure AD CS with tools like Rubeus and PSPKIAudit. Monitor operationally with Microsoft Defender for Identity.
- Implement Windows LAPS for secure local administrator password management
- Use Administrative Units to partition management scopes and minimise usage of global administration roles
- Use Entra ID Privileged Identity Management to enable time bound tracked access to privileged resources (as opposed to persistent privileged access)
- Run shared devices in Kiosk Mode with local unprivileged users
Multi-factor Authentication
ASD Blueprint, ACSC Technical Example
Once Entra ID passwordless authentication is configured, the migrations below will bring identities and data into compliant states and locations:
- Combat fake emails (ACSC) by enabling DKIM/DMARC/SPF across all registered domains belonging to the organisation
- If legacy systems/applications dependent on SMTP exist, migrate them to separate subdomains on transactional email platforms such as mailchimp, postmarkapp or sendgrid to avoid reducing the security of the primary identity domains
- Disable SMTP Auth for Exchange Online to simplify conditional access policies and avoid reconnaissance and exploitation of primary identity domains and mailboxes
- Migrate file shares to OneDrive, Teams, and SharePoint and enable Microsoft Purview risk and compliance
- Migrate Microsoft Access data to Microsoft Dataverse and Connect to and manage Microsoft Dataverse in Microsoft Purview
- Implement a Security Service Edge or MFA Application Proxy in front of legacy systems in use by staff (internal identities)
- Implement a cloud based CDN and WAF such as Akamai, Amazon CloudFront, Azure Front Door, Cloudflare, F5XC, Fastly or Imperva that interoperate with Customer IAM such as Entra External ID, Amazon Cognito, IBM Verify, Okta Customer Identity Cloud, PingOne for Customers in front of legacy systems in use by customers (external identities)
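A check for the SPF/DMARC weaknesses the email items above address (missing records on split-out legacy subdomains, an SPF that does not end in `-all`/`~all`, a monitoring-only DMARC policy), as an added example that is not part of this guideline. The domains and records are constructed samples; for a live check, feed the TXT records returned by `Resolve-DnsName` for the domain apex and `_dmarc.<domain>` instead.

```powershell
# Added example, not from the guideline: score SPF/DMARC TXT records for the weak settings
# the list above addresses. All records below are constructed samples.
function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Spf,    # TXT record at the domain apex (empty if absent)
        [string] $Dmarc   # TXT record at _dmarc.<domain> (empty if absent)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $Spf)                              { $findings.Add("${Domain}: no SPF record; publish one ending in -all even if the domain never sends mail") }
    elseif ($Spf -notmatch '^v=spf1(\s|$)')     { $findings.Add("${Domain}: TXT record is not a valid SPF record") }
    elseif ($Spf -notmatch '\s(-all|~all)\s*$') { $findings.Add("${Domain}: SPF does not end in -all or ~all, so unauthorised senders are not failed") }

    if (-not $Dmarc) { $findings.Add("${Domain}: no DMARC record"); return $findings }
    $tags = @{}
    foreach ($pair in $Dmarc -split ';') {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1')                 { $findings.Add("${Domain}: DMARC record must start with v=DMARC1") }
    if ($tags['p'] -notin 'quarantine','reject') { $findings.Add("${Domain}: DMARC policy is '$($tags['p'])', monitoring only; move to quarantine or reject") }
    if (-not $tags['rua'])                       { $findings.Add("${Domain}: no rua= address, so aggregate reports about spoofing are never received") }
    # sp= governs subdomains; without it every subdomain, including the transactional-mail
    # subdomains the guideline recommends splitting out, inherits the apex policy.
    if (-not $tags['sp'] -and $tags['p'] -notin 'quarantine','reject') { $findings.Add("${Domain}: subdomains inherit the weak policy (no sp= tag)") }
    return $findings
}

# Constructed samples: a hardened primary domain and a legacy subdomain that was split out for
# an SMTP-dependent application but never configured.
$samples = @(
    @{ Domain = 'example.com'; Spf = 'v=spf1 include:spf.protection.outlook.com -all'
       Dmarc = 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com' },
    @{ Domain = 'legacy.example.com'; Spf = 'v=spf1 ip4:203.0.113.10 ?all'
       Dmarc = 'v=DMARC1; p=none' }
)
foreach ($s in $samples) {
    $result = Test-MailAuthRecords @s
    if ($result.Count -eq 0) { "$($s.Domain): SPF and DMARC meet the baseline" } else { $result }
}
```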
Regular Backups
ASD Blueprint, ACSC Technical Example
- Mirror on-premises file shares with Azure File Sync (disaster recovery for local file shares)
- Back up simple servers with Azure Backup (Back up on-premises applications and data to the cloud)
- Back up complex environments with backup platforms like Druva Phoenix