Tag Archives: security

Enable Office 365 MFA and be safe

Quick guide for Office 365 MFA. Includes admin and user tasks in brief.

Admin: Enable Office 365 MFA

  1. Go to the Admin Portal
  2. Users – select the user
  3. Open the Office 365 MFA option in the user properties
  4. Select the user(s) again and click the Enable button
  5. That’s it. Now it is the user’s turn to take the next steps
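The same per-user enable, done from PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the legacy MSOnline module is installed and the tenant still accepts it; the UPN is a placeholder.

```powershell
# Added example (not from the original post): enable per-user Office 365 MFA
# with the legacy MSOnline module. Assumes "Install-Module MSOnline" was run
# and that the signed-in account is a tenant admin. The UPN is a placeholder.
Connect-MsolService

$upn = "user@contoso.example"   # placeholder user principal name

# Build the requirement object that the portal's Enable button sets behind the scenes.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enabled"          # "Enabled": the user registers MFA at next sign-in

Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# Verify the per-user state; an empty collection means MFA is not enabled for that user.
Get-MsolUser -UserPrincipalName $upn |
    Select-Object UserPrincipalName,
        @{ Name = "MfaState"; Expression = { $_.StrongAuthenticationRequirements.State } }

# Audit: list every user in the tenant who still has no per-user MFA requirement.
Get-MsolUser -All |
    Where-Object { -not $_.StrongAuthenticationRequirements } |
    Select-Object UserPrincipalName
```

The audit query is the part worth scheduling: a user created after the rollout will otherwise sit without MFA until someone notices.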

User: Enable Office 365 MFA – first time only

  1. Open a browser in incognito / InPrivate / private mode
  2. Go to https://portal.office.com
  3. Log in as usual.
  4. Click Next in the Additional Information dialog
  5. Now there are many options and this can be a confusing step
  6. Open the dropdown, choose Mobile App, and select the Receive notifications for verification option

    Choosing the Mobile App authentication option

  7. Click the Set Up option. After some processing, it will show a QR code
  8. Now it is time to download and install the Microsoft Authenticator app on your mobile (Android and iOS)
  9. Open the app and, from the top right menu, choose Add Account – Work or School Account
  10. Scan the QR code
  11. The app registers the account on the mobile and shows a 6-digit code that changes every 30 seconds (this does not require an internet connection)

    Mobile account registered showing authentication code

  12. Now click Next on the browser side.
  13. You will now receive a notification on the mobile phone.
    Choose the Approve option.

  14. Now the MFA is configured.
    Please note that the displayed 6-digit number does NOT need to be entered anywhere, because we are using the Receive notifications for verification option.
  15. In the next step, it will ask for another phone number to use for verification in case you lose your mobile. Add a different number here and click Next.

Special password for Outlook and Skype for Business

The Outlook client and Skype for Business do not support MFA. Your regular account password will stop working in them as soon as MFA is configured: Outlook will keep asking for your password, and your regular password will not work. From now on you have to use a special password.

That is the one shown to you in the next dialog as Step 4. Copy that password and use it for Outlook and SFB. Use one app password for your laptop and another for desktop / mobile, etc.

If you use any ActiveSync client on your mobile, that will also require a password. Technically you can reuse this app password, but it is better to create another one.

How to do that? Go to Portal.Office.com, click on your photo, go to My account – Security – you will see a Create App Passwords option. Create a new one from there and use it.

User: Regular Office 365 MFA login

From now on, MFA is enabled and you log in in two steps.

Step 1: Log in using your user ID and password as usual.

Step 2: Immediately, you will receive the Approval notification on mobile.

Congratulations

The chances of your account being hacked are now reduced by 99%.

Share this with everyone you love and make their digital lives also safer.


Windows Pin Security: 4 digits strong enough?

All of us know that the recommended password length keeps increasing. Currently a complex password is recommended to be 14 characters or more. Instead of a long and complex password, you can also log in using Windows PIN security. The Windows 10 PIN can be as short as 4 digits, and the PIN is considered to be BETTER than a password. However, the PIN looks fairly weak. Is it not?

On the face of it, yes. A PIN appears to be grossly inadequate as a protection mechanism. But it is not. Obviously, Microsoft must have thought about it! How is Windows PIN security strong enough? Here are the reasons:

Why is Windows PIN security better than passwords?

  1. The PIN works only on that device. Therefore, even if someone knows your PIN, they need physical access to your PC.
  2. The PIN is not visible on the network (Wi-Fi or network cable). A password can be stolen just by monitoring your Wi-Fi. The PIN is typed locally on the PC, so there is no chance of it being visible on the network.
  3. Many laptops have a special hardware chip for encrypting things. Using this chip to manage the PIN makes it impossible for hackers to find the PIN. (This chip is called a TPM. Never mind what it means.)
  4. If someone steals the laptop, they have to guess the PIN. As you would expect, TPM chips have a lockout setting that stops repeated guessing. If the laptop does not have a TPM, you can still use BitLocker and apply a group policy setting to limit failed logins.
  5. It is easy to get your passwords using various methods. Let us not go into the details of what these methods are. What you need to remember is never to click on a random link in an email or browser and never to reveal the password to anyone (period).
    If your PIN is stolen using the same methods that work with passwords, you are still safe because of the 4 reasons listed above.

If you forget your own PIN, you must log in using another method and reset the PIN. Also note that if you enable biometric login (face recognition or fingerprint), creating a PIN is mandatory. Why so? Because if, for whatever reason, biometrics do not work, you need an equally secure alternative to log in (login / password is less secure). That is why you also need to set up a PIN. These new methods of secure login are called Windows Hello.

In short, if you have a choice, always use PIN (and biometric) instead of username and password with Windows 10.


Warning: Office 365 SPAM – Phishing attack

DO NOT respond to any mails which ask for an Urgent Upgrade. Here is a sample mail which I just received.


There is a link called UPGRADE NOW.
DO NOT CLICK ON THIS LINK.

This link leads to an authentic-looking Office 365 login page. Needless to say, it is a fake page. This is called a phishing attack.


DO NOT put your password there.
Just delete the mail permanently and do not think about it again.

I have already informed the relevant authorities in Microsoft. They will do the needful.

If you are in another country or region, you may not receive this particular type of mail. But in any case, do not trust any such mails. If you are an IT person, go to the Office 365 Admin page and check whether there is a genuine need for a license upgrade. If you are not an IT person, just alert your IT team.

Be safe!

Security Neglect: Office 365 Worst Practices

Everyone is worried about putting corporate files, data and emails on the cloud – or Office 365. This worry continues after deploying Office 365. Paradoxically, the actual effort put into securing Office 365 is inadequate. Of course, Microsoft data centers follow, and often create, new global security standards. However, there is Security Neglect at the individual tenant (customer) level. Most do not even know that there is an Office 365 Secure Score. Find out more. Reading time 7 min.


Irritating = Extremely Useful – The “Enable Editing” button

Since Office 2013, you will often see a yellow bar at the top asking you to Enable Editing. Until you press this button, you cannot type anything or format any content. This may sound irritating, but it is a very useful feature. It safeguards your interests.


The reason is simple. Even today, many viruses travel through Office documents – as macros. These files arrive by email, are downloaded from the Internet, or are copied from USB drives. In these cases, there is a great danger of the file infecting your PC. To prevent this from happening, such files are now opened in a special way: you can read the file but not edit it.

If you trust the source and want to edit the file, click the Enable Editing button. Unless you want to edit it, don’t Enable Editing. Just read it and take the required action.

Office 365 prevents confidential data leakage: Are you using it?

This is a brief article. I will cover it in more detail later. But this is just to inform all the readers that such a sophisticated facility exists within Office 365 and they should take advantage of it.

I have observed that although Office 365 is a popular product, not all customers really notice, appreciate and utilize this powerful platform to its fullest extent.

One such feature is called Data Loss Prevention. It helps you control, monitor and prevent the leakage of confidential data, customer privacy related information, financial data, etc. by any employee through email. This feature is also being extended to SharePoint.

Exactly how to activate and configure the feature is beyond the scope of this article; that is not even the intention of writing it. Just understand what it does, and if you find it useful and relevant to your business, make sure your IT team implements it.

What does DLP in Office 365 do?

In simple terms, it monitors every outgoing mail message and checks if any pre-defined restricted information is being sent outside your organization.

If it does find such a mail, it can warn the user, capture the reason for sending it, prevent the user from sending it, forward it to a compliance officer, delete the mail, follow an approval process, and so on.

You choose what counts as objectionable, sensitive, confidential or privacy related data. You create the rules and DLP follows them faithfully.

To make your life simpler, many ready-made rules are available. These rules are created as per stringent government and banking guidelines. You can start with a ready-to-use template and then refine it as needed.

In short: try it, assess it and use it.

SharePoint – Part 3: Secure Document Sharing

You can learn how to decide WHO can do WHAT with the documents (or other content) which you have shared. If you are using OneDrive for Business, by default, all documents can only be viewed and edited by YOU – and nobody else.

This video contains SPS 2010 screenshots. However, the concepts are still the same as of Feb 2015.