What led to Microsoft Security Baseline?
AMEN was receiving a large volume of phishing emails. Employees complained about the time wasted sorting legitimate mail from spam and repeatedly deleting the junk landing in their inboxes. These emails carried unsafe links and attachments, and one such phishing email reached their manager. This raised the alarm, and it was at this point that our experts at CSE suggested the Security Baseline. With it, we aimed to protect against such emails by leveraging the Conditional Access capabilities offered by Microsoft.
The Journey from Office 365 to Security Baseline
We extended our services to their field officers as well, who visit the offices occasionally, by setting up MFA coupled with a robust BYOD policy.
Alpha Medical Equipment of N.Y, Inc. (AMEN) is a New York-based distributor and service provider of medical diagnostic imaging equipment. With a team of over 50 people, they deliver quality solutions, services, and support for a wide range of medical equipment. Today, AMEN has established itself as one of the leading diagnostic imaging solution providers in the area.
At CSE, we value the work done by those in the medical industry amidst an ongoing pandemic. When we first contacted AMEN, we were excited about the kind of work they do, and our experts were ready to add value with robust Microsoft solutions. Our journey began with setting up Office 365 to unlock the power of collaborative tools for their team.
Project Overview
We began by providing a dedicated implementation team to AMEN for the Security Baseline setup. The scope also included securing the mobile devices of their field officers to ensure a robust BYOD policy was in place. Our team needed to schedule calls to get access to their machines in order to apply the required settings, priorities, and changes to the devices within their network. We then set the project deadline, which involved dealing with roadblocks such as the availability of employees’ machines, device time, etc.
Enabling Microsoft Intune with BYOD
Our Microsoft-certified professionals recommended that AMEN implement Microsoft Intune to gain complete control over how their organization’s devices, such as mobile phones, tablets, and laptops, are used. Additionally, we defined policies to manage applications. This included Conditional Access to block email access where needed, since we had to address their frequent spam and phishing concerns. Further, Intune enabled employees to use their own devices for work. On personal devices, Intune helped AMEN keep the organization’s data secure by isolating it from personal data under a robust BYOD policy.
With Intune, we implemented security baselines to protect their people and devices. When configuring security settings, we leveraged pre-configured groups of Windows settings, known as security baselines, to apply the security configuration decisions recommended by the relevant security teams.
Adding more value to our services, we enabled their IT admin to control employees’ devices by defining a BYOD policy and implementing it. For users who require only email or Microsoft Teams access, we enforced app protection policies that require multi-factor authentication (MFA) to use these applications.
With administrators enrolling and managing devices in Intune, they can now:
- View the devices that have been enrolled and obtain an inventory of devices using company services.
- Configure devices following the organization’s security and health guidelines.
- Distribute certificates to devices so users may quickly connect to their office’s Wi-Fi network or connect via a VPN.
- View reports on which people and devices are compliant and which are not.
- Delete organization data from a device that has been lost, stolen, or is no longer in use.
Providing Mobile Application Management
Our team worked with their IT team to set up Intune’s mobile application management (MAM), which is designed to safeguard enterprise data at the application level, including bespoke and store apps. App management is now enabled for both organization-owned and personal devices.
With their administrators managing apps in Intune, they can now:
- Add and assign mobile apps to user groups and devices, including specific users and devices.
- Configure apps to start or run with specified options enabled, as well as update pre-installed apps.
- View reports on which applications are being used and how they are being used.
- Conduct a selective wipe, deleting any data associated with the organization from apps.
Implementing Multi-Factor Authentication (MFA) to ensure all-round access control security
To add another layer of security to sign-ins, we implemented multi-factor authentication (MFA), which combines a strong password with an additional verification method based on one of two things:
1) The user’s smartphone.
2) A characteristic unique to the user physiologically, such as a fingerprint, face, or another biometric identifier.
The second verification method is not used until the user’s password has been validated. Even if a user’s strong password is compromised, the attacker does not have access to the smartphone or fingerprint needed to complete the sign-in.
Since AMEN was using Microsoft 365, we enabled security defaults for them, which require MFA for all user accounts.
Setting up Conditional Access policies
With Conditional Access policies, we helped AMEN define their sign-in criteria, specifying which sign-ins need additional verification and which are permitted outright. To counter phishing and secure BYOD, we established a Conditional Access policy stating:
If the user account belongs to a group of users granted the Exchange, User, Password, Security, SharePoint, or Global Administrator role, MFA is required before access is granted.
This policy lets us apply MFA based on group or role membership rather than manually configuring MFA for individual user accounts whenever they are assigned to or removed from these administrator roles.
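The policy described above, expressed with the Microsoft Graph PowerShell SDK as an added example (not CSE’s or AMEN’s actual configuration). It assumes the Microsoft.Graph modules are installed and an account with Conditional Access administration rights; the break-glass account ID is a placeholder you must replace.

```powershell
# Added example: require MFA for members of the administrator roles named on
# this page, created in report-only mode first so sign-in logs can be reviewed
# before the policy is enforced. Requires the Microsoft.Graph PowerShell modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Resolve the directory role template IDs by display name instead of hardcoding GUIDs.
$roleNames = @(
    "Global Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Security Administrator",
    "User Administrator",
    "Password Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $roleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if ($roleIds.Count -ne $roleNames.Count) {
    throw "Expected $($roleNames.Count) role templates, resolved $($roleIds.Count). Check role names."
}

# Placeholder: object ID of an emergency-access (break-glass) account that
# must stay excluded so a misconfigured policy cannot lock out every admin.
$breakGlassUserId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Require MFA for privileged administrator roles"
    # Report-only: evaluates and logs the outcome without blocking sign-ins.
    # Switch to "enabled" after confirming the sign-in logs show the expected matches.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlassUserId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Conditional Access policies and security defaults are mutually exclusive in a tenant; security defaults must be turned off before a policy like this one can be created.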
Introducing AMEN to the BitLocker removable drive policy
This policy setting specifies the encryption method and cipher strength used by BitLocker.
Our project team also helped AMEN select the encryption strength for additional security (AES-256 is stronger than AES-128). With this setting enabled, our client’s IT admins can independently configure the encryption algorithm and cipher strength for fixed data drives, operating system drives, and removable data drives.
The team at CSE also used the XTS-AES algorithm, as per Microsoft’s recommendation, for fixed and operating system drives.
What benefits is our client AMEN currently realizing from the implementation of the Security Baseline for Microsoft 365?
When we first implemented Microsoft 365 for AMEN, we had a longer-term goal in mind: to help our client unlock the real value of their investment. With a security baseline, we enabled them to establish a secure end-to-end workflow.
Here are the key advantages.
- With the security baseline, we implemented best practices and recommendations for security-related settings. The Intune baselines are developed together with Microsoft’s Windows security team, which is responsible for the group policy security baselines, so these recommendations are based on substantial expertise and guidance.
- Since AMEN was new to Intune, we recommended security baselines so they could quickly design and deploy a secure profile, confident that it helps the organization protect its resources and data.
They now have a robust group policy, with baselines moved to Intune for easy administration and minimal time investment.