Which security settings can I customize in Office Protect?

There are three security profile presets from which to choose. We recommend the strongest profile with which your company is comfortable.

  • Low User Impact
  • Recommended Best Practices
  • Max Security

 You can also create your own custom profile by modifying the settings below. 

 

To learn how to apply security profiles in Office Protect, click HERE.

 

Settings that can be customized: 

Account Passwords Never Expire

Passwords on accounts will never expire or request to be changed.

The National Institute of Standards and Technology (NIST) now recommends requiring a password change only when there is reason to believe the password has been compromised. Forced password changes encourage weak passwords and poor storage habits. This setting should be combined with other security measures such as Multi-Factor Authentication.

Security Impact: Medium | User Impact: None 

Audit Logs Always On

Turn the audit logs back on if they are ever turned off.

Audit logs are a requirement for using this service. If they are turned off, you lose all visibility into the activities of your tenant. If audit logs are turned off by mistake, or by a rogue administrator, through the Microsoft 365 portal or by PowerShell, we will automatically turn them back on. This will also produce an event in our reports.

Security Impact: High | User Impact: High 

Block "Bad" File Extension Attachments

This will block email attachments with known bad file extensions.

The vast majority of files with the blocked extensions are security threats. Should the need arise to share such a file, channels other than email should be used.

Security Impact: Medium | User Impact: Medium 

Do Not Allow Calendar Details Sharing

This will prevent users from sharing the full details of their calendar with external users.

Attackers will often research your organization to prepare targeted attacks. A person's calendar is a great source of information and should not be shared externally.

Security Impact: Custom | User Impact: Custom 

Do Not Allow Third-Party Integrated Applications

This will prevent your users from giving permissions on Microsoft 365 to third-party apps.

Third-party apps should only be accepted following a vetting process by an IT specialist. This will prevent normal users from accepting apps. Admins will still be able to accept applications.

Security Impact: Custom | User Impact: Custom 

Enable Client Rules Forwarding Block

This will create a rule preventing auto-forwarding from your tenant to external organizations.

This Security Control will create a transport rule preventing auto-forwarded external messages from leaving your tenant. The rule applies when: the Sender is located 'Inside the organization'; the Recipient is located 'Outside the organization'; the message type is 'Auto-Forward'. It will Reject the message with the explanation 'External Mail Forwarding via Client Rules is not permitted'.

Security Impact: Custom | User Impact: Custom 
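As an added example (not Office Protect's own code), the PowerShell below checks whether a tenant already has an enabled, enforcing transport rule with the three conditions described above, and can create one if none exists. It assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session; the rule name and the -CreateIfMissing switch are hypothetical.

```powershell
# Added example: audit for (and optionally create) a transport rule
# equivalent to the one described above.
# Assumes an existing Connect-ExchangeOnline session.
# The rule name is hypothetical; the page does not give Office Protect's rule name.
param(
    [string]$RuleName = 'Block external auto-forward (example)',
    [switch]$CreateIfMissing
)

# Rejection text as quoted in the setting description.
$rejectText = 'External Mail Forwarding via Client Rules is not permitted'

# Find rules matching the three conditions, regardless of their name.
$matching = Get-TransportRule | Where-Object {
    $_.FromScope -eq 'InOrganization' -and
    $_.SentToScope -eq 'NotInOrganization' -and
    $_.MessageTypeMatches -eq 'AutoForward' -and
    $_.RejectMessageReasonText
}

# A rule only protects the tenant if it is enabled and enforcing,
# not disabled and not running in an audit-only mode.
$effective = $matching | Where-Object {
    $_.State -eq 'Enabled' -and $_.Mode -eq 'Enforce'
}

if ($effective) {
    $effective | Select-Object Name, Priority, State, Mode, RejectMessageReasonText
}
elseif ($matching) {
    Write-Warning 'A matching rule exists but is disabled or not in Enforce mode:'
    $matching | Select-Object Name, State, Mode
}
elseif ($CreateIfMissing) {
    New-TransportRule -Name $RuleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText $rejectText
}
else {
    Write-Warning 'No transport rule blocks external auto-forwarding in this tenant.'
}
```

Run without the switch, the script only reports; a matching rule that is disabled or left in an audit mode is flagged because it does not reject anything.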

Enable Multi-Factor Authentication

Enable Multi-Factor Authentication for admins or all users.

This will activate multi-factor authentication (MFA). Affected users will be asked to submit a temporary code when logging in. Activating MFA protects your accounts from breach by requiring an additional verification when logging in. Although activating MFA for all users is recommended, it may create workflow disruptions. Activating it for all Global Admins is considered a minimum.

This uses the free MFA provided with Microsoft 365.

Security Impact: Low | User Impact: High 

Mailbox Audit Logs Always On

Turn the mailbox audit logs back on if they are ever turned off.

Mailbox audit logs are a requirement when using this service. If they are turned off, you lose all visibility into the activities of your tenant. Mailboxes have their own logs. If they are turned off by mistake, or by a rogue administrator, through the Microsoft 365 portal or by PowerShell, we will automatically turn them back on. This will also produce an event in our reports.

Security Impact: High | User Impact: High 

Set Outbound Spam Notifications

A notification will be sent to the email account set here if one of the organization's accounts is flagged for sending spam.

A normal user suddenly sending out spam is often a sign that the account has been breached and is being abused. Even if the account was not breached, a spamming account should be addressed.

Security Impact: Medium | User Impact: Medium  

 

If you have any questions, please browse our other FAQs, or contact us directly.