Transcription
OFFICIALProtected Utility BlueprintOffice 365 DesignMarch 2020
OFFICIALContentsContents.iiiBackground . 1Overview . 2Purpose . 2Documentation . 5Design Considerations . 8Centralised Logging Facility . 8Basic Authentication . 8Data Migration . 8GovLink . 9Telstra Calling and collaboration . 9Office 365 Organisation .10Residency . 10Licencing . 11Themes . 12Office 365 Services and Add-Ins . 14Self Service Purchase . 16Customer Lockbox . 16Office 365 Connectivity .18Description . 18Design Considerations . 18Design Decisions . 19Mail Flow . 20Mail Connectors . 22Mail Exchange Records . 24Autodiscover . 25SPF, DMARC, DKIM . 26Accepted Domains . 27Remote Domains . 29Digital Transformation Agency —iii
OFFICIALExchange Online .31Description . 31Design Considerations . 31Design Decisions . 32User Mailbox Configuration. 32Authentication Policies . 34Outlook on the Web Policies . 35Mailbox Archive . 36Mailbox Auditing . 36Journaling. 39Shared Mailboxes . 40Resource Mailboxes . 41Distribution Lists . 42Dynamic Security Groups . 43Office 365 Groups . 44Address Book / Address List . 46Exchange Online Protection .47Connection Filtering . 47Anti-malware . 48Policy Filtering . 49Content Filtering . 51SharePoint Online .54SharePoint Sites . 54Application Management . 55Web Parts . 56Sharing and Access Controls. 57Legacy Features . 59OneDrive for Business .62Sharing . 62Synchronisation . 63Notifications. 65Digital Transformation Agency —iv
OFFICIALMicrosoft Teams .67Access. 67Dynamic Security groups . 68Organisation Wide Configuration . 69Policies & Settings . 70Voice Calling . 72Security and Compliance .73Alerts . 73Classification Labels . 75Retention Policies . 77Data Loss Prevention . 79Audit and Logging . 82Office 365 Advanced Threat Protection .85Description . 85Design Considerations . 85Design Decisions . 85Safe Links . 86Safe Attachments . 88Anti-Phishing . 89Abbreviations and Acronyms .92Digital Transformation Agency —v
OFFICIALBackgroundThe DTA developed the Protected Utility Blueprint to enable Australian Government agencies totransition to a secure and collaborative Microsoft Office 365 platform. The solution is underpinned byproven technologies from the Microsoft Modern Workplace solution (Microsoft 365 including Office 365,Enterprise Mobility Security, and Windows 10). The Blueprint design is delivered as three distinctdocuments: Platform – Provides technologies that underpin the delivery of the solution, Workstation – The client device, which is configured and managed by Microsoft Intune, and Office 365 – Microsoft Office 365 productivity applications.The Blueprints are accompanied by Configuration Guides and Security Documentation adhering to theAustralian Cyber Security Centre (ACSC) PROTECTED requirements for Information andCommunication Technology (ICT) systems handling and managing Government information. Theseartefacts provide a standard and proven Microsoft 365 solution aimed to fast track the adoption of theMicrosoft Modern Workplace experience.The following Blueprint documentation contains considerations for best practice deployment advicefrom the Australian Government Information Security Manual (ISM), relevant Microsoft hardeningadvice, the ACSC Essential Eight and the ACSC hardening guidelines for Microsoft Windows 10.Digital Transformation Agency —1
OFFICIALOverviewPurposeThis document provides the design of the technology components that will be implemented to supportOffice 365. For technologies and services not covered, refer to the respective design document.ScopeTable 1 describes the components that are in scope for the design.Table 1 In Scope ComponentsComponentInclusionsOffice 365 OrganisationResidencyLicencingThemesServices & Add-insMicrosoft SearchCustomer LockboxOffice 365 ConnectivityFirewallOptimisationOffice 365 Exchange OnlineMail FlowMail Exchange RecordsAutodiscoverSenders Policy Framework (SPF), Domain Keys IdentifiedMail (DKIM), Domain-based Message Authentication,Reporting and Conformance (DMARC)Accepted DomainsRemote DomainsUser Mailbox ConfigurationAuthentication PoliciesOutlook on the Web PoliciesMailbox AuditingMailbox AuditingJournalingShared MailboxesResource MailboxesDistribution ListsDynamic Security GroupsOffice 365 Groups2Digital Transformation Agency —
OFFICIALPublic FoldersAddress Book / Address ListMail ContactsOffice 365 Exchange Online ProtectionConnection FilteringAnti-malwarePolicy FilteringContent FilteringMail GatewayMail GatewayOffice 365 SharePoint OnlineSharePoint Online base ConfigurationOneDrive for BusinessOneDrive for Business ConfigurationSize LimitsRetention PeriodBackupsMicrosoft TeamsMicrosoft Teams ConfigurationInstant MessagingCollaborationDesktop/app ingOffice 365 Advanced Threat ProtectionOffice 365 ATP Safe LinksOffice 365 ATP Safe AttachmentsOffice 365 ATP Anti-PhishingSecurity and Compliance CenterAlertsLabelsData Loss PreventionRetention PoliciesAudit LoggingCustomer KeyBeyond the BlueprintThe Blueprint is designed to provide a baseline cloud only offering for all government agencies. Even ifa product is licenced for use under Microsoft, it may not be included in this Blueprint if it is not requiredfor all agencies. An organisation may have additional requirements that will need to be consideredoutside of this Blueprint including the following:Digital Transformation Agency —3
OFFICIAL4ComponentExclusionOffice 365 OrganisationMicrosoft SearchSecurity and Compliance CenterCustomer Key (requires two azure subscriptions)PowerAppsPowerApps ConfigurationMicrosoft FlowFlow ConfigurationPower BIPower BIDigital Transformation Agency —
OFFICIALDocumentationAssociated DocumentationTable 2 identifies the documents that were referenced during the creation of this design.Table 2 Associated ure - ACSC Consumer Guide - Protected - 2018N/A08/2018Australian Government Information Security Manual (June 2019)N/A10/2019DTA – Blueprint Solution OverviewMarch03/2020DTA – Platform DesignMarch03/2020DTA – Workstation DesignMarch03/2020DTA – Office 365 – ABACMarch03/2020DTA – Platform – ABACMarch03/2020DTA – Intune Security Baselines – ABACMarch03/2020DTA – Software Updates – ABACMarch03/2020DTA – Intune Applications – ABACMarch03/2020DTA – Intune Enrolment – ABACMarch03/2020DTA – Conditional Access Policies – ABACMarch03/2020DTA – Intune Compliance – ABACMarch03/2020DTA – Intune Configuration – ABACMarch03/20202018.202/2018ACSC - Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016ACSC - Hardening Microsoft Windows 10, version 1709, Workstations2Protective Security Policy Framework – Sensitive and classified ssified-information.pdf3Digital Transformation Agency —5
OFFICIALDocument StructureThis document is part of the blueprint set of documents as shown in Figure 1 and is technical in naturewith the audience expected to be familiar with Office 365 installation and configuration.Figure 1 - Blueprint Documentation atement ofApplicabilitySecurity atingProceeduresThis document covers the information as described in Table 3Table 3 Document Structure6SectionDescriptionDesign ConsiderationsThis section details items that should be taken intoconsideration during and after the deployment of thissolution.Office 365 OrganisationOffice 365 allows for the configuration of organisation widesettings through the use of a centralised management portal.Office 365 ConnectivityOffice 365 is a globally distributed service. The userexperience with Office 365 involves connectivity throughhighly distributed service connection points that are scaledover many Microsoft locations worldwide.Exchange OnlineExchange Online is a cloud hosted email solution that hasthe capabilities of on-premises Exchange Services.Exchange Online ProtectionExchange Online protection is a cloud hosted email securityservice (Mail Gateway) that acts to filter spam and scan forviruses on email entering and leaving Exchange Online.Mail GatewayThe Mail Gateway acts as the central egress and ingresspoint for mail traffic into an organisation.Digital Transformation Agency —
OFFICIALSharePoint OnlineSharePoint online is an online collaboration and file storagesolution. SharePoint integrates heavily with Teams andOneDrive.OneDrive for BusinessOneDrive is a file hosting and file synchronisation solution.Microsoft TeamsTeams is a cloud hosted unified communications platform. Itprovides chat, meetings, file storage, and applicationintegrations.Office 365 Advanced Threat Protection (ATP)Office 365 ATP is a cloud-based mail threat protectionservice. The service provides protection against unknownmalware and viruses through the use of robust zero-dayprotection and inclusion of features to safeguard anorganisation from harmful links in real time.Security and ComplianceOffice 365 provides Security and Compliance tools which canbe utilised to implement an organisation’s InformationManagement Policy and to assist with informationgovernance.For each component within the document there is a brief description of the contents of the section, acommentary on the things that have been considered in determining the decisions and the designdecisions themselves.Digital Transformation Agency —7
OFFICIALDesign ConsiderationsThis section details items that should be taken into consideration during and after the deployment ofthis solution.Centralised Logging FacilityThis design recommends Microsoft 365 E5 licensing to ensure that the advanced security featuresavailable in the E5 suite are leveraged by the Commonwealth. Office 365 E3 is included as standard inthe Microsoft VSA4 agreement with the Commonwealth. Office 365 E5 provides several advantagesand is rec
Sep 17, 2019 · license with Office 365 E3 licences. 4. It is recommended the Department consider a centralised logging solution to retain Office 365 logs for greater than one year to comply with Commonwealth auditing requirements. Log Analytics (a Microsoft Azure capability) can be configured to centr
