Posted by Martin Zinaich on January 10, 2018.
In an earlier post, I talked about how some vendors tend to push enterprises into a weaker security posture. In this post, I continue with information relating to Office 365. Microsoft’s cloud implementation of the Office suite is mind boggling in its complexity and sheer want of native connectivity.
If you are using a proxy, you can forget using it for Office-365 (O365). The life and usefulness of proxy firewalls is arguably approaching an end. Microsoft recommends (almost insists) bypassing the proxy. The volume of posts, TechNet articles and actual recommended published PAC files let us deduce they have run into more than one corporation using said tools.
If you happen to be a corporation that uses proxy firewalls and split-brain DNS as a defense in depth strategy, you are in for a real shocker. In fact, Microsoft just recently learned about split-brain DNS adding support to Windows Server 2016. Most posts related to O365 and Proxy servers clearly show that Microsoft had little awareness of such configurations before pushing the O365 solution.
Regardless of your view on proxy firewalls and split-brain DNS, the lack of awareness is disappointing. Yet for this discussion, you can throw out the topics altogether and still have plenty of concerns.
Microsoft has long been a PR giant, and if you watch closely, you will observe some fine corporate messaging. Like the time Microsoft removed the Start Menu from Windows in an effort to save their failing mobile phone platform (ie: same experience on the desktop may attract users to the phone platform). The online community and my local MS representative started using the phrase “well if you want to stay in the past.” Microsoft eventually brought back an even more enhanced Start Menu to “stay in the past”.
The new mantra for O365 deployments is “Trusted Endpoints” or “Trusted Partner.” You see, they say you do not need to treat Microsoft as an external organization, but as a trusted partner. Let me quote a Microsoft TechNet post:
“Services like Office 365 should be treated somewhere between how you treat internet traffic, and how you treat traffic to your on premises datacenters (which usually has no security applied)”
Why? Because doing so will allow you to turn off a lot of security so their connection hungry application will work properly. Only one problem with that, their deployment is not a site-to-site VPN configuration like other large SaaS solutions but a connection to the same places every other cloud office user connects.
The sheer number of locations is mind numbing. You can click here to see the current ever-changing list of connection IPs, hosts and domains. You will see among the hundreds of entries things like *.onenote.com, *.office.com, www.outlook.com and forms.microsoft.com. Those “*” mean anything in that domain, not just your corporation’s instance. That means anyone that has an account (home user and hacker alike) is now on the approved “Trusted Partner” list.
We are not finished! Again quoting a Microsoft TechNet post:
“Here is the question we need to ask though. Does the same policy which applies to unmanaged and unknown endpoints on the internet, need to apply to known, managed and trusted endpoints used for business-critical services? The answer is hopefully no.”
“We’re not going to unknown and untrusted/unmanaged endpoints with Office 365 like we are with the internet traffic; we’re going to known, business critical, managed and security controlled endpoints.”
Again, you can click here to see the current ever-changing list of connection IPs, hosts and domains.
So based on our full trust of all those domains, Microsoft further recommends:
“Therefore, Microsoft strongly recommends that SSL interception is not performed on Office 365 traffic going to Microsoft owned endpoints.”
Another potential issue is port exhaustion. In reading more about planning for O365, it is recommended to expect around 20-25 connections per user. Considering there is a maximum of 64K ports per IP, when a location starts getting above 2,500 users there will be a need for NAT pooling.
To sum up, the dismantling of any defense-in-depth strategy, these are Microsoft’s recommendations (or implied necessities) to any such corporation wanting to utilize O365:
I did have the opportunity to talk with someone from the O365 development team. I confirmed my assumptions and concerns. The development team will be working to define what domains and IPs are needed for which applications. Additionally, they will try to define what traffic needs to be escaped from SSL inspection and what traffic can continue over normal traffic paths, including proxy servers. That narrowing should help. However, any traffic that requires limited or no deep packet inspection that is also tied to publicly available domains would appear to remain problematic from a security standpoint.
Based on Office 365 uptake into organizations, it may just be the next-best hacker playground. Imagine knowing that by exploiting one cloud location you may have a much lower bar (or none at all) accessing many corporations. Even easier, does my fake outlook.com account provide a better Launchpad for malware links, since I am now a trusted partner?
Submitted in: Martin Zinaich |