EXCHANGE ONLINE PROTECTION IN-DEPTH
Session Agenda
• Introduction to EOP
• Administration
• DMARC, SPF & DKIM
• Advanced Threat Protection
• EOP Deployment Tips
#ITDEVCON
Introduction to EOP
• 3 use cases:
– Standalone
– With Exchange Online
– With Exchange Hybrid
• Purchase options
– Standalone
– Included with Exchange Online (free for EDUs)
– Exchange Enterprise CAL with Services
Introduction to EOP
• Office 365 service comparison tool: technet.microsoft.com/dn788955
Introduction to EOP
• Is it any good? See Gartner: Magic Quadrant for Secure Email Gateways
Introduction to EOP
• SMTP Pipeline
  – Filters optimized for performance
  – This flowchart may help answer the question: “Why is this button so far from that one?”
[Flowchart: EOP SMTP pipeline. Stages: Edge Protection, Reputation and spam detection engine, Detection, Response. Data sources: Senders, Recipients, Internal Data, Subscriptions, JMRT, Recipient Feedback Loop, DKIM / DMARC / SPF. Response: Throttling, IP/Domain Block Lists, Tenant-Specific Configuration, Transport Rules and Admin configuration, Quarantine, Anti Malware, Boomerang; tenant- and mailbox-specific behavior. Supporting roles: Analysts, Engineering and Support; Automation and Response Tools; Sender Support.]
Administration
• EAC (/ecp)
  – Good for:
    • Initial setup
    • Infrequent configurations
    • n00bs
• EOP cmdlets
  – Good for:
    • Recipient management
    • Complex message tracking / reporting
    • Consistent transport rule creation
    • Advanced configurations not exposed in the GUI (e.g. Azure RMS)
  – Cmdlet reference: technet.microsoft.com/dn621038
• On-premises Active Directory
  – Recipient management, if using Directory Synchronization
Administration
• EAC Demo:
  – Accepted Domains
  – Connectors
  – Rules
  – Message Trace
  – Filters
    • Malware
    • Connection
    • Spam
  – Quarantine
Administration
• PowerShell:
– Like any tool, it is only useful once you learn how it works.
– Web portals change frequently; PowerShell cmdlets are more stable.
– Naturally encourages consistent configurations
– PowerShell automates virtually every Microsoft product
– Useful for documentation
Administration
• Data Loss/Leak Prevention
  – ExO P2 or Ent. CAL required
  – Not limited to Exchange (SPO, OneDrive, Office apps)
  – DLP policies contain 1 or more rules
    • Rule = Condition + Action
    • ~40 built-in templates exist (e.g. PCI DSS)
    • Templates importable from 3rd parties
    • Build your own
Administration
• Data Loss/Leak Prevention (cont'd)
  – Document Fingerprinting
    • Looks for attachments that resemble your org’s forms:
      – Government forms
      – Health Insurance Portability and Accountability Act (HIPAA) compliance forms
      – Employee information forms for Human Resources departments
      – Custom forms created specifically for your organization
    • Used in policy rule conditions
  – Policy Tips
  – Auditing
    • Reports
    • Real-time notifications (via email & CRM)
    • DLP search in SPO
Administration
• On-Demand Ignite Webcast: End-to-End Data Loss Prevention, channel9.msdn.com/Events/Ignite/2015/BRK3181
[Diagram: DLP content detection flow in Exchange. Text extraction, then classification, then the transport rule agent; integrated into the Exchange Transport Rule (ETR) engine.]
DMARC, SPF & DKIM
• Sender Policy Framework (SPF)
  – Tell the internet who is authorized to send mail on behalf of <your domain here>
    • Validates 5322.From
  – Limits spoofing and phishing
  – Protect others:
    • DNS TXT records, easy to create with the help of numerous online wizards
  – Protect yourself:
    • Enable SPF filtering
      – EAC\Protection\Spam Filter\<policy>\Advanced Options\SPF record Hard Fail
      – PowerShell> Set-HostedContentFilterPolicy default -MarkAsSpamSpfRecordHardFail On
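Added example, not from the slides or from Microsoft's EOP code: a minimal SPF evaluator in Python that walks a record term by term (ip4/ip6/include/all with their qualifiers, plus the 10-lookup limit) and then models what the "SPF record hard fail" option above reacts to, which is only an explicit match on -all. The TXT dictionary, IP addresses and domains are constructed stand-ins for DNS; SPF itself is evaluated against the envelope (5321.MailFrom) domain.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; both domains are hypothetical.
# A real evaluator queries DNS and also counts a/mx/exists/redirect lookups.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror

def check_spf(ip, domain, lookups=None):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror)
    for sending address `ip` and the 5321.MailFrom `domain`."""
    lookups = [0] if lookups is None else lookups
    record = TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:  # an IPv4 address tested against an ip6 network is simply False
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, lookups)
            if inner in ("none", "permerror", "temperror"):
                return "permerror"
            matched = inner == "pass"  # only a pass inside the include matches
        elif mechanism == "all":
            matched = True
        else:
            raise ValueError(f"mechanism {mechanism!r} needs live DNS; not supported here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term present

def flagged_by_spf_hard_fail(result, mark_as_spam_spf_record_hard_fail=True):
    """Model EOP's 'SPF record: hard fail' option: only an explicit 'fail'
    (the sender matched -all) is marked as spam; softfail/neutral are not."""
    return mark_as_spam_spf_record_hard_fail and result == "fail"
```

Note that a sender covered only by the included record's ~all still ends in "fail" for example.com, because the outer -all is what finally matches.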
DMARC, SPF & DKIM
• DomainKeys Identified Mail (DKIM)
  – EOP scans inbound DKIM
    • Authentication-Results
    • DKIM-Signature
    • X-DkimResult-Test
  – Outbound is still being rolled out
    • http://success.office.com/en-us/roadmap
DMARC, SPF & DKIM
• DMARC
  – Validates 5322.From
• DMARC, SPF, DKIM gotchas:
  – False negatives are common in complex organizations which send mail from many systems or services
  – Legitimate distribution lists can mess with SMTP headers
  – Some DNS servers don’t support TXT records
  – Not all recipient systems are going to bother reading your records
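Added example, not from the slides: DMARC alignment in Python, which is where the distribution-list gotcha above shows up. A list relays the message with its own envelope sender, so SPF passes for the list's domain but does not align with the 5322.From domain, and the message then stands or falls on whether the original DKIM signature survived. The DMARC record and domains are constructed, and the organizational-domain rule is a simplification of what real checkers do with the Public Suffix List.

```python
# Constructed DMARC record for the hypothetical domain example.com, as it would
# be published in the _dmarc.example.com TXT record.
DMARC_TXT = {"example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    policy = tags.get("p", "none")
    return {"p": policy, "sp": tags.get("sp", policy),
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def org_domain(domain):
    # Simplification: the organizational domain is taken as the last two labels;
    # real implementations consult the Public Suffix List (co.uk and the like).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the 5322.From domain, spf_domain the 5321.MailFrom domain SPF
    was evaluated against, dkim_domain the d= tag of the verified signature.
    """
    org = org_domain(from_domain)
    record = DMARC_TXT.get(from_domain.lower()) or DMARC_TXT.get(org)
    if record is None:
        return ("none", "none")
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The subdomain policy (sp=) applies when the From domain is not the org domain.
    return ("fail", policy["p"] if from_domain.lower() == org else policy["sp"])
```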
DMARC, SPF & DKIM
• On-Demand Ignite Webcast: Deep Dive into How Microsoft Handles Spam and Advanced Email Threats, channel9.msdn.com/Events/Ignite/2015/BRK3106
Advanced Threat Protection
• Aims to thwart:
  – Unknown malware
  – Phishing
• Per-user license
  – Requires EOP (does not require ExO)
  – $2 extra, per user
    • Cheaper for government
    • Not available for edu or non-profit
Advanced Threat Protection
• Safe Attachments
  – Routes messages which meet the criteria to a sandbox. Scans for:
    • Executables
    • Registry calls
    • Privilege escalation
    • etc.
• Safe Links
  – Re-writes (not proxies) URLs.
    • Like a filtering version of bitly.com or tinyurl.com
  – Inspects
    • Exchange Online
    • Exchange On-Prem
    • SharePoint in the future*
• Reporting
  – See who is being targeted & how the phishing messages are crafted
*https://channel9.msdn.com/Events/Ignite/2015/THR0136
[Diagram: ATP mail flow. Sender → Exchange Online Protection (multiple filters + 3 antivirus engines) → Safe Attachments (supported file type, clean by AV/AS filters, not in reputation list → detonation chamber/sandbox: executable? registry call? elevation? …) → Safe Links → Recipient. Callouts: protection against unknown malware/virus (behavioral analysis with machine learning, admin alerts); time-of-click protection (real-time protection against malicious URLs, growing URL coverage); rich reporting and tracing (built-in URL and message trace, reports for advanced threats).]
EOP Deployment Tips
• Microsoft’s Best Practices
  – technet.microsoft.com/jj723164
• Use a test domain
• Synchronize recipients
• SPF record customization
• Set anti-spam options (Start with Test Mode)
• Set anti-malware options
• Create transport rules
• Reporting and troubleshooting
EOP Deployment Tips
• Other Best Practices
  – Read the service descriptions
  – EOP should not be daisy-chained
  – Create firewall rules, allowing SMTP only from EOP’s IP ranges
    • Subscribe to the RSS feed
  – Route mail out through EOP as well
    • Helps with backscatter, <your> IP reputation, reporting
    • Simplifies mail flow
  – For high-confidence spam: Quarantine
  – For med/low-confidence spam: Consider the end-user interactions
    • Central quarantine or delete all spam?
    • Regular report?
    • Personal quarantine?
    • Junk folder routing?
  – Use PowerShell
Additional Resources
• TechNet/MSDN Articles
  – ExO & ATP Service Descriptions: https://technet.microsoft.com/en-us/library/office-365-service-descriptions.aspx
  – ATP Video: https://channel9.msdn.com/Events/Ignite/2015/THR0136
  – 3rd party migration resources: technet.microsoft.com/jj723140
• Tools
  – DMARC Deployment Tools: https://dmarc.org/resources/deployment-tools
  – DMARC Inspector: https://dmarcian.com/dmarc-inspector
  – MX Toolbox: http://mxtoolbox.com/SuperTool.aspx
  – RCA: https://testconnectivity.microsoft.com
  – SPF Record Creation Wizard: http://www.spfwizard.net/
  – SPF Record Testing Tool: http://www.kitterman.com/spf/validate.html
• Blogs
  – EOP Field Notes: http://blogs.technet.com/b/eopfieldnotes/
  – Terry Zink: Security Talk: http://blogs.msdn.com/b/tzink/
  – Brian Reid’s articles on ATP: http://www.c7solutions.com/category/atp