Office 365 & Microsoft Teams - Collaboration experience and security impact


In this article we want to show what working with Microsoft Teams looks like from the point of view of users, IT administrators and information security staff.

First, let's be clear about how Teams differs from most other Microsoft products in the Office 365 offering (hereinafter O365 for short).

Teams is only a client: it has no cloud application of its own, and it hosts the data it manages in various other O365 applications.

We will show what happens "under the hood" when users work in Teams, SharePoint Online (hereinafter referred to as SPO), and OneDrive.

If you would like to move straight on to the practical side of Microsoft security (about 1 hour of the total course time), we highly recommend our Office 365 Sharing Audit course, available at the link. Among other things, this course covers the sharing settings in O365 that can only be changed through PowerShell.

Meet the Acme Co. Internal Project Team.


This is what the Team looks like in Teams after it has been created and the Owner of this Team, Amelia, has given its members the appropriate access:


The team gets started

Linda assumes that the bonus payment plan file she posted in the Channel she created will be accessed only by James and William, with whom she discussed it.


James, in turn, sends a link to this file to an HR employee, Emma, who is not a member of the Team.


William, for his part, sends an agreement containing a third party's personal data to another member of the Team in an MS Teams chat:


We climb under the hood

Zoey, thanks to Amelia, can now add anyone to or remove anyone from the Team at any time:


Linda, when posting a document with critical data intended only for two of her colleagues, chose the wrong Channel type when creating it, and the file became available to all members of the Team:


Conveniently, there is a Microsoft app for O365 which, used for a purpose it was never intended for, lets you quickly see what critical data absolutely all users have access to: sign in with a test user who is a member of nothing but the most general security group.

Even when files are inside Private Channels, this is no guarantee that only a certain circle of people will have access to them.

In James's example, he sent a link to the file to Emma, who is not even a member of the Team, let alone of the Private Channel (had there been one).

The worst part of this situation is that we will not see any trace of it in the Azure AD security groups, because the access rights were granted to her directly.

The personal data file sent by William will be available to Margaret at any time, not just during the online chat.

We climb up to the waist

Let's dig further. First, let's look at exactly what happens when a user creates a new Team in MS Teams:


  • A new Office 365 security group that includes the Team's owners and members is created in Azure AD
  • A site for the new Team is created in SharePoint Online (hereinafter SPO)
  • Three new local groups (valid only within this service) are created in SPO: Owners, Members, Visitors
  • Changes are also made in Exchange Online

MS Teams data and where it lives

Teams is neither a data store nor a platform; it is integrated with all the Office 365 solutions.


  • O365 offers many applications and products, but data is always stored in one of the following locations: SharePoint Online (SPO), OneDrive (hereinafter OD), Exchange Online, Azure AD
  • The data you share or receive through MS Teams is stored on those platforms, not within Teams itself
  • The risk here is the growing trend towards collaboration: anyone with access to data on the SPO and OD platforms can make it available to anyone else, both inside and outside the organization
  • All Team data (excluding Private Channel content) is collected in an SPO site created automatically when the Team is created
  • For each Channel you create, a subfolder is automatically created in the Documents folder of that SPO site:
    • files posted in a Channel are uploaded to the corresponding subfolder (named after the Channel) of the Documents folder of the Team's SPO site
    • emails sent to a Channel are stored in the “Email Messages” subfolder of the Channel folder

  • When a new Private Channel is created, a separate SPO site is created to store its contents, with the same structure described above for regular Channels (important: a dedicated SPO site is created for each Private Channel)
  • Files sent via chats are saved to the sending user's OneDrive (in the "Microsoft Teams Chat Files" folder) and shared with the chat participants
  • Chat messages and Channel conversations are stored in hidden folders in the mailboxes of the users and of the Team, respectively. There is currently no way to obtain additional access to them.

There is water in the carburetor, a leak in the hold

The main points to remember in the context of information security:

  • Access control, and the understanding of who may be granted rights to important data, is pushed down to the end-user level. No full centralized control or monitoring is provided.
  • When someone shares company data, your blind spots are visible to others, but not to you.


In the list of people who belong to the Team (via the security group in Azure AD) we do not see Emma, but she has access to the specific file James sent her a link to.


Similarly, we will not learn about her ability to access the file from the Teams interface either:


Can we find out somehow which objects Emma has access to? Yes, we can, but only by examining the permissions on everything, or on a specific object in SPO that we already have suspicions about.

Having examined those permissions, we will see that Emma and Chris both hold rights on the object at the SPO level.


Chris? We don't know any Chris. Where did he come from?

He “came” to us through a “local” SPO security group which, in turn, contains the Azure AD security group with the members of the “Compensations” Team.


Can Microsoft Cloud App Security (MCAS) shed light on the questions that interest us and provide the right level of understanding?

Alas, no... Although we can see Chris and Emma, we will not be able to see which specific users have been granted access to what.

Levels and ways of granting access in O365 - IT challenges

Granting access to data on file shares inside the organization's perimeter is a simple process: it is not particularly complicated, and it offers practically no way of bypassing the access rights that were granted.


O365, on the other hand, offers many ways to collaborate and to access data.

  • Users do not see why they should restrict access to data when they can simply send a link to a file that is accessible to everyone, either because they lack basic information security expertise or because they dismiss the risks, assuming they are unlikely to materialize
  • As a result, critical information can leave the organization and become available to a wide circle of people.
  • In addition, there are plenty of ways to grant excessive access.

In O365, Microsoft has provided probably too many ways to change access control lists. Such settings exist at the level of the tenant, sites, folders, files, the objects themselves and the links to them. Configuring the sharing settings is important and should not be neglected.

We offer a free video course of about an hour and a half on configuring these parameters; the link is given at the beginning of this article.

Without thinking twice, you could block all external file sharing, but then:

  • Some of the capabilities of the O365 platform will go unused, especially if some users are accustomed to them from home or from a previous job.
  • "Power users" will "help" other employees break the rules you set by other means

Configuring the sharing options involves:

  • Different settings for each application: OD, SPO, AAD and MS Teams (some can only be changed by an administrator, some only by the users themselves)
  • Settings at the tenant level and at the level of each individual site
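As an added example (not the article's own code, and not from the linked course), here is how the tenant- and site-level sharing settings mentioned above are read and changed from the SharePoint Online Management Shell. The weak configuration is shown commented out beside the hardened one. The module name and cmdlets are real; the tenant URL, site URL and the choice of values are assumptions for illustration.

```powershell
# Added example: tenant-wide and per-site sharing settings in SharePoint Online.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin account;
# "<tenant>" and "<team-site>" are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Read the tenant-wide defaults that decide what users see in the "Share" dialog.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    FileAnonymousLinkType, FolderAnonymousLinkType, RequireAnonymousLinksExpireInDays,
    PreventExternalUsersFromResharing

# 2. Weak configuration (kept here only for comparison): "Anyone" links are the default,
#    they grant Edit, and they never expire (-1).
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#     -DefaultSharingLinkType AnonymousAccess -DefaultLinkPermission Edit `
#     -RequireAnonymousLinksExpireInDays -1

# 3. Hardened configuration: external sharing only with authenticated guests (no "Anyone"
#    links), the default link targets specific people with View rights, any anonymous link
#    that is later allowed again is View-only and expires after 7 days, and guests cannot re-share.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -FileAnonymousLinkType View `
    -FolderAnonymousLinkType View `
    -RequireAnonymousLinksExpireInDays 7 `
    -PreventExternalUsersFromResharing $true

# 4. Site level: a Team's SPO site (and every Private Channel site) can be stricter than the
#    tenant, never more permissive. Turn external sharing off for one sensitive Team site.
$siteUrl = "https://<tenant>.sharepoint.com/sites/<team-site>"
Set-SPOSite -Identity $siteUrl -SharingCapability Disabled

# 5. Verify: list every site that still permits any sharing beyond "Disabled", so the
#    per-site exceptions are visible in one place rather than hidden in each site's settings.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, Template, SharingCapability |
    Sort-Object Url
```

The values in step 3 are one reasonable baseline, not a universal recommendation; the point is that the tenant setting is only a ceiling, so step 5 is where you discover which sites were set up more loosely than you expect.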

What this means for information security

As we saw above, the full effective permissions on data cannot be seen in a single interface:


Thus, in order to understand who has access to EACH specific file or folder, you will have to build an access matrix yourself by collecting the data for it, bearing in mind the following:

  • Team members are visible in Azure AD and in Teams, but not in SPO
  • Team Owners can appoint Co-Owners who can expand the Team's membership on their own
  • Teams can also include EXTERNAL users ("Guests")
  • Sharing links and download links are not visible in Teams or Azure AD, only in SPO, and only after tediously navigating through tons of links
  • Access granted only at the SPO site level is not visible in Teams
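Here is an added example (not the article's code) of collecting such a matrix for one Team site with PnP PowerShell, covering the situation described earlier in the article in which Emma appears through a sharing link and Chris through an Azure AD group nested inside a "local" SPO group. It walks every item in the Team's document library that has unique permissions, expands SPO groups and the directory groups inside them, labels sharing-link groups, and finally diffs the result against the Team's Azure AD group. The cmdlets are real PnP.PowerShell cmdlets; the site URL, app registration id and Team group id are placeholders, and the "SharingLinks.*" naming of link groups is how SharePoint names them today.

```powershell
# Added example: build an access matrix for a Team's document library with PnP.PowerShell.
# Assumes the PnP.PowerShell module and an app registration allowed to read sites and
# directory groups; "<tenant>", "<team-site>", "<app-registration-id>" and "<team-group-id>"
# are placeholders.
Import-Module PnP.PowerShell
$siteUrl = "https://<tenant>.sharepoint.com/sites/<team-site>"
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId "<app-registration-id>"

# Resolve a principal to user identities. Directory groups inside SPO groups appear as
# SecurityGroup principals whose LoginName ends in the AAD object id ("..._o" marks owners).
function Expand-Principal($principal) {
    switch ($principal.PrincipalType) {
        "SharePointGroup" {
            foreach ($m in Get-PnPGroupMember -Group $principal.Title) { Expand-Principal $m }
        }
        "SecurityGroup" {
            $groupId = (($principal.LoginName -split "\|")[-1]) -replace "_o$", ""
            foreach ($u in Get-PnPAzureADGroupMember -Identity $groupId) { $u.UserPrincipalName }
        }
        default { if ($principal.Email) { $principal.Email } else { $principal.LoginName } }
    }
}

$rows = foreach ($item in Get-PnPListItem -List "Documents" -PageSize 500) {
    # Items that inherit permissions are covered by the site's Owners/Members/Visitors groups;
    # only items with unique permissions can carry the direct grants and links we are after.
    if (-not (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments)) { continue }
    foreach ($ra in (Get-PnPProperty -ClientObject $item -Property RoleAssignments)) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ","
        if ($roles -eq "Limited Access") { continue }   # traversal-only right, not data access
        # Sharing links are materialized as SPO groups named "SharingLinks.<itemId>.<kind>.<linkId>"
        $source = if ($ra.Member.Title -like "SharingLinks.*") { "sharing link" } else { $ra.Member.Title }
        foreach ($who in Expand-Principal $ra.Member) {
            [pscustomobject]@{ File = $item["FileRef"]; Principal = $who; Roles = $roles; Source = $source }
        }
    }
}

# The matrix itself, then the part that Teams and Azure AD never show: everyone with access
# who is not in the Team's Azure AD group (direct grants, guests, link recipients, nested groups).
$rows | Export-Csv -Path .\team-access-matrix.csv -NoTypeInformation
$teamMembers = (Get-PnPAzureADGroupMember -Identity "<team-group-id>").UserPrincipalName
$rows | Where-Object { $_.Principal -notin $teamMembers } |
    Sort-Object File, Principal | Format-Table -AutoSize
```

Run it per Team site and once more per Private Channel site, since each Private Channel has its own SPO site; "Anyone" links have no recipient principal at all, so they show up only as a "sharing link" row, which is exactly the row to treat as a finding.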

The lack of centralized control means you cannot:

  • See who has access to which resources
  • See where the critical data is
  • Comply with regulations that require a privacy-by-design approach to service planning
  • Detect abnormal behavior around critical data
  • Limit the attack surface
  • Choose an effective way to reduce risk, based on an assessment of it

Summary

In conclusion, we can say that:

  • For the IT departments of organizations that choose to work with O365, it is important to have qualified staff who can both technically implement changes to the sharing settings and justify the consequences of changing particular parameters, so that policies for working with O365 can be written in agreement with information security and the business units
  • For information security, it is important to be able to audit data access automatically, daily or even in real time, for violations of the O365 policies agreed with IT and the business units, to analyze whether the access granted is correct, and to see attacks on each of the services in their O365 tenant

Source: habr.com
