Επεξεργασία

Κοινή χρήση μέσω


Step 3. Protect identities

Use the following sections to protect your organization from credential compromise, which is typically the first stage of a larger ransomware attack.

Increase sign-in security

Use passwordless authentication for user accounts in Microsoft Entra ID.

During the transition to passwordless authentication, use these best practices for user accounts that still use password authentication:

Next, implement the Common identity and device access policies. These policies provide higher security for access to Microsoft 365 cloud services.

For user sign-ins, these policies include:

  • Requiring multi-factor authentication (MFA) for priority accounts (immediately) and eventually all user accounts.
  • Requiring high-risk sign-ins to use MFA.
  • Requiring high-risk users with high-risk sign-ins to change their passwords.

Prevent privilege escalation

Use these best practices:

  • Implement the principle of least privilege and use password protection as described in Increase sign-in security for those user accounts that still use passwords for their sign-ins.
  • Avoid the use of domain-wide, admin-level service accounts.
  • Restrict local administrative privileges to limit installation of Remote Access Trojans (RATs) and other unwanted applications.
  • Use Microsoft Entra Conditional Access to explicitly validate the trust of users and workstations before allowing access to administrative portals. See this example for the Azure portal.
  • Enable Local Admin password management.
  • Determine where highly privileged accounts are signing in and exposing credentials. Highly privileged accounts should not be present on workstations.
  • Disable the local storage of passwords and credentials.

Impact on users and change management

You must make the users in your organization aware of:

  • The new requirements for stronger passwords.
  • The changes in sign-in processes, such as the required use of MFA and the MFA secondary authentication method registration.
  • The use of password maintenance with SSPR. For example, no more calls to helpdesk for a password reset.
  • The prompting to require MFA or a password change for sign-ins that are determined to be risky.

Resulting configuration

Here's the ransomware protection for your tenant for steps 1-3.

Ransomware protection for your Microsoft 365 tenant after Step 3

Next step

Step 4 for ransomware protection with Microsoft 365

Continue with Step 4 to protect devices (endpoints) in your Microsoft 365 tenant.