Deploying Standard and Strict Preset Security Policy

The security threat landscape evolves rapidly. A security control considered best practice today may not be so tomorrow. What is needed for securing your organization is a security system that automatically evolves and updates its security controls against the rapidly evolving security threat landscape and protects its users. This is exactly what you get when you deploy Microsoft Defender’s Standard and Strict Preset security policies.

Standard or Strict Preset Security Policy? What Should You Choose?

You may need a mix of both, because different groups of employees need different levels of protection. For example, top-level executives often need more protection, either because they hold higher permission levels or simply because their credentials can be used against their own employees, while the standard security policy should be enough for a regular employee.

With this in mind, this article explains how to deploy or enable both the Standard and Strict preset security policies: first using the Microsoft Defender portal, then using the Exchange Online PowerShell module.

Note: The major difference between the two policies is that the Strict preset security policy applies more aggressive security controls, which result in more aggressive detections. The Strict preset security policy is suitable for frequently targeted users such as high-level executives. The downside of this policy is that it can produce a lot of false positives.

Prerequisites

You should have the following permissions for deploying standard or strict preset policy:

Accessing Standard and Strict Preset Security Policy

You can access the Microsoft Defender Preset Security Policy in the following two ways:

  • By visiting https://security.microsoft.com and selecting Email & collaboration >> Policies & rules >> Threat policies >> Preset security policies, as shown in Figure 1, or
  Figure 1: Accessing Preset Security Policies within the Microsoft Defender portal
  • By visiting the Preset Security Policies page directly via the link https://security.microsoft.com/presetSecurityPolicies.

  Note: You can access the Microsoft 365 Security Center (or Microsoft Defender portal) only if you have been assigned the Global Administrator or Security Administrator role.

  Both links lead you to the Preset Security Policies page shown in Figure 2.
  Figure 2: The various preset security policies being displayed

Deploying or Enabling Standard Preset Security Policy Using Microsoft Defender Portal

To deploy or enable the standard preset security policy, follow these instructions.

  1. Select Manage protection settings under the Standard protection policy as shown in Figure 3.
  Figure 3: Selecting the Manage protection settings option in the Standard protection policy
  2. The Apply standard protection policy flyout opens as shown in Figure 4. As you can see on the left-hand side, the procedure has 5 stages:
    • Exchange Online protection – where you decide the security controls for Exchange Online Protection (EOP). This helps you secure your Office 365 mail.
    • Defender for Office 365 protection – where you decide the security controls for your Office 365 tenant.
    • Impersonation protection – where you take security measures against user impersonation by adding the email addresses of those users who stand a high chance of being impersonated.
    • Policy Mode – where you decide whether the security policy is turned on immediately or not.
    • Review – where you review the policy settings being configured before implementing them.
  Figure 4: The Apply standard protection wizard or flyout

  Note: By default, the Apply protection to option is set to None.

  3. Select the Specific recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 5. (For demo purposes, I am going to configure a user-specific standard protection policy. In practice, you will do it on a Group or Domain basis.) Select the users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 5. Click the Next button to proceed.
  Figure 5: Selecting specific users for applying Exchange Online Protection (EOP)
  4. The Apply Defender for Office 365 protection dialog opens, with None selected as the default option. Select the Specific recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 6. Select the users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 6. Click the Next button to proceed.
  Figure 6: Selecting specific users for applying the Defender for Office 365 protection
  5. The Impersonation Protection dialog opens as shown in Figure 7. This feature helps you prevent malicious actors from impersonating your tenant users and legitimate message senders, thereby preventing phishing attacks of different kinds. Click Next to proceed.
  Figure 7: The Impersonation Protection wizard for the Standard protection policy
  6. Impersonation protection is configured in three steps:
    • Step 1: Protected custom users: add the users – both insiders and outsiders – who you believe have a chance of being impersonated. Messages from detected impersonations get quarantined for further investigation. Enter the email address of the user and select the user from the list that appears as shown in Figure 8, then click the Add button as shown in Figure 9. Finally, click the Next button to proceed. Note: You can add multiple users.
    Figure 8: Selecting the email addresses that stand a high chance of being impersonated
    • Step 2: Protected custom domains: add domains that are yours or belong to those who get in touch with you frequently, such as partners and suppliers. Domains added here get protection from impersonation. Messages from impersonated domains get quarantined for further investigation. Enter the domain name, click Add, then click the Next button to proceed as shown in Figure 10. Note: You can add multiple domains.
    Figure 9: Adding the domains (both internal and external) that stand a high chance of being impersonated
    • Step 3: Trusted senders and domains: add legitimate email addresses and domains so that they don't get flagged unnecessarily. Enter the email address or the domain name, click the Add button, and then click the Next button to proceed as shown in Figure 11. Note: You can add multiple email addresses or domains.
    Figure 10: Adding the trusted email addresses and domains to prevent unnecessary impersonation flagging
  7. The Policy mode page opens as shown in Figure 12. Selecting the Turn on the policy when finished option turns on the policy immediately. If you select the Leave it turned off option, you can turn on the policy later. Click Next to proceed.
  Figure 11: Setting the policy mode as Turn on the policy when finished
  8. The Review and confirm your changes page opens as shown in Figure 13. Review your policy settings and, if everything seems fine, click the Confirm button. You'll get a Standard protection updated message as shown in Figure 14. Click Done to complete the process.
  Figure 12: Reviewing the standard protection policy settings
  Figure 13: Click the Done button to close the standard protection policy wizard
  9. If you now go back to the preset policies page at https://security.microsoft.com/presetSecurityPolicies, you will notice that the preset Standard protection is turned on for your tenant as shown in Figure 14.
  Figure 14: Turned on preset standard security policy

Checking Standard Preset Security Policy State Using Windows PowerShell

Run the following PowerShell cmdlets to check whether the standard preset security policy is currently in a turned on or off state.

  1. Run Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name, State to find out whether the EOP Standard Preset Security Policy rule is enabled, as shown in Figure 15.
  2. Run Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name, State to find out whether the Microsoft Defender for Office 365 Standard Preset Security Policy rule is enabled, as shown in Figure 15.
  Figure 15: PowerShell cmdlets for checking the Standard Preset Security Policy state

You should get an output similar to the one shown in Figure 15.

How Does the Script Work?

  1. The Get-EOPProtectionPolicyRule and Get-ATPProtectionPolicyRule cmdlets query the state of the Exchange Online Protection and Microsoft Defender for Office 365 preset policy rules respectively.
  2. The name of the policy being queried is passed to the -Identity parameter.
  3. The result is piped to the Format-Table cmdlet, which displays only the Name and State properties.

Note: Microsoft Defender for Office 365 was previously known as Advanced Threat Protection (ATP). That is why the Get-ATPProtectionPolicyRule cmdlet is still used to query the Microsoft Defender standard preset policy state.


Turning Off the Standard Preset Security Policy Using Windows PowerShell

Run the following PowerShell cmdlets to turn off the standard preset security policy if it is currently in a turned on state.

  1. Disable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Note: Cmdlets Disable-EOPProtectionPolicyRule and Disable-ATPProtectionPolicyRule can be executed at the same time by separating them using a ‘;’ as shown in Figure 16.

You have to confirm the operation as shown in Figure 16.

Figure 16: PowerShell cmdlet for turning off the Standard Preset Security policy

Turning On the Standard Preset Security Policy Using Windows PowerShell

Run the following PowerShell cmdlet to turn on the standard preset security policy if it is currently in a turned off state.

  1. Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

Note: The cmdlets Enable-EOPProtectionPolicyRule and Enable-ATPProtectionPolicyRule can be executed at the same time by separating them with a ';' as shown in Figure 17.

You have to confirm the operation as shown in Figure 17.

Figure 17: PowerShell cmdlet for turning on the Standard Preset Security policy

Deploying or Enabling Strict Preset Security Policy Using Microsoft Defender Portal

To deploy or enable the strict preset security policy, follow the same instructions as for the Standard preset security policy above. The wizard has the same five stages (Exchange Online protection, Defender for Office 365 protection, Impersonation protection, Policy mode, and Review), and the choices at each stage are identical; only the following points differ.

  1. Select Manage protection settings under the Strict protection policy, as shown in Figure 3, instead of under the Standard protection policy.
  2. Work through the Exchange Online protection, Defender for Office 365 protection, Impersonation protection and Policy mode stages exactly as described for the Standard policy, then review and confirm your changes.
  3. When you go back to the preset policies page at https://security.microsoft.com/presetSecurityPolicies, the preset Strict protection is shown as turned on for your tenant.

Checking Strict Preset Security Policy State Using Windows PowerShell

Run the following PowerShell cmdlets to check whether the strict preset security policy is currently in a turned on or off state.

  1. Run Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name, State to find out whether the EOP Strict Preset Security Policy rule is enabled, as shown in Figure 15.
  2. Run Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name, State to find out whether the Microsoft Defender for Office 365 Strict Preset Security Policy rule is enabled, as shown in Figure 15.
  Figure 15: PowerShell cmdlets for checking the Strict Preset Security Policy state

You should get an output similar to the one shown in Figure 15.

Turning Off the Strict Preset Security Policy Using Windows PowerShell

Run the following PowerShell cmdlets to turn off the strict preset security policy if it is currently in a turned on state.

  1. Disable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Disable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

Note: Cmdlets Disable-EOPProtectionPolicyRule and Disable-ATPProtectionPolicyRule can be executed at the same time by separating them using a ‘;’ as shown in Figure 16.

You have to confirm the operation as shown in Figure 16.

Figure 16: PowerShell cmdlet for turning off the Strict Preset Security policy

Turning On the Strict Preset Security Policy Using Windows PowerShell

Run the following PowerShell cmdlet to turn on the strict preset security policy if it is currently in a turned off state.

  1. Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"; Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

Note: The cmdlets Enable-EOPProtectionPolicyRule and Enable-ATPProtectionPolicyRule can be executed at the same time by separating them with a ';' as shown in Figure 17.

You have to confirm the operation as shown in Figure 17.

Figure 17: PowerShell cmdlet for turning on the Strict Preset Security policy
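As an added example that is not part of the original article, the script below wraps the state-check and enable cmdlets used above into reusable functions for both the Standard and Strict presets, and mirrors the portal's Specific recipients and Impersonation protection stages with Set-EOPProtectionPolicyRule, Set-ATPProtectionPolicyRule and Set-AntiPhishPolicy. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account can manage threat policies, that the preset anti-phishing policy can be identified by its RecommendedPolicyType property, and that all addresses and names in the usage lines are placeholders.

```powershell
# Added example, not from the original article: report, scope and enable the
# Standard and Strict preset security policies from Exchange Online PowerShell.
# Assumes ExchangeOnlineManagement is installed; addresses below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-PresetPolicyState {
    # One row per preset and layer: rule state plus the current recipient scope.
    # A rule only exists once the preset has been applied, so absence is reported.
    foreach ($preset in 'Standard', 'Strict') {
        $name = "$preset Preset Security Policy"
        $rules = @{
            EOP      = Get-EOPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
            Defender = Get-ATPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue
        }
        foreach ($layer in 'EOP', 'Defender') {
            $rule = $rules[$layer]
            [pscustomobject]@{
                Preset  = $preset
                Layer   = $layer
                State   = $(if ($rule) { $rule.State } else { 'NotCreated' })
                Users   = $(if ($rule) { $rule.SentTo -join ', ' })
                Groups  = $(if ($rule) { $rule.SentToMemberOf -join ', ' })
                Domains = $(if ($rule) { $rule.RecipientDomainIs -join ', ' })
            }
        }
    }
}

function Set-PresetPolicyScope {
    # Equivalent of the portal's "Specific recipients" stage on both layers,
    # followed by the Enable cmdlets from the article with confirmation suppressed.
    param([Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Preset,
          [string[]]$Users, [string[]]$Groups, [string[]]$Domains)
    $name  = "$Preset Preset Security Policy"
    $scope = @{}
    if ($Users)   { $scope.SentTo            = $Users }
    if ($Groups)  { $scope.SentToMemberOf    = $Groups }
    if ($Domains) { $scope.RecipientDomainIs = $Domains }
    Set-EOPProtectionPolicyRule -Identity $name @scope
    Set-ATPProtectionPolicyRule -Identity $name @scope
    Enable-EOPProtectionPolicyRule -Identity $name -Confirm:$false
    Enable-ATPProtectionPolicyRule -Identity $name -Confirm:$false
}

function Set-PresetImpersonationProtection {
    # Equivalent of the Impersonation protection stage. The preset's anti-phishing
    # policy is found via its RecommendedPolicyType property (assumed present);
    # protected users take the "DisplayName;EmailAddress" form.
    param([Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Preset,
          [string[]]$ProtectedUsers, [string[]]$ProtectedDomains, [string[]]$TrustedSenders)
    $policy = Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -eq $Preset }
    Set-AntiPhishPolicy -Identity $policy.Identity -TargetedUsersToProtect $ProtectedUsers `
        -TargetedDomainsToProtect $ProtectedDomains -ExcludedSenders $TrustedSenders
}

# Usage with placeholder values: scope Strict to an executives group, protect the
# CEO mailbox and company domain from impersonation, then report the state.
Set-PresetPolicyScope -Preset Strict -Groups 'executives@contoso.example'
Set-PresetImpersonationProtection -Preset Strict -ProtectedUsers 'Jane Doe;ceo@contoso.example' `
    -ProtectedDomains 'contoso.example' -TrustedSenders 'newsletter@partner.example'
Get-PresetPolicyState | Format-Table -AutoSize
```

Running Get-PresetPolicyState before and after a change gives a quick audit trail of which preset, layer and recipient scope is actually enforced in the tenant.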

What's Next?

Now that you know how to enable both Microsoft Defender standard and strict preset security policies, in the next article, let’s look at some of the differences between these two policies and perform a simple phishing mail-related test to confirm the same.

How to use this guide?

It is best to read the articles in the order they are written. And since Microsoft 365 security is a vast topic, remember to watch out for this corner for new articles every week.
