Deploying Standard and Strict Preset Security Policy
The security threat landscape evolves rapidly. A security control considered best practice today may not be so tomorrow. What is needed for securing your organization is a security system that automatically evolves and updates its security controls against the rapidly evolving security threat landscape and protects its users. This is exactly what you get when you deploy Microsoft Defender’s Standard and Strict Preset security policies.
Standard or Strict Preset Security Policy? What Should You Choose?
You may need a mix of both, because different groups of employees need different levels of protection. For example, top-level executives often need more protection, because they may have higher permission levels or simply because their credentials can be used against their own employees, while the standard security policy should be enough for a typical employee.
With this in mind, this article explains how to deploy or enable both the Standard and the Strict preset security policies: first using the Microsoft Defender portal, then using the Exchange Online PowerShell module.
Note: The major difference between the two policies is that the Strict Preset Security Policy has aggressive security controls, which result in aggressive detections. The Strict Preset Security Policy is suitable for easy targets like high-level executives. The downside of this policy, however, is that it may produce a lot of false positives.
Prerequisites
You need one of the following roles to deploy the Standard or Strict preset policy:
Global Administrator, Global Reader or Security Administrator
Accessing Standard and Strict Preset Security Policy
You can access the Microsoft Defender Preset Security Policy in the following two ways:
By visiting the https://security.microsoft.com page and selecting Policies & rules >> Threat Policies >> Preset Security Policies from the Email & collaboration dropdown as shown in Figure 1. [OR]
Note: You can access the Microsoft 365 Security Center [or Microsoft Defender portal] only if you have been assigned the Global Administrator or Security Administrator role.
Both links lead you to the Microsoft Preset Security Policy page shown in Figure 2.
Deploying or Enabling Standard Preset Security Policy Using Microsoft Defender Portal
To deploy or enable the standard preset security policy, follow these instructions.
Select Manage protection settings under the Standard protection policy as shown in Figure 3.
The Apply standard protection policy flyout opens as shown in Figure 4. As you can see on the left-hand side, the procedure has 5 stages:
Exchange Online protection – where you decide the security controls for Exchange Online Protection (EOP). This helps you secure your Office 365 mails.
Defender for Office 365 protection – where you decide the security controls for your Office 365 tenant.
Impersonation protection – where you take security measures against user impersonation by adding the email addresses of those users who stand a high chance of being impersonated.
Policy Mode – where you decide whether the security policy is going to be turned on immediately or not.
Review – where you get to review the policy settings being configured before implementing the same.
Note: By default, the None option is selected under Apply protection to.
Select Specific Recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 5. (For demo purposes, I am going to configure a user-specific standard protection policy. For practical purposes, you’ll be required to do it on a Group or Domain basis). Select the Users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 5. Click the Next button to proceed further.
The Apply Defender for Office 365 protection dialog opens. None is selected as the default option. Select Specific Recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 6. Select the Users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 6. Click the Next button to proceed further.
The Impersonation Protection dialog opens as shown in Figure 7. This feature helps you prevent malicious actors from impersonating your tenant users and legitimate message senders thereby preventing phishing attacks of different kinds. Click Next to proceed further.
The impersonation protection policy can be launched in three steps:
Step 1: Protected custom users: This involves adding users, both insiders and outsiders, who you believe have a chance of being impersonated. Messages from detected impersonations get quarantined for further investigation. Enter the email address of the user and select the user from the list that appears as shown in Figure 8, then click the Add button as shown in Figure 9. Finally, click the Next button to proceed further. Note: You can add multiple users.
Step 2: Protected custom domains: Here you add domains that are yours or that belong to parties you deal with frequently, such as partners and suppliers. Domains added here get protection from impersonation. Messages from impersonated domains get quarantined for further investigation. Enter the domain name, click Add, then click the Next button to proceed further as shown in Figure 10. Note: You can add multiple domains.
Step 3: Trusted senders and domains: Here you can add legitimate email addresses and domains so that they don’t get flagged unnecessarily. Enter the email address or the domain name, click the Add button, and then click the Next button to proceed further as shown in Figure 11. Note: You can add multiple email addresses or domains.
The Policy mode page opens as shown in Figure 12. Selecting the Turn on the policy when finished option turns on the policy immediately. If you select the Leave it turned off option, you can turn on the policy later. Click Next to proceed further.
The Review and confirm your changes page opens as shown in Figure 13. Review your policy settings and if everything seems fine, click the Confirm button to proceed further. You’ll get a Standard protection updated message as shown in Figure 14. Click Done to complete the process.
Checking Standard Preset Security Policy State Using Windows PowerShell
Run the following PowerShell cmdlets to check whether the standard preset security policy is currently in a turned on or off state.
Run Get-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name, State to find out whether the EOP Standard Preset Security Policy is enabled or not, as shown in Figure 16.
Run Get-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" | Format-Table Name, State to find out whether the Microsoft Defender Standard Preset Security Policy is enabled or not, as shown in Figure 16.
You should get an output similar to the one shown in Figure 15.
How Does the Script Work?
The Get-EOPProtectionPolicyRule and Get-ATPProtectionPolicyRule cmdlets query the state of the Exchange Online Protection rule and the Microsoft Defender rule of the preset policy respectively.
The name of the policy being queried is passed to the -Identity parameter.
The result is then piped to the Format-Table cmdlet, which selects and displays the Name and State values.
Note: Microsoft Defender for Office 365 was previously known as Advanced Threat Protection (ATP). That is why the Get-ATPProtectionPolicyRule cmdlet is still the one used to query the state of the Microsoft Defender standard preset policy.
Turning Off the Standard Preset Security Policy Using Windows PowerShell
Run the following PowerShell cmdlets to turn off the standard preset security policy if it is currently in a turned on state.
Note: The Disable-EOPProtectionPolicyRule and Disable-ATPProtectionPolicyRule cmdlets can be executed at the same time by separating them with a ';' as shown in Figure 16.
You have to confirm the operation as shown in Figure 16.
Turning On the Standard Preset Security Policy Using Windows PowerShell
Run the following PowerShell cmdlets to turn on the standard preset security policy if it is currently in a turned off state.
Note: The Enable-EOPProtectionPolicyRule and Enable-ATPProtectionPolicyRule cmdlets can be executed at the same time by separating them with a ';' as shown in Figure 16.
You have to confirm the operation as shown in Figure 17.
Deploying or Enabling Strict Preset Security Policy Using Microsoft Defender Portal
To deploy or enable the strict preset security policy, follow these instructions.
Select Manage protection settings under the Strict protection policy as shown in Figure 3.
The Apply strict protection policy flyout opens as shown in Figure 4. As you can see on the left-hand side, the procedure has 5 stages:
Exchange Online protection – where you decide the security controls for Exchange Online Protection (EOP). This helps you secure your Office 365 mails.
Defender for Office 365 protection – where you decide the security controls for your Office 365 tenant.
Impersonation protection – where you take security measures against user impersonation by adding the email addresses of those users who stand a high chance of being impersonated.
Policy Mode – where you decide whether the security policy is going to be turned on immediately or not.
Review – where you get to review the policy settings being configured before implementing the same.
Note: By default, the None option is selected under Apply protection to.
Select the Specific Recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 5. (For demo purposes, I am going to configure a user-specific strict protection policy. For practical purposes, you’ll be required to do it on a Group or Domain basis). Select the Users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 5. Click the Next button to proceed further.
The Apply Defender for Office 365 protection dialog opens. None is selected as the default option. Select Specific Recipients value from the Apply protection to option. This opens the Users, Groups, and Domains boxes as shown in Figure 6. Select the Users you want the policy to apply to by entering their names and selecting them from the list as shown in Figure 6. Click the Next button to proceed further.
The Impersonation Protection dialog opens as shown in Figure 7. This feature helps you prevent malicious actors from impersonating your tenant users and legitimate message senders thereby preventing phishing attacks of different kinds. Click Next to proceed further.
The impersonation protection policy can be launched in three steps:
Step 1: Protected custom users: This involves adding users, both insiders and outsiders, who you believe have a chance of being impersonated. Messages from detected impersonations get quarantined for further investigation. Enter the email address of the user and select the user from the list that appears as shown in Figure 8, then click the Add button as shown in Figure 9. Finally, click the Next button to proceed further. Note: You can add multiple users.
Step 2: Protected custom domains: Here you add domains that are yours or that belong to parties you deal with frequently, such as partners and suppliers. Domains added here get protection from impersonation. Messages from impersonated domains get quarantined for further investigation. Enter the domain name, click Add, then click the Next button to proceed further as shown in Figure 10. Note: You can add multiple domains.
Step 3: Trusted senders and domains: Here you can add legitimate email addresses and domains so that they don’t get flagged unnecessarily. Enter the email address or the domain name, click the Add button, and then click the Next button to proceed further as shown in Figure 11. Note: You can add multiple email addresses or domains.
The Policy mode page opens as shown in Figure 12. Selecting the Turn on the policy when finished option turns on the policy immediately. If you select the Leave it turned off option, you can turn on the policy later. Click Next to proceed further.
The Review and confirm your changes page opens as shown in Figure 13. Review your policy settings and if everything seems fine, click the Confirm button to proceed further. You’ll get a Strict protection updated message as shown in Figure 14. Click Done to complete the process.
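The PowerShell equivalent of the five-stage wizard walked through in the Standard section and again in this Strict section, as an added example that is not part of the original article: it uses the Exchange Online cmdlets Set-EOPProtectionPolicyRule, Set-ATPProtectionPolicyRule and Set-AntiPhishPolicy, which the article itself does not mention, and every group, user and domain value is a constructed placeholder.

```powershell
# Added example, not from the original article. Requires the ExchangeOnlineManagement
# module and one of the roles listed under Prerequisites. Every group, user and
# domain value below is a constructed placeholder.
param(
    [ValidateSet('Standard', 'Strict')]
    [string]$Preset = 'Standard'
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# The EOP rule, the Defender rule and the anti-phishing policy of a preset share
# one identity: "Standard Preset Security Policy" or "Strict Preset Security Policy".
$identity = "$Preset Preset Security Policy"

# Stages 1 and 2 (Apply protection to): scope the preset to a group rather than
# to individual users, as the article recommends for anything beyond a demo.
$scope = @{ Identity = $identity; SentToMemberOf = 'executives@contoso.example' }
Set-EOPProtectionPolicyRule @scope
Set-ATPProtectionPolicyRule @scope

# Stage 3 (Impersonation protection): protected users are given as
# "DisplayName;SMTPAddress"; trusted senders and domains are the exclusions.
$impersonation = @{
    Identity                        = $identity
    EnableTargetedUserProtection    = $true
    TargetedUsersToProtect          = @('Jane Doe;jane.doe@contoso.example')
    EnableTargetedDomainsProtection = $true
    TargetedDomainsToProtect        = @('partner.example')
    ExcludedSenders                 = @('newsletter@partner.example')
    ExcludedDomains                 = @('trusted-supplier.example')
}
Set-AntiPhishPolicy @impersonation

# Stage 4 (Policy mode): turn the preset on now; omit these two lines to leave it
# off and enable it later with the same cmdlets.
Enable-EOPProtectionPolicyRule -Identity $identity
Enable-ATPProtectionPolicyRule -Identity $identity

# Stage 5 (Review): read back what was configured.
Get-EOPProtectionPolicyRule -Identity $identity | Format-List Name, State, SentToMemberOf
Get-ATPProtectionPolicyRule -Identity $identity | Format-List Name, State, SentToMemberOf
Get-AntiPhishPolicy -Identity $identity |
    Format-List TargetedUsersToProtect, TargetedDomainsToProtect, ExcludedSenders, ExcludedDomains
```

Run it once with -Preset Standard and once with -Preset Strict, adjusting the group and impersonation entries to the audience each preset is meant for.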
Checking Strict Preset Security Policy State Using Windows PowerShell
Run the following PowerShell cmdlets to check whether the strict preset security policy is currently in a turned on or off state.
Run Get-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name, State to find out whether the EOP Strict Preset Security Policy is enabled or not, as shown in Figure 16.
Run Get-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" | Format-Table Name, State to find out whether the Microsoft Defender Strict Preset Security Policy is enabled or not, as shown in Figure 16.
You should get an output similar to the one shown in Figure 15.
How Does the Script Work?
The Get-EOPProtectionPolicyRule and Get-ATPProtectionPolicyRule cmdlets query the state of the Exchange Online Protection rule and the Microsoft Defender rule of the preset policy respectively.
The name of the policy being queried is passed to the -Identity parameter.
The result is then piped to the Format-Table cmdlet, which selects and displays the Name and State values.
Note: Microsoft Defender for Office 365 was previously known as Advanced Threat Protection (ATP). That is why the Get-ATPProtectionPolicyRule cmdlet is still the one used to query the state of the Microsoft Defender strict preset policy.
Turning Off the Strict Preset Security Policy Using Windows PowerShell
Run the following PowerShell cmdlets to turn off the strict preset security policy if it is currently in a turned on state.
Note: The Disable-EOPProtectionPolicyRule and Disable-ATPProtectionPolicyRule cmdlets can be executed at the same time by separating them with a ';' as shown in Figure 16.
You have to confirm the operation as shown in Figure 16.
Turning On the Strict Preset Security Policy Using Windows PowerShell
Run the following PowerShell cmdlets to turn on the strict preset security policy if it is currently in a turned off state.
Note: The Enable-EOPProtectionPolicyRule and Enable-ATPProtectionPolicyRule cmdlets can be executed at the same time by separating them with a ';' as shown in Figure 16.
You have to confirm the operation as shown in Figure 17.
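A small wrapper around the state-check and on/off cmdlets from the Standard and Strict PowerShell sections, as an added example rather than the article's own script. It assumes an existing Connect-ExchangeOnline session with one of the roles listed under Prerequisites, and it handles the case where a preset has never been set up, so its rules do not exist yet; the function names Get-PresetPolicyState and Set-PresetPolicyState are my own.

```powershell
# Added example, not from the original article. Assumes an active
# Connect-ExchangeOnline session. The two function names are my own.
function Get-PresetPolicyState {
    # One row per preset, showing the EOP and Defender rule states side by side.
    # A preset that was never configured in the portal has no rules yet, so the
    # Get-* cmdlets return nothing for it; report that instead of failing.
    foreach ($preset in 'Standard', 'Strict') {
        $identity = "$preset Preset Security Policy"
        $eop = Get-EOPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue
        $atp = Get-ATPProtectionPolicyRule -Identity $identity -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Preset        = $preset
            EOPState      = if ($eop) { $eop.State } else { 'Not created' }
            DefenderState = if ($atp) { $atp.State } else { 'Not created' }
        }
    }
}

function Set-PresetPolicyState {
    # Turns a preset on or off. Both rules are toggled together so the EOP layer
    # and the Defender layer never drift apart; ConfirmImpact High makes
    # PowerShell prompt before the change, matching the confirmation in the article.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][ValidateSet('Standard', 'Strict')][string]$Preset,
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State
    )
    $identity = "$Preset Preset Security Policy"
    if (-not $PSCmdlet.ShouldProcess($identity, "Turn $State")) { return }
    if ($State -eq 'On') {
        Enable-EOPProtectionPolicyRule -Identity $identity
        Enable-ATPProtectionPolicyRule -Identity $identity
    } else {
        Disable-EOPProtectionPolicyRule -Identity $identity
        Disable-ATPProtectionPolicyRule -Identity $identity
    }
    # Return the fresh state so the caller can verify the change took effect.
    Get-PresetPolicyState | Where-Object Preset -eq $Preset
}

# Usage: show both presets, then turn Strict on (prompts for confirmation).
Get-PresetPolicyState | Format-Table -AutoSize
Set-PresetPolicyState -Preset Strict -State On
```

Add -WhatIf to the Set-PresetPolicyState call to see which rules would be changed without touching the tenant.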
What's Next?
Now that you know how to enable both Microsoft Defender standard and strict preset security policies, in the next article, let’s look at some of the differences between these two policies and perform a simple phishing mail-related test to confirm the same.
How to use this guide?
It is best to read the articles in the order they are written. And since Microsoft 365 security is a vast topic, remember to watch out for this corner for new articles every week.