Control: 1.1.15 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
Description
Forcing a time out for MFA will help ensure that sessions are not kept alive for an indefinite period of time, ensuring that browser sessions are not persistent will help in prevention of drive-by attacks in web browsers, this also prevents creation and saving of session cookies leaving nothing for an attacker to take.
Administrative roles this should apply to include those such as:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Service Support Administrator
- User Administrator
- Dynamics 365 Service Administrator
- Power BI Administrator
Note: The frequency at which MFA is prompted will be determined by your organization's policy and need.
Ensuring these additional controls are present for Administrative users adds an additional layer of defense against drive-by attacks and even some ransomware attacks.
Remediation
To enable the multifactor timeout and persistent browser settings are set for administrators, use the Microsoft 365 Admin Center:
- Log in to
https://admin.microsoft.comas aGlobal Administrator. - Go to
Admin centersand click onAzure Active Directory. - Select
Enterprise applicationsthen, underSecurity, selectConditional Access. - Click
New policy. - Go to
Assignments>Users and groups>Include>Select users and groups> checkDirectory roles. - At a minimum, select the following roles:
Billing admin,Conditional Access admin,Exchange admin,Global admin,Helpdesk admin,Security admin,SharePoint admin, andUser admin.
- Targeting any role with the word
adminwill ensure that any users with additional privileges will be targeted.
- Go to
Cloud apps or actions>Cloud apps>Include> selectAll cloud apps (and don't exclude any apps). - Under
Access controls>Grant> selectGrant access> checkRequire multi- factor authentication(and nothing else). - Under
SessioncheckSign-in frequencyand enter the value determined by your organization. - Check
Persistent browser sessionthen selectNever persistentin the drop-down menu. - Create.
NOTE: After creation ensure that the policy is set to enabled.
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_1_1_15Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v150_1_1_15 --shareSQL
This control uses a named query:
with users_having_admin_roles as ( select array_agg(role_template_id) as rid from azuread_directory_role where display_name like '%Administrator'),signin_frequency_enabled as ( select tenant_id, count(p.*) from azuread_conditional_access_policy as p, users_having_admin_roles as a where (p.users -> 'includeRoles')::jsonb ?| (a.rid) and (p.sign_in_frequency -> 'isEnabled')::bool and (p.persistent_browser -> 'isEnabled')::bool and p.persistent_browser ->> 'mode'='never' and p.applications -> 'includeApplications' ?& array['All'] and jsonb_array_length(p.applications -> 'excludeApplications') = 0 and jsonb_array_length(p.built_in_controls) = 1 and p.built_in_controls ?& array['mfa'] and state = 'enabled' group by tenant_id),tenant_list as ( select distinct on (tenant_id) tenant_id, _ctx from azuread_user)select tenant_id as resource, case when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then 'ok' else 'alarm' end as status, case when (select count from signin_frequency_enabled where tenant_id = t.tenant_id) > 0 then tenant_id || ' has sign-in frequency policy enabled.' else tenant_id || ' has sign-in frequency policy disabled.' end as reason , t.tenant_id as tenant_idfrom tenant_list as t;