Prerequisites - Microsoft



Compliance: Advanced Threat Protection
Demo Guide

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2016 Microsoft. All rights reserved.

Contents

Prerequisites
Demo home page and login
User Accounts
First-time Post-Install Steps
Pre-demo Setup Steps
Advanced Threat Protection
Advanced Threat Protection Demo Steps
Introduction
Email Content Filtering
Advanced Threats
The Information Worker Experience
URL Trace
Conclusion
Reset Instructions
Advanced Threat Protection
Post-Install Steps
Advanced Threat Protection

Prerequisites

Demo home page and login

You will need a Microsoft Office Demo (MOD) Office 365 tenant to complete this demo. You can obtain a demo environment at .

User Accounts

Megan Bowen (alias MeganB) is the typical account used in MOD Hero demo modules. If this MOD Hero module requires a different account for logon or if additional logon accounts are needed, the information is provided in the Pre-demo Setup Steps.

Office 365 tenant:
User name: MeganB@<Tenant>.
Password: Your password can be located within the details section of your tenant on demos.

First-time Post-Install Steps

If this is the first time you are using the demo environment, complete the Post-Install Steps at the end of this document.

Pre-demo Setup Steps

Advanced Threat Protection

The hero for this demo is Lidia Holloway.

User name: LidiaH@<Tenant>.
Password: Your password can be located within the details section of your tenant on demos.

The following steps are required prior to each presentation of the demo:

1. Start a browser session and log into Outlook in Office 365 as Lidia Holloway (alias LidiaH) using the credentials above.
   URL:
2. a new browser session and log into the Office 365 tenant as the tenant administrator (alias admin) using the same password above.
3. Click App Launcher, and then click Admin.
4. If prompted to update your admin contact info, click cancel.
5. In the left navigation, click Admin centers area, and then select Security & Compliance.
6. In the left navigation, click Threat management, and then select Mail filtering.

Advanced Threat Protection Demo Steps

Introduction

Speaker Script

Microsoft has made great investments for Office 365 in the area of compliance.

Email Content Filtering

Speaker Script

Exchange Online Protection has been in place for a while in Office 365. In the Security & Compliance Center, administrators can create filtering policies for different types of content.

Spam filtering

The default spam filter settings in Exchange Online Protection will meet the needs of many organizations. But for a more tailored approach, administrators can customize their filter settings. For example, they can use risk levels to enhance their organizations’ bulk email protection capabilities.
The higher the threshold is set, the more bulk email can get through to users.

Connection filtering

IP addresses can also be blocked. Of course, administrators cannot possibly identify every potentially harmful IP address, so Microsoft provides them with a safe list, a growing list of IP addresses that are known to be benign.

Malware filtering

Administrators can also implement policies that detect malware in individual email messages, whether intentional or not. As a response to detection, the email messages can be deleted, or they can be delivered without attachments. Malware notifications can be sent to internal and external senders, as well as administrators.

Click Steps

1. Start as Admin in the Security & Compliance Center, with the Threat Management > Mail filtering page displayed.
2. On the Standard tab, point to the default settings for the spam filter (Spam action, Bulk threshold…).
3. Click the Custom tab, then beside Custom settings, click the slider to turn the settings On.
4. Beside the Default spam filter policy, click the down arrow, and then click Edit Policy.
5. On the right, expand the Spam and bulk options section, scroll down to Select the threshold, and show the options in the dropdown.
6. Click Cancel to close the spam filter options.
7. Collapse the Default spam filter policy section, then expand the Connection filter policy section, and then click Edit policy.
8. Point to the IP Allow List and IP Block List areas, and then point to the Turn on safe list check box.
9. Click Cancel to close the policy pane.
10. In the left navigation, click Anti-malware.
11. Double-click the Default policy, and then click settings.
12. In the Malware Detection Response area, point to the different options.
13. Scroll down and in the Notifications area, show the Sender Notifications and Administrator Notifications options.
14. Click Cancel.

Advanced Threats

Speaker Script

Advanced Threat Protection (ATP) expands on existing content filtering capabilities, further hardening the company’s email environment.

Safe attachments

Malware filtering policies work great for threats that are known by anti-virus programs and that have corresponding signature files. ATP goes even further by using Safe Attachments to detect threats that are unknown by anti-virus programs. With Safe Attachments, messages containing attachments are routed through a detonation chamber, where they are analyzed for potentially malicious behavior.

If, for example, an email attachment is trying to access a user’s registry, a Safe Attachment policy can block that attachment, replace it, or simply monitor the scan results. Additionally, administrators can redirect blocked, replaced, or monitored attachments to a specific email address.

Click Steps

1. In the left navigation, click Safe attachments.
2. Double-click Safe Attachment Policy – Block, and then click settings.
3. In the Safe attachments unknown malware response area, point to the different options (Block, Replace, Monitor).
4. In the Redirect attachment on detection area, point to Enable redirect and email address.
5. Click Cancel.

Safe links

ATP also uses Safe Links to scan email messages and detect potentially malicious URLs, like those from phishing scams. Safe Link policies check URLs against a list of known malicious links. A link can then be rewritten so that, when clicked, users are redirected to a protective shell and notified that the original URL has been classified as malicious.

Administrators can track user clicks to these links and allow users to click through to the original URLs.
Administrators can also identify a list of URLs that should not be rewritten, should they happen to inadvertently end up on the list of known malicious links.

Click Steps

1. In the left navigation, click Safe links.
2. Double-click Safe Link Policy, and then click settings.
3. Point to the first section that enables or disables rewriting URLs.
4. Point to the options for tracking user clicks and allowing users to click through to the original URL.
5. Point to the area where administrators can specify a list of URLs that are not to be rewritten.
6. Click Cancel.

The Information Worker Experience

Speaker Script

Safe attachments

The information worker experience for ATP is all about protection. Alex sent Lidia a Statement of Work message with an attachment. The organization’s Safe Attachment policy detected unverified signatures in the attachment and thus blocked it.

Lidia still has access to the original message body, but the malware threat was removed. Meanwhile, the attachment was redirected to the administrator for further analysis.

Click Steps

1. Maximize the browser session logged in as LidiaH in Office 365 Outlook.
2. Click the message from Alex Wilber with the subject Litware Statement of Work.
3. Point to the attachment, which displays Malware Alert Text.txt indicating a threat was detected.
4. Click the attachment to display the message indicating that it was blocked.
5. On the right, point to the message body Here is the SOW file.
6. At the top, click the X to close the message.

Safe links

Lidia can also feel secure knowing that the Safe Links policies are in place. In this message about cheap flights, she clicks a known phishing link. The organization’s Safe Link policy found that link to be malicious and rewrote it. Lidia is now redirected to a protective shell, which alerts her about the classification of that URL. The policy is selective enough to remove only malicious links. Even within a single email with both safe and malicious links, only the malicious links will be removed.

Within that same message about cheap flights, Lidia clicks the link in the signature line and navigates to as expected.

NOTE: The Cheap Flights message from Alex Wilber’s Yahoo account may be in the Spam or Junk Email folder.

Click Steps

1. In Outlook, click the Cheap Flights message from Alex.
2. In the message body, click the site link.
3. Point to the protective shell tab that opens, indicating that the website has been classified as malicious.
4. Within that protective shell, click Close this page and, if prompted, click Yes to confirm closing the tab.
5. In the same Cheap Flights email from Alex, in the message body, click the Bing link.
6. Point to the Bing tab that opens.

URL Trace

Note to presenter: The URL trace query may show no results. It is recommended you test the query before a live demo; if no results are displayed, show how to provision the search variables, but do not click search.

Speaker Script

URL Trace

Back in the Exchange admin center, administrators can review a report that tracks individual user clicks of malicious URLs in email messages. The report contains URL traces from the previous seven days. These traces can be filtered by date and time, by recipients, or by a list of exact URLs.
The administrator filters Lidia as the recipient to see her recent trace activities, which include the URLs that were rewritten.

Click Steps

1. Maximize the browser session logged in as the administrator in the Security & Compliance Center.
2. Click App Launcher, and then select Admin.
3. In the Admin center left navigation, click Admin centers, and then select Exchange.
4. In the Exchange admin center left navigation, click mail flow, and then in the top navigation, click url trace.
5. Point to the date, time, recipient, and URL filters.
6. In the Recipient area, click add recipient.
7. Double-click Lidia Holloway, and then click OK.
8. In the lower right, click search.
9. In the Url Trace Results page, point to the list of activities, if available.

Conclusion

Speaker Script

As shown in this demo, Microsoft has made great investments in the Exchange admin center to expand threat protection in Office 365.

Reset Instructions

Advanced Threat Protection

This demo has no reset steps.

Post-Install Steps

Advanced Threat Protection

Complete the following post-install steps once for your demo environment:

Create default policy for Safe Attachments:

1. Log into the Office 365 tenant as the administrator (alias admin).
2. Click App Launcher, and then click Admin.
3. If prompted to update your admin contact info, click cancel.
4. In the left navigation, click Admin Centers, then click Exchange.
5. In the Exchange admin center, in the left navigation, click advanced threats.
6. At the top, ensure the safe attachments link is highlighted.
7. Click the + icon to create a new policy.
8. In the Name field, type Safe Attachment Policy – Block.
9. Under Safe attachments unknown malware response, select Replace – Block the attachments with detected malware, continue to deliver the message.
10. Under Redirect attachment on detection, check the box next to Enable redirect.
11. In the redirect email address field, type the tenant admin account (admin@<Tenant>.).
12. Ensure that the box next to Apply the above selection if malware scanning is checked.
13. Under Applied to (you may need to scroll down), in the If drop-down, select The recipient domain is.
14. In the window that appears, ensure the tenant domain is selected and then click add ->.
15. Click OK.
16. Click Save.

Create default policy for Safe Links:

1. While still in the advanced threats section of Exchange admin center, at the top, click safe links.
2. Click the + icon to create a new policy.
3. In the Name field, type Safe Link Policy.
4. Under Select the action…, select On – URLs will be rewritten and checked against a list of known malicious links when user clicks on the link.
5. Check the box next to Do not allow users to click through to the original URL.
6. Under Applied to, in the If drop-down, select The recipient domain is.
7. In the window that appears, ensure the tenant domain is selected and then click add ->.
8. Click OK.
9. Click Save.

Create email message from AlexW to LidiaH with a malicious attachment:

NOTE: You must create the policies above before sending any emails or Exchange will not flag the malicious attachments and links.

To create the attachment:

1. Download SonarBadMaker.exe from : You must have a Microsoft Internal Account to download the SonarBadMaker.exe.
2. Open a command prompt.
3. Change the directory to where you stored the file by entering cd and the path to the executable.
   Example: If you downloaded the SonarBadMaker.exe to your desktop: cd C:\Users\<USERNAME>\desktop
4. At the next prompt, type SonarBadMaker.exe Litware_SOW.doc.
   NOTE: Entering the file name (in the example, “Litware_SOW.doc”) is crucial here. You will need to create a new file (with a new name) each time you run the demo so that Safe Attachments will continue to see it as a new threat.
5. Log in to the Office 365 tenant as Alex Wilber (alias AlexW).
6. Click App Launcher, and then click Mail.
7. Click New.
8. In the To: field, type Lidia and when the name resolves, select Lidia Holloway.
9. Click Add a subject and type Litware Statement of Work.
10. Click Add a message and type Here is the SOW file.
11. At the top, click Attach.
12. In the left navigation, click Computer.
13. Navigate to and select the file Litware_SOW.doc.
14. Click Open.
15. Click Attach as a copy.
16. Click Send.

Create an email message from Alex Wilber’s Yahoo account to LidiaH with both a malicious link and a benign link:

1. In a browser session, navigate to and if necessary, sign up for a new account for Alex Wilber. If you’ve already signed up for an account, sign in to Yahoo with the correct account.
2. In Yahoo, navigate to Mail.
3. In Mail, click Compose.
4. In the To: field, type LidiaH@<Tenant>..
5. In the Subject field, type Cheap Flights.
6. In the body, copy and paste the following text (the links should paste as well):

   Hello Lidia,
   Someone forwarded me this site. It looks like we can book all our flights for the next few months here.
   Cheers,
   Alex
   I?Bing?do you...

7. Click Send.
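
A simplified model of the Safe Links behaviour this guide demonstrates, added here as an illustration (it is not Microsoft's implementation and not part of the original guide): URLs are rewritten at delivery, checked against the known-malicious list at click time, and rewritten clicks are logged for the URL trace. The wrapper host safelinks.example, the class and function names, and the sample message are constructed assumptions.

```python
import re
from urllib.parse import quote, unquote, urlparse

WRAPPER = "https://safelinks.example/?url="  # hypothetical rewrite endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host(url):
    return (urlparse(url).hostname or "").lower()


class SafeLinksPolicy:
    def __init__(self, known_malicious, do_not_rewrite=(), allow_click_through=False):
        self.known_malicious = set(known_malicious)
        self.do_not_rewrite = set(do_not_rewrite)
        self.allow_click_through = allow_click_through
        self.click_log = []  # (recipient, original_url, verdict)

    def rewrite_body(self, body):
        """Delivery time: wrap every URL unless its host is exempt."""
        def wrap(match):
            url = match.group(0)
            if host(url) in self.do_not_rewrite:
                return url
            return WRAPPER + quote(url, safe="")
        return URL_RE.sub(wrap, body)

    def click(self, recipient, link):
        """Time of click: only rewritten links are checked and logged."""
        if not link.startswith(WRAPPER):
            return "open", link
        original = unquote(link[len(WRAPPER):])
        if host(original) not in self.known_malicious:
            verdict = "open"
        elif self.allow_click_through:
            verdict = "warn"   # user is notified but may continue
        else:
            verdict = "block"  # protective page only
        self.click_log.append((recipient, original, verdict))
        return verdict, original

    def url_trace(self, recipient):
        """Clicks on rewritten links, filtered by recipient."""
        return [entry for entry in self.click_log if entry[0] == recipient]


# Constructed sample message: one listed link, one benign link, one exempt link.
SAMPLE_BODY = (
    "Flights: http://cheap-flights.example/deals\n"
    "Search: https://www.bing.com/\n"
    "Wiki: https://intranet.example/wiki\n"
)
```

In this model a host on the do-not-rewrite list is never checked or logged at click time, so entries on that list should be kept few and reviewed regularly.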