Confidential — Internal Use Only
Full lockdown guide scoped for CMMC Level 1 self-certification
Enable MFA for ALL users — no exceptions
Entra ID → Security → MFA → Enable per-user or via Conditional Access. Security Defaults is minimum; Conditional Access is better.
Require MFA for all admin accounts
Create a Conditional Access policy: All admins → Require MFA → Always (no exclusions, no trusted IPs).
Use Microsoft Authenticator app, not SMS
SMS is SIM-swap vulnerable. Push notification + number matching is the minimum. Passkeys/FIDO2 keys are ideal for admins.
Block legacy authentication protocols
Conditional Access → Conditions → Client Apps → Legacy Auth → Block. Kills IMAP/POP/SMTP basic auth, which bypasses MFA entirely because those protocols cannot complete an MFA challenge.
Enable combined security info registration
Entra ID → User Settings → Manage user feature settings → Enable combined registration.
Require MFA for all users accessing cloud apps
CA Policy: All users → All cloud apps → Grant: Require MFA. This is your baseline.
Block access from high-risk countries
CA Policy: Named Locations → block countries your business has no activity in. At minimum block known adversary nations (CN, RU, KP, IR).
Require compliant device for access to FCI data
CA Policy: Grant → Require device to be marked compliant (needs Intune). This enforces endpoint controls before data access.
Block or restrict access from unmanaged devices
CA Policy → Session: Use app enforced restrictions or block download on unmanaged devices for SharePoint/OneDrive.
Sign-in risk policy — block high-risk sign-ins
Requires Entra ID P2. CA Policy: Sign-in risk = High → Block. Medium → Require MFA.
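The two Conditional Access policies that anchor this section (block legacy authentication, require MFA for all users on all cloud apps) can be created with Microsoft Graph PowerShell instead of clicking through the portal. This is an added example, not code from the original guide or from Microsoft; it assumes the Microsoft.Graph module is installed and that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission. Both policies are created in report-only mode so the sign-in log can be reviewed before enforcement; the policy names are arbitrary.

```powershell
# Added example (not part of the original guide): create the two baseline
# Conditional Access policies from this section with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; admin has
# Policy.ReadWrite.ConditionalAccess; policy display names are arbitrary.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: block legacy authentication tenant-wide. "exchangeActiveSync" and
# "other" are the client app types that cover basic-auth IMAP/POP/SMTP clients.
# Created report-only first; flip state to "enabled" once the sign-in log shows
# no legitimate legacy clients.
$blockLegacy = @{
    displayName   = "CMMC L1 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for all users on all cloud apps (the baseline above).
# Admin accounts are covered by "All"; there is no trusted-IP exclusion.
# If you operate a break-glass account, its object ID can be added to
# excludeUsers so a CA misconfiguration cannot lock every admin out.
$requireMfa = @{
    displayName   = "CMMC L1 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    # Idempotent: skip policies that already exist with the same display name.
    $existing = Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -eq $policy.displayName }
    if ($existing) {
        Write-Host "Already present: $($policy.displayName) (state: $($existing.State))"
    } else {
        $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
        Write-Host "Created: $($created.DisplayName) id=$($created.Id) state=$($created.State)"
    }
}

# Evidence for the self-assessment: every CA policy with its current state.
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, CreatedDateTime |
    Format-Table -AutoSize
```

After a week in report-only mode, review Entra ID → Sign-in logs → Report-only tab for each policy; when no legitimate sign-ins would have been blocked, change state to "enabled" with Update-MgIdentityConditionalAccessPolicy and screenshot the policy list for the evidence repo.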
No shared accounts — every user has their own login
Shared accounts kill auditability. If they exist, eliminate them before the self-assessment.
Enforce strong password policy
Min 12 characters. Enable Entra ID Password Protection to block common passwords + custom banned list. Block password reuse.
Enable Self-Service Password Reset (SSPR)
Reduces helpdesk load AND enforces identity verification on resets. Require 2 authentication methods for SSPR.
Disable accounts immediately upon termination
Document an offboarding checklist: disable Entra account → revoke sessions → remove licenses → forward email → backup data. Same-day execution required.
Review inactive accounts monthly
Entra ID → Sign-in logs → filter by last sign-in date. Disable any account inactive 90+ days.
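The same-day offboarding checklist above and the monthly 90-day inactivity review are both scripted below with Microsoft Graph PowerShell. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module is installed, the admin holds User.ReadWrite.All, Directory.ReadWrite.All and AuditLog.Read.All, the tenant has the Entra ID P1 licensing that exposes sign-in activity, and the user principal name at the end is a placeholder.

```powershell
# Added example (not part of the original guide): offboarding and inactive-account
# review with Microsoft Graph PowerShell. Assumptions: Microsoft.Graph installed;
# admin has User.ReadWrite.All, Directory.ReadWrite.All, AuditLog.Read.All;
# signInActivity requires Entra ID P1 or P2; UPN below is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "AuditLog.Read.All"

function Disable-OffboardedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses

    # 1. Disable the account so no new sign-in succeeds.
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # 2. Revoke refresh tokens so sessions already open on phones/laptops die too.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3. Remove licenses. Put a litigation/retention hold on the mailbox first if
    #    the user handled FCI (see the Exchange section of this guide).
    $skuIds = @($user.AssignedLicenses | ForEach-Object { $_.SkuId.ToString() })
    if ($skuIds.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skuIds -AddLicenses @() | Out-Null
    }

    # 4. Return a record for the offboarding checklist in the evidence repo.
    #    Mail forwarding and data backup are Exchange/OneDrive steps done separately.
    [pscustomobject]@{
        User            = $user.UserPrincipalName
        DisabledAt      = (Get-Date).ToString("o")
        SessionsRevoked = $true
        LicensesRemoved = $skuIds.Count
    }
}

function Get-InactiveUsers {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-MgUser -All -Property DisplayName, UserPrincipalName, SignInActivity,
                              CreatedDateTime, AccountEnabled, UserType |
        Where-Object { $_.AccountEnabled -and $_.UserType -eq "Member" } |
        Where-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            # An account that has never signed in is measured from its creation date.
            if (-not $last) { $last = $_.CreatedDateTime }
            $last -lt $cutoff
        } |
        Select-Object DisplayName, UserPrincipalName,
            @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } }
}

# Monthly review: export the list as evidence, then disable. -WhatIf shows what
# would change; remove it once the list has been confirmed with the account owners.
$inactive = Get-InactiveUsers -Days 90
$inactive | Export-Csv -Path ".\inactive-accounts-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
$inactive | ForEach-Object { Update-MgUser -UserId $_.UserPrincipalName -AccountEnabled:$false -WhatIf }

# Termination example with a placeholder UPN.
Disable-OffboardedUser -UserPrincipalName "departing.user@example.com"
```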
Limit Global Admin accounts to 2–3 max
Entra ID → Roles → Global Administrator. Break-glass accounts only. Day-to-day admins use scoped roles (Exchange Admin, SharePoint Admin, etc.).
Admins use separate admin accounts
Never use a Global Admin account for daily email/browsing. Separate user@company.com (daily) from admin.user@company.com (admin tasks only).
Enable Privileged Identity Management (PIM)
Requires Entra ID P2. Admins request elevation just-in-time. Global Admin is never always-on. Massive reduction in blast radius.
MSP access via delegated admin — not shared passwords
Use Granular Delegated Admin Privileges (GDAP) in Partner Center. Scope access to only needed roles. No "guest admin" accounts with your MSP credentials.
Enable Defender for Office 365 — Safe Attachments + Safe Links
Security & Compliance Center → Threat policies → Safe Attachments (Block on malware) + Safe Links (Rewrite all URLs, block known bad). Requires M365 Business Premium or Defender add-on.
Configure anti-phishing policy with impersonation protection
Threat policies → Anti-phishing → Enable mailbox intelligence, impersonation protection for key users (CEO, finance, project leads) and your domain.
Set up SPF, DKIM, and DMARC on the domain
SPF: v=spf1 include:spf.protection.outlook.com -all. Enable DKIM in Exchange admin. DMARC: start with p=none monitoring, move to p=reject within 30 days.
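A defender wants to verify the three DNS records rather than trust that they were published correctly, and to confirm DKIM signing is actually switched on in the tenant. The script below does both; it is an added example, not code from the original guide. It assumes a Windows host (Resolve-DnsName comes from the built-in DnsClient module), the ExchangeOnlineManagement module, and "example.com" as a placeholder for your tenant's domain.

```powershell
# Added example (not part of the original guide): check SPF, DMARC and DKIM in
# DNS, then enable DKIM signing in Exchange Online. Assumptions: Windows with
# Resolve-DnsName; ExchangeOnlineManagement installed; domain is a placeholder.
$domain = "example.com"

function Get-TxtRecord($name) {
    # Returns every TXT string at $name (multi-part strings joined), or $null.
    try {
        Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Strings } |
            ForEach-Object { $_.Strings -join "" }
    } catch { $null }
}

# --- SPF: exactly one v=spf1 record, includes Microsoft, ends in hard fail ---
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like "v=spf1*" })
if ($spf.Count -eq 0)        { Write-Warning "$domain has no SPF record" }
elseif ($spf.Count -gt 1)    { Write-Warning "$domain has multiple SPF records (invalid)" }
elseif ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") { Write-Warning "SPF does not include Microsoft" }
elseif ($spf[0] -notmatch "-all$") { Write-Warning "SPF does not end with -all: $($spf[0])" }
else                         { Write-Host "SPF OK: $($spf[0])" }

# --- DMARC: the guide's target is p=reject within 30 days of starting at p=none ---
$dmarc = @(Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" })
if ($dmarc.Count -eq 0) { Write-Warning "$domain has no DMARC record" }
else {
    $policy = if ($dmarc[0] -match "p=(\w+)") { $Matches[1] } else { "missing" }
    $rua    = if ($dmarc[0] -match "rua=mailto:([^;\s]+)") { $Matches[1] } else { "none" }
    Write-Host "DMARC policy=$policy aggregate-reports=$rua"
    if ($policy -ne "reject") { Write-Warning "DMARC still at p=$policy; plan the move to p=reject" }
    if ($rua -eq "none")      { Write-Warning "No rua= address: you will get no aggregate reports" }
}

# --- DKIM: Microsoft signs with selector1/selector2; both CNAMEs must exist ---
foreach ($sel in "selector1", "selector2") {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { Write-Host "DKIM $sel -> $($cname.NameHost)" }
    else        { Write-Warning "DKIM CNAME for $sel is missing in DNS" }
}

# Enable DKIM signing in the tenant once both CNAMEs resolve.
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim)             { New-DkimSigningConfig -DomainName $domain -Enabled $true }
elseif (-not $dkim.Enabled) { Set-DkimSigningConfig -Identity $domain -Enabled $true }
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME
```

Get-DkimSigningConfig prints the two CNAME targets Microsoft expects; if the DNS check above reported a missing selector, those are the values to publish before enabling.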
Enable anti-spam and bulk mail filtering
Threat policies → Anti-spam. Set bulk complaint level (BCL) threshold to 6 or lower. Mark high-confidence spam as quarantine, not junk.
Block auto-forwarding to external addresses
Exchange Admin → Remote domains → Default → Uncheck "Allow automatic forwarding." Also create a mail flow rule to block forwarding. This stops exfiltration via compromised inboxes.
Add external email warning banner
Mail flow rule: prepend "⚠️ EXTERNAL EMAIL" to subject or body when sender is outside the org. Simple phishing awareness tool.
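The auto-forwarding block and the external banner from the two items above are both Exchange Online changes, so they are shown together here in Exchange Online PowerShell, followed by an audit of inbox rules that already forward mail (the signal a compromised inbox usually leaves). This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module is installed, the admin holds the Exchange Administrator role, and the rule names are arbitrary.

```powershell
# Added example (not part of the original guide): block external auto-forwarding,
# add the external-sender banner, and audit existing forwarding rules with
# Exchange Online PowerShell. Assumptions: ExchangeOnlineManagement installed;
# Exchange Administrator role; rule names are arbitrary.
Connect-ExchangeOnline

# 1. Remote domain: switch off automatic forwarding to all external domains.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Mail flow rule as a second layer: reject auto-forwarded mail leaving the org
#    (covers inbox rules, mailbox forwarding settings and client-side forwarding).
if (-not (Get-TransportRule -Identity "CMMC - Block external auto-forward" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "CMMC - Block external auto-forward" `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "Automatic forwarding to external recipients is blocked by policy." `
        -Priority 0
}

# 3. Banner on inbound mail from outside the org: subject tag plus body notice.
if (-not (Get-TransportRule -Identity "CMMC - External email banner" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "CMMC - External email banner" `
        -FromScope NotInOrganization -SentToScope InOrganization `
        -PrependSubject "[EXTERNAL] " `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText "<p><b>EXTERNAL EMAIL:</b> do not click links or open attachments unless you recognize the sender.</p>" `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}

# 4. Audit: inbox rules that forward or redirect mail. Review each target; an
#    external address the user did not create is an incident, not a cleanup.
$forwarders = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
$forwarders | Export-Csv -Path ".\forwarding-inbox-rules.csv" -NoTypeInformation
$forwarders | Format-Table -AutoSize

# 5. Mailbox-level forwarding is set with Set-Mailbox, not an inbox rule, so it
#    needs its own check.
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null' |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Keep the two CSVs in the evidence repo and rerun step 4 and 5 after any suspected account compromise; the transport rule in step 2 stops the mail, but the rule that created it is still evidence of what happened.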
Enable Purview Information Protection (sensitivity labels)
Create labels: Internal, FCI — Confidential, FCI — Restricted. Train users to apply labels to emails/attachments containing FCI. Labels can enforce encryption.
Create DLP policy to detect and block FCI data leaving
Purview → Data Loss Prevention → Policy for contract numbers, CAGE codes, or sensitive keywords. Alert or block sending externally.
Enable litigation hold or retention policies on mailboxes with FCI
Exchange Admin → Mailboxes → Litigation hold. Or Purview → Retention policies. Keeps email evidence available for audit.
Disable "Anyone with a link" sharing tenant-wide
SharePoint Admin Center → Policies → Sharing → Set to "Only people in your organization" or "Specific people." No anonymous links — ever.
Create a dedicated FCI SharePoint site — restricted membership
Separate site from general company SharePoint. Only users who need FCI access are members. Evidence repo lives here. Private site, no public access.
Block external sharing on the FCI site specifically
Site Settings → Sharing → change to "Only people in your org." Even if tenant allows some external sharing, the FCI site must be locked.
Enable versioning on all document libraries
Library Settings → Versioning → Enable major versions, keep at least 50. Provides ransomware recovery and change history for evidence.
Restrict OneDrive sync to managed devices only
SharePoint Admin → Settings → Sync → Allow sync only on PCs joined to specific domain or Intune-compliant. Stops syncing FCI to personal laptops.
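The SharePoint items above (tenant sharing, the dedicated FCI site, unmanaged-device restriction and OneDrive sync restriction) map to a handful of SharePoint Online Management Shell cmdlets, shown here as an added example that is not code from the original guide. It assumes the Microsoft.Online.SharePoint.PowerShell module, the SharePoint Administrator role, and placeholder values for the admin URL, the FCI site URL and the domain GUID; versioning is configured per library in the portal as the guide describes and is not repeated here.

```powershell
# Added example (not part of the original guide): SharePoint Online settings for
# the sharing, FCI-site, unmanaged-device and sync items above.
# Assumptions: Microsoft.Online.SharePoint.PowerShell installed; SharePoint
# Administrator role; URLs and the domain GUID are placeholders.
Connect-SPOService -Url "https://example-admin.sharepoint.com"

# Tenant-wide: no "Anyone" links. ExistingExternalUserSharingOnly allows sharing
# only with guests already in the directory; use Disabled for "only people in
# your organization". Default link type Direct = "Specific people".
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Direct

# Unmanaged devices get browser-only, no-download access. This takes effect
# together with the matching Conditional Access session control.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# FCI site: internal only, regardless of the tenant default.
$fciSite = "https://example.sharepoint.com/sites/FCI"
Set-SPOSite -Identity $fciSite -SharingCapability Disabled

# OneDrive sync client only on PCs joined to the listed AD domain(s). The GUID is
# the domain's objectGUID (Get-ADDomain on a domain controller); Intune-compliant
# devices are instead enforced through the Conditional Access policy above.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids "<AD-DOMAIN-GUID>"

# Evidence: the effective settings for the self-assessment.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, ConditionalAccessPolicy
Get-SPOSite -Identity $fciSite | Select-Object Url, SharingCapability
Get-SPOTenantSyncClientRestriction
```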
Enable SharePoint audit logging
Purview → Audit → Confirm SharePoint file access, edit, delete, share events are captured. Retention min 90 days, ideally 1 year.
Disable or restrict external/guest access in Teams
Teams Admin Center → Org-wide settings → External access and Guest access. If guests are needed, restrict to specific domains only. FCI must never pass through channels with guest access.
Disable third-party app installs in Teams
Teams Admin → Teams apps → Permission policies → Block all third-party and custom apps unless specifically approved. Unknown apps = unknown data flows.
Apply sensitivity labels to Teams containing FCI
Teams tied to M365 Groups can inherit sensitivity labels. Label FCI-related Teams as Confidential to enforce guest blocking and external sharing restrictions automatically.
Enroll ALL devices accessing FCI into Intune
Windows: Autopilot or manual Entra Join + Intune enrollment. Mac: ADE enrollment via Apple Business Manager. No unmanaged device should touch FCI.
Create compliance policies — enforce them via CA
Intune → Compliance → Windows policy: require BitLocker, require AV, min OS version, no jailbreak. Mark non-compliant devices as blocked via Conditional Access.
Deploy Windows Update for Business — enforce patching
Intune → Update rings: security updates within 7 days, feature updates within 30. No device older than 30 days behind on patches. This maps directly to SI.1.210.
Enable BitLocker encryption on all Windows devices
Intune → Endpoint security → Disk encryption → BitLocker policy. Require encryption on OS and fixed drives. Store recovery keys in Entra ID. This protects FCI at rest on endpoints.
Configure device lock / screen timeout policy
Intune → Configuration profile: screen lock after 5–15 min idle, require PIN/password to unlock. Applies to PE.1.131 (limit physical access to systems).
Enable remote wipe capability
Intune enrolled devices can be wiped remotely. Document the process. Applies when a device is lost, stolen, or employee is terminated.
Deploy Microsoft Defender Antivirus via Intune
Intune → Endpoint security → Antivirus → Windows Defender policy. Enable real-time protection, cloud-delivered protection, and auto sample submission. Maps to SI.1.211 and SI.1.212.
Verify AV definitions update automatically — daily minimum
Policy: signature update interval every 4–8 hours. Verify via Intune compliance report. Capture a screenshot of definition version report for evidence (SI.1.212).
Enable scheduled scans + real-time scan on file download
Defender policy: weekly full scan Sunday night, real-time protection always on, scan USB/removable drives, scan email attachments. Covers SI.1.213.
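On a managed device the Intune antivirus policy is the source of truth, but the same Defender settings can be applied and, more usefully, verified locally; the evidence function below pulls the definition version, signature age and scan settings an assessor asks for under SI.1.211 through SI.1.213. This is an added example, not code from the original guide; it assumes an elevated PowerShell session on a Windows 10/11 endpoint with Microsoft Defender Antivirus.

```powershell
# Added example (not part of the original guide): apply the Defender Antivirus
# settings from this section with Set-MpPreference and collect evidence with
# Get-MpComputerStatus. Assumptions: elevated session on Windows 10/11 with
# Defender Antivirus; on Intune-managed devices the policy wins, and this
# script is used for the per-device evidence record.

# Real-time protection, cloud-delivered protection, automatic sample submission.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples

# Signature updates every 4 hours (the parameter is in hours).
Set-MpPreference -SignatureUpdateInterval 4

# Weekly full scan on Sunday night; removable drives and mail attachments scanned.
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Sunday `
                 -ScanScheduleTime 23:00:00 `
                 -DisableRemovableDriveScanning $false `
                 -DisableEmailScanning $false

function Get-DefenderEvidence {
    # One record per device with the fields behind SI.1.211-213.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        CollectedAt            = (Get-Date).ToString("o")
        AntivirusEnabled       = $status.AntivirusEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        SignatureVersion       = $status.AntivirusSignatureVersion
        SignatureAgeHours      = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
        LastFullScanEnd        = $status.FullScanEndTime
        UpdateIntervalHours    = $pref.SignatureUpdateInterval
        RemovableDriveScanning = -not $pref.DisableRemovableDriveScanning
        EmailScanning          = -not $pref.DisableEmailScanning
    }
}

$evidence = Get-DefenderEvidence
$evidence | Format-List
# File the CSV in the evidence repo next to the Intune compliance screenshot.
$evidence | Export-Csv -Path ".\defender-$($env:COMPUTERNAME)-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

# The guide's bar is daily updates at minimum; anything older is a finding to chase.
if ($evidence.SignatureAgeHours -gt 24) {
    Write-Warning "Definitions on $env:COMPUTERNAME are $($evidence.SignatureAgeHours)h old; check the update path"
}
```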
Enable Microsoft Defender for Endpoint (MDE) if licensed
Included in M365 Business Premium. Provides EDR, threat & vulnerability management, attack surface reduction. Goes far beyond basic AV — critical for any serious CMMC posture.
Configure Attack Surface Reduction (ASR) rules
Intune → Endpoint security → Attack surface reduction. Enable rules: block Office macros from child processes, block credential stealing from LSASS, block JS/VBS launching executables. Start in Audit mode, then Enforce.
Block USB / removable storage on FCI-handling devices
Intune → Configuration profile → Device restrictions → Block removable storage. Or use MDE Device Control. Covers MP.1.118 (media protection) — no FCI leaving on a thumb drive.
Deploy security baseline via Intune
Intune → Endpoint security → Security baselines → Windows 365 Security Baseline. Microsoft-curated 200+ settings aligned to CIS/NIST. Apply to all managed devices.
Disable local administrator accounts on endpoints
Enable LAPS (Local Administrator Password Solution) via Intune. Randomizes local admin passwords per machine. Prevents lateral movement if one endpoint is compromised.
Enable Windows Firewall — all profiles (Domain, Private, Public)
Intune → Endpoint security → Firewall → Windows Firewall policy. Block inbound by default, allow outbound. Log dropped packets. Maps to SC.1.175.
Disable unneeded Windows features and services
Via Intune config profile or GPO: disable PowerShell 2.0, disable SMBv1, disable Remote Registry, disable Telnet. Reduces attack surface.
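The host firewall and the legacy-feature items above are both endpoint settings, so one script can apply them and then produce a pass/fail table per device for the evidence repo. This is an added example, not code from the original guide; it assumes an elevated Windows PowerShell session on Windows 10/11, and on Intune-managed devices it is a verification tool, since the Firewall policy and configuration profile remain the authoritative source of the settings.

```powershell
# Added example (not part of the original guide): apply and verify the host
# firewall and legacy-feature items from this section on one endpoint.
# Assumptions: elevated Windows PowerShell on Windows 10/11; on Intune-managed
# devices the policy is authoritative and this script produces evidence only.

# Firewall: all three profiles on, inbound blocked by default, outbound allowed,
# dropped packets logged.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# Legacy components that enlarge the attack surface.
foreach ($feature in "MicrosoftWindowsPowerShellV2Root", "SMB1Protocol", "TelnetClient") {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($f -and $f.State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    }
}
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Stop-Service RemoteRegistry -ErrorAction SilentlyContinue
Set-Service RemoteRegistry -StartupType Disabled

function Test-EndpointHardening {
    # One row per check; every Pass should read True for the assessor.
    $checks = foreach ($p in Get-NetFirewallProfile) {
        [pscustomobject]@{ Check = "Firewall $($p.Name) enabled";       Pass = ($p.Enabled -eq "True") }
        [pscustomobject]@{ Check = "Firewall $($p.Name) inbound=Block"; Pass = ($p.DefaultInboundAction -eq "Block") }
        [pscustomobject]@{ Check = "Firewall $($p.Name) logs blocked";  Pass = ($p.LogBlocked -eq "True") }
    }
    $checks += [pscustomobject]@{ Check = "SMBv1 server disabled"
        Pass = -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
    $checks += [pscustomobject]@{ Check = "PowerShell 2.0 removed"
        Pass = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -ne "Enabled" }
    $checks += [pscustomobject]@{ Check = "Telnet client removed"
        Pass = (Get-WindowsOptionalFeature -Online -FeatureName TelnetClient).State -ne "Enabled" }
    $checks += [pscustomobject]@{ Check = "Remote Registry disabled"
        Pass = (Get-Service RemoteRegistry).StartType -eq "Disabled" }
    $checks
}

$results = Test-EndpointHardening
$results | Format-Table -AutoSize
$results | Export-Csv -Path ".\hardening-$($env:COMPUTERNAME).csv" -NoTypeInformation
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning "One or more hardening checks failed on $env:COMPUTERNAME"
}
```

Disabling SMBv1 and PowerShell 2.0 through Disable-WindowsOptionalFeature takes effect after a reboot; the verification table reads the feature state, so run it again after the restart before filing the CSV.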
Enforce application control (allowlisting)
MDE → App & browser control, or Windows Defender Application Control (WDAC). Only approved apps can run. This is advanced — start with ASR rules first, move to WDAC when ready.
Business-grade firewall — not a consumer router
Meraki MX, Fortinet, Palo Alto, or equivalent. Must have stateful inspection, application awareness, and logging. Consumer routers have no audit trail.
Block inbound traffic by default — allowlist only what's needed
Firewall rules: default deny inbound, explicit allow for business services only. Document every open inbound port and why it exists.
DNS filtering / protective DNS
Deploy Cisco Umbrella, Cloudflare Gateway, or MS Defender for DNS. Blocks malicious domains, C2 traffic, phishing sites at the DNS layer — before the connection is made.
Separate guest Wi-Fi from corporate network
Guest SSID must be on a separate VLAN with no access to internal resources. Visitors, personal devices, and IoT on guest only.
Network segmentation — isolate FCI systems
If servers or NAS devices hold FCI locally, place them on a separate VLAN. Only authorized workstations can route to that VLAN. Maps to SC.1.176.
Remote access via VPN or Zero Trust (not open RDP)
Never expose RDP directly to internet. Use MFA-protected VPN (Meraki Client VPN, FortiClient, etc.) or Azure AD Application Proxy / ZTNA solution for remote access.
Enable firewall logging — retain 90 days minimum
Forward firewall logs to syslog or SIEM. At minimum, log denied inbound, allowed inbound, and VPN connections. This is your boundary audit trail.
Confirm Unified Audit Log (UAL) is turned ON
Purview → Audit → Verify audit logging is active. Should be on by default for most M365 plans — confirm and document. Captures sign-ins, file access, admin actions, mail events.
Set audit log retention to 1 year minimum
Default UAL retention is 90 days (E3) or 1 year (E5/Business Premium). If on lower plan, export logs monthly to the evidence SharePoint or use a SIEM to extend retention.
Enable Entra ID sign-in and audit logs
Entra ID → Monitoring → Sign-in logs + Audit logs. Enable Diagnostic Settings → export to Log Analytics or storage account for long-term retention. Default retention is only 7–30 days in portal.
Set up alerts for suspicious activity
Purview → Alert policies. Enable: mass file download, impossible travel sign-in, new admin role assigned, mail forwarding rule created. Route alerts to MSP + customer security contact.
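The three audit-log items above (confirm the UAL is on, extend retention by exporting, and alert on forwarding rules and new admin role assignments) are all reachable from Exchange Online PowerShell. The script below is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, a placeholder evidence folder, and that "Add member to role." is the operation name Entra ID records for a directory role assignment. It goes slightly beyond the text by parsing the exported events for the same signals the alert policies look for, so tenants without the Purview alerts still have a monthly check.

```powershell
# Added example (not part of the original guide): confirm the Unified Audit Log,
# export the last 30 days for retention, and triage forwarding-rule and
# role-assignment events. Assumptions: ExchangeOnlineManagement installed;
# Audit Logs role; evidence folder is a placeholder; "Add member to role." is
# assumed to be the Entra ID operation name for a directory role assignment.
Connect-ExchangeOnline

# 1. Is the UAL ingesting? Switch it on if not (ingestion starts within ~60 min).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
"UAL enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# 2. Page through a date window; a session ID with ReturnLargeSet keeps the
#    result set complete across 5000-row batches.
function Export-AuditWindow {
    param([datetime]$Start, [datetime]$End, [string[]]$Operations, [string]$Path)
    $params = @{
        StartDate = $Start; EndDate = $End; ResultSize = 5000
        SessionId = [guid]::NewGuid().ToString(); SessionCommand = "ReturnLargeSet"
    }
    if ($Operations) { $params.Operations = $Operations }
    $all = @()
    do {
        $batch = @(Search-UnifiedAuditLog @params)
        $all += $batch
    } while ($batch.Count -eq 5000)
    $all | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -Path $Path -NoTypeInformation
    return $all
}

$evidenceDir = "<EVIDENCE-FOLDER>"
$end   = Get-Date
$start = $end.AddDays(-30)

# Monthly export for tenants whose portal retention is only 90 days.
$events = @(Export-AuditWindow -Start $start -End $end -Path "$evidenceDir\ual-$($end.ToString('yyyy-MM')).csv")
"Exported $($events.Count) events"

# 3a. Inbox rules that forward or redirect. AuditData.Parameters is a list of
#     {Name, Value}; client-side UpdateInboxRules events carry no Parameters and
#     fall through, so keep reviewing those by mailbox with Get-InboxRule.
$forwardingRules = $events |
    Where-Object { $_.Operations -in "New-InboxRule", "Set-InboxRule" } |
    ForEach-Object {
        $d   = $_.AuditData | ConvertFrom-Json
        $fwd = $d.Parameters | Where-Object { $_.Name -in "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo" }
        if ($fwd) {
            [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; Op = $_.Operations
                               Target = ($fwd.Value -join ";"); ClientIP = $d.ClientIP }
        }
    }
$forwardingRules | Format-Table -AutoSize

# 3b. New directory role assignments; ObjectId in the Entra record is the
#     principal that received the role.
$events | Where-Object { $_.Operations -eq "Add member to role." } |
    Select-Object CreationDate, UserIds, @{ n = "Target"; e = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Format-Table -AutoSize
```

Any row in 3a whose target is outside the tenant, or any row in 3b that does not match a change-ticket, is handled through the incident response plan later in this guide rather than silently reverted.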
Review Microsoft Secure Score monthly
security.microsoft.com → Secure Score. Track score over time, action recommended improvements. Screenshot monthly score for evidence of ongoing monitoring.
Document a written Incident Response plan
Doesn't need to be complex — 1–2 pages: what counts as an incident, who to call (MSP, legal, DoD POC if FCI is involved), steps to contain, steps to document. Store in evidence repo.
Know your DoD incident reporting obligation
If FCI is compromised, contractors may have reporting obligations to the contracting agency. Check contract language. Some require reporting within 72 hours.
Disable Microsoft 365 app self-service purchases
M365 Admin → Settings → Org settings → Self-service purchases → Block. Prevents users from buying and connecting unapproved apps that could receive FCI.
Control which third-party apps can connect to M365
Entra ID → Enterprise Applications → User consent settings → Disable user consent for third-party apps. Require admin approval. Review existing connected apps and remove unknown ones.
Review and restrict M365 Groups / Teams creation
Limit who can create M365 Groups and Teams to IT or specific roles. Prevents sprawl of unmanaged workspaces where FCI could land.
Disable or restrict macro execution in Office apps
Intune → Configuration profile → Office policy: block macros from files downloaded from the internet. If macros are business-required, allow only from trusted locations with digital signatures.
Conduct security awareness training annually (minimum)
Use Microsoft Attack Simulator (included in Business Premium) for phishing simulations. Keep training completion records in the evidence repo. Document date, participants, and topic covered.
Backup M365 data with a third-party backup tool
Microsoft's recycle bin is NOT a backup. Use Veeam, Datto SaaS Protection, or Acronis to back up Exchange, SharePoint, OneDrive, and Teams. Test restore quarterly. Document the test.
Document everything — system inventory + network diagram
Maintain a list of all systems, devices, and users in scope. Include make/model, OS version, Intune enrollment status. Your SSP needs this. Update it whenever things change.
M365 License Recommendation for CMMC L1
✅ Microsoft 365 Business Premium
Includes Intune, Defender for Business (EDR), Entra ID P1, Defender for Office 365 P1, Azure AD CA, Purview basics. ~$22/user/mo. This is the sweet spot for CMMC L1 SMBs.
⚠️ M365 Business Standard or E3
Missing Defender for Business EDR and some CA features. Gaps in SI.1.211–213. You'll need a third-party EDR (SentinelOne, CrowdStrike) to fill the gap. More complex.
Implementation Framework
Security Controls Assessment • Phased Deployment • Compliance Validation • Evidence Repository
Confidential — For authorized personnel only. Unauthorized access, disclosure, or reproduction is strictly prohibited.