Educause Security Discussion mailing list archives

Live@edu tenants: Better Security Reporting from MS


From: Martin Manjak <mmanjak () ALBANY EDU>
Date: Fri, 30 Sep 2011 10:18:41 -0400

This is a query to those of you who have migrated all, or a portion, of
your email service to MS Live@edu cloud service and a request for your
comments to judge whether this issue should be elevated to the level of
a concern on the part of the .edu community with MS.

Case Study
If you have made the move, or are preparing to make the move, you will
know that provisioning AD accounts for your user population greatly
facilitates the accounts provisioning and management process for the
migration to Live.

Here's the concern I have: Our faculty, staff, and students will
continue to be subject to phishing attacks. MS employs a series of email
thresholds that are used to throttle accounts. It performs no
diagnostics and makes no distinction between abusive/ignorant account
holders and compromised accounts used to send spam.

In the past, in our environment, the damage an attacker could perpetrate
with compromised credentials was for the most part limited to our Unix
cluster. (That's where our students had their accounts/email service.) 
And we had good visibility into these incidents.

Now however, a compromised Live password means a compromised AD account.
AD is used to manage access to a wide range of resources on our campus
(shares, calendars, VPN access, etc.)

MS does not send any kind of notice to the tenant institution when it
suspends a Live account for exceeding its mail limits, so we have no
visibility into these incidents.

So here's the hypothetical: A staff member has their account
compromised. MS suspends the ability to send mail from their Live
account for 24 hours. No notification of this is sent to the tenant. The
account owner won't know if they don't log in. The employee goes home
for the weekend. The AD account is still active within the domain. Now
there is a set of compromised AD credentials in the possession of an
unauthorized individual or group, and neither the institution nor the
owner is aware of this, and may not become aware of it for a few days
under certain circumstances (e.g., the owner doesn't try to send
messages during the 24 hour suspension period, so nothing appears to be
wrong from their perspective).

I'm hoping that MS will reconsider its lack of reporting of account
suspensions to tenant colleges and universities, but that depends to a
great extent on how much of a concern this is to its other .edu tenants.

So does this bother you as much as it bothers me?
Marty


-- 

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.

