December 7, 2022
Add-ins and Consent - WST
Continued advancement of programming knowledge is making it easier for just about anyone with a basic understanding of a programming language to create applications, including add-ins meant to enhance browser or application functionality. Children are being taught at the elementary school level to use integrated development environments (IDEs) to build applications, and at higher grade levels students are encouraged to build whatever they need to complete a task. Operating system and application developers are also encouraging these abilities by making it easier to customize or enhance applications; Microsoft has been doing this with Office applications for decades using Visual Basic.
For users who are not able to develop their own solutions, applications and add-ins are increasingly available through Google Play, the Microsoft Store, and the Apple App Store. They are also available through the add-in managers in common browsers and can be side-loaded directly from websites.
Although application publishers like Google, Microsoft, and Apple do their best to vet the applications they offer, malicious applications sometimes slip through their filters long enough for thousands, if not hundreds of thousands or even millions, of users to download them. Supply chain compromises can also weaponize historically reputable software, such as CCleaner in 2019. Even now, there are applications that many consider malicious data gathering tools yet are accepted as legitimate by these same publishers. For example, Malwarebytes published articles as recently as July 2022 stating that TikTok is an “unacceptable security risk” and should be removed immediately, while publishers still offer the application for install.
Administrators should be wary of users’ ability to install seemingly innocuous applications or add-ins into the environment. Even if you have removed users’ local administrator permissions and their ability to make changes to the operating system or applications, some software can still be installed. For example, Mobile Device Management (MDM) or browser policies may not be configured adequately to prevent the installation of Microsoft-approved applications or add-ins that are later discovered to be malware.
For every application that allows software to be added to enhance its function, administrative policies should govern installation, use, and permissions. These policies are applied through management tools such as Group Policy, Microsoft Intune, or other administrative tools like MDM platforms. Group Policy can be extended to control applications through the installation and use of administrative (ADMX) templates. These ADMX templates are of great use when managing browsers, including Google Chrome, Mozilla Firefox, and Apple Safari.
On the subject of add-ins: Administrators should expressly approve all browser add-ins to prevent users from installing malicious software from the online stores. Furthermore, firewalls and web filtering may be configured to block access to these online stores.
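As an added example (not part of the original post), the following PowerShell writes the same Google Chrome policy values that the Chrome ADMX templates set through Group Policy: a default-deny extension blocklist paired with an allow-list of approved extension IDs. It assumes a Windows machine with Chrome installed, an elevated session, and uses a placeholder extension ID that you would replace with the IDs you have approved.

```powershell
# Added example: enforce a browser add-in allow-list for Google Chrome by
# writing the HKLM policy values the Chrome ADMX templates manage.
# Run elevated on a test machine first. The extension ID below is a
# placeholder (Chrome IDs are 32 lowercase letters); substitute approved IDs.

$ChromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$ApprovedExtensionIds = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'   # placeholder extension ID
)

function Set-ChromeExtensionAllowList {
    param([string[]]$AllowedIds)

    # ExtensionInstallBlocklist "*" blocks every extension by default;
    # ExtensionInstallAllowlist then re-enables only the approved IDs.
    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicy 'ExtensionInstallAllowlist'
    foreach ($key in $blockKey, $allowKey) {
        if (Test-Path $key) { Remove-Item $key -Recurse -Force }
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null
    $i = 1
    foreach ($id in $AllowedIds) {
        New-ItemProperty -Path $allowKey -Name "$i" -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-ChromeExtensionAllowList {
    # Audit check: returns $true only when the default-deny "*" entry exists.
    $blockKey = Join-Path $ChromePolicy 'ExtensionInstallBlocklist'
    if (-not (Test-Path $blockKey)) { return $false }
    $values = (Get-ItemProperty -Path $blockKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value
    return ($values -contains '*')
}

Set-ChromeExtensionAllowList -AllowedIds $ApprovedExtensionIds
Test-ChromeExtensionAllowList
```

Chrome reads these values on its next policy refresh; the same settings can be confirmed on a client by opening chrome://policy.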
On the subject of malicious mobile apps (e.g., TikTok): In Microsoft 365 environments, policies should be in place to block users’ ability to grant applications access to corporate data, preventing illicit consent grant attacks. Users have become accustomed to ignoring the warnings given by mobile devices when installing new software, approving all the “bothersome” access prompts just so they can get on with their day. Furthermore, policies should be put in place to scan installed applications, and consideration should be given to disallowing the installation of company applications, or access to company data, until these malicious applications are uninstalled.
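The consent control described above, as an added example that is not part of the original post: using the Microsoft Graph PowerShell SDK to list the delegated permission grants individual users have already approved (the trail an illicit consent grant leaves behind) and then to turn off end-user consent so that administrators approve applications instead. It assumes the Microsoft.Graph module is installed and that you sign in with an account holding a role such as Global Administrator; test in a non-production tenant first.

```powershell
# Added example: audit user-approved consent grants and disable end-user
# consent in Microsoft 365 with the Microsoft Graph PowerShell SDK.
# Prerequisite: Install-Module Microsoft.Graph

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Directory.Read.All'

function Get-UserConsentedGrants {
    # Delegated grants with ConsentType "Principal" were approved by a single
    # user; "AllPrincipals" grants were approved tenant-wide by an admin.
    $apps = @{}
    Get-MgServicePrincipal -All | ForEach-Object { $apps[$_.Id] = $_ }
    Get-MgOauth2PermissionGrant -All |
        Where-Object { $_.ConsentType -eq 'Principal' } |
        ForEach-Object {
            $sp = $apps[$_.ClientId]
            [pscustomobject]@{
                App             = $sp.DisplayName
                AppId           = $sp.AppId
                GrantedByUserId = $_.PrincipalId
                Scopes          = $_.Scope      # e.g. Mail.Read offline_access
            }
        }
}

function Disable-UserConsent {
    # An empty list of permission-grant policies means users can no longer
    # consent to any application on their own behalf.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @()
    }
}

function Test-UserConsentDisabled {
    # Audit check for reviews: $true when no grant policy is assigned to users.
    $perms = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
    return ($perms.PermissionGrantPoliciesAssigned.Count -eq 0)
}

# Review existing user-approved grants (revoke any for unknown apps), then
# close the door for future ones and confirm the setting took effect.
Get-UserConsentedGrants | Sort-Object App | Format-Table -AutoSize
Disable-UserConsent
Test-UserConsentDisabled
```

Pair this with the admin consent request workflow in Azure AD so users still have a sanctioned way to ask for an application to be approved.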
On the subject of multi-factor authentication (MFA): This is only loosely related to the subject at hand, but it is likely the most important control to consider alongside the others. All authentication attempts should require MFA. Arguably, MFA delivered by SMS, phone call, or email is no longer adequate, and even push notifications or codes from mobile authenticator apps are becoming a concern. Number matching with location, or physical security tokens, are the best MFA options today.
When performing a Microsoft 365 Security Review, your auditor will typically gauge issues at the inherent risk level. There may be a myriad of mitigating controls in place to ensure that inherent risks are addressed. However, a layered approach to risk means dealing with it at the source as well as down the line. Thus, even if you have controls such as Conditional Access (CA) policies or tertiary controls such as Endpoint Detection and Response (EDR) agents in place that might stop a threat, it is always good practice to address the threat where it begins. That means disabling things like PowerShell Online for users who don’t need it, even if you have blocked all cloud apps in your CA policies or run one of the custom PowerShell scripts offered by Microsoft on GitHub, and managing the apps and add-ons that have access to corporate-owned data.
Finally, test your controls on a defined, policy-driven schedule.
If you have questions about any of these subjects or concepts, please let us know. We’re here to help.
Authored by: Mike Smith, AWS CCP, CBISO