Perform Service Hardening



Minimize available services and control connectivity by disabling services as well as removing unnecessary accounts from systems. Configure the Office 365 service and the devices from which it is accessed to attempt to filter out and reduce the impact of attempted attacks.

Key Considerations


Exchange Online

Additional Considerations



  1. Directive on Security Management - Appendix B: Mandatory Procedures for Information Technology Security Control, subsections B.2.3.3, B.2.3.7
  2. SPIN 2017-01, subsection 6.2.3
  3. CSE Top 10 #3
  4. Refer to CCCS ITSP.30.031 V2 User Authentication Guidance for Information Technology Systems
  5. Refer to the Guidance on Cloud Authentication for the Government of Canada
  6. Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
  7. Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8