Since 2014, the National Institute of Standards and Technology (NIST), a U.S. federal agency, has issued guidelines for managing digital identities via Special Publication 800-63B. The latest revision (rev. 3) was released in 2017, and has been updated as recently as 2019. Revision 4 was made available for comment and review; however, revision 3 is still the standard as of the time of this blog post.
Section 5.1.1 – Memorized Secrets provides recommendations for requirements around how users may create new passwords or make password changes, including guidelines around issues such as password strength. Special Publication 800-63B also covers verifiers (software, websites, network directory services, etc.) that validate and handle passwords during authentication and other processes.
Not all organizations must adhere to NIST guidelines. However, many follow NIST password policy recommendations even if it’s not required because they provide a good foundation for sound digital identity management. Indeed, strong password security helps companies block many cybersecurity attacks, including hackers, brute force attacks like credential stuffing and dictionary attacks. In addition, mitigating identity-related security risks helps organizations ensure compliance with a wide range of regulations, such as HIPAA, FISMA and SOX.
Quick List of NIST Password Guidelines
This blog explain many NIST password guidelines in detail, but here’s a quick list:
User-generated passwords should be at least 8 characters in length.
Machine-generated passwords should be at least 6 characters in length.
Users should be able to create passwords at least 64 characters in length.
All ASCII/Unicode characters should be allowed, including emojis and spaces.
Stored passwords should be hashed and salted, and never truncated.
Prospective passwords should be compared against password breach databases and rejected if there’s a match.
Passwords should not expire.
Users should be prevented from using sequential characters (e.g., “1234”) or repeated characters (e.g., “aaaa”).
Two-factor authentication (2FA) should not use SMS for codes.
Knowledge-based authentication (KBA), such as “What was the name of your first pet?”, should not be used.
Users should be allowed 10 failed password attempts before being locked out of a system or service.
Passwords should not have hints.
Complexity requirements — like requiring special characters, numbers or uppercase letters — should not be used.
Context-specific words, such as the name of the service or the individual’s username, should not be permitted.
You probably notice that some of these recommendations represent a departure from previous assumptions and standards. For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements. Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers. Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.
NIST Guidelines
Now let’s explore the NIST guidelines in more detail.
Password length & processing
Length has long been considered a crucial factor for password security. NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it’s recommended to allow passwords to be at least 64 characters as a maximum length.
Verifiers should no longer truncate any passwords during processing. Passwords should be hashed and salted, with the full password hash stored.
Also the recommended NIST account lockout policy is to allow users at least 10 attempts at entering their password before being locked out.
Accepted characters
All ASCII characters, including the space character, should be supported in passwords. NIST specifies that Unicode characters, such as emojis, should be accepted as well.
Users should be prevented from using sequential characters (e.g., “1234”), repeated characters (e.g., “aaaa”) and simple dictionary words.
Commonly used & breached passwords
Passwords that are known to be commonly used or compromised should not be permitted. For example, you should disallow passwords in lists from breaches (such as the Have I Been Pwned? database, which contains 570+ million passwords from breaches), previously used passwords, well-known commonly used passwords, and context-specific passwords (e.g., the name of the service).
When a user attempts to use a password that fails this check, a message should be displayed asking them for a different password and providing an explanation for why their previous entry was rejected.
Reduced complexity & password expiration
As explained earlier in the blog, previous password complexity requirements have led to less secure human behavior, instead of the intended effect of tightening security. With that in mind, NIST recommends reduced complexity requirements, which includes removing requirements for special characters, numbers, uppercase characters, etc.
A related recommendation for reducing insecure human behavior is to eliminate password expiration.
No more hints or knowledge-based authentication (KBA)
Although password hints were intended to help users to create more complex passwords, users often choose hints that practically give away their passwords. Accordingly, NIST recommends not allowing password hints.
NIST also recommends not using knowledge-based authentication (KBA), such as questions like “What was the name of your first pet?”
To account for the growing popularity of password managers, users should be able to paste passwords.
SMS is no longer considered a secure option for 2FA. Instead, one-time code provider, such as Google Authenticator or Okta Verify, should be used.
How Netwrix Can Help
Netwrix offers several solutions specifically designed to streamline and strengthen access and password management:
Netwrix Password Policy Enforcer makes it easy to create strong yet flexible password policies that enhance security and compliance without hurting user productivity or burdening helpdesk and IT teams.
Netwrix Password Reset enables users to safely unlock their own accounts and reset or change their own passwords, right from their web browser. This self-service functionality dramatically reduces user frustration and productivity losses while slashing helpdesk call volume.
FAQ
What is NIST Special Publication 800-63B?
NIST’s Digital Identity Guidelines (Special Publication 800-63B) provides reliable recommendations for identity and access management, including effective password policies.
Why does NIST recommend reducing password complexity requirements?
While requiring complex passwords makes them more difficult for attackers to crack, it also makes passwords harder for users to remember. To avoid frustrating lockouts, users tend to respond with behaviors like writing down their credentials on a sticky note by their desk or choosing to periodically reuse the same (or nearly the same) password — which increase security risks. Accordingly, NIST now recommends less stringent complexity requirements.
Microsoft Active Directory (AD) is the central credential store for 90% of organizations worldwide. As the gatekeeper to business applications and data, it’s not just everywhere, it’s everything! Managing AD is a never-ending task, and securing it is even harder. At Netwrix, we talk to a lot of customers who are using our tools to manage and secure AD, and over the years, key strategies for tightening security and hardening AD to resist attacks have emerged. Here are 10 Active Directory security hardening tips that you can use in your environment:
Active Directory includes thousands of items and many moving elements to safeguard. A core method for increasing security is to decrease clutter by removing unused users, groups and machines. Stale AD objects may be abused by attackers, so deleting them reduces your attack surface.
You may also find seldom-used items. Use HR data and work with business stakeholders to determine their status; for example, for user accounts, determine the user’s manager. While this takes time, you’ll appreciate having it done during your next audit or compliance review.
Tip #2: Make it easy for users to choose secure passwords.
To prevent adversaries from compromising user credentials to enter your network and move laterally, passwords need to be hard to crack. But users simply cannot remember and manage multiple complex passwords on their own, so they resort to practices that weaken security, such as writing their passwords on sticky notes or simply incrementing a number at the end when they need to change them. That led security experts to weaken their recommendations concerning password complexity and resets.
However, with an enterprise password management solution, you can make it easy for users to create unique and highly secure passwords and manage them effectively, so you do not have to compromise on strong password requirements. A user needs to memorize just one strong password, and the tool manages all the others for them.
Tip #3: Don’t let employees have admin privileges on their workstations.
If an attacker gains control of a user account (which we all know happens quite a bit), their next step is often to install hacking software on the user’s workstation to help them move laterally and take over other accounts. If the compromised account has local admin rights, that task is easy.
But most business users do not actually need to install software or change settings very often, so you can reduce your risk by not giving them admin permissions. If they do need an additional application, they can ask the helpdesk to install it. Don’t forget to use Microsoft LAPS ensure all remaining local admin accounts have strong passwords and change them on a regular schedule.
Tip #4: Lock down service accounts.
Service accounts are used by applications to authenticate to AD. They are frequently targeted by attackers because they are rarely monitored, have elevated privileges and typically have passwords with no expirations. Accordingly, take a good look at your service accounts and restrict their permissions as much as possible. Sometimes service accounts are members of the Domain Admin’s group, but typically don’t need all of that access to function — you may need to check with the application vendor to find out the exact privileges needed.
It’s also important to change service account passwords periodically to make it even more difficult for attackers to exploit them. Doing this manually is difficult, so consider using the group managed service account (gMSA) feature, introduced in Windows Server 2016. When you use gMSAs, the operating system will automatically handle the password management of service accounts for you.
Tip #5: Eliminate permanent membership in security groups.
The Enterprise Admin, Schema Admin and Domain Admin security groups are the crown jewels of Active Directory, and attackers will do everything they can to get membership in them. If your admins have permanent membership in these groups, an attacker who compromises one of their accounts will have permanent elevated access in your domain.
To reduce this risk, strictly limit membership in all of these highly privileged group and, furthermore, make membership temporary. The Enterprise Admin and Schema Admin groups are not frequently used, so for these, this won’t be an issue. Domain Admin is needed much more, so a system for granting temporary membership will have to be set up.
Tip #6: Eliminate elevated permissions wherever possible.
There are three fairly common permissions that attackers need to execute attacks against AD: Reset Password, Change Group Membership and Replication. These permissions are harder to secure since they are so frequently used in daily operations.
Accordingly, you should monitor all changes to security group permissions or membership that would grant these rights to additional users. Even better, implement a privileged access management (PAM) solution that enables just-in-time temporary provisioning of these privileges.
Tip #7: Implement multifactor authentication (MFA)
MFA adds an extra layer of security by requiring users to verify their identity by providing at least two of the following types of authentication factors:
Something they know, such as a password, PIN or answer to a security question
Something they have, such as a code from a physical token or a smart card
Something they are, which means biometrics like a fingerprint, iris or face scan
Tip #8: Closely audit your Active Directory.
It is important to audit Active Directory for both non-secure settings and suspicious activity. In particular, you should perform regular risk assessment to mitigate security gaps, monitor for anomalous user activity, and promptly identify configuration drift in critical system files. It’s ideal to invest in tools that will automatically alert you to suspicious events and even respond automatically to block threats.
Tip #9: Secure DNS.
Securing DNS can help you to block a variety of attacks, including as domain hijacking and DNS spoofing. Steps to take include implementing DNSSEC, using a secure DNS server and regularly reviewing DNS settings.
Tip #10: Regularly back up Active Directory.
Having a recent backup of your Active Directory is crucial for recovery from cyber incidents, including ransomware attacks and natural disasters. Backups should be stored securely, tested regularly and be readily accessible to ensure your critical AD settings are recoverable in the event of a disaster.
Conclusion
Active Directory is an amazing system for controlling access. However, it’s only secure when it’s clean, understood, properly configured, closely monitored and tightly controlled. These tips are practical ways that you can tighten security and harden your Active Directory.
Frequently Asked Questions
What is hardening in Active Directory?
Hardening in Active Directory is the process of securing and strengthening the directory service to reduce the risk of data breaches and downtime. It involves controlling access to sensitive data, removing unnecessary objects, enforcing password policies and monitoring for suspicious activity.
What is domain controller hardening?
Domain controller hardening is the process of strengthening the servers that run Active Directory to reduce the risk of unauthorized access, data breaches and service disruption. It includes deactivating superfluous services, deploying security patches and updates, establishing firewall rules, and enforcing strong password practices.
What happens if a domain controller is compromised?
An adversary who compromises a domain controller can do significant damage, from accessing sensitive data to creating, modifying and deleting user accounts and other critical AD objects.
How do I secure Active Directory?
Securing Active Directory is an ongoing process that involves multiple layers of security controls. In particular, organizations need to implement strong password policies, limit user access, monitor for suspicious activity, keep machines patched and updated, secure domain controllers, use multifactor authentication (MFA) to add extra security, and educate employees on cybersecurity best practices and potential threats.
Active Directory security groups are used to grant users permissions to IT resources. Each security group is assigned a set of access rights, and then users are made members of the appropriate groups. Done right, this approach enables an accurate, role-based approach to user management and reduces IT workload.
Why should Security Groups Stay Secure?
Security groups should always be protected with clear security protocols because they govern user and computer access to resources that could be highly confidential, sensitive, and critical to the organization. Any oversight may result in security breaches and data theft with lasting consequences. Hence, you need to establish some best practices for using and managing security groups.
Key Best Practices
The following best practices can help you use security groups effectively.
Use Group Nesting to Simplify Access Management
Give each security group a unique, descriptive name
Limit each group’s permissions to the bare minimum
Make each user a member of only the required groups
Track group activity and changes to security groups
Pay attention to service accounts
Have group owners review their groups regularly, and remove groups that are no longer needed
Use privileged accounts only when required
Always create a recovery plan
Use Group Nesting to Simplify Access Management.
When we talk about group nesting, we refer to making an AD group a member of another group. This strategy enables us to give permissions across domains through universal groups. It works this way:
Give each security group a unique, descriptive name.
When security groups have unclear names, or multiple groups have similar names, such as ‘Sales Group 1’ and ‘Sales Group 2’, it’s difficult to ensure that they have the correct permissions and membership. To reduce risk, establish group naming standards that ensure consistency and uniqueness.
Limit each group’s permissions to the bare minimum.
The least privilege principle is the cornerstone of security. Make sure each security group is assigned only the permissions that its members need to complete their tasks. Granting excessive permissions to a group enables any group member — or an adversary who compromises their account — to abuse those rights.
Make each user a member of only the required groups.
Never add users to groups they do not need to be a part of. Moreover, remove them promptly from groups they no longer need to belong to, such as when they change roles within the organization. For example, when users change departments, remove them from the previous department’s groups and add them to the new department’s groups. That way, each user has access only to the resources they need, which reduces your organization’s attack surface area.
Track group activity and changes to security groups.
Any improper change to the permissions or membership of a security group puts the organization at increased risk of security incidents and business disruptions. Be especially vigilant about monitoring changes to highly privileged groups like Domain Admins and Enterprise Admins.
Look out for the following to detect suspicious behavior:
Unauthorized permission and membership changes
Unnecessary or unusual use of admin accounts
Failed password attempts
Locked out accounts
Disabled or removed antivirus software
At a minimum, log the events and regularly run reports to spot suspicious activity. Even better, use a tool that will alert you in real time to changes to critical security groups, or block those changes from happening in the first place.
Pay attention to service accounts.
A service account is a special user account created to run a particular application or service. Best practices for service accounts include the following:
Set secure passwords.
Do not make service accounts members of built-in privileged groups like Domain Admins.
Enforce least privilege by granting each service account the minimum access required to accomplish its tasks.
Have group owners review their groups regularly, and remove groups that are no longer needed.
Security groups are usually set up to provide access to resources for a particular project team— but when the project is over, the group is often not deleted. By requiring group owners to regularly review their groups, you can improve security by removing groups that are no longer needed.
As a best practice, disable or delete dormant accounts after about 45 days of inactivity. Set up a system to distinguish inactive accounts from active accounts, which would help in removing inactive accounts from security groups. Hackers can easily target unused accounts since no one keeps track of the account’s activities. And if that unused account is a member of multiple security groups, the implications could be devastating.
Use privileged accounts only when required.
Accounts that are members of privileged groups should be used only for performing administrative tasks that require elevated rights. For all other tasks, admins should use their regular user accounts. This strategy reduces the risk of attackers gaining control of an account that is a member of security groups with access to sensitive systems and data.
Always create a recovery plan.
Despite keeping security intact, data breaches may happen at times due to an error. As a proactive measure, have a recovery plan in place with due attention to recovering security groups. IT teams must be trained to handle such a situation with quick and intelligent decision-making.
Simplifying Security Group Management
Netwrix GroupID can help you effectively manage your Active Directory security groups. Here are some of the ways it can help you implement the best practices described above.
Establish and enforce standards for naming groups
Ensure the membership of security groups is accurate
Establish an attestation process for security groups
Set security groups to expire automatically
Set a default group approver
Establish and enforce standards for naming groups.
Netwrix GroupID helps you implement consistency and convention in group names with the following features:
Group name prefixes
Regular expressions
Templates for naming nested groups
Lists of blocked words
Ensure the membership of security groups is accurate.
Netwrix GroupID enables you to manage group membership with LDAP queries as an alternative to manually adding and removing users, thus ensuring that membership is always up to date.
Establish an attestation process for security groups.
Netwrix GroupID makes it easy for group owners to regularly review the attributes, membership, and permissions of their security groups, as well as whether the groups are still needed. This process helps maintain a check on groups.
Set security groups to expire automatically.
You can set an expiry date for a security group, such as a group created for a specific project. Netwrix GroupID sends an email notification to a group’s owner 30 days, 7 days and 1 day before the expiration date. If the group is not renewed, it is automatically deleted. Expired groups that have been deleted can be quickly restored if necessary.
You can easily exempt any security group from expiration, including the default security groups in Active Directory.
Set a default group approver.
You can designate a default approver for groups, who will receive expiry notifications for groups without owners.
Conclusion
Properly managing your Active Directory security groups is vital to protecting your IT systems and data. A solution like Netwrix GroupID can make it easy to implement the best practices detailed here.
How governments play a vital role in developing regulations, stopping supply chain attacks, and diminishing other threats to our way of life.
While new issues are always emerging in the world of cybersecurity, some have been present since the beginning, such as what role cybersecurity should play in government operations and, conversely, what role government should play in cybersecurity. The answer to this question continues to shift and evolve over time, but each new leap in technology introduces additional considerations. As we move into the AI era, how can government best keep citizens safe without constraining innovation and the free market — and how can the government use its defensive capabilities to retain an edge in the conflicts of tomorrow?
The day’s first session, “Cybersecurity and Military Defense in an Increasingly Digital World,” offered a deep dive into the latter question. Over the past 20 years, military conflicts have moved from involving just Land, Air and Sea to also being fought in Space and Cyber. While superior technology has given us an upper hand in previous conflicts, in some areas our allies — and our adversaries — are catching up or even surpassing us. In each great technological leap, companies and countries alike ascend and recede, and to keep our edge in the conflicts of the future, the U.S. will need to shed complacency, develop the right policies, move toward greater infrastructure security and tap the capabilities of the private sector.
SonicWall in particular is well-positioned to work with the federal government and the military. For years, we’ve helped secure federal agencies and defense deployments against enemies foreign and domestic, and have woked to shorten and simplify the acquisition and procurement process. Our list of certifications includes FIPS 140-2, Common Criteria, DoDIN APL, Commercial Solutions for Classified (CSfC), USGv6, IPv6 and TAA and others. And our wide range of certified solutions have been used in a number of government use cases, such as globally distributed networks in military deployments and federal agencies, tip-of-the-spear, hub-and-spoke, defense in-depth layered firewall strategies and more.
This new strategy was at the center of the day’s next session. In “The National Cyber Strategy as Roadmap to a Secure Cyber Future,” panelists outlined this strategic guidance, which was released just two months ago and offered a roadmap for how the U.S. should protect its digital ecosystem against malicious criminal and nation-state actors. The guidance consists of five pillars, all of which SonicWall is in accord with:
Pillar One: Defend Critical Infrastructure SonicWall offers several security solutions that align with Pillar One, including firewalls, intrusion prevention, VPN, advanced threat protection, email security, Zero-Trust network access and more. We’re also working to align with and conform to NIST SSDF and NIST Zero Trust Architecture standards.
Pillar Three: Shape Market Forces to Drive Security and Resilience
This pillar shifts liability from end users to software providers that ignore best practices, ship insecure or vulnerable products or integrate unvetted or unsafe third-party software. And as part of our efforts to aign with the NIST SSDF, we’re implementing a Software Bill of Materials (SBOM).
Pillar Four: Invest in a Resilient Future
Given CISA’s prominence in this guidance, any regulations created will likely include threat emulation testing, and will likely be mapped to threat techniques, such as MITRE ATT&CK. SonicWall Capture Client (our EDR solution) is powered by SentinelOne, which has been a participant in the MITRE ATT&CK evaluations since 2018 and was a top performer in the 2022 Evaluations.
Pillar Five: Forge International Partnerships to Pursue Shared Goals
An international company, SonicWall recognizes the importance of international partnerships and works to comply with global regulations such as GDPR, HIPAA, PCI-DSS and more. By sharing threat intelligence and collaborating no mitigation strategies, we work with governments and the rest of the cybersecurity community to pursue shared cybersecurity goals.
And with the continued rise in cybercrime, realizing these goals has never been more important. In “The State of Cybersecurity: Year in Review,” Mandiant CEO Kevin Mandia summarized findings from the 1,163 intrusions his company investigated in 2022. The good news, Mandia said, is that we’re detecting threats faster. In just ten years, we’ve gone from averaging 200 days to notice there’s a problem, to just 16 days currently — but at the same time, an increase in the global median dwell time for ransomware shows there’s still work to be done.
Mandia also outined the evolution of how cybercriminals are entering networks, from Unix platforms, to Windows-based attacks, and from phishing, to spearphishing to vulnerabilities — bringing patch management once again to the fore.
Deep within the RSAC Sandbox, where today’s defenders learn, play and test their skills, panelists convened to discuss how to stop attackers’ relentless attempts to shift left. “Software Supply Chain: Panel on Threat Intel, Trends, Mitigation Strategies” explained that while the use of third-party components increases agility, it comes with tremendous risk. More than 96% of software organizations rely on third-party code, 90% of which consists of open source—but the developers of this software are frequently single individuals or small groups who may not have time to incorporate proper security, or even know how. Our current strategy of signing at the end isn’t enough, panelists argued—to truly ensure safety, signing should be done throughout the process (otherwise known as “sign at the station”).
Israel provides an example of how a country can approach the issue of software supply chain vulnerability — among other things, the country has created a GitHub and browser extension allowing developers to check packages for malicious code — but much work would need to be done to implement the Israel model in the U.S. AI also provides some hope, but given its current inability to reliably detect malicious code, we’re still a long way from being able to rely on it. In the meantime, organizations will need to rely on tried-and-true solutions such as SBOMs to help guard against supply chain attacks in the near future.
But while AI has tremendous potential to help defenders, it also has terrible potential to aid attackers. In “ChatGPT: A New Generation of Dynamic Machine-Based Attacks,” the speakers highlighted ways that attackers are using the new generation of AI technology to dramatically improve social engineering attempts, expand their efforts to targets in new areas, and even write ransomware and other malicious code. In real time, the speakers demonstrated the difference between previous phishing emails and phishing generated by ChatGPT, including the use of more natural language, the ability to instantly access details about the target and the ability to imitate a leader or colleague trusted by the victim with a minimum of effort. These advancements will lead to a sharp increase in victims of phishing attacks, as well as things like Business Email Compromise.
And while there are guardrails in place to help prevent ChatGPT from being used maliciously, they can be circumvented with breathtaking ease. With the simple adjustment of a prompt, the speakers demonstrated, ransomware and other malicious code can be generated. While this code isn’t functional on its own, it’s just one or two simple adjustments away — and this capability could be used to rapidly increase the speed with which attacks are launched.
These capabilities are especially concerning given the rise in state-sponsored attacks. In “State of the Hack 2023: NSA’s Perspective,” NSA Director of Cybersecurity Rob Joyce addressed a packed house regarding the NSA’s work to prevent the increasing wave of nation-state threats. The two biggest nation-state threats to U.S. cybersecurity continue to be Russia and China, with much of the Russian effort centering around the U.S.’ assistance in the Russia/Ukraine conflict.
As we detailed in our SonicWall 2023 Cyber Threat Report, since the beginning of the conflict, attacks by Russia’s military and associated groups have driven a massive spike in cybercrime in Ukraine. The good news, Joyce said, is that Russia is currently in intelligence-gathering mode when it comes to the U.S., and is specifically taking care not to release large-scale NotPetya-type attacks. But Russia also appears to be playing the long game, and is showing no signs of slowing or scaling back their efforts.
China also appears to be biding its time — but unlike Russia, whose efforts appear to be focused around traditional military dominance, China is seeking technological dominance. Exploitation by China has increased so much that we’ve become numb to it, Joyce argued. And since these nation-state sponsored attackers don’t incur much reputational damage for their misdeeds, they’ve become increasingly brazen in their attacks, going so far as to require any citizen who finds a zero-day to pass details to the government and hosting competitions for building exploits and finding vulnerabilities. And the country is also making efforts to influence international tech standards in an attempt to tip scales in their favor for years to come.
The 2023 RSA Conference has offered a wealth of information on a wide variety of topics, but it will soon draw to a close. Thursday is the last day to visit the SonicWall booth (#N-5585 in Moscone North) and enjoy demos and presentations on all of our latest technology. Don’t head home without stopping by — and don’t forget to check back for the conclusion of our RSAC 2023 coverage!
Microsoft Edge Windows 11 Windows 10 Office for business
Microsoft is always striving to improve and streamline our product experiences—offering a new way to use the classic Microsoft Outlook app on Windows and the Microsoft Edge web browser.
If you have a Microsoft 365 Personal or Family subscription, browser links from the Outlook app will open in Microsoft Edge by default, right alongside the email they’re from in the Microsoft Edge sidebar pane. This allows you to easily access, read, and respond to the message using your matching authenticated profile. No more disruptive switching—just your email and the web content you need to reference, in a single, side-by-side view. And we’re always optimizing the sidebar in Microsoft Edge to give you useful content and tools while you’re browsing so you don’t have to toggle back and forth between windows or even other tabs—whether you’re shopping online or working in a Microsoft 365 web app.
In the future, links from your Microsoft Teams messages will also open in Microsoft Edge by default to help you stay engaged in conversations as you browse the web.
Ultimately though, if this experience isn’t right for you, you can turn off this feature the first time it launches in Microsoft Edge, and then in Outlook settings at any time after that.
FAQ
Why is Microsoft making this change?
To improve your experience between email and browsing—letting you see them both at the same time, in the same place. No more switching back and forth between apps.
To provide a unique experience—at Microsoft, we strive to create the best customer experience across our products.
To reduce task switching and improve workflow and focus—by opening browser links in Microsoft Edge, the original message in Outlook can be viewed alongside web content to easily access, read, and respond to the message, using the matching authenticated profile.
Will this replace my default browser setting in Windows?
No, this only impacts links opened from Microsoft Outlook on Windows and you have the option to turn off this feature in Outlook settings.
I want to open links with the browser set as the default in Windows Settings. How do I do that?
You can choose your preferred browser for opening links from Outlook the first time it launches in Microsoft Edge. After that you can change this setting in Outlook at any time—select File > Options > Advanced > Link handling and choose your preferred browser from the dropdown menu.
In Outlook, go to File.
Select Options.
Select Advanced > Link handling and choose your preferred browser from the dropdown menu.
Will this change affect me if I’m using a Mac?
No, this change will only be applied to Windows 10 and Windows 11 devices.
Send us feedback
Please let us know what you think about the new experience in one of two ways:
In Microsoft Edge, go to Settings and more > Help and feedback > Send feedback. Follow the on-screen instructions and select Send.
Press Alt + Shift + I on your keyboard. Follow the on-screen instructions and select Send.
The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. It’s commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This vulnerability has led to many new standards being created to increase security for sending and receiving email, one of those standards being DNS-based Authentication of Named Entities (DANE).
DANE for SMTP RFC 7672 uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain’s DNS record set to signal a domain and its mail server(s) support DANE. If there’s no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This authentication makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records aren’t tampered with and are authentic.
Once the MX, A/AAAA and DNSSEC-related resource records for a domain are returned to the DNS recursive resolver as DNSSEC authentic, the sending mail server will ask for the TLSA record corresponding to the MX host entry or entries. If the TLSA record is present and proven authentic using another DNSSEC check, the DNS recursive resolver will return the TLSA record to the sending mail server.
After the authentic TLSA record is received, the sending mail server establishes an SMTP connection to the MX host associated with the authentic TLSA record. The sending mail server will try to set up TLS and compare the server’s TLS certificate with the data in the TLSA record to validate that the destination mail server connected to the sender is the legitimate receiving mail server. The message will be transmitted (using TLS) if authentication succeeds. When authentication fails or if TLS isn’t supported by the destination server, Exchange Online will retry the entire validation process beginning with a DNS query for the same destination domain again after 15 minutes, then 15 minutes after that, then every hour for the next 24 hours. If authentication continues to fail after 24 hours of retrying, the message will expire, and an NDR with error details will be generated and sent to the sender.
Tip
If you’re not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
What are the components of DANE?
TLSA Resource Record
The TLS Authentication (TLSA) record is used to associate a server’s X.509 certificate or public key value with the domain name that contains the record. TLSA records can only be trusted if DNSSEC is enabled on your domain. If you’re using a DNS provider to host your domain, the DNSSEC may be a setting offered when configuring a domain with them. To learn more about DNSSEC zone signing, visit this link: Overview of DNSSEC | Microsoft Docs.
Example TLSA record:
There are four configurable fields unique to the TLSA record type:
Certificate Usage Field: Specifies how the sending email server should verify the destination email server’s certificate.
Value
Acronym
Description
01
PKIX-TA
Certificate used is the trust-anchor Public CA from the X.509 trust-chain.
11
PKIX-EE
Certificate checked is the destination server; DNSSEC checks must verify its authenticity.
2
DANE-TA
Use server’s private key from the X.509 tree that must be validated by a trust anchor in the chain of trust. The TLSA record specifies the trust anchor to be used for validating the TLS certificates for the domain.
3
DANE-EE
Only match against the destination server’s certificate.
1 Exchange Online follows RFC implementation guidance that Certificate Usage Field values of 0 or 1 shouldn’t be used when DANE is implemented with SMTP. When a TLSA record that has a Certificate Usage field value of 0 or 1 is returned to Exchange Online, Exchange Online will treat it as not usable. If all TLSA records are found unusable, Exchange Online won’t perform the DANE validation steps for 0 or 1 when sending the email. Instead, because of the presence of a TLSA record, Exchange Online will enforce the use of TLS for sending the email, sending the email if the destination email server supports TLS or dropping the email and generating an NDR if the destination email server doesn’t support TLS.
In the example TLSA record, the Certificate Usage Field is set to ‘3’, so the Certificate Association Data (‘abc123…xyz789’) would be matched against the destination server’s certificate only.
Selector field: Indicates which parts of the destination server’s certificate should be checked.
Value
Acronym
Description
0
Cert
Use full certificate.
1
SPKI (Subject Public Key Info)
Use certificate’s public key and the algorithm with which the public key is identified to use.
In the example TLSA record, the Selector Field is set to ‘1’ so the Certificate Association Data would be matched using the destination server certificate’s public key and the algorithm with which the public key is identified to use.
Matching Type Field: Indicates the format the certificate will be represented in the TLSA record.
Value
Acronym
Description
0
Full
The data in the TSLA record is the full certificate or SPKI.
1
SHA-256
The data in the TSLA record is an SHA-256 hash of either the certificate or the SPKI.
2
SHA-512
The data in the TSLA record is an SHA-512 hash of either the certificate or the SPKI.
In the example TLSA record, the Matching Type Field is set to ‘1’ so the Certificate Association Data is an SHA-256 hash of the Subject Public Key Info from the destination server certificate
Certificate Association Data: Specifies the certificate data that is used for matching against the destination server certificate. This data depends on the Selector Field value and the Matching Type Value.
In the example TLSA record, the Certificate Association data is set to ‘abc123..xyz789’. Since the Selector Field value in the example is set to ‘1’, it would reference the destination server certificate’s public key and the algorithm that’s identified to be used with it. And since the Matching Type field value in the example is set to ‘1’, it would reference the SHA-256 hash of the Subject Public Key Info from the destination server certificate.
How can Exchange Online customers use SMTP DANE Outbound?
As an Exchange Online customer, there isn’t anything you need to do to configure this enhanced email security for your outbound email. This enhanced email security is something we have built for you and it’s ON by default for all Exchange Online customers and is used when the destination domain advertises support for DANE. To reap the benefits of sending email with DNSSEC and DANE checks, communicate to your business partners with whom you exchange email that they need to implement DNSSEC and DANE so they can receive email using these standards.
How can Exchange Online customers use SMTP DANE inbound?
Currently, inbound SMTP DANE isn’t supported for Exchange Online. Support for inbound SMTP DANE will be available in the near future.
What is the recommended TLSA record configuration?
Per RFC implementation guidance for SMTP DANE, a TLSA record composed of the Certificate Usage field set to 3, the Selector field set to 1, and the Matching Type field set to 1 is recommended.
Exchange Online Mail Flow with SMTP DANE
The mail flow process for Exchange Online with SMTP DANE, shown in the flow chart below, validates domain and resource record security through DNSSEC, TLS support on the destination mail server, and that the destination mail server’s certificate matches what is expected based on its associated TLSA record.
There are only two scenarios where an SMTP DANE failure will result in the email being blocked:
The destination domain signaled DNSSEC support but one or more records were returned as inauthentic.
All MX records for the destination domain have TLSA records and none of the destination server’s certificates match what was expected per the TSLA record data, or a TLS connection isn’t supported by the destination server.
Related Technologies
Technology
Additional Information
Mail Transfer Agent – Strict Transport Security (MTA-STS) helps thwart downgrade and Man-in-the-Middle attacks by providing a mechanism for setting domain policies that specify whether the destination email server supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.
More information about Exchange Online’s upcoming support for inbound and outbound MTA-STS will be published later this year.
DomainKeys Identified Mail (DKIM) uses X.509 certificate information to ensure that destination email systems trust messages sent outbound from your custom domain.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework and DomainKeys Identified Mail to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.
Currently, there are four error codes for DANE when sending emails with Exchange Online. Microsoft is actively updating this error code list. The errors will be visible in:
The Exchange Admin Center portal through the Message Trace Details view.
NDRs generated when a message isn’t sent due to a DANE or DNSSEC failure.
starttls-not-supported: Destination mail server must support TLS to receive mail.
4/5.7.322
certificate-expired: Destination mail server’s certificate is expired.
4/5.7.323
tlsa-invalid: The domain failed DANE validation.
4/5.7.324
dnssec-invalid: Destination domain returned invalid DNSSEC records.
Note
Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
4/5.4.312 DNS query failed
We are actively working to remedy this known limitation. If you receive this error statement, navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
Troubleshooting 4/5.7.321 starttls-not-supported
This error usually indicates an issue with the destination mail server. After receiving the message:
Check that the destination email address was entered correctly.
Alert the destination email administrator that you received this error code so they can determine if the destination server is configured correctly to receive messages using TLS.
Retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.322 certificate-expired
A valid X.509 certificate that hasn’t expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
Alert the destination email administrator that you received this error code and provide the error code string.
Allow time for the destination server certificate to be renewed and the TLSA record to be updated to reference the new certificate. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.323 tlsa-invalid
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TLSA record has been returned. There are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
The destination mail server’s certificate doesn’t match with what is expected per the authentic TLSA record.
Authentic TLSA record is misconfigured.
The destination domain is being attacked.
Any other DANE failure.
After receiving the message:
Alert the destination email administrator that you received this error code and provide them the error code string.
Allow time for the destination email admin to review their DANE configuration and email server certificate validity. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting 4/5.7.324 dnssec-invalid
This error code is generated when the destination domain indicated it was DNSSEC-authentic but Exchange Online wasn’t able to verify it as DNSSEC-authentic.
After receiving the message:
Alert the destination email administrator that you received this error code and provide them the error code string.
Allow time for the destination email admin to review their domain’s DNSSEC configuration. Then, retry sending the email and review the Message Trace Details for the message in the Exchange Admin Center portal.
Troubleshooting Receiving Emails with SMTP DANE
Currently, there are two methods an admin of a receiving domain can use to validate and troubleshoot their DNSSEC and DANE configuration to receive email from Exchange Online using these standards.
Adopt SMTP TLS-RPT (Transport Layer Security Reporting) introduced in RFC8460
TLS-RPT https://datatracker.ietf.org/doc/html/rfc8460 is a reporting mechanism for senders to provide details to destination domain administrators about DANE and MTA-STS successes and failures with those respective destination domains. To receive TLS-RPT reports, you only need to add a TXT record in your domain’s DNS records that includes the email address or URI you would like the reports to be sent to. Exchange Online will send TLS-RPT reports in JSON format.
Example record:
The second method is to use the Remote Connectivity Analyzer Microsoft Remote Connectivity Analyzer, which can do the same DNSSEC and DANE checks against your DNS configuration that Exchange Online will do when sending email outside the service. This method is the most direct way of troubleshooting errors in your configuration to receive email from Exchange Online using these standards.
When errors are being troubleshooted, the below error codes may be generated:
NDR Code
Description
4/5.7.321
starttls-not-supported: Destination mail server must support TLS to receive mail.
4/5.7.322
certificate-expired: Destination mail server’s certificate has expired.
4/5.7.323
tlsa-invalid: The domain failed DANE validation.
4/5.7.324
dnssec-invalid: Destination domain returned invalid DNSSEC records.
Note
Currently, when a domain signals that it supports DNSSEC but fails DNSSEC checks, Exchange Online does not generate the 4/5.7.324 dnssec-invalid error. It generates a generic DNS error:
4/5.4.312 DNS query failed
We are actively working to remedy this known limitation. If you receive this error statement, navigate to the Microsoft Remote Connectivity Analyzer and perform the DANE validation test against the domain that generated the 4/5.4.312 error. The results will show if it is a DNSSEC issue or a different DNS issue.
Troubleshooting 4/5.7.321 starttls-not-supported
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error usually indicates an issue with the destination mail server. The mail server that the Remote Connectivity Analyzer is testing connecting with. There are generally two scenarios that generate this code:
The destination mail server doesn’t support secure communication at all, and plain, non-encrypted communication must be used.
The destination server is configured improperly and ignores the STARTTLS command.
After receiving the message:
Check the email address.
Locate the IP address that is associated with the error statement so you can identify the mail server the statement is associated with.
Check your mail server’s setting to make sure it’s configured to listen for SMTP traffic (commonly ports 25 and 587).
Wait a few minutes, then retry the test with the Remote Connectivity Analyzer tool.
If it still fails, then try removing the TLSA record and run the test with the Remote Connectivity Analyzer tool again.
If there are no failures, this message may indicate the mail server you’re using to receive mail doesn’t support STARTTLS and you may need to upgrade to one that does in order to use DANE.
Troubleshooting 4/5.7.322 certificate-expired
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
A valid X.509 certificate that hasn’t expired must be presented to the sending email server. X.509 certificates must be renewed after their expiration, commonly annually. After receiving the message:
Check the IP that is associated with the error statement, so you can identify the mail server it’s associated with. Locate the expired certificate on the email server you identified.
Sign in to your certificate provider’s website.
Select the expired certificate and follow the instructions to renew and to pay for the renewal.
After your provider has verified the purchase, you may download a new certificate.
Install the renewed certificate into its associated mail server.
Update the mail server’s associated TLSA record with the new certificate’s data.
After waiting an appropriate amount of time, retry the test with the Remote Connectivity Analyzer tool.
Troubleshooting 4/5.7.323 tlsa-invalid
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error code is related to a TLSA record misconfiguration and can only be generated after a DNSSEC-authentic TSLA record has been returned. But, there are many scenarios during the DANE validation that occur after the record has been returned that can result in the code being generated. Microsoft is actively working on the scenarios that are covered by this error code, so that each scenario has a specific code. Currently, one or more of these scenarios could cause the generation of the error code:
Authentic TLSA record is misconfigured.
The certificate isn’t yet time valid/configured for a future time window.
Destination domain is being attacked.
Any other DANE failure.
After receiving the message:
Check the IP that is associated with the error statement to identify the mail server it’s associated with.
Identify the TLSA record that is associated with the identified mail server.
Verify the configuration of the TLSA record to ensure that it signals the sender to perform the preferred DANE checks and that the correct certificate data has been included in the TLSA record.
If you have to make any updates to the record for discrepancies, then wait a few minutes then rerun the test with the Remote Connectivity Analyzer tool.
Locate the certificate on the identified mail server.
Check the time window for which the certificate is valid. If it’s set to start validity at a future date, it needs to be renewed for the current date.
Sign in to your certificate provider’s website.
Select the expired certificate and follow the instructions to renew and to pay for the renewal.
After your provider has verified the purchase, you may download a new certificate.
Install the renewed certificate into its associated mail server.
Troubleshooting 4/5.7.324 dnssec-invalid
Note
These steps are for email administrators troubleshooting receiving email from Exchange Online using SMTP DANE.
This error code is generated when the destination domain indicated it’s DNSSEC-authentic but Exchange Online isn’t able to verify it as DNSSEC-authentic. This section won’t be comprehensive for troubleshooting DNSSEC issues and focuses on scenarios where domains previously passed DNSSEC authentication but not now.
After receiving the message:
If you’re using a DNS provider, for example GoDaddy, alert your DNS provider of the error so they can work on the troubleshooting and configuration change.
If you’re managing your own DNSSEC infrastructure, there are many DNSSEC misconfigurations that may generate this error message. Some common problems to check for if your zone was previously passing DNSSEC authentication:
Broken trust chain, when the parent zone holds a set of DS records that point to something that doesn’t exist in the child zone. Such pointers by DS records can result in the child zone being marked as bogus by validating resolvers.
Resolve by reviewing the child domains RRSIG key IDs and ensuring that they match with the key IDs in the DS records published in the parent zone.
RRSIG resource record for the domain isn’t time valid, it has either expired or its validity period hasn’t begun.
Resolve by generating new signatures for the domain using valid timespans.
Note
This error code is also generated if Exchange Online receives SERVFAIL response from DNS server on TLSA query for the destination domain.
When an outbound email is being sent, if the receiving domain has DNSSEC enabled, we query for TLSA records associated with MX entries in the domain. If no TLSA record is published, the response to the TLSA lookup must be NOERROR (no records of requested type for this domain) or NXDOMAIN (there’s no such domain). DNSSEC requires this response if no TLSA record is published; otherwise, Exchange Online interprets the lack of response as a SERVFAIL error. As per RFC 7672, a SERVFAIL response is untrustworthy; so, the destination domain fails DNSSEC validation. This email is then deferred with the following error:
450 4.7.324 dnssec-invalid: Destination domain returned invalid DNSSEC records
If the email sender reports receipt of the message
If you’re using a DNS provider, for example, GoDaddy, alert your DNS provider of the error so that they can troubleshoot the DNS response. If you’re managing your own DNSSEC infrastructure, it could be an issue with the DNS server itself or with the network.
Frequently Asked Questions
As an Exchange Online customer, can I opt out of using DNSSEC and/or DANE?
We strongly believe DNSSEC and DANE will significantly increase the security position of our service and benefit all of our customers. We’ve worked diligently over the last year to reduce the risk and severity of the potential impact this deployment might have for Microsoft 365 customers. We’ll be actively monitoring and tracking the deployment to ensure negative impact is minimized as it rolls out. Because of this, tenant-level exceptions or opt-out won’t be available. If you experience any issues related to the enablement of DNSSEC and/or DANE, the different methods for investigating failures noted in this document will help you identify the source of the error. In most cases, the issue will be with the external destination party and you’ll need to communicate to these business partners that they need to correctly configure DNSSEC and DANE in order to receive email from Exchange Online using these standards.
How does DNSSEC relate to DANE?
DNSSEC adds a layer of trust into DNS resolution by applying the public key infrastructure to ensure the records returned in response to a DNS query are authentic. DANE ensures that the receiving mail server is the legitimate and expected mail server for the authentic MX record.
What is the difference between MTA-STS and DANE for SMTP?
DANE and MTA-STS serve the same purpose, but DANE requires DNSSEC for DNS authentication while MTA-STS relies on certificate authorities.
Why isn’t Opportunistic TLS sufficient?
Opportunistic TLS will encrypt communication between two endpoints if both agree to support it. However, even if TLS encrypts the transmission, a domain could be spoofed during DNS resolution such that it points to a malicious actor’s endpoint instead of the real endpoint for the domain. This spoof is a gap in email security that is addressed by implementing MTA-STS and/or SMTP DANE with DNSSEC.
Why isn’t DNSSEC sufficient?
DNSSEC isn’t fully resistant to Man-in-the-Middle attacks and downgrade (from TLS to clear text) attacks for mail flow scenarios. The addition of MTA-STS and DANE along with DNSSEC provides a comprehensive security method to thwart both MITM and downgrade attacks.
Here are three of the worst breaches, attacker tactics and techniques of 2022, and the security controls that can provide effective, enterprise security protection for them.
Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. These ransomware services can be purchased on the dark web from other threat actors and ransomware gangs. Common purchasing plans include buying the entire tool, using the existing infrastructure while paying per infection, or letting other attackers perform the service while sharing revenue with them.
In this attack, the threat actor consists of one of the most prevalent ransomware groups, specializing in access via third parties, while the targeted company is a medium-sized retailer with dozens of sites in the United States.
The threat actors used ransomware as a service to breach the victim’s network. They were able to exploit third-party credentials to gain initial access, progress laterally, and ransom the company, all within mere minutes.
The swiftness of this attack was unusual. In most RaaS cases, attackers usually stay in the networks for weeks and months before demanding ransom. What is particularly interesting about this attack is that the company was ransomed in minutes, with no need for discovery or weeks of lateral movement.
A log investigation revealed that the attackers targeted servers that did not exist in this system. As it turns out, the victim was initially breached and ransomed 13 months before this second ransomware attack. Subsequently, the first attacker group monetized the first attack not only through the ransom they obtained, but also by selling the company’s network information to the second ransomware group.
In the 13 months between the two attacks, the victim changed its network and removed servers, but the new attackers were not aware of these architectural modifications. The scripts they developed were designed for the previous network map. This also explains how they were able to attack so quickly – they had plenty of information about the network. The main lesson here is that ransomware attacks can be repeated by different groups, especially if the victim pays well.
“RaaS attacks such as this one are a good example of how full visibility allows for early alerting. A global, converged, cloud-native SASE platform that supports all edges, like Cato Networks provides complete network visibility into network events that are invisible to other providers or may go under the radar as benign events. And, being able to fully contextualize the events allows for early detection and remediation.
#2: The Critical Infrastructure Attack on Radiation Alert Networks#
Attacks on critical infrastructure are becoming more common and more dangerous. Breaches of water supply plants, sewage systems and other such infrastructures could put millions of residents at risk of a human crisis. These infrastructures are also becoming more vulnerable, and attack surface management tools for OSINT like Shodan and Censys allow security teams to find such vulnerabilities with ease.
In 2021, two hackers were suspected of targeting radiation alert networks. Their attack relied on two insiders that worked for a third party. These insiders disabled the radiation alert systems, significantly debilitating their ability to monitor radiation attacks. The attackers were then able to delete critical software and disable radiation gauges (which is part of the infrastructure itself).
“Unfortunately, scanning for vulnerable systems in critical infrastructure is easier than ever. While many such organizations have multiple layers of security, they are still using point solutions to try and defend their infrastructure rather than one system that can look holistically at the full attack lifecycle. Breaches are never just a phishing problem, or a credentials problem, or a vulnerable system problem – they are always a combination of multiple compromises performed by the threat actor,” said Etay Maor, Sr. Director of Security Strategy at Cato Networks.
#3: The Three-Step Ransomware Attack That Started with Phishing#
The third attack is also a ransomware attack. This time, it consisted of three steps:
1. Infiltration – The attacker was able to gain access to the network through a phishing attack. The victim clicked on a link that generated a connection to an external site, which resulted in the download of the payload.
2. Network activity – In the second phase, the attacker progressed laterally in the network for two weeks. During this time, it collected admin passwords and used in-memory fileless malware. Then on New Year’s Eve, it performed the encryption. This date was chosen since it was (rightfully) assumed the security team would be off on vacation.
3. Exfiltration – Finally, the attackers uploaded the data out of the network.
In addition to these three main steps, additional sub-techniques were employed during the attack and the victim’s point security solutions were not able to block this attack.
“A multiple choke point approach, one that looks horizontally (so to speak) at the attack rather than as a set of vertical, disjointed issues, is the way to enhance detection, mitigation and prevention of such threats. Opposed to popular belief, the attacker needs to be right many times and the defenders only need to be right just once. The underlying technologies to implement a multiple choke point approach are full network visibility via a cloud-native backbone, and a single pass security stack that’s based on ZTNA.” said Etay Maor, Sr. Director of Security Strategy at Cato Networks.
It is common for security professionals to succumb to the “single point of failure fallacy”. However, cyber-attacks are sophisticated events that rarely involve just one tactic or technique which is the cause of the breach. Therefore, an all-encompassing outlook is required to successfully mitigate cyber-attacks. Security point solutions are a solution for single points of failure. These tools can identify risks, but they will not connect the dots, which could and has led to a breach.
According to ongoing security research conducted by Cato Networks Security Team, they have identified two additional vulnerabilities and exploit attempts that they recommend including in your upcoming security plans:
While Log4j made its debut as early as December of 2021, the noise its making hasn’t died down. Log4j is still being used by attackers to exploit systems, as not all organizations have been able to patch their Log4j vulnerabilities or detect Log4j attacks, in what is known as “virtual patching”. They recommend prioritizing Log4j mitigation.
Security solutions like firewalls and VPNs have become access points for attackers. Patching them has become increasingly difficult, especially in the era of architecture cloudification and remote work. It is recommended to pay close attention to these components as they are increasingly vulnerable.
How to Minimize Your Attack Surface and Gain Visibility into the Network#
To reduce the attack surface, security professionals need visibility into their networks. Visibility relies on three pillars:
Actionable information – that can be used to mitigate attacks
Reliable information – that minimizes the number of false positives
Timely information – to ensure mitigation happens before the attack has an impact
Once an organization has complete visibility to the activity on their network they can contextualize the data, decide whether the activity witnessed should be allowed, denied, monitored, restricted (or any other action) and then have the ability to enforce this decision. All these elements must be applied to every entity, be it a user, device, cloud app etc. All the time everywhere. That is what SASE is all about.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Any organization that handles sensitive data must be diligent in its security efforts, which include regular pen testing. Even a small data breach can result in significant damage to an organization’s reputation and bottom line.
There are two main reasons why regular pen testing is necessary for secure web application development:
Security: Web applications are constantly evolving, and new vulnerabilities are being discovered all the time. Pen testing helps identify vulnerabilities that could be exploited by hackers and allows you to fix them before they can do any damage.
Compliance: Depending on your industry and the type of data you handle, you may be required to comply with certain security standards (e.g., PCI DSS, NIST, HIPAA). Regular pen testing can help you verify that your web applications meet these standards and avoid penalties for non-compliance.
Many organizations, big and small, have once a year pen testing cycle. But what’s the best frequency for pen testing? Is once a year enough, or do you need to be more frequent?
The answer depends on several factors, including the type of development cycle you have, the criticality of your web applications, and the industry you’re in.
Agile development cycles are characterized by short release cycles and rapid iterations. This can make it difficult to keep track of changes made to the codebase and makes it more likely that security vulnerabilities will be introduced.
If you’re only testing once a year, there’s a good chance that vulnerabilities will go undetected for long periods of time. This could leave your organization open to attack.
To mitigate this risk, pen testing cycles should align with the organization’s development cycle. For static web applications, testing every 4-6 months should be sufficient. But for web applications that are updated frequently, you may need to test more often, such as monthly or even weekly.
Any system that is essential to your organization’s operations should be given extra attention when it comes to security. This is because a breach of these systems could have a devastating impact on your business. If your organization relies heavily on its web applications to do business, any downtime could result in significant financial losses.
For example, imagine that your organization’s e-commerce site went down for an hour due to a DDoS attack. Not only would you lose out on potential sales, but you would also have to deal with the cost of the attack and the negative publicity.
To avoid this scenario, it’s important to ensure that your web applications are always available and secure.
Non-critical web applications can usually get away with being tested once a year, but business-critical web applications should be tested more frequently to ensure they are not at risk of a major outage or data loss.
If all your web applications are internal, you may be able to get away with pen testing less frequently. However, if your web applications are accessible to the public, you must be extra diligent in your security efforts.
Web applications accessible to external traffic are more likely to be targeted by attackers. This is because there is a greater pool of attack vectors and more potential entry points for an attacker to exploit.
Customer-facing web applications also tend to have more users, which means that any security vulnerabilities will be exploited more quickly. For example, a cross-site scripting (XSS) vulnerability in an external web application with millions of users could be exploited within hours of being discovered.
To protect against these threats, it’s important to pen test customer-facing web applications more frequently than internal ones. Depending on the size and complexity of the application, you may need to pen test every month or even every week.
Certain industries are more likely to be targeted by hackers due to the sensitive nature of their data. Healthcare organizations, for example, are often targeted because of the protected health information (PHI) they hold.
If your organization is in a high-risk industry, you should consider conducting pen testing more frequently to ensure that your systems are secure and meet regulatory compliance. This will help protect your data and reduce the chances of a costly security incident.
You Don’t Have Internal Security Operations or a Pen testing Team#
This might sound counterintuitive, but if you don’t have an internal security team, you may need to conduct pen testing more frequently.
Organizations that don’t have dedicated security staff are more likely to be vulnerable to attacks.
Without an internal security team, you will need to rely on external pen testers to assess your organization’s security posture.
Depending on the size and complexity of your organization, you may need to pen test every month or even every week.
During a merger or acquisition, there is often a lot of confusion and chaos. This can make it difficult to keep track of all the systems and data that need to be secured. As a result, it’s important to conduct pen testing more frequently during these times to ensure that all systems are secure.
M&A also means that you are adding new web applications to your organization’s infrastructure. These new applications may have unknown security vulnerabilities that could put your entire organization at risk.
In 2016, Marriott acquired Starwood without being aware that hackers had exploited a flaw in Starwood’s reservation system two years earlier. Over 500 million customer records were compromised. This placed Marriott in hot water with the British watchdog ICO, resulting in 18.4 million pounds in fines in the UK. According to Bloomberg, there is more trouble ahead, as the hotel giant could “face up to $1 billion in regulatory fines and litigation costs.”
To protect against these threats, it’s important to conduct pen testing before and after an acquisition. This will help you identify potential security issues so they can be fixed before the transition is complete.
While periodic pen testing is important, it is no longer enough in today’s world. As businesses rely more on their web applications, continuous pen testing becomes increasingly important.
There are two main types of pen testing: time-boxed and continuous.
Traditional pen testing is done on a set schedule, such as once a year. This type of pen testing is no longer enough in today’s world, as businesses rely more on their web applications.
Continuous pen testing is the process of continuously scanning your systems for vulnerabilities. This allows you to identify and fix vulnerabilities before they can be exploited by attackers. Continuous pen testing allows you to find and fix security issues as they happen instead of waiting for a periodic assessment.
Continuous pen testing is especially important for organizations that have an agile development cycle. Since new code is deployed frequently, there is a greater chance for security vulnerabilities to be introduced.
Pen testing as a service models is where continuous pen testing shine. Outpost24’s PTaaS (Penetration-Testing-as-a-Service) platform enables businesses to conduct continuous pen testing with ease. The Outpost24 platform is always up-to-date with an organization’s latest security threats and vulnerabilities, so you can be confident that your web applications are secure.
Manual and automated pen testing: Outpost24’s PTaaS platform combines manual and automated pen testing to give you the best of both worlds. This means you can find and fix vulnerabilities faster while still getting the benefits of expert analysis.
Provides comprehensive coverage: Outpost24’s platform covers all OWASP Top 10 vulnerabilities and more. This means that you can be confident that your web applications are secure against the latest threats.
Is cost-effective: With Outpost24, you only pay for the services you need. This makes it more affordable to conduct continuous pen testing, even for small businesses.
Regular pen testing is essential for secure web application development. Depending on your organization’s size, industry, and development cycle, you may need to revise your pen testing schedule.
Once-a-year pen testing cycle may be enough for some organizations, but for most, it is not. For business-critical, customer-facing, or high-traffic web applications, you should consider continuous pen testing.
Outpost24’s PTaaS platform makes it easy and cost-effective to conduct continuous pen testing. Contact us today to learn more about our platform and how we can help you secure your web applications.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
The premise of this article’s headline is nonsense, sure, but it isn’t clickbait—I promise.
You’re almost certainly here because you searched for “best productivity apps.” I understand that impulse. You want to get more done in less time, which is about as universal a feeling as humans can have at work. The problem: productivity is deeply personal, and the words “productivity tools” mean a lot of different things to different people. What works for you may or may not work for me, which is why—after over a decade of writing about productivity software—I don’t really believe there are objectively “best” productivity apps.
I do, however, think there are categories of tools that can help you become a better version of yourself. Some of them work better for more people than others, and not everyone needs an app from every category. Knowing what kinds of apps exist, and what you should look for in an app, is more important than knowing what the “best” app in that category is.
Having said that, you’re here for software recommendations, not my personal reflections on the nature of productivity. So I’m going to go over the main kinds of productivity apps I think most humans who use electronic devices at work should know about. I’ll explain why I think each category is important, point to an app or two that I think will work well for most people, then offer links to other options if you want to learn more.
Just remember: the specific app doesn’t matter. The best productivity app is the one that works best for you. The most important thing is having a system. Sound good? Let’s jump in.
All of our best apps roundups are written by humans who’ve spent much of their careers using, testing, and writing about software. We spend dozens of hours researching and testing apps, using each app as it’s intended to be used and evaluating it against the criteria we set for the category. We’re never paid for placement in our articles from any app or for links to any site—we value the trust readers put in us to offer authentic evaluations of the categories and apps we review. For more details on our process, read the full rundown of how we select apps to feature on the Zapier blog.
We all have things we need to do—at work and in the rest of our lives. The worst place you could store those things, in my opinion, is in your mind. It’s just stressful: you’ll remember, at random moments, that there’s something you were supposed to be doing, and that memory will result in panic. Writing down everything you need to do allows you to make a plan, and (crucially) means you don’t have to panic.
Not everyone benefits from a dedicated to-do list app—some of the most productive people I know prefer sticky notes, email inboxes, or even spreadsheets. I think that’s great, so long as you have some place to record the things you need to do.
I think that Todoist, shown above, is a great to-do list app for most people. It’s easy to use but also offers a lot of features. It can also be installed on basically any device you can imagine, meaning your to-do list is always available. It allows you to assign due dates to tasks, sort tasks by project, or even view a project using a Kanban board. You don’t have to worry about those features if you don’t want to, though, which is why I think it’s a great starting point for someone who needs a to-do list.
If Todoist doesn’t work for you, though, check out our list of the best to-do list apps—it’s got a wide variety of recommendations. I, personally, use TickTick because I like how easy it is to add tasks, and I also can’t stop saying good things about Things for sheer simplicity on Apple devices. Find a tool you like—and that you remember to actually open. There’s nothing less useful than an app full of tasks you never look at.
Once you’ve picked your to-do list app, make the most of it with automation, so you can easily add tasks that come in by email, team chat apps, project management tools, or notes. Read more about automating your to-do list.
There are only so many hours in the day, unfortunately, which means you have to budget them. A calendar is how you do that. You could use a paper wall calendar, sure, but a calendar app lets you invite other people to an event. Also, in a world where so many meetings are virtual, calendar apps give you a useful place to store the link to your Zoom call.
I think that Google Calendar, shown above, is the right calendar app for most people—particularly people who already use Gmail. Google Calendar is easy to load on any device, lets you see your calendar in several different views, and makes it easy to invite anyone else to any event or meeting you happen to plan. I could writemultiplearticlesonGoogle Calendar features (and I have). This app does everything any other app can do, and more, all while being pretty easy to use.
If Google Calendar doesn’t work for you, though, check out our list of the best calendar apps for more options. Microsoft Outlook is a solid alternative, as is the Calendar app that comes with all Apple devices.
I’d also consider looking into some kind of meeting scheduling app. These apps let anyone sign up for appointments with you, which is particularly useful if you have a meeting-heavy calendar. Calendly, shown below, is a solid option, with a lot of customizability and the ability to sync with Google Calendar. You can check out our list of the best meeting schedulers for a more complete rundown of Calendly and other options.
Once you choose a calendar app, take it to the next level. With automation, you can do things like automatically turn calendar events into tasks on your to-do list or use forms to create calendar events. Here’s how you can bring context to your calendar by connecting other apps.
I’m constantly taking notes: before and during meetings; while researching an article; while brewing beer. And I think most people have some class of information they’ll need to reference later that doesn’t quite meet the threshold of a “document.” Who wants a sprawling series of folders with all of that information?
This, to me, is what note-taking apps are for: quickly writing things down so you can read them later and (hopefully) follow up. They also work well as a personal journal, or a place to store files related to a particular project.
OneNote, above, is probably the note-taking app most people should try first. It’s free—so long as you don’t run out of OneDrive storage—and it gives you all kinds of ways to organize notes, from notebooks to sections to sub-headers. It also has powerful search, which includes the scanned contents of any images or PDFs you might drop in a note.
But OneNote isn’t the only option. You should check out our list of the best note-taking apps for more choices. If you loved Evernote back in the day, you should check out Joplin, which is a completely free and open source replacement for that app. And I personally love Obsidian, which turns your notes into an entire database, complete with internal links and an extensive plugin collection. There are a lot of good choices out there—find something that lets you write things down and dig them up later.
I’ve never tried to work in the middle of an amusement park, but I imagine it would be distracting. The internet is worse. Everything you could possibly imagine is available, all delivered by brilliant engineers who are doing everything they can to keep you looking at more and more and more of it. It’s understandable if you have trouble getting stuff done in that context, which is why apps that block distractions are so helpful.
Freedom is a great tool for the job. It runs on every platform and can block distractions—both websites and apps—on all of your devices. That means you can’t, for example, block Twitter on your computer only to pick up your phone and look at it there. With Freedom, you can set up multiple block lists, then start timers for any of them.
I personally love Serene, which combines distraction blocking with a sort of to-do list. You say what you want to do and how long it will take, then you start a distraction-free session to work on it. There’s also Cold Turkey Blocker, which can optionally prevent you from changing the time settings on your computer as a way of working around the block you set up. You’ve got more choices, though, particularly if you’re a Mac user. Check out our list of the best distraction blockers to learn more.
Remember: the internet is distracting on purpose. There’s no shame in using a tool to build discipline.
My dentist tells me I should brush my teeth twice a day, and I believe him, but I tended to only brush at night. I used a habit tracker to change that.
These applications might sound similar to a to-do list, but they’re very different. You can’t add individual tasks to a habit tracker—only recurring ones. The idea is to set an intention to do something regularly, then keep track of how often you regularly do it. Eventually, you have a streak going, which psychologically motivates you to keep it up until the habit becomes second nature. Don’t laugh—it works.
We recommend checking out Streaks, shown above, for iPhone and HabitNow, below, for Android. These apps both live on your phone, which is the place you’re most likely to look. They both let you create a list of habits you’d like to build, then remind you about that intention. They also both show you your progress in various ways.
They’re not the only options, however; check out our list of the best habit tracker apps for more ideas. Also keep in mind that some to-do lists have habit-tracking capabilities built right in. I, personally, use TickTick‘s built-in habit tracker—I love it. And some people use a paper calendar for tracking a simple habit—just add an X every day you stick to your habit.
I’d love to read articles or watch YouTube videos all day. We all would. Sometimes, though, you have to do something else—even though your friend just sent you a really, really interesting article. That’s where read-it-later apps come in. They let you quickly save something you intend to read, so that you can come back to it when you have time.
I think that Pocket, above, is the app of choice in this class. It’s free to use, offers extensions for every major browser, and also has great mobile versions that sync your articles for offline reading. There’s even built-in support for highlighting, then reviewing your highlights later.
Instapaper is a close second, and it even lets you send articles to your Kindle. These aren’t your only choices, though—check out our list of the best read-it-later apps for some more options. It’s also worth noting that some people use bookmarking apps or even note-taking apps for the same purpose, and that’s great—they both make it easy to save things for future reference.
Automate the process of saving articles by connecting your read-it-later app to Zapier. Here are some ideas to get you started.
Whether it’s for a quick presentation or troubleshooting a problem, sometimes recording what’s on your screen and sharing it just makes life easier. Screen recording tools are perfect for this, allowing you to quickly record your screen, your voice, and even your face if you have a webcam.
Loom is a great first tool to check out in this category. It’s easy to set up, works on all major platforms, and makes it really simple to share recordings. You can even add your face, via a webcam, to the recording.
I personally use Zappy, which was originally an internal tool used by Zapier. It’s honestly the best screenshot tool I’ve ever used, and it’s free—if you use a Mac, it’s worth a try. Check out our list of the best screen recording tools for more options, and keep in mind you can actually record your screen without any software, if you don’t mind managing the file yourself.
Want to share your screen in real-time? You need a screen sharing tool (Zoom works pretty well, surprisingly).
Other productivity tools worth checking out
This article could go on forever. There’s no end to great software out there, and I love writing about it. I think the above categories should save you all kinds of time—and take up plenty of your time to set up—but here are a few other suggestions if you’re feeling particularly motivated.
Password managers, like LastPass or 1Password, help you generate random passwords for all of your different services without the need for memorization. This is great for security, but it also makes logging in to stuff faster. Here’s a list of the best password managers.
Mobile scanning apps, like Microsoft Lens, let you scan documents using your phone while also digitizing any text using optical character recognition (OCR). Check out our list of the best mobile scanning OCR apps for more choices.
Time tracking apps, like Toggl Track, are great for keeping track of how long projects take and making sure you’re not spending too much time on the wrong things. Take a look at our list of the best time tracking apps to find the right one for you.
Mind mapping software, like Coggle, helps you map the connections between different ideas while you’re brainstorming. Here are our picks for the best mind mapping software.
AI software, like OpenAI, could make all kinds of tasks easier in the future. It’s early, granted, but I already find it useful when I’m in the brainstorming phase of a project—I can ask the bot to generate ideas.
Once you have apps set up in some of these categories, you can take the whole productivity thing even further. Automation software like ours at Zapier connects all the other apps you use, with workflows you can build yourself—no code required. Like the tools above, Zapier won’t solve every problem you have, but it’s a great way to connect tools that otherwise don’t integrate well—which means you can use the best tools for you, as opposed to the tools that happen to play nice together. And it’s not limited to productivity—eventually, you’ll find yourself automating even your most business-critical workflows.
Plus, if you sign up for Zapier, we’ll be able to write more useful articles like this one. Here are five things you should automate today to get started.
This post was originally published in September 2018 by Matthew Guay. The most recent update was in December 2022.
There are too many to-do list apps. Trying them all would be a massive task, and I know because I did.
Why are there so many apps for something easily done on sticky notes? Because managing tasks is an intensely personal thing. People will reject anything that doesn’t feel right. That’s a good instinct, but it makes it hard to find the right app.
To that end, we’ve been hard at work researching the best to-do apps, trying to find the right ones for various use cases. Research for these pieces was exhaustive. We started by finding the best apps for every platform: Android, Windows, macOS, and iPhone/iPad. We then tried the top-rated apps in every respective app store, and spent way too much time migrating our personal to-do lists from one app to another.
And now I’m offering you what I feel is the cream of the crop. Whatever you’re looking for, one of these apps is going to be right for you. Click on any app to learn more about why I chose it, or keep reading for more context on to-do list apps.
Other options, including project management software, note-taking apps, and other tools that can do the job
What makes the best to-do list app?
How we evaluate and test apps
All of our best apps roundups are written by humans who’ve spent much of their careers using, testing, and writing about software. We spend dozens of hours researching and testing apps, using each app as it’s intended to be used and evaluating it against the criteria we set for the category. We’re never paid for placement in our articles from any app or for links to any site—we value the trust readers put in us to offer authentic evaluations of the categories and apps we review. For more details on our process, read the full rundown of how we select apps to feature on the Zapier blog.
I’ve written about technology in general, and productivity specifically, since 2009. In that time, I’ve personally tried basically every to-do list app that has come out, and I’m usually depending on at least one of them to function.
Of course, when it comes to managing a to-do list online, everyone has different criteria. I kept this in mind as I tested, and I noticed a few features that made certain apps stand out.
The best to-do list apps:
Make it fast to add and organize tasks. Ideally, a task is added and categorized in a couple taps or keystrokes.
Offer multiple ways to organize your tasks. Tags, lists, projects, and due dates are all helpful, and the best to-do apps offer at least a few categories like this.
Remind you about self-imposed deadlines. Notifications, widgets, emails—if you’re using an online to-do list, it should help you track what needs to happen when.
Offer clean user interfaces. The best to-do app fits into your workflow so you can get back to what you’re supposed to be doing.
Sync between every platform you use. Which platforms will depend on what you personally use, but I didn’t consider anything that doesn’t sync between desktop and mobile.
I tried to find the task list apps that balance these things in various ways. None of these options will be right for everyone, but hopefully one of them is right for you. Let’s dive in.
Make 2023 your most efficient year yet
Start the year off right with our five-email course that helps you streamline work across your whole business.
Todoist isn’t the most powerful to-do list website out there. It’s also not the simplest. That’s kind of the point: this app balances power with simplicity, and it does so while running on basically every platform that exists. That’s a strong selling point—which is probably why Todoist is one of the most popular to-do lists right now.
Adding tasks was quick on every platform in my tests, thanks in part to natural language processing (type “buy milk Monday” and the task “buy milk” will be added with the next Monday set as your due date). You can put new tasks in your Inbox and then move them to relevant projects; you can also set due dates. Paid users can create custom filters and labels, and there are also some basic collaboration features.
Todoist is flexible enough to adapt to most workflows but not so complicated as to overwhelm. And it adds new features regularly: you can view projects as a Kanban board, for example, and navigating the app by keyboard is much smoother after recent updates. Overall, this is a great first to-do list app to try out, especially if you don’t know where to start.
Todoist also integrates with Zapier, which means you can automatically create tasks in Todoist whenever something happens in one of your favorite apps. Here are some examples.
Add new Google Calendar events to Todoist as tasks
Best to-do list app with embedded calendars and timers
TickTick(Web, Android, Windows, macOS, iPhone and iPad)
TickTick is a fast-growing task list app that offers a wide array of features on just about every platform you can imagine. Adding tasks is quick thanks to natural language processing. There’s also a universal keyboard shortcut offered on the desktop versions and pinned notifications and widgets on mobile, which makes it quick to add a task before getting back to what you’re doing. Tasks can be organized using lists, tags, and due dates, and there’s also the ability to add subtasks to any task.
TickTick offers all of this with apps that feel native—the macOS version is distinct from the Windows version, for example, in ways that make sense given the differences between those two systems. TickTick also offers a few features that are above and beyond what other apps offer.
First, there’s a built-in Pomodoro timer, allowing you to start a 25-minute work session for any of your tasks (complete with numerous white noise options, if you want). Second, there’s integration with various third-party calendars, allowing you to see your tasks and your appointments in one place, and even do some time blocking. There’s also a built-in habit-tracking tool, allowing you to review how many days you did or didn’t stick to your exercise and diet commitments. And an Eisenhower Matrix view allows you to prioritize your tasks based on what’s urgent and what’s important. It’s a great collection of features, unlike anything else on the market.
With TickTick’s Zapier integration, you can connect TickTick to the other tools in your tech stack to automatically create tasks whenever you get new leads, deals, or emails.
In 2015, Microsoft bought Wunderlist and put that team to work on a new to-do list app. Microsoft To Do is the result of that, and you can find Wunderlist’s DNA throughout the project. The main interface is clean and friendly, adding tasks is quick, but there’s a lot of flexibility below the surface.
But the real standout feature here is the deep integration with Microsoft’s ecosystem. Any email flagged in Outlook, for example, shows up as a task. Outlook users can also sync their tasks from that app over to Microsoft To Do, meaning there’s finally a way to sync Outlook tasks to mobile. Windows users can add tasks using Cortana or by typing in the Start menu. For example, you can type “add rice to my shopping list,” and rice will be added to a list called “shopping.” If you’re a Windows user and an Outlook user, this is the app for you.
This is also the prettiest to-do list app on the market, in my opinion. You can set custom background images for every one of your lists, allowing you to tell at a glance which list you’re looking at. You’re going to be looking at your task list all day—it might as well look good.
Microsoft To Do integrates with Zapier, which means you can make sure Microsoft To Do is talking to all the other apps you use, not just the Microsoft ones. Here are some examples to get started.
Create Workboard action items from new tasks in Microsoft To-Do
To-do list apps tend to fall into two categories: the complex and the minimalist. Things is somehow both.
That’s about the highest praise I can give a to-do list app. This is an app with no shortage of features, and yet it always feels simple to use. Adding tasks is quick and so is organizing them, but there’s seemingly no end of variation in ways to organize them. Areas can contain tasks or projects; projects can contain tasks or headers that can also contain tasks; and tasks can contain subtasks if you want. It sounds confusing, but it isn’t, which really speaks to how well Things is designed.
Other apps offer these features, but Things does it in a way that never feels cluttered, meaning you can quickly be done with looking at your to-do list and get back to whatever it is you’re doing. Combine this blend of functionality and beauty with features like a system-wide tool for quickly adding tasks, integration with your calendar so you can see your appointments while planning your day, intuitive keyboard shortcuts, reminders with native notifications, and syncing to an iPhone and iPad app.
The only downside here is the complete lack of versions for Windows and Android, though this decision is probably part of what allows the team to focus on making such a clean product. If you’re an Apple user, you owe it to yourself to try out Things.
You can automatically add to-dos to Things from your other apps with Things’ integrations on Zapier. Here’s some inspiration.
OmniFocus is nothing if not flexible. This Apple-exclusive application is built around the Getting Things Done (GTD) philosophy trademarked by David Allen, but an array of features means it can be used for just about any organizational system you can imagine. There are three different kinds of projects you can set up, for example, depending on whether you need to do tasks in a specific order or not. There are six main views by default, allowing you to organize your tasks by things like due date, projects, and tags. You can even add more views, assuming you have the Pro version.
You get the idea. OmniFocus is a power user’s dream, with more features than anyone can hope to incorporate into a workflow, which is kind of the point: if there’s a feature you want, OmniFocus has it, so you can organize your tasks basically any way you can imagine.
Syncing is offered only between Apple devices. There’s a web version that’s intended for occasional usage away from your Apple machines, but non-Apple users should probably look elsewhere.
You can connect OmniFocus to your other favorite apps with OmniFocus’s Zapier integration. Whenever something happens in another app that you want to keep track of in OmniFocus, Zapier will automatically send it there.
Create OmniFocus tasks from new saved Slack messages
OmniFocus price: From $99.99/year for the recurring plan, which includes all apps and the web version. Also available as a one-time purchase from $49.99 (14-day free trial).
Games are fantastic at motivating mundane activity—how else can you explain all that time you’ve spent on mindless fetch quests? Habitica, formerly known as HabitRPG, tries to use principles from game design to motivate you to get things done, and it’s remarkably effective. You can add tasks, daily activities, and habits to a list. You also have a character, who levels up when you get things done and takes damage when you put things off. You can also earn in-game currency for buying offline rewards, such as a snack, or in-game items like weapons or even silly hats.
This is even better when you join a few friends and start a party. You can all fight bosses together, but be careful: fail to finish some tasks on time and your friends will take damage. If that doesn’t motivate you, nothing will.
What’s the downside? Habitica isn’t a great to-do list for managing long-term projects, so you might need something else for that. But if motivation is your problem, Habitica is well worth a spin.
Habitica price: Free version available; paid version from $5/month.
If you live in Gmail and Google Calendar, Google Tasks is an obvious free to-do list app to try out. That’s because it lives right in the sidebar of those two apps, and offers more than a few integrations. Plus, there’s a dedicated mobile app.
The app itself is spartan. Adding tasks is quick, particularly if you spend a lot of time in Gmail anyway, but there’s not a lot of organizational offerings. There are due dates, lists, descriptions, subtasks, and the ability to “Star” tasks. There’s not much beyond that, which is ok. On the desktop, the integration with Gmail is a key selling point. You can drag an email to Google Tasks to turn it into a task, for example. You also can see your tasks on your Google Calendar, if you want.
The best to-do app is one that’s always handy. If you’re the kind of person who always has Gmail open on your computer, it’s hard for any app to be handier than Google Tasks. The mobile versions make those tasks accessible on the go.
You can automatically move information between Google Tasks and your other apps with Google Tasks’ integration on Zapier. Here are a few examples of workflows you can automate, so you can stop manually moving your tasks.
Any.do offers a really slick mobile app that makes it quick to add tasks, organize them into lists, and add due dates. But where it really shines is with its daily “Plan my Day” feature, which forces you to schedule when you’ll accomplish your various tasks, so that you remember to actually do things. Any.do also integrates nicely with Google and Outlook calendars, allowing you to see your appointments and your tasks in one place. This is exactly what you need if you’re the kind of person who adds things to a list and forgets about them.
The desktop version isn’t quite as slick as the mobile version—it feels cluttered and is more than a little confusing. Still, Any.do’s mobile version alone makes a compelling reason to give it a shot, especially if that’s where you do most of your task management.
Any.do integrates with Zapier, so you can automatically add tasks to Any.do whenever there’s a new calendar event, note, or task in your other apps.
Any.do price: Free version available; paid version from $2.99/month.
Other to-do list options
We focused on dedicated to-do list apps in this roundup, but plenty of other software can fulfill the same function. Here are a few ideas if none of the above quite fit what you’re looking for:
Project management apps like Trello and Asana can be used as to-do lists, especially if you already use them to manage your other work.
Note-taking apps like Evernote, OneNote, and Google Keep also have to-do list features, if you want to combine your to-do lists and notes.
