From 10471b4683b14befc8116b3d522cef2f42e42ac8 Mon Sep 17 00:00:00 2001 From: DrIOS <58635327+DrIOSX@users.noreply.github.com> Date: Wed, 12 Jun 2024 12:24:25 -0500 Subject: [PATCH] docs: Comment conditions on each test --- source/helper/TestDefinitions.csv | 16 ++--- source/tests/Test-BlockChannelEmails.ps1 | 66 +++++++++++-------- source/tests/Test-DialInBypassLobby.ps1 | 14 ++++ .../Test-DisallowInfectedFilesDownload.ps1 | 22 ++++++- source/tests/Test-GuestAccessExpiration.ps1 | 56 ++++++++++------ source/tests/Test-LinkSharingRestrictions.ps1 | 14 ++++ source/tests/Test-ModernAuthSharePoint.ps1 | 21 +++++- source/tests/Test-NoAnonymousMeetingJoin.ps1 | 14 ++++ source/tests/Test-NoAnonymousMeetingStart.ps1 | 19 +++++- .../Test-OneDriveContentRestrictions.ps1 | 16 +++++ .../tests/Test-OneDriveSyncRestrictions.ps1 | 18 ++++- source/tests/Test-OrgOnlyBypassLobby.ps1 | 17 +++++ source/tests/Test-ReauthWithCode.ps1 | 16 +++++ source/tests/Test-RestrictCustomScripts.ps1 | 17 ++++- source/tests/Test-RestrictExternalSharing.ps1 | 21 ++++++ .../Test-RestrictStorageProvidersOutlook.ps1 | 19 +++++- source/tests/Test-SharePointAADB2B.ps1 | 17 ++++- .../Test-SharePointExternalSharingDomains.ps1 | 19 +++++- .../Test-SharePointGuestsItemSharing.ps1 | 17 ++++- source/tests/Test-TeamsExternalAccess.ps1 | 16 ++++- .../tests/Test-TeamsExternalFileSharing.ps1 | 10 ++- 21 files changed, 370 insertions(+), 75 deletions(-) diff --git a/source/helper/TestDefinitions.csv b/source/helper/TestDefinitions.csv index d94e425..63434ec 100644 --- a/source/helper/TestDefinitions.csv +++ b/source/helper/TestDefinitions.csv 
@@ -28,14 +28,14 @@ 27,Test-MailTipsEnabled.ps1,6.5.2,Ensure MailTips are enabled for end users,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO 28,Test-RestrictStorageProvidersOutlook.ps1,6.5.3,Ensure additional storage providers are restricted in Outlook on the web,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,EXO 29,Test-ModernAuthSharePoint.ps1,7.2.1,Modern Authentication for SharePoint Applications,E3,L1,3.1,Encrypt Sensitive Data in Transit,FALSE,TRUE,TRUE,TRUE,SPO -30,Test-SharePointAADB2B.ps1,7.2.2,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO -31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,TRUE,TRUE,TRUE,TRUE,SPO -32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure external content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO -33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO -34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO -35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO -36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,FALSE,FALSE,FALSE,TRUE,SPO -37,Test-ReauthWithCode.ps1,7.2.10,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO +30,Test-SharePointAADB2B.ps1,7.2.2,Ensure SharePoint and OneDrive integration with Azure AD B2B is 
enabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO +31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure external content sharing is restricted,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO +32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO +33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO +34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO +35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO +36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO +37,Test-ReauthWithCode.ps1,7.2.10,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO 38,Test-DisallowInfectedFilesDownload.ps1,7.3.1,Ensure Office 365 SharePoint infected files are disallowed for download,E5,L2,10.1,Deploy and Maintain Anti-Malware Software,TRUE,TRUE,TRUE,TRUE,SPO 39,Test-OneDriveSyncRestrictions.ps1,7.3.2,Ensure OneDrive sync is restricted for unmanaged devices,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO 40,Test-RestrictCustomScripts.ps1,7.3.4,Ensure custom script execution is restricted on site collections,E3,L1,2.7,Allowlist Authorized Scripts,FALSE,FALSE,TRUE,TRUE,SPO diff --git a/source/tests/Test-BlockChannelEmails.ps1 b/source/tests/Test-BlockChannelEmails.ps1 index 5165b61..a6f2827 100644 --- a/source/tests/Test-BlockChannelEmails.ps1 
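Review bot: Rows 31 and 36 change their CIS-control columns together with their titles (31 goes from `0,Explicitly Not Mapped` to `3.3,Configure Data Access Control Lists`, 36 the reverse), while rows 30, 32–35 and 37 keep the control and IG columns they had before the titles were realigned. Since the fix shifts every title by one row, it is not obvious from the diff alone which control mapping and IG flags belong to which test; each of rows 30–37 should be checked against the benchmark rather than assumed to have stayed with the row number. The Level column is consistent with the `(L1)`/`(L2)` headers in the test scripts touched by this commit, so only the mapping columns need the check.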
+++ b/source/tests/Test-BlockChannelEmails.ps1 
@@ -16,36 +16,50 @@ function Test-BlockChannelEmails { process { try { - # 8.1.2 (L1) Ensure users can't send emails to a channel email address + # 8.1.2 (L1) Ensure users can't send emails to a channel email address + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`. + # - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center. + # - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`. + # - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center. + # - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled. 
- # Retrieve Teams client configuration - $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global - $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel + # Retrieve Teams client configuration + $teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global + $allowEmailIntoChannel = $teamsClientConfig.AllowEmailIntoChannel - # Prepare failure reasons and details based on compliance - $failureReasons = if ($allowEmailIntoChannel) { - "Emails can be sent to a channel email address" - } - else { - "N/A" - } + # Prepare failure reasons and details based on compliance + $failureReasons = if ($allowEmailIntoChannel) { + "Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True + } + else { + "N/A" # Condition A Pass: AllowEmailIntoChannel is False + } - $details = if ($allowEmailIntoChannel) { - "AllowEmailIntoChannel is set to True" - } - else { - "AllowEmailIntoChannel is set to False" - } + $details = if ($allowEmailIntoChannel) { + "AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed + } + else { + "AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked + } - # Create and populate the CISAuditResult object - $params = @{ - Rec = $recnum - Result = -not $allowEmailIntoChannel - Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons - } - $auditResult = Initialize-CISAuditResult @params + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = -not $allowEmailIntoChannel + Status = if (-not $allowEmailIntoChannel) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } catch { Write-Error "An error occurred during the test: $_" diff --git a/source/tests/Test-DialInBypassLobby.ps1 b/source/tests/Test-DialInBypassLobby.ps1 index b7088ee..52f7afd 100644 
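Review bot: The inline `# Condition B Fail: Emails are allowed` / `# Condition B Pass: Emails are blocked` labels on the `$details` branches point at the admin-center UI condition, but both branches, like `$failureReasons`, are derived from the same `$allowEmailIntoChannel` value, so the script only ever evaluates Condition A; labelling them `# Condition A (same property; B and C are manual checks)` — or stating in the header that the automated test covers Condition A only — would stop a reader from assuming the UI and separate PowerShell verifications are performed. The same header pattern in Test-DialInBypassLobby.ps1, Test-DisallowInfectedFilesDownload.ps1, Test-LinkSharingRestrictions.ps1, Test-NoAnonymousMeetingJoin.ps1 and Test-NoAnonymousMeetingStart.ps1 lists UI/admin-center conditions that those scripts do not check either. Separately, this hunk re-indents every line of the `try` body (as does Test-GuestAccessExpiration.ps1), which buries the comment additions in a whole-block diff; keeping whitespace-only changes in their own commit would make review and future `git blame` easier. The function's `catch` and end lie outside the hunk.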
--- a/source/tests/Test-DialInBypassLobby.ps1
+++ b/source/tests/Test-DialInBypassLobby.ps1
@@ -17,6 +17,20 @@ function Test-DialInBypassLobby {
 try {
 # 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
+ # - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
+ # - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
+ # - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
+ # - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
 # Retrieve Teams meeting policy for PSTN users
 $CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
diff --git a/source/tests/Test-DisallowInfectedFilesDownload.ps1 b/source/tests/Test-DisallowInfectedFilesDownload.ps1
index 514dda7..b9e72af 100644
--- a/source/tests/Test-DisallowInfectedFilesDownload.ps1
+++ b/source/tests/Test-DisallowInfectedFilesDownload.ps1
@@ -18,24 +18,40 @@ function Test-DisallowInfectedFilesDownload { try { # 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `DisallowInfectedFileDownload` setting is set to `True`. + # - Condition B: The setting prevents users from downloading infected files as detected by Defender for Office 365. + # - Condition C: Verification using the PowerShell command confirms that the setting is correctly configured. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `DisallowInfectedFileDownload` setting is not set to `True`. + # - Condition B: The setting does not prevent users from downloading infected files. + # - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured. # Retrieve the SharePoint tenant configuration $SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload + + # Condition A: The `DisallowInfectedFileDownload` setting is set to `True` $isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload # Prepare failure reasons and details based on compliance $failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) { - "Downloading infected files is not disallowed." + "Downloading infected files is not disallowed." 
# Condition B: The setting does not prevent users from downloading infected files } else { "N/A" } $details = if ($isDisallowInfectedFileDownloadEnabled) { - "DisallowInfectedFileDownload: True" + "DisallowInfectedFileDownload: True" # Condition C: Verification confirms the setting is correctly configured } else { - "DisallowInfectedFileDownload: False" + "DisallowInfectedFileDownload: False" # Condition C: Verification indicates the setting is incorrectly configured } # Create and populate the CISAuditResult object diff --git a/source/tests/Test-GuestAccessExpiration.ps1 b/source/tests/Test-GuestAccessExpiration.ps1 index 986c8d7..782b9d7 100644 --- a/source/tests/Test-GuestAccessExpiration.ps1 +++ b/source/tests/Test-GuestAccessExpiration.ps1 
@@ -17,31 +17,45 @@ function Test-GuestAccessExpiration { process { try { - # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically + # 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The ExternalUserExpirationRequired setting in SharePoint is set to True. + # - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to 30 or less. + # - Condition C: Verification using the SharePoint Admin Center confirms that guest access will expire automatically after the specified number of days. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The ExternalUserExpirationRequired setting in SharePoint is not set to True. + # - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to more than 30 days. + # - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days. 
- # Retrieve SharePoint tenant settings related to guest access expiration - $SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays - $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30 + # Retrieve SharePoint tenant settings related to guest access expiration + $SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays + $isGuestAccessExpirationConfiguredCorrectly = $SPOTenantGuestAccess.ExternalUserExpirationRequired -and $SPOTenantGuestAccess.ExternalUserExpireInDays -le 30 - # Prepare failure reasons and details based on compliance - $failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) { - "Guest access expiration is not configured to automatically expire within 30 days or less." - } - else { - "N/A" - } + # Prepare failure reasons and details based on compliance + $failureReasons = if (-not $isGuestAccessExpirationConfiguredCorrectly) { + "Guest access expiration is not configured to automatically expire within 30 days or less." 
+ } + else { + "N/A" + } - $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)" + $details = "ExternalUserExpirationRequired: $($SPOTenantGuestAccess.ExternalUserExpirationRequired); ExternalUserExpireInDays: $($SPOTenantGuestAccess.ExternalUserExpireInDays)" - # Create and populate the CISAuditResult object - $params = @{ - Rec = $recnum - Result = $isGuestAccessExpirationConfiguredCorrectly - Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons - } - $auditResult = Initialize-CISAuditResult @params + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $isGuestAccessExpirationConfiguredCorrectly + Status = if ($isGuestAccessExpirationConfiguredCorrectly) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } catch { Write-Error "An error occurred during the test: $_" diff --git a/source/tests/Test-LinkSharingRestrictions.ps1 b/source/tests/Test-LinkSharingRestrictions.ps1 index 24cd22b..5f41fe8 100644 --- a/source/tests/Test-LinkSharingRestrictions.ps1 +++ b/source/tests/Test-LinkSharingRestrictions.ps1 
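Review bot: The single failure string `"Guest access expiration is not configured to automatically expire within 30 days or less."` merges header Conditions A and B, so a failing result never says whether `ExternalUserExpirationRequired` is off or `ExternalUserExpireInDays` exceeds 30, and — unlike the sibling files in this commit — no Condition A/B labels were added at the point of evaluation. Branching the failure reason on the two properties separately, as below, leaves `Result`/`Status` unchanged (`-not (A -and B -le 30)` is the same as `-not A -or B -gt 30` for numeric values) while making the reason match the documented conditions. Note also that a `$null` left operand makes `$null -le 30` evaluate to True in PowerShell, so a tenant that returns no `ExternalUserExpireInDays` value would satisfy Condition B; worth confirming whether that can occur. The function's `catch` and end lie outside the hunk.
```powershell
# Prepare failure reasons and details based on compliance
$failureReasons = if (-not $SPOTenantGuestAccess.ExternalUserExpirationRequired) {
    "Guest access expiration is not required (ExternalUserExpirationRequired is False)." # Condition A Fail
}
elseif ($SPOTenantGuestAccess.ExternalUserExpireInDays -gt 30) {
    "Guest access expires after more than 30 days (ExternalUserExpireInDays is $($SPOTenantGuestAccess.ExternalUserExpireInDays))." # Condition B Fail
}
else {
    "N/A" # Conditions A and B Pass
}
# … unchanged: $details and CISAuditResult construction …
```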
@@ -17,6 +17,20 @@ function Test-LinkSharingRestrictions {
 process {
 try {
 # 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is set to `Direct`.
+ # - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is set to `Specific people (only the people the user specifies)`.
+ # - Condition C: Verification using the UI confirms that the link sharing settings are configured as recommended.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is not set to `Direct`.
+ # - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is not set to `Specific people (only the people the user specifies)`.
+ # - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended.
 # Retrieve link sharing configuration for SharePoint and OneDrive
 $SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
diff --git a/source/tests/Test-ModernAuthSharePoint.ps1 b/source/tests/Test-ModernAuthSharePoint.ps1
index c56ef59..66d6614 100644
--- a/source/tests/Test-ModernAuthSharePoint.ps1
+++ b/source/tests/Test-ModernAuthSharePoint.ps1
@@ -9,8 +9,25 @@ function Test-ModernAuthSharePoint { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed $recnum = "7.2.1" + + <# + # Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required + + ## Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The setting "Apps that don't use modern authentication" is set to "Block access" in the SharePoint admin center. + # - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `False`. + + ## Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The setting "Apps that don't use modern authentication" is not set to "Block access" in the SharePoint admin center. + # - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `True`. + #> } process { @@ -21,13 +38,13 @@ function Test-ModernAuthSharePoint { # Prepare failure reasons and details based on compliance $failureReasons = if (-not $modernAuthForSPRequired) { - "Legacy authentication protocols are enabled" + "Legacy authentication protocols are enabled" # Fail Condition B } else { "N/A" } - $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" + $details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B # Create and populate the CISAuditResult object $params = @{ diff --git a/source/tests/Test-NoAnonymousMeetingJoin.ps1 b/source/tests/Test-NoAnonymousMeetingJoin.ps1 index e28ebdb..e859a53 100644 --- a/source/tests/Test-NoAnonymousMeetingJoin.ps1 +++ b/source/tests/Test-NoAnonymousMeetingJoin.ps1 
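Review bot: The condition block added to `begin` is a `<# … #>` block comment whose inner lines still start with `#` (and `##` for the two headings), so those characters are literal text inside the block comment rather than comment markers, and the block sits in `begin` while the other tests in this commit put the same text as `#` line comments at the top of `process`; dropping the inner `#` prefixes or using line comments in `process` like the siblings would keep the series uniform, and Test-ReauthWithCode.ps1 has the same mixed `<# … #>`-plus-`#` form. In the second hunk, `# Fail Condition B` on the failure string is accurate if `$modernAuthForSPRequired` is derived from `LegacyAuthProtocolsEnabled` (its assignment is outside the hunk), but Condition A — the admin-center setting — is never evaluated by the script, which the header could say explicitly. Both hunks cut through the function: `begin` opens and `process` continues outside them.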
@@ -16,6 +16,20 @@ function Test-NoAnonymousMeetingJoin {
 process {
 try {
 # 8.5.1 (L2) Ensure anonymous users can't join a meeting
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
+ # - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
+ # - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
+ # - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
+ # - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
 # Connect to Teams PowerShell using Connect-MicrosoftTeams
diff --git a/source/tests/Test-NoAnonymousMeetingStart.ps1 b/source/tests/Test-NoAnonymousMeetingStart.ps1
index 5ffa6e2..0a9b2dc 100644
--- a/source/tests/Test-NoAnonymousMeetingStart.ps1
+++ b/source/tests/Test-NoAnonymousMeetingStart.ps1
@@ -16,9 +16,24 @@ function Test-NoAnonymousMeetingStart { process { try { # 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`. + # - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby. + # - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`. + # - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby. + # - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`. # Connect to Teams PowerShell using Connect-MicrosoftTeams + # Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings $CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting $anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting 
@@ -27,10 +42,10 @@ function Test-NoAnonymousMeetingStart { "N/A" } else { - "Anonymous users and dial-in callers can start a meeting" + "Anonymous users and dial-in callers can start a meeting" # Condition A and B } - $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" + $details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C # Create and populate the CISAuditResult object $params = @{ diff --git a/source/tests/Test-OneDriveContentRestrictions.ps1 b/source/tests/Test-OneDriveContentRestrictions.ps1 index 0043aa9..a87ffd1 100644 --- a/source/tests/Test-OneDriveContentRestrictions.ps1 +++ b/source/tests/Test-OneDriveContentRestrictions.ps1 
@@ -7,6 +7,22 @@ function Test-OneDriveContentRestrictions { ) begin { + # 7.2.4 (L2) Ensure OneDrive content sharing is restricted + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The OneDriveSharingCapability setting is configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`. + # - Condition B: The OneDriveSharingCapability is set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive. + # - Condition C: OneDrive content sharing is not more permissive than SharePoint content sharing. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The OneDriveSharingCapability setting is not configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`. + # - Condition B: The OneDriveSharingCapability is not set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive. + # - Condition C: OneDrive content sharing is more permissive than SharePoint content sharing. + # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed diff --git a/source/tests/Test-OneDriveSyncRestrictions.ps1 b/source/tests/Test-OneDriveSyncRestrictions.ps1 index 436899a..4a6d0fb 100644 --- a/source/tests/Test-OneDriveSyncRestrictions.ps1 +++ b/source/tests/Test-OneDriveSyncRestrictions.ps1 
@@ -16,12 +16,27 @@ function Test-OneDriveSyncRestrictions { process { try { # 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Verify that "Allow syncing only on computers joined to specific domains" is enabled. + # - Condition B: Check that "TenantRestrictionEnabled" is set to True. + # - Condition C: Ensure that "AllowedDomainList" contains the trusted domain GUIDs from the on-premises environment. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: "Allow syncing only on computers joined to specific domains" is not enabled. + # - Condition B: "TenantRestrictionEnabled" is set to False. + # - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment. # Retrieve OneDrive sync client restriction settings $SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList $isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList - # Prepare failure reasons and details based on compliance + # Condition A: Check if TenantRestrictionEnabled is True + # Condition B: Ensure AllowedDomainList contains trusted domains GUIDs $failureReasons = if (-not $isSyncRestricted) { "OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs." } 
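Review bot: The inline labels contradict the header added just above them: the header names Condition A as the UI option "Allow syncing only on computers joined to specific domains", B as `TenantRestrictionEnabled` and C as `AllowedDomainList`, but the comments over `$failureReasons` call `TenantRestrictionEnabled` Condition A and `AllowedDomainList` Condition B, and the second hunk of this file labels the `$details` assignment "Condition C", which is not a condition at all. Renumber them to `# Condition B: TenantRestrictionEnabled is True` and `# Condition C: AllowedDomainList contains the trusted domain GUIDs`, and keep the original `# Prepare failure reasons and details based on compliance` wording on `$details`. Note also that `$isSyncRestricted` only tests that `AllowedDomainList` is non-empty, not that it holds the on-premises domain GUIDs the header's Condition C describes; either the header should say so or the expected GUIDs should be passed in for comparison. The rest of the `try` body and the `catch` lie outside the hunk.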
@@ -29,6 +44,7 @@ function Test-OneDriveSyncRestrictions { "N/A" } + # Condition C: Prepare details based on whether sync is restricted $details = if ($isSyncRestricted) { "OneDrive sync is restricted for unmanaged devices." } diff --git a/source/tests/Test-OrgOnlyBypassLobby.ps1 b/source/tests/Test-OrgOnlyBypassLobby.ps1 index 735c86d..b039c4d 100644 --- a/source/tests/Test-OrgOnlyBypassLobby.ps1 +++ b/source/tests/Test-OrgOnlyBypassLobby.ps1 @@ -16,6 +16,20 @@ function Test-OrgOnlyBypassLobby { process { try { # 8.5.3 (L1) Ensure only people in my org can bypass the lobby + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`. + # - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI. + # - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`. + # - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI. + # - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended. # Connect to Teams PowerShell using Connect-MicrosoftTeams 
@@ -25,6 +39,7 @@ function Test-OrgOnlyBypassLobby { # Prepare failure reasons and details based on compliance $failureReasons = if (-not $lobbyBypassRestricted) { + # Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`. "External participants can bypass the lobby" } else { @@ -32,9 +47,11 @@ function Test-OrgOnlyBypassLobby { } $details = if ($lobbyBypassRestricted) { + # Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI. "Only people in the organization can bypass the lobby." } else { + # Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended. "AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)" } diff --git a/source/tests/Test-ReauthWithCode.ps1 b/source/tests/Test-ReauthWithCode.ps1 index 6adfd31..feccb93 100644 --- a/source/tests/Test-ReauthWithCode.ps1 +++ b/source/tests/Test-ReauthWithCode.ps1 
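Review bot: The three inline comments in this hunk label the wrong things: `$lobbyBypassRestricted` (assigned outside the hunk, presumably from `AutoAdmittedUsers`, which is what the fail branch prints) drives all three branches, so the `$details` pass branch is the Condition A pass case rather than "Condition B … using the UI", and the fail branch merely reports the raw `AutoAdmittedUsers` value yet is labelled as Condition C's admin-center verification. Short, accurate labels such as `# Condition A Pass: AutoAdmittedUsers is EveryoneInCompanyExcludingGuests` and `# Condition A Fail: report the actual AutoAdmittedUsers value` would do, with the header (first hunk of this file) noting that Conditions B and C are manual UI checks the script cannot perform. Copying the full header sentences into the branches, as done here, also means every wording change has to be made twice. The remainder of the `try` body and the `catch` lie outside the hunk.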
@@ -7,6 +7,22 @@ function Test-ReauthWithCode {
 )
 begin {
+ <#
+ Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The `EmailAttestationRequired` property is set to `True`.
+ # - Condition B: The `EmailAttestationReAuthDays` property is set to `15` or less.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `EmailAttestationRequired` property is set to `False`.
+ # - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`.
+ #>
+
 # Dot source the class script if necessary
 #. .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
diff --git a/source/tests/Test-RestrictCustomScripts.ps1 b/source/tests/Test-RestrictCustomScripts.ps1
index fea4a0f..f492085 100644
--- a/source/tests/Test-RestrictCustomScripts.ps1
+++ b/source/tests/Test-RestrictCustomScripts.ps1
@@ -14,14 +14,27 @@ function Test-RestrictCustomScripts {
 }
 process {
- try {
 # 7.3.4 (L1) Ensure custom script execution is restricted on site collections
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The `DenyAddAndCustomizePages` setting is set to `Enabled` for each site collection.
+ # - Condition B: The setting is validated through PowerShell commands ensuring the correct state.
+ # - Condition C: Verification using the SharePoint Admin Center confirms the `DenyAddAndCustomizePages` setting is enforced.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `DenyAddAndCustomizePages` setting is not set to `Enabled` for any site collection.
+ # - Condition B: The setting is not validated through PowerShell commands, indicating misconfiguration.
+ # - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced.
 # Retrieve all site collections and select necessary properties
 $SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
- # Replace 'sharepoint.com' with ''
+ # Process URLs to replace 'sharepoint.com' with ''
 $processedUrls = $SPOSitesCustomScript | ForEach-Object {
 $_.Url = $_.Url -replace 'sharepoint\.com', ''
 $_
diff --git a/source/tests/Test-RestrictExternalSharing.ps1 b/source/tests/Test-RestrictExternalSharing.ps1
index 04b00eb..dc9c016 100644
--- a/source/tests/Test-RestrictExternalSharing.ps1
+++ b/source/tests/Test-RestrictExternalSharing.ps1
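Review bot: `try {` is removed at the top of the `process` block, but no matching removal of its `catch`/`finally` appears in this hunk, and the diffstat in the commit header (17 changes for this file, all accounted for by the lines visible here) suggests there is no other hunk for the file; if the `catch` block is still present further down, the script will no longer parse. Either restore `try {` or remove the corresponding `catch` in the same commit — the rest of the `process` block is outside the hunk, so this needs confirming against the full file. Separately, pass Condition B ("validated through PowerShell commands") and Condition C ("Verification using the SharePoint Admin Center") describe audit procedure rather than a state the code evaluates; only Condition A corresponds to the `DenyAddAndCustomizePages` value the script reads, and marking it `# - Condition A (automated): …` would make that visible.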
@@ -7,6 +7,24 @@ function Test-RestrictExternalSharing {
 )
 begin {
+ <#
+ Conditions for 7.2.3 (L1) Ensure external content sharing is restricted
+
+ Validate test for a pass:
+ - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ - Specific conditions to check:
+ - Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
+ - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
+ - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
+
+ Validate test for a fail:
+ - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ - Specific conditions to check:
+ - Condition A: The SharingCapability is set to "Anyone" or "ExternalUserAndGuestSharing" in the SharePoint admin center.
+ - Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing".
+ - Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings.
+ #>
+
 # Dot source the class script if necessary
 #. .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
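Review bot: In the fail conditions, Condition B states that PowerShell reports `SharingCapability` as "Anyone" or "ExternalUserAndGuestSharing", but "Anyone" is the admin center label for the `ExternalUserAndGuestSharing` value, not a value the property returns, so the comment mixes a UI label into the PowerShell condition. Suggest `- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserAndGuestSharing" (shown as "Anyone" in the admin center).` The pass-side Condition B already lists the exact values and matches the `-in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')` check in the `process` block. The rest of `begin` and the `process` block are outside this hunk.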
@@ -22,6 +40,7 @@ function Test-RestrictExternalSharing {
 $isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
 # Prepare failure reasons and details based on compliance
+ # Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
 $failureReasons = if (-not $isRestricted) {
 "External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)"
 }
@@ -29,6 +48,8 @@ function Test-RestrictExternalSharing {
 "N/A"
 }
+ # Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
+ # Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
 $details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
 # Create and populate the CISAuditResult object
diff --git a/source/tests/Test-RestrictStorageProvidersOutlook.ps1 b/source/tests/Test-RestrictStorageProvidersOutlook.ps1
index fa7b256..820796d 100644
--- a/source/tests/Test-RestrictStorageProvidersOutlook.ps1
+++ b/source/tests/Test-RestrictStorageProvidersOutlook.ps1
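Review bot: The Condition A and Condition C comments added above `$details` claim more than the line does: `$details` only formats the tenant `SharingCapability` value, and nothing in either hunk compares OneDrive's sharing level with the organization's (Condition C), so a reader would assume that comparison exists somewhere in the function. Suggest replacing the two lines with `# Conditions A/B: report the tenant SharingCapability evaluated above; Condition C (OneDrive level vs. organization level) is not evaluated by this test.` The Condition B comment above `$failureReasons` is the one that actually matches the `$isRestricted` check on the first context line of the earlier hunk. The `process` block continues outside both hunks.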
@@ -7,6 +7,22 @@ function Test-RestrictStorageProvidersOutlook {
 )
 begin {
+ <#
+ # 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is set to `False` in the OwaMailboxPolicy.
+ # - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` returns `False`.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is not set to `False` in the OwaMailboxPolicy.
+ # - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` does not return `False`.
+ #>
+
 # Dot source the class script if necessary
 #. .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
@@ -19,6 +35,7 @@ function Test-RestrictStorageProvidersOutlook {
 # Retrieve all OwaMailbox policies
 $owaPolicies = Get-OwaMailboxPolicy
+ # Condition A: Check if AdditionalStorageProvidersAvailable is set to False
 $nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
 # Determine compliance
@@ -68,5 +85,3 @@ function Test-RestrictStorageProvidersOutlook {
 return $auditResult
 }
 }
-
-# Additional helper functions (if any)
diff --git a/source/tests/Test-SharePointAADB2B.ps1 b/source/tests/Test-SharePointAADB2B.ps1
index c95e415..fa1f733 100644
--- a/source/tests/Test-SharePointAADB2B.ps1
+++ b/source/tests/Test-SharePointAADB2B.ps1
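Review bot: The comment `# Condition A: Check if AdditionalStorageProvidersAvailable is set to False` in the second hunk annotates `Where-Object { $_.AdditionalStorageProvidersAvailable }`, which selects the policies where the property is truthy — the non-compliant ones — so the comment states the opposite of what the filter collects. Suggest `# Condition A: collect policies whose AdditionalStorageProvidersAvailable is not False (non-compliant)`. In the header block, fail Condition B ("does not return `False`") is only meaningful per policy, since `Get-OwaMailboxPolicy` can return several and the filter is applied per object; "for any policy" would match the code. The compliance decision after `# Determine compliance` is outside the hunk.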
@@ -7,11 +7,26 @@ function Test-SharePointAADB2B {
 )
 begin {
+ # Conditions for 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: Ensure the `EnableAzureADB2BIntegration` property is set to `True` for the SharePoint tenant.
+ # - Condition B: Verify that the SharePoint and OneDrive integration with Azure AD B2B is active.
+ # - Condition C: Ensure that guest accounts are managed in Azure AD and subject to access policies.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `EnableAzureADB2BIntegration` property is set to `False` for the SharePoint tenant.
+ # - Condition B: The integration between SharePoint, OneDrive, and Azure AD B2B is not active.
+ # - Condition C: Guest accounts are not managed in Azure AD and are not subject to access policies.
+
 # Dot source the class script if necessary
 #. .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
- $auditResult = [CISAuditResult]::new()
 $recnum = "7.2.2"
 }
diff --git a/source/tests/Test-SharePointExternalSharingDomains.ps1 b/source/tests/Test-SharePointExternalSharingDomains.ps1
index ee309d7..035dc29 100644
--- a/source/tests/Test-SharePointExternalSharingDomains.ps1
+++ b/source/tests/Test-SharePointExternalSharingDomains.ps1
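Review bot: Pass Conditions B and C ("integration is active", "guest accounts are managed in Azure AD and subject to access policies") describe outcomes the script cannot observe from a tenant property, while only Condition A (`EnableAzureADB2BIntegration` is `True`) is something the test can evaluate; marking which conditions the automated test covers, e.g. `# - Condition A (automated): …` and `# - Condition B (manual): …`, would stop readers from assuming B and C are checked. The hunk also drops `$auditResult = [CISAuditResult]::new()` from `begin`; this looks like dead-code cleanup if the `process` block creates the result object itself, but that block is outside the hunk, so please confirm the variable is still initialised before it is returned. The same removal appears in Test-SharePointExternalSharingDomains, Test-SharePointGuestsItemSharing and Test-TeamsExternalFileSharing.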
@@ -9,10 +9,25 @@ function Test-SharePointExternalSharingDomains {
 begin {
 # Dot source the class script if necessary
 #. .\source\Classes\CISAuditResult.ps1
- # Initialization code, if needed
- $auditResult = [CISAuditResult]::new()
+ # Initialization code, if needed
 $recnum = "7.2.6"
+
+ # Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The "Limit external sharing by domain" option is enabled in the SharePoint admin center.
+ # - Condition B: The "SharingDomainRestrictionMode" is set to "AllowList" using PowerShell.
+ # - Condition C: The "SharingAllowedDomainList" contains the domains trusted by the organization for external sharing.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The "Limit external sharing by domain" option is not enabled in the SharePoint admin center.
+ # - Condition B: The "SharingDomainRestrictionMode" is not set to "AllowList" using PowerShell.
+ # - Condition C: The "SharingAllowedDomainList" does not contain the domains trusted by the organization for external sharing.
 }
 process {
diff --git a/source/tests/Test-SharePointGuestsItemSharing.ps1 b/source/tests/Test-SharePointGuestsItemSharing.ps1
index 75159b4..0ac33e2 100644
--- a/source/tests/Test-SharePointGuestsItemSharing.ps1
+++ b/source/tests/Test-SharePointGuestsItemSharing.ps1
@@ -11,8 +11,23 @@ function Test-SharePointGuestsItemSharing {
 #. .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
- $auditResult = [CISAuditResult]::new()
 $recnum = "7.2.5"
+
+ # Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `True` using PowerShell.
+ # - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is unchecked.
+ # - Condition C: Ensure that external users cannot re-share items they don't own.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `False` using PowerShell.
+ # - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is checked.
+ # - Condition C: Ensure that external users can re-share items they don't own.
 }
 process {
diff --git a/source/tests/Test-TeamsExternalAccess.ps1 b/source/tests/Test-TeamsExternalAccess.ps1
index aec7caa..a6d4bbb 100644
--- a/source/tests/Test-TeamsExternalAccess.ps1
+++ b/source/tests/Test-TeamsExternalAccess.ps1
@@ -8,7 +8,7 @@ function Test-TeamsExternalAccess {
 begin {
 # Dot source the class script if necessary
- #. .\source\Classes\CISAuditResult.ps1
+ # . .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
 $auditResult = [CISAuditResult]::new()
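Review bot: In the fail conditions of the Test-SharePointGuestsItemSharing hunk, Condition C reads `Ensure that external users can re-share items they don't own`, which phrases the undesired state as an instruction; `# - Condition C: External users can re-share items they don't own.` states the failure the way Conditions A and B do. Pass Condition C likewise restates Condition A in prose rather than naming a separate check, so if it is meant as the observable effect of A, saying so avoids implying a third check the script performs. The function's `process` block is outside the hunk.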
@@ -18,6 +18,20 @@ function Test-TeamsExternalAccess {
 process {
 try {
 # 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
+ #
+ # Validate test for a pass:
+ # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
+ # - Specific conditions to check:
+ # - Condition A: The `AllowTeamsConsumer` setting is `False`.
+ # - Condition B: The `AllowPublicUsers` setting is `False`.
+ # - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
+ #
+ # Validate test for a fail:
+ # - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
+ # - Specific conditions to check:
+ # - Condition A: The `AllowTeamsConsumer` setting is not `False`.
+ # - Condition B: The `AllowPublicUsers` setting is not `False`.
+ # - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
 # Connect to Teams PowerShell using Connect-MicrosoftTeams
diff --git a/source/tests/Test-TeamsExternalFileSharing.ps1 b/source/tests/Test-TeamsExternalFileSharing.ps1
index 92ef78c..6502fa0 100644
--- a/source/tests/Test-TeamsExternalFileSharing.ps1
+++ b/source/tests/Test-TeamsExternalFileSharing.ps1
@@ -8,10 +8,8 @@ function Test-TeamsExternalFileSharing {
 begin {
 # Dot source the class script if necessary
- #. .\source\Classes\CISAuditResult.ps1
+ # . .\source\Classes\CISAuditResult.ps1
 # Initialization code, if needed
-
- $auditResult = [CISAuditResult]::new()
 $recnum = "8.1.1"
 }
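Review bot: Pass Condition C in the Test-TeamsExternalAccess hunk says `AllowedDomains` must contain "only authorized domain names", but nothing in the hunk shows where an authorized list comes from, so as written the condition is not decidable by the script and the comment should say how it is judged — for example `# - Condition C: AllowFederatedUsers is False, or it is True and AllowedDomains is a non-empty allow list (whether those domains are authorized is a manual review).` If the function takes an approved-domain parameter, naming it here would make the check traceable. The parameter block and the evaluation code that follows `# Connect to Teams PowerShell using Connect-MicrosoftTeams` are outside the hunk.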
@@ -20,6 +18,12 @@ function Test-TeamsExternalFileSharing {
 # 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
 # Connect to Teams PowerShell using Connect-MicrosoftTeams
+ # Condition A: The `AllowDropbox` setting is set to `False`.
+ # Condition B: The `AllowBox` setting is set to `False`.
+ # Condition C: The `AllowGoogleDrive` setting is set to `False`.
+ # Condition D: The `AllowShareFile` setting is set to `False`.
+ # Condition E: The `AllowEgnyte` setting is set to `False`.
+
 # Assuming that 'approvedProviders' is a list of approved cloud storage service names
 # This list must be defined according to your organization's approved cloud storage services
 $approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
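Review bot: The new Condition A–E comments state that each `Allow*` setting must be `False`, but the existing comment two lines below still calls `$approvedProviders` "a list of approved cloud storage service names", while the array holds the policy setting names that must be disabled — the two comments now contradict each other. Rewriting the existing comment as `# Policy settings that must be False: each one enables a storage provider the benchmark expects to be disabled` resolves it without touching code; renaming the variable to something like `$restrictedProviderSettings` would be clearer still, but its uses are outside the hunk and would need to follow. Also, the comment spells the setting `AllowDropbox` while the array uses `AllowDropBox`; PowerShell member lookup is case-insensitive so both work, but one spelling should be used throughout. The code that evaluates the policy against this array is outside the hunk.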