docs: Comment conditions on each test
This commit is contained in:
DrIOS
@@ -28,14 +28,14 @@
|
||||
27,Test-MailTipsEnabled.ps1,6.5.2,Ensure MailTips are enabled for end users,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,EXO
|
||||
28,Test-RestrictStorageProvidersOutlook.ps1,6.5.3,Ensure additional storage providers are restricted in Outlook on the web,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,EXO
|
||||
29,Test-ModernAuthSharePoint.ps1,7.2.1,Modern Authentication for SharePoint Applications,E3,L1,3.1,Encrypt Sensitive Data in Transit,FALSE,TRUE,TRUE,TRUE,SPO
|
||||
30,Test-SharePointAADB2B.ps1,7.2.2,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure external content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
37,Test-ReauthWithCode.ps1,7.2.10,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
30,Test-SharePointAADB2B.ps1,7.2.2,Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
31,Test-RestrictExternalSharing.ps1,7.2.3,Ensure external content sharing is restricted,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
32,Test-OneDriveContentRestrictions.ps1,7.2.4,Ensure OneDrive content sharing is restricted,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
33,Test-SharePointGuestsItemSharing.ps1,7.2.5,Ensure that SharePoint guest users cannot share items they don't own,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
34,Test-SharePointExternalSharingDomains.ps1,7.2.6,Ensure SharePoint external sharing is managed through domain whitelist/blacklists,E3,L2,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
35,Test-LinkSharingRestrictions.ps1,7.2.7,Ensure link sharing is restricted in SharePoint and OneDrive,E3,L1,3.3,Configure Data Access Control Lists,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
36,Test-GuestAccessExpiration.ps1,7.2.9,Ensure guest access to a site or OneDrive will expire automatically,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
37,Test-ReauthWithCode.ps1,7.2.10,Ensure reauthentication with verification code is restricted,E3,L1,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
38,Test-DisallowInfectedFilesDownload.ps1,7.3.1,Ensure Office 365 SharePoint infected files are disallowed for download,E5,L2,10.1,Deploy and Maintain Anti-Malware Software,TRUE,TRUE,TRUE,TRUE,SPO
|
||||
39,Test-OneDriveSyncRestrictions.ps1,7.3.2,Ensure OneDrive sync is restricted for unmanaged devices,E3,L2,0,Explicitly Not Mapped,FALSE,FALSE,FALSE,TRUE,SPO
|
||||
40,Test-RestrictCustomScripts.ps1,7.3.4,Ensure custom script execution is restricted on site collections,E3,L1,2.7,Allowlist Authorized Scripts,FALSE,FALSE,TRUE,TRUE,SPO
|
||||
|
||||
|
@@ -17,6 +17,20 @@ function Test-BlockChannelEmails {
|
||||
|
||||
try {
|
||||
# 8.1.2 (L1) Ensure users can't send emails to a channel email address
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is set to `False`.
|
||||
# - Condition B: The setting `Users can send emails to a channel email address` is set to `Off` in the Teams admin center.
|
||||
# - Condition C: Verification using PowerShell confirms that the `AllowEmailIntoChannel` setting is disabled.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowEmailIntoChannel` setting in Teams is not set to `False`.
|
||||
# - Condition B: The setting `Users can send emails to a channel email address` is not set to `Off` in the Teams admin center.
|
||||
# - Condition C: Verification using PowerShell indicates that the `AllowEmailIntoChannel` setting is enabled.
|
||||
|
||||
# Retrieve Teams client configuration
|
||||
$teamsClientConfig = Get-CsTeamsClientConfiguration -Identity Global
|
||||
@@ -24,17 +38,17 @@ function Test-BlockChannelEmails {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if ($allowEmailIntoChannel) {
|
||||
"Emails can be sent to a channel email address"
|
||||
"Emails can be sent to a channel email address" # Condition A Fail: AllowEmailIntoChannel is True
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
"N/A" # Condition A Pass: AllowEmailIntoChannel is False
|
||||
}
|
||||
|
||||
$details = if ($allowEmailIntoChannel) {
|
||||
"AllowEmailIntoChannel is set to True"
|
||||
"AllowEmailIntoChannel is set to True" # Condition B Fail: Emails are allowed
|
||||
}
|
||||
else {
|
||||
"AllowEmailIntoChannel is set to False"
|
||||
"AllowEmailIntoChannel is set to False" # Condition B Pass: Emails are blocked
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -17,6 +17,20 @@ function Test-DialInBypassLobby {
|
||||
|
||||
try {
|
||||
# 8.5.4 (L1) Ensure users dialing in can't bypass the lobby
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is set to `False`.
|
||||
# - Condition B: Verification using the UI in the Microsoft Teams admin center confirms that "People dialing in can't bypass the lobby" is set to `Off`.
|
||||
# - Condition C: Ensure that individuals who dial in by phone must wait in the lobby until admitted by a meeting organizer, co-organizer, or presenter.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowPSTNUsersToBypassLobby` setting in the Global Teams meeting policy is not set to `False`.
|
||||
# - Condition B: Verification using the UI in the Microsoft Teams admin center shows that "People dialing in can't bypass the lobby" is not set to `Off`.
|
||||
# - Condition C: Individuals who dial in by phone are able to join the meeting directly without waiting in the lobby.
|
||||
|
||||
# Retrieve Teams meeting policy for PSTN users
|
||||
$CsTeamsMeetingPolicyPSTN = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowPSTNUsersToBypassLobby
|
||||
|
||||
@@ -18,24 +18,40 @@ function Test-DisallowInfectedFilesDownload {
|
||||
|
||||
try {
|
||||
# 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DisallowInfectedFileDownload` setting is set to `True`.
|
||||
# - Condition B: The setting prevents users from downloading infected files as detected by Defender for Office 365.
|
||||
# - Condition C: Verification using the PowerShell command confirms that the setting is correctly configured.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DisallowInfectedFileDownload` setting is not set to `True`.
|
||||
# - Condition B: The setting does not prevent users from downloading infected files.
|
||||
# - Condition C: Verification using the PowerShell command indicates that the setting is incorrectly configured.
|
||||
|
||||
# Retrieve the SharePoint tenant configuration
|
||||
$SPOTenantDisallowInfectedFileDownload = Get-SPOTenant | Select-Object DisallowInfectedFileDownload
|
||||
|
||||
# Condition A: The `DisallowInfectedFileDownload` setting is set to `True`
|
||||
$isDisallowInfectedFileDownloadEnabled = $SPOTenantDisallowInfectedFileDownload.DisallowInfectedFileDownload
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $isDisallowInfectedFileDownloadEnabled) {
|
||||
"Downloading infected files is not disallowed."
|
||||
"Downloading infected files is not disallowed." # Condition B: The setting does not prevent users from downloading infected files
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = if ($isDisallowInfectedFileDownloadEnabled) {
|
||||
"DisallowInfectedFileDownload: True"
|
||||
"DisallowInfectedFileDownload: True" # Condition C: Verification confirms the setting is correctly configured
|
||||
}
|
||||
else {
|
||||
"DisallowInfectedFileDownload: False"
|
||||
"DisallowInfectedFileDownload: False" # Condition C: Verification indicates the setting is incorrectly configured
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -18,6 +18,20 @@ function Test-GuestAccessExpiration {
|
||||
|
||||
try {
|
||||
# 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The ExternalUserExpirationRequired setting in SharePoint is set to True.
|
||||
# - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to 30 or less.
|
||||
# - Condition C: Verification using the SharePoint Admin Center confirms that guest access will expire automatically after the specified number of days.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The ExternalUserExpirationRequired setting in SharePoint is not set to True.
|
||||
# - Condition B: The ExternalUserExpireInDays setting in SharePoint is configured to more than 30 days.
|
||||
# - Condition C: Verification using the SharePoint Admin Center indicates that guest access is not set to expire automatically after the specified number of days.
|
||||
|
||||
# Retrieve SharePoint tenant settings related to guest access expiration
|
||||
$SPOTenantGuestAccess = Get-SPOTenant | Select-Object ExternalUserExpirationRequired, ExternalUserExpireInDays
|
||||
|
||||
@@ -17,6 +17,20 @@ function Test-LinkSharingRestrictions {
|
||||
process {
|
||||
try {
|
||||
# 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is set to `Direct`.
|
||||
# - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is set to `Specific people (only the people the user specifies)`.
|
||||
# - Condition C: Verification using the UI confirms that the link sharing settings are configured as recommended.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DefaultSharingLinkType` setting in SharePoint and OneDrive is not set to `Direct`.
|
||||
# - Condition B: The setting `Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive` is not set to `Specific people (only the people the user specifies)`.
|
||||
# - Condition C: Verification using the UI indicates that the link sharing settings are not configured as recommended.
|
||||
|
||||
# Retrieve link sharing configuration for SharePoint and OneDrive
|
||||
$SPOTenantLinkSharing = Get-SPOTenant | Select-Object DefaultSharingLinkType
|
||||
|
||||
@@ -9,8 +9,25 @@ function Test-ModernAuthSharePoint {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.1"
|
||||
|
||||
<#
|
||||
# Conditions for 7.2.1 (L1) Ensure modern authentication for SharePoint applications is required
|
||||
|
||||
## Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The setting "Apps that don't use modern authentication" is set to "Block access" in the SharePoint admin center.
|
||||
# - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `False`.
|
||||
|
||||
## Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The setting "Apps that don't use modern authentication" is not set to "Block access" in the SharePoint admin center.
|
||||
# - Condition B: The PowerShell command `Get-SPOTenant | ft LegacyAuthProtocolsEnabled` returns `True`.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -21,13 +38,13 @@ function Test-ModernAuthSharePoint {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $modernAuthForSPRequired) {
|
||||
"Legacy authentication protocols are enabled"
|
||||
"Legacy authentication protocols are enabled" # Fail Condition B
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)"
|
||||
$details = "LegacyAuthProtocolsEnabled: $($SPOTenant.LegacyAuthProtocolsEnabled)" # Details for Condition B
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
|
||||
@@ -16,6 +16,20 @@ function Test-NoAnonymousMeetingJoin {
|
||||
process {
|
||||
try {
|
||||
# 8.5.1 (L2) Ensure anonymous users can't join a meeting
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is set to `False`.
|
||||
# - Condition B: Verification using the UI confirms that `Anonymous users can join a meeting` is set to `Off` in the Global meeting policy.
|
||||
# - Condition C: PowerShell command output indicates that anonymous users are not allowed to join meetings.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: `AllowAnonymousUsersToJoinMeeting` is not set to `False`.
|
||||
# - Condition B: Verification using the UI shows that `Anonymous users can join a meeting` is not set to `Off` in the Global meeting policy.
|
||||
# - Condition C: PowerShell command output indicates that anonymous users are allowed to join meetings.
|
||||
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
|
||||
@@ -16,9 +16,24 @@ function Test-NoAnonymousMeetingStart {
|
||||
process {
|
||||
try {
|
||||
# 8.5.2 (L1) Ensure anonymous users and dial-in callers can't start a meeting
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is set to `False`.
|
||||
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting is configured to ensure they must wait in the lobby.
|
||||
# - Condition C: Verification using the UI confirms that the setting `Anonymous users and dial-in callers can start a meeting` is set to `Off`.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowAnonymousUsersToStartMeeting` setting in the Teams admin center is not set to `False`.
|
||||
# - Condition B: The setting for anonymous users and dial-in callers starting a meeting allows them to bypass the lobby.
|
||||
# - Condition C: Verification using the UI indicates that the setting `Anonymous users and dial-in callers can start a meeting` is not set to `Off`.
|
||||
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
# Retrieve the Teams meeting policy for the global scope and check if anonymous users can start meetings
|
||||
$CsTeamsMeetingPolicyAnonymous = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowAnonymousUsersToStartMeeting
|
||||
$anonymousStartDisabled = -not $CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting
|
||||
|
||||
@@ -27,10 +42,10 @@ function Test-NoAnonymousMeetingStart {
|
||||
"N/A"
|
||||
}
|
||||
else {
|
||||
"Anonymous users and dial-in callers can start a meeting"
|
||||
"Anonymous users and dial-in callers can start a meeting" # Condition A and B
|
||||
}
|
||||
|
||||
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)"
|
||||
$details = "AllowAnonymousUsersToStartMeeting is set to $($CsTeamsMeetingPolicyAnonymous.AllowAnonymousUsersToStartMeeting)" # Condition C
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
$params = @{
|
||||
|
||||
@@ -7,6 +7,22 @@ function Test-OneDriveContentRestrictions {
|
||||
)
|
||||
|
||||
begin {
|
||||
# 7.2.4 (L2) Ensure OneDrive content sharing is restricted
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The OneDriveSharingCapability setting is configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`.
|
||||
# - Condition B: The OneDriveSharingCapability is set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive.
|
||||
# - Condition C: OneDrive content sharing is not more permissive than SharePoint content sharing.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The OneDriveSharingCapability setting is not configured to "Disabled" using the PowerShell cmdlet `Get-SPOTenant | fl OneDriveSharingCapability`.
|
||||
# - Condition B: The OneDriveSharingCapability is not set to "Only people in your organization" in the SharePoint admin center under Policies > Sharing > OneDrive.
|
||||
# - Condition C: OneDrive content sharing is more permissive than SharePoint content sharing.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
@@ -16,12 +16,27 @@ function Test-OneDriveSyncRestrictions {
|
||||
process {
|
||||
try {
|
||||
# 7.3.2 (L2) Ensure OneDrive sync is restricted for unmanaged devices
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Verify that "Allow syncing only on computers joined to specific domains" is enabled.
|
||||
# - Condition B: Check that "TenantRestrictionEnabled" is set to True.
|
||||
# - Condition C: Ensure that "AllowedDomainList" contains the trusted domain GUIDs from the on-premises environment.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: "Allow syncing only on computers joined to specific domains" is not enabled.
|
||||
# - Condition B: "TenantRestrictionEnabled" is set to False.
|
||||
# - Condition C: "AllowedDomainList" does not contain the trusted domain GUIDs from the on-premises environment.
|
||||
|
||||
# Retrieve OneDrive sync client restriction settings
|
||||
$SPOTenantSyncClientRestriction = Get-SPOTenantSyncClientRestriction | Select-Object TenantRestrictionEnabled, AllowedDomainList
|
||||
$isSyncRestricted = $SPOTenantSyncClientRestriction.TenantRestrictionEnabled -and $SPOTenantSyncClientRestriction.AllowedDomainList
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
# Condition A: Check if TenantRestrictionEnabled is True
|
||||
# Condition B: Ensure AllowedDomainList contains trusted domains GUIDs
|
||||
$failureReasons = if (-not $isSyncRestricted) {
|
||||
"OneDrive sync is not restricted to managed devices. TenantRestrictionEnabled should be True and AllowedDomainList should contain trusted domains GUIDs."
|
||||
}
|
||||
@@ -29,6 +44,7 @@ function Test-OneDriveSyncRestrictions {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Condition C: Prepare details based on whether sync is restricted
|
||||
$details = if ($isSyncRestricted) {
|
||||
"OneDrive sync is restricted for unmanaged devices."
|
||||
}
|
||||
|
||||
@@ -16,6 +16,20 @@ function Test-OrgOnlyBypassLobby {
|
||||
process {
|
||||
try {
|
||||
# 8.5.3 (L1) Ensure only people in my org can bypass the lobby
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is set to `EveryoneInCompanyExcludingGuests`.
|
||||
# - Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
|
||||
# - Condition C: Verification using the Microsoft Teams admin center confirms that the meeting join & lobby settings are configured as recommended.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
|
||||
# - Condition B: The setting for "Who can bypass the lobby" is not configured to "People in my org" using the UI.
|
||||
# - Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
|
||||
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
@@ -25,6 +39,7 @@ function Test-OrgOnlyBypassLobby {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $lobbyBypassRestricted) {
|
||||
# Condition A: The `AutoAdmittedUsers` setting in the Teams meeting policy is not set to `EveryoneInCompanyExcludingGuests`.
|
||||
"External participants can bypass the lobby"
|
||||
}
|
||||
else {
|
||||
@@ -32,9 +47,11 @@ function Test-OrgOnlyBypassLobby {
|
||||
}
|
||||
|
||||
$details = if ($lobbyBypassRestricted) {
|
||||
# Condition B: The setting for "Who can bypass the lobby" is configured to "People in my org" using the UI.
|
||||
"Only people in the organization can bypass the lobby."
|
||||
}
|
||||
else {
|
||||
# Condition C: Verification using the Microsoft Teams admin center indicates that the meeting join & lobby settings are not configured as recommended.
|
||||
"AutoAdmittedUsers is set to $($CsTeamsMeetingPolicyLobby.AutoAdmittedUsers)"
|
||||
}
|
||||
|
||||
|
||||
@@ -7,6 +7,22 @@ function Test-ReauthWithCode {
|
||||
)
|
||||
|
||||
begin {
|
||||
<#
|
||||
Conditions for 7.2.10 (L1) Ensure reauthentication with verification code is restricted
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `EmailAttestationRequired` property is set to `True`.
|
||||
# - Condition B: The `EmailAttestationReAuthDays` property is set to `15` or less.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `EmailAttestationRequired` property is set to `False`.
|
||||
# - Condition B: The `EmailAttestationReAuthDays` property is set to more than `15`.
|
||||
#>
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
@@ -14,14 +14,27 @@ function Test-RestrictCustomScripts {
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
try {
|
||||
# 7.3.4 (L1) Ensure custom script execution is restricted on site collections
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DenyAddAndCustomizePages` setting is set to `Enabled` for each site collection.
|
||||
# - Condition B: The setting is validated through PowerShell commands ensuring the correct state.
|
||||
# - Condition C: Verification using the SharePoint Admin Center confirms the `DenyAddAndCustomizePages` setting is enforced.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `DenyAddAndCustomizePages` setting is not set to `Enabled` for any site collection.
|
||||
# - Condition B: The setting is not validated through PowerShell commands, indicating misconfiguration.
|
||||
# - Condition C: Verification using the SharePoint Admin Center indicates that the `DenyAddAndCustomizePages` setting is not enforced.
|
||||
|
||||
# Retrieve all site collections and select necessary properties
|
||||
$SPOSitesCustomScript = Get-SPOSite -Limit All | Select-Object Title, Url, DenyAddAndCustomizePages
|
||||
|
||||
# Replace 'sharepoint.com' with '<SPUrl>'
|
||||
# Process URLs to replace 'sharepoint.com' with '<SPUrl>'
|
||||
$processedUrls = $SPOSitesCustomScript | ForEach-Object {
|
||||
$_.Url = $_.Url -replace 'sharepoint\.com', '<SPUrl>'
|
||||
$_
|
||||
|
||||
@@ -7,6 +7,24 @@ function Test-RestrictExternalSharing {
|
||||
)
|
||||
|
||||
begin {
|
||||
<#
|
||||
Conditions for 7.2.3 (L1) Ensure external content sharing is restricted
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: The SharingCapability is set to "Anyone" or "ExternalUserAndGuestSharing" in the SharePoint admin center.
|
||||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing".
|
||||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings.
|
||||
#>
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
@@ -22,6 +40,7 @@ function Test-RestrictExternalSharing {
|
||||
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
# Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||||
$failureReasons = if (-not $isRestricted) {
|
||||
"External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)"
|
||||
}
|
||||
@@ -29,6 +48,8 @@ function Test-RestrictExternalSharing {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||||
# Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||||
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -7,6 +7,22 @@ function Test-RestrictStorageProvidersOutlook {
|
||||
)
|
||||
|
||||
begin {
|
||||
<#
|
||||
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is set to `False` in the OwaMailboxPolicy.
|
||||
# - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` returns `False`.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Using PowerShell, verify that `AdditionalStorageProvidersAvailable` is not set to `False` in the OwaMailboxPolicy.
|
||||
# - Condition B: Ensure that the command `Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable` does not return `False`.
|
||||
#>
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
@@ -19,6 +35,7 @@ function Test-RestrictStorageProvidersOutlook {
|
||||
|
||||
# Retrieve all OwaMailbox policies
|
||||
$owaPolicies = Get-OwaMailboxPolicy
|
||||
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False
|
||||
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
|
||||
|
||||
# Determine compliance
|
||||
@@ -68,5 +85,3 @@ function Test-RestrictStorageProvidersOutlook {
|
||||
return $auditResult
|
||||
}
|
||||
}
|
||||
|
||||
# Additional helper functions (if any)
|
||||
|
||||
@@ -7,11 +7,26 @@ function Test-SharePointAADB2B {
|
||||
)
|
||||
|
||||
begin {
|
||||
# Conditions for 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Ensure the `EnableAzureADB2BIntegration` property is set to `True` for the SharePoint tenant.
|
||||
# - Condition B: Verify that the SharePoint and OneDrive integration with Azure AD B2B is active.
|
||||
# - Condition C: Ensure that guest accounts are managed in Azure AD and subject to access policies.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `EnableAzureADB2BIntegration` property is set to `False` for the SharePoint tenant.
|
||||
# - Condition B: The integration between SharePoint, OneDrive, and Azure AD B2B is not active.
|
||||
# - Condition C: Guest accounts are not managed in Azure AD and are not subject to access policies.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
$recnum = "7.2.2"
|
||||
}
|
||||
|
||||
|
||||
@@ -9,10 +9,25 @@ function Test-SharePointExternalSharingDomains {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
# Initialization code, if needed
|
||||
$recnum = "7.2.6"
|
||||
|
||||
# Conditions for 7.2.6 (L2) Ensure SharePoint external sharing is managed through domain whitelist/blacklists
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The "Limit external sharing by domain" option is enabled in the SharePoint admin center.
|
||||
# - Condition B: The "SharingDomainRestrictionMode" is set to "AllowList" using PowerShell.
|
||||
# - Condition C: The "SharingAllowedDomainList" contains the domains trusted by the organization for external sharing.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The "Limit external sharing by domain" option is not enabled in the SharePoint admin center.
|
||||
# - Condition B: The "SharingDomainRestrictionMode" is not set to "AllowList" using PowerShell.
|
||||
# - Condition C: The "SharingAllowedDomainList" does not contain the domains trusted by the organization for external sharing.
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
@@ -11,8 +11,23 @@ function Test-SharePointGuestsItemSharing {
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
$recnum = "7.2.5"
|
||||
|
||||
# Conditions for 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `True` using PowerShell.
|
||||
# - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is unchecked.
|
||||
# - Condition C: Ensure that external users cannot re-share items they don't own.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The SharePoint setting "PreventExternalUsersFromResharing" is set to `False` using PowerShell.
|
||||
# - Condition B: The SharePoint admin center setting "Allow guests to share items they don't own" is checked.
|
||||
# - Condition C: Ensure that external users can re-share items they don't own.
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
@@ -8,7 +8,7 @@ function Test-TeamsExternalAccess {
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# . .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
@@ -18,6 +18,20 @@ function Test-TeamsExternalAccess {
|
||||
process {
|
||||
try {
|
||||
# 8.2.1 (L1) Ensure 'external access' is restricted in the Teams admin center
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowTeamsConsumer` setting is `False`.
|
||||
# - Condition B: The `AllowPublicUsers` setting is `False`.
|
||||
# - Condition C: The `AllowFederatedUsers` setting is `False` or, if `True`, the `AllowedDomains` contains only authorized domain names.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AllowTeamsConsumer` setting is not `False`.
|
||||
# - Condition B: The `AllowPublicUsers` setting is not `False`.
|
||||
# - Condition C: The `AllowFederatedUsers` setting is `True` and the `AllowedDomains` contains unauthorized domain names or is not configured correctly.
|
||||
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
|
||||
@@ -8,10 +8,8 @@ function Test-TeamsExternalFileSharing {
|
||||
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# . .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
$recnum = "8.1.1"
|
||||
}
|
||||
|
||||
@@ -20,6 +18,12 @@ function Test-TeamsExternalFileSharing {
|
||||
# 8.1.1 (L2) Ensure external file sharing in Teams is enabled for only approved cloud storage services
|
||||
# Connect to Teams PowerShell using Connect-MicrosoftTeams
|
||||
|
||||
# Condition A: The `AllowDropbox` setting is set to `False`.
|
||||
# Condition B: The `AllowBox` setting is set to `False`.
|
||||
# Condition C: The `AllowGoogleDrive` setting is set to `False`.
|
||||
# Condition D: The `AllowShareFile` setting is set to `False`.
|
||||
# Condition E: The `AllowEgnyte` setting is set to `False`.
|
||||
|
||||
# Assuming that 'approvedProviders' is a list of approved cloud storage service names
|
||||
# This list must be defined according to your organization's approved cloud storage services
|
||||
$approvedProviders = @("AllowDropBox", "AllowBox", "AllowGoogleDrive", "AllowShareFile", "AllowEgnyte")
|
||||
|
||||
Reference in New Issue
Block a user