add: Get-ExoOutput function and updated tests
This commit is contained in:
DrIOS
@@ -23,6 +23,33 @@ function Get-ExoOutput {
|
||||
|
||||
begin {
|
||||
# Begin Block #
|
||||
<#
|
||||
1.2.2
|
||||
1.3.3
|
||||
1.3.6
|
||||
2.1.1
|
||||
2.1.2
|
||||
2.1.3
|
||||
2.1.4
|
||||
2.1.5
|
||||
2.1.6
|
||||
2.1.7
|
||||
2.1.9
|
||||
3.1.1
|
||||
6.1.1
|
||||
6.1.2
|
||||
6.1.3
|
||||
6.2.1
|
||||
6.2.2
|
||||
6.2.3
|
||||
6.3.1
|
||||
6.5.1
|
||||
6.5.2
|
||||
6.5.3
|
||||
8.6.1
|
||||
|
||||
$testNumbers = @('1.2.2', '1.3.3', '1.3.6', '2.1.1', '2.1.2', '2.1.3', '2.1.4', '2.1.5', '2.1.6', '2.1.7', '2.1.9', '3.1.1', '6.1.1', '6.1.2', '6.1.3', '6.2.1', '6.2.2', '6.2.3', '6.3.1', '6.5.1', '6.5.2', '6.5.3', '8.6.1')
|
||||
#>
|
||||
}
|
||||
process {
|
||||
switch ($Rec) {
|
||||
@@ -94,25 +121,195 @@ function Get-ExoOutput {
|
||||
# [bool]
|
||||
return $result
|
||||
}
|
||||
'2.1.3' { Write-Output "Matched 2.1.3" }
|
||||
'2.1.4' { Write-Output "Matched 2.1.4" }
|
||||
'2.1.5' { Write-Output "Matched 2.1.5" }
|
||||
'2.1.6' { Write-Output "Matched 2.1.6" }
|
||||
'2.1.7' { Write-Output "Matched 2.1.7" }
|
||||
'2.1.9' { Write-Output "Matched 2.1.9" }
|
||||
'3.1.1' { Write-Output "Matched 3.1.1" }
|
||||
'6.1.1' { Write-Output "Matched 6.1.1" }
|
||||
'6.1.2' { Write-Output "Matched 6.1.2" }
|
||||
'6.1.3' { Write-Output "Matched 6.1.3" }
|
||||
'6.2.1' { Write-Output "Matched 6.2.1" }
|
||||
'6.2.2' { Write-Output "Matched 6.2.2" }
|
||||
'6.2.3' { Write-Output "Matched 6.2.3" }
|
||||
'6.3.1' { Write-Output "Matched 6.3.1" }
|
||||
'6.5.1' { Write-Output "Matched 6.5.1" }
|
||||
'6.5.2' { Write-Output "Matched 6.5.2" }
|
||||
'6.5.3' { Write-Output "Matched 6.5.3" }
|
||||
'8.6.1' { Write-Output "Matched 8.6.1" }
|
||||
default { Write-Output "No match found" }
|
||||
'2.1.3' {
|
||||
# Test-NotifyMalwareInternal.ps1
|
||||
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
|
||||
|
||||
# Retrieve all 'Custom' malware filter policies and check notification settings
|
||||
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
|
||||
# [object[]]
|
||||
return $malwareNotifications
|
||||
}
|
||||
'2.1.4' {
|
||||
# Test-SafeAttachmentsPolicy.ps1
|
||||
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
# Check if ErrorAction needed below
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
|
||||
# [object[]]
|
||||
return $safeAttachmentPolicies
|
||||
else {
|
||||
return 1
|
||||
}
|
||||
}
|
||||
}
|
||||
'2.1.5' {
|
||||
# Test-SafeAttachmentsTeams.ps1
|
||||
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
|
||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||
$atpPolicies = Get-AtpPolicyForO365
|
||||
# Check if the required ATP policies are enabled
|
||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||
$_.EnableSafeDocs -eq $true -and
|
||||
$_.AllowSafeDocsOpen -eq $false
|
||||
}
|
||||
# [psobject[]]
|
||||
return $atpPolicyResult
|
||||
}
|
||||
else {
|
||||
return 1
|
||||
}
|
||||
}
|
||||
'2.1.6' {
|
||||
# Test-SpamPolicyAdminNotify.ps1
|
||||
# Retrieve the default hosted outbound spam filter policy
|
||||
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
|
||||
return $hostedOutboundSpamFilterPolicy
|
||||
|
||||
}
|
||||
'2.1.7' {
|
||||
# Test-AntiPhishingPolicy.ps1
|
||||
# Condition A: Ensure that an anti-phishing policy has been created
|
||||
$antiPhishPolicies = Get-AntiPhishPolicy
|
||||
return $antiPhishPolicies
|
||||
}
|
||||
'2.1.9' {
|
||||
# Test-EnableDKIM.ps1
|
||||
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
|
||||
|
||||
# Retrieve DKIM configuration for all domains
|
||||
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
|
||||
# [object[]]
|
||||
return $dkimConfig
|
||||
}
|
||||
'3.1.1' {
|
||||
# Test-AuditLogSearch.ps1
|
||||
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
|
||||
|
||||
# Retrieve the audit log configuration
|
||||
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
|
||||
#
|
||||
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
|
||||
# [bool]
|
||||
return $auditLogResult
|
||||
}
|
||||
'6.1.1' {
|
||||
# Test-AuditDisabledFalse.ps1
|
||||
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
|
||||
|
||||
# Retrieve the AuditDisabled configuration (Condition B)
|
||||
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
|
||||
# [bool]
|
||||
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
|
||||
return $auditNotDisabled
|
||||
}
|
||||
'6.1.2' {
|
||||
# Test-MailboxAuditingE3.ps1
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
# [object[]]
|
||||
return $mailboxes
|
||||
}
|
||||
'6.1.3' {
|
||||
# Test-MailboxAuditingE5.ps1
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
# [object[]]
|
||||
return $mailboxes
|
||||
}
|
||||
'6.2.1' {
|
||||
# Test-BlockMailForwarding.ps1
|
||||
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
|
||||
# Step 1: Retrieve the transport rules that redirect messages
|
||||
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
|
||||
if ($null -eq $transportRules) {
|
||||
$transportRules = 1
|
||||
}
|
||||
# Step 2: Check all anti-spam outbound policies
|
||||
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
|
||||
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
|
||||
return $transportRules, $nonCompliantSpamPolicies
|
||||
|
||||
}
|
||||
'6.2.2' {
|
||||
# Test-NoWhitelistDomains.ps1
|
||||
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
|
||||
|
||||
# Retrieve transport rules that whitelist specific domains
|
||||
# Condition A: Checking for transport rules that whitelist specific domains
|
||||
# [object[]]
|
||||
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
|
||||
return $whitelistedRules
|
||||
}
|
||||
'6.2.3' {
|
||||
# Test-IdentifyExternalEmail.ps1
|
||||
# 6.2.3 (L1) Ensure email from external senders is identified
|
||||
|
||||
# Retrieve external sender tagging configuration
|
||||
# [object[]]
|
||||
$externalInOutlook = Get-ExternalInOutlook
|
||||
return $externalInOutlook
|
||||
}
|
||||
'6.3.1' {
|
||||
# Test-RestrictOutlookAddins.ps1
|
||||
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
|
||||
$customPolicyFailures = @()
|
||||
# Check all mailboxes for custom policies with unallowed add-ins
|
||||
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
|
||||
|
||||
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
|
||||
foreach ($policy in $roleAssignmentPolicies) {
|
||||
if ($policy.RoleAssignmentPolicy) {
|
||||
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
|
||||
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
|
||||
if ($foundRoles) {
|
||||
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
# Check Default Role Assignment Policy
|
||||
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
|
||||
return $customPolicyFailures, $defaultPolicy
|
||||
}
|
||||
'6.5.1' {
|
||||
# Test-ModernAuthExchangeOnline.ps1
|
||||
# Ensuring the ExchangeOnlineManagement module is available
|
||||
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
||||
|
||||
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
|
||||
return $orgConfig
|
||||
}
|
||||
'6.5.2' {
|
||||
# Test-MailTipsEnabled.ps1
|
||||
# 6.5.2 (L2) Ensure MailTips are enabled for end users
|
||||
# Retrieve organization configuration for MailTips settings
|
||||
# [object]
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
|
||||
return $orgConfig
|
||||
}
|
||||
'6.5.3' {
|
||||
# Test-RestrictStorageProvidersOutlook.ps1
|
||||
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
|
||||
# Retrieve all OwaMailbox policies
|
||||
# [object[]]
|
||||
$owaPolicies = Get-OwaMailboxPolicy
|
||||
return $owaPolicies
|
||||
}
|
||||
'8.6.1' {
|
||||
# Test-ReportSecurityInTeams.ps1
|
||||
# 8.6.1 (L1) Ensure users can report security concerns in Teams
|
||||
|
||||
# Retrieve the necessary settings for Teams and Exchange Online
|
||||
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
|
||||
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
|
||||
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
|
||||
return $ReportSubmissionPolicy
|
||||
}
|
||||
default { throw "No match found for test: $Rec" }
|
||||
}
|
||||
}
|
||||
end {
|
||||
|
||||
@@ -34,7 +34,7 @@ function Test-AntiPhishingPolicy {
|
||||
|
||||
try {
|
||||
# Condition A: Ensure that an anti-phishing policy has been created
|
||||
$antiPhishPolicies = Get-AntiPhishPolicy
|
||||
$antiPhishPolicies = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Condition B: Verify the anti-phishing policy settings using PowerShell
|
||||
$validatedPolicies = $antiPhishPolicies | Where-Object {
|
||||
|
||||
@@ -35,8 +35,7 @@ function Test-AuditDisabledFalse {
|
||||
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
|
||||
|
||||
# Retrieve the AuditDisabled configuration (Condition B)
|
||||
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
|
||||
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
|
||||
$auditNotDisabled = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $auditNotDisabled) {
|
||||
|
||||
@@ -36,9 +36,7 @@ function Test-AuditLogSearch {
|
||||
try {
|
||||
# 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
|
||||
|
||||
# Retrieve the audit log configuration
|
||||
$auditLogConfig = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
|
||||
$auditLogResult = $auditLogConfig.UnifiedAuditLogIngestionEnabled
|
||||
$auditLogResult = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $auditLogResult) {
|
||||
|
||||
@@ -35,12 +35,10 @@ function Test-BlockMailForwarding {
|
||||
# 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
|
||||
|
||||
# Step 1: Retrieve the transport rules that redirect messages
|
||||
$transportRules = Get-TransportRule | Where-Object { $null -ne $_.RedirectMessageTo }
|
||||
$transportRules,$nonCompliantSpamPolicies = Get-ExoOutput -Rec $recnum
|
||||
$transportForwardingBlocked = $transportRules.Count -eq 0
|
||||
|
||||
# Step 2: Check all anti-spam outbound policies
|
||||
$outboundSpamPolicies = Get-HostedOutboundSpamFilterPolicy
|
||||
$nonCompliantSpamPolicies = $outboundSpamPolicies | Where-Object { $_.AutoForwardingMode -ne 'Off' }
|
||||
$nonCompliantSpamPoliciesArray = @($nonCompliantSpamPolicies)
|
||||
$spamForwardingBlocked = $nonCompliantSpamPoliciesArray.Count -eq 0
|
||||
|
||||
@@ -51,7 +49,7 @@ function Test-BlockMailForwarding {
|
||||
$failureReasons = @()
|
||||
$details = @()
|
||||
|
||||
if ($transportRules.Count -gt 0) {
|
||||
if ($transportRules -ne 1) {
|
||||
# Fail Condition A
|
||||
$failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
|
||||
$details += "Transport Rules Details:`nRule Name|Redirects To"
|
||||
|
||||
@@ -38,8 +38,7 @@ function Test-CommonAttachmentFilter {
|
||||
# Condition B: Using Exchange Online PowerShell, verify that the `EnableFileFilter` property of the default malware filter policy is set to `True`.
|
||||
|
||||
# Retrieve the attachment filter policy
|
||||
$attachmentFilter = Get-MalwareFilterPolicy -Identity Default | Select-Object EnableFileFilter
|
||||
$result = $attachmentFilter.EnableFileFilter
|
||||
$result = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $result) {
|
||||
|
||||
@@ -36,7 +36,7 @@ function Test-EnableDKIM {
|
||||
# 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains
|
||||
|
||||
# Retrieve DKIM configuration for all domains
|
||||
$dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled
|
||||
$dkimConfig = Get-ExoOutput -Rec $recnum
|
||||
$dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false
|
||||
$dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain }
|
||||
|
||||
|
||||
@@ -36,7 +36,7 @@ function Test-IdentifyExternalEmail {
|
||||
# 6.2.3 (L1) Ensure email from external senders is identified
|
||||
|
||||
# Retrieve external sender tagging configuration
|
||||
$externalInOutlook = Get-ExternalInOutlook
|
||||
$externalInOutlook = Get-ExoOutput -Rec $recnum
|
||||
$externalTaggingEnabled = ($externalInOutlook | ForEach-Object { $_.Enabled }) -contains $true
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
|
||||
@@ -38,7 +38,7 @@ function Test-MailTipsEnabled {
|
||||
# 6.5.2 (L2) Ensure MailTips are enabled for end users
|
||||
|
||||
# Retrieve organization configuration for MailTips settings
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
|
||||
$orgConfig = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Check the MailTips settings (Conditions A, B, C, D)
|
||||
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
|
||||
|
||||
@@ -45,7 +45,7 @@ function Test-MailboxAuditingE3 {
|
||||
|
||||
process {
|
||||
if ($null -ne $allUsers) {
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
$mailboxes = Get-ExoOutput -Rec $recnum
|
||||
try {
|
||||
foreach ($user in $allUsers) {
|
||||
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
|
||||
|
||||
@@ -40,7 +40,7 @@ function Test-MailboxAuditingE5 {
|
||||
|
||||
process {
|
||||
if ($null -ne $allUsers) {
|
||||
$mailboxes = Get-EXOMailbox -PropertySets Audit
|
||||
$mailboxes = Get-ExoOutput -Rec $recnum
|
||||
try {
|
||||
foreach ($user in $allUsers) {
|
||||
if ($processedUsers.ContainsKey($user.UserPrincipalName)) {
|
||||
|
||||
@@ -31,12 +31,10 @@ function Test-ModernAuthExchangeOnline {
|
||||
|
||||
process {
|
||||
try {
|
||||
# Ensuring the ExchangeOnlineManagement module is available
|
||||
|
||||
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
||||
|
||||
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
|
||||
$orgConfig = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $orgConfig.OAuth2ClientProfileEnabled) {
|
||||
|
||||
@@ -38,8 +38,7 @@ function Test-NoWhitelistDomains {
|
||||
|
||||
# Retrieve transport rules that whitelist specific domains
|
||||
# Condition A: Checking for transport rules that whitelist specific domains
|
||||
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
|
||||
|
||||
$whitelistedRules = Get-ExoOutput -Rec $recnum
|
||||
# Prepare failure reasons and details based on compliance
|
||||
# Condition B: Prepare failure reasons based on the presence of whitelisted rules
|
||||
$failureReasons = if ($whitelistedRules) {
|
||||
|
||||
@@ -34,7 +34,7 @@ function Test-NotifyMalwareInternal {
|
||||
# 2.1.3 Ensure notifications for internal users sending malware is Enabled
|
||||
|
||||
# Retrieve all 'Custom' malware filter policies and check notification settings
|
||||
$malwareNotifications = Get-MalwareFilterPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Custom' }
|
||||
$malwareNotifications = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Condition B: Using PowerShell, the `NotifyInternal` property in the anti-malware policy is set to `True` and includes at least one valid email address for notifications.
|
||||
$policiesToReport = @()
|
||||
|
||||
@@ -16,16 +16,15 @@ function Test-ReportSecurityInTeams {
|
||||
|
||||
process {
|
||||
try {
|
||||
# Test-ReportSecurityInTeams.ps1
|
||||
# 8.6.1 (L1) Ensure users can report security concerns in Teams
|
||||
|
||||
# Retrieve the necessary settings for Teams and Exchange Online
|
||||
# Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'.
|
||||
$CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting
|
||||
|
||||
# Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal.
|
||||
# Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses.
|
||||
$ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled
|
||||
|
||||
$ReportSubmissionPolicy = Get-ExoOutput -Rec $recnum
|
||||
# Check if all the required settings are enabled
|
||||
$securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and
|
||||
$ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and
|
||||
|
||||
@@ -11,7 +11,6 @@ function Test-RestrictOutlookAddins {
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code
|
||||
$customPolicyFailures = @()
|
||||
$defaultPolicyFailureDetails = @()
|
||||
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
|
||||
$recnum = "6.3.1"
|
||||
@@ -36,24 +35,8 @@ function Test-RestrictOutlookAddins {
|
||||
# 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
|
||||
|
||||
# Check all mailboxes for custom policies with unallowed add-ins
|
||||
$roleAssignmentPolicies = Get-EXOMailbox | Select-Object -Unique RoleAssignmentPolicy
|
||||
|
||||
if ($roleAssignmentPolicies.RoleAssignmentPolicy) {
|
||||
foreach ($policy in $roleAssignmentPolicies) {
|
||||
if ($policy.RoleAssignmentPolicy) {
|
||||
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
|
||||
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
|
||||
if ($foundRoles) {
|
||||
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Check Default Role Assignment Policy
|
||||
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
|
||||
$customPolicyFailures, $defaultPolicy = Get-ExoOutput -Rec $recnum
|
||||
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
|
||||
|
||||
@@ -34,7 +34,7 @@ function Test-RestrictStorageProvidersOutlook {
|
||||
# 6.5.3 (L2) Ensure additional storage providers are restricted in Outlook on the web
|
||||
|
||||
# Retrieve all OwaMailbox policies
|
||||
$owaPolicies = Get-OwaMailboxPolicy
|
||||
$owaPolicies = Get-ExoOutput -Rec $recnum
|
||||
# Condition A: Check if AdditionalStorageProvidersAvailable is set to False
|
||||
$nonCompliantPolicies = $owaPolicies | Where-Object { $_.AdditionalStorageProvidersAvailable }
|
||||
|
||||
|
||||
@@ -28,10 +28,9 @@ function Test-SafeAttachmentsPolicy {
|
||||
}
|
||||
|
||||
process {
|
||||
if (Get-Command Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue) {
|
||||
$safeAttachmentPolicies = Get-ExoOutput -Rec $recnum
|
||||
if ($safeAttachmentPolicies -ne 1) {
|
||||
try {
|
||||
# Retrieve all Safe Attachment policies where Enable is set to True
|
||||
$safeAttachmentPolicies = Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue | Where-Object { $_.Enable -eq $true }
|
||||
# Check if any Safe Attachments policy is enabled (Condition A)
|
||||
$result = $null -ne $safeAttachmentPolicies -and $safeAttachmentPolicies.Count -gt 0
|
||||
|
||||
|
||||
@@ -31,18 +31,9 @@ function Test-SafeAttachmentsTeams {
|
||||
}
|
||||
|
||||
process {
|
||||
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
|
||||
$atpPolicyResult = Get-ExoOutput -Rec $recnum
|
||||
if ($atpPolicyResult -ne 1) {
|
||||
try {
|
||||
# 2.1.5 (L2) Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
|
||||
# Retrieve the ATP policies for Office 365 and check Safe Attachments settings
|
||||
$atpPolicies = Get-AtpPolicyForO365
|
||||
# Check if the required ATP policies are enabled
|
||||
$atpPolicyResult = $atpPolicies | Where-Object {
|
||||
$_.EnableATPForSPOTeamsODB -eq $true -and
|
||||
$_.EnableSafeDocs -eq $true -and
|
||||
$_.AllowSafeDocsOpen -eq $false
|
||||
}
|
||||
|
||||
# Condition A: Check Safe Attachments for SharePoint
|
||||
# Condition B: Check Safe Attachments for OneDrive
|
||||
# Condition C: Check Safe Attachments for Microsoft Teams
|
||||
|
||||
@@ -38,7 +38,7 @@ function Test-SpamPolicyAdminNotify {
|
||||
# 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
|
||||
|
||||
# Retrieve the default hosted outbound spam filter policy
|
||||
$hostedOutboundSpamFilterPolicy = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault -eq $true }
|
||||
$hostedOutboundSpamFilterPolicy = Get-ExoOutput -Rec $recnum
|
||||
|
||||
# Check if both settings are enabled (Condition A and Condition B for pass)
|
||||
$bccSuspiciousOutboundMailEnabled = $hostedOutboundSpamFilterPolicy.BccSuspiciousOutboundMail
|
||||
|
||||
Reference in New Issue
Block a user