diff --git a/source/tests/Test-ExternalNoControl.ps1 b/source/tests/Test-ExternalNoControl.ps1 index 1a8c82d..462bb43 100644 --- a/source/tests/Test-ExternalNoControl.ps1 +++ b/source/tests/Test-ExternalNoControl.ps1 @@ -8,7 +8,7 @@ function Test-ExternalNoControl { begin { # Dot source the class script if necessary - #. .\source\Classes\CISAuditResult.ps1 + # . .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "8.5.7" 
@@ -17,36 +17,50 @@ function Test-ExternalNoControl { process { try { - # 8.5.7 (L1) Ensure external participants can't give or request control + # 8.5.7 (L1) Ensure external participants can't give or request control + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Ensure the `AllowExternalParticipantGiveRequestControl` setting in Teams is set to `False`. + # - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command. + # - Condition C: Verification using the UI confirms that external participants are unable to give or request control. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `AllowExternalParticipantGiveRequestControl` setting in Teams is not set to `False`. + # - Condition B: The setting is verified through the Microsoft Teams admin center or via PowerShell command. + # - Condition C: Verification using the UI indicates that external participants can give or request control. 
- # Retrieve Teams meeting policy for external participant control - $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl - $externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl + # Retrieve Teams meeting policy for external participant control + $CsTeamsMeetingPolicyControl = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property AllowExternalParticipantGiveRequestControl + $externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl - # Prepare failure reasons and details based on compliance - $failureReasons = if (-not $externalControlRestricted) { - "External participants can give or request control" - } - else { - "N/A" - } + # Prepare failure reasons and details based on compliance + $failureReasons = if (-not $externalControlRestricted) { + "External participants can give or request control" + } + else { + "N/A" + } - $details = if ($externalControlRestricted) { - "AllowExternalParticipantGiveRequestControl is set to False" - } - else { - "AllowExternalParticipantGiveRequestControl is set to True" - } + $details = if ($externalControlRestricted) { + "AllowExternalParticipantGiveRequestControl is set to False" + } + else { + "AllowExternalParticipantGiveRequestControl is set to True" + } - # Create and populate the CISAuditResult object - $params = @{ - Rec = $recnum - Result = $externalControlRestricted - Status = if ($externalControlRestricted) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons - } - $auditResult = Initialize-CISAuditResult @params + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $externalControlRestricted + Status = if ($externalControlRestricted) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = 
Initialize-CISAuditResult @params } catch { Write-Error "An error occurred during the test: $_" diff --git a/source/tests/Test-MeetingChatNoAnonymous.ps1 b/source/tests/Test-MeetingChatNoAnonymous.ps1 index 3524c6b..25b9367 100644 --- a/source/tests/Test-MeetingChatNoAnonymous.ps1 +++ b/source/tests/Test-MeetingChatNoAnonymous.ps1 @@ -16,11 +16,24 @@ function Test-MeetingChatNoAnonymous { process { try { # 8.5.5 (L2) Ensure meeting chat does not allow anonymous users - - # Connect to Teams PowerShell using Connect-MicrosoftTeams + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `MeetingChatEnabledType` setting in Teams is set to `EnabledExceptAnonymous`. + # - Condition B: The setting for meeting chat is configured to allow chat for everyone except anonymous users. + # - Condition C: Verification using the Teams Admin Center confirms that the meeting chat settings are configured as recommended. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `MeetingChatEnabledType` setting in Teams is not set to `EnabledExceptAnonymous`. + # - Condition B: The setting for meeting chat allows chat for anonymous users. + # - Condition C: Verification using the Teams Admin Center indicates that the meeting chat settings are not configured as recommended. # Retrieve the Teams meeting policy for meeting chat $CsTeamsMeetingPolicyChat = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property MeetingChatEnabledType + # Condition A: Check if the MeetingChatEnabledType is set to 'EnabledExceptAnonymous' $chatAnonDisabled = $CsTeamsMeetingPolicyChat.MeetingChatEnabledType -eq 'EnabledExceptAnonymous' # Prepare failure reasons and details based on compliance 
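Review bot: In Test-ExternalNoControl.ps1 the line `$externalControlRestricted = -not $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl` fails open. If `Get-CsTeamsMeetingPolicy` returns nothing or the property is absent, `-not $null` evaluates to `$true` and the check records Pass with the detail "is set to False". The surrounding `try`/`catch` only helps when the cmdlet raises a terminating error, which is not guaranteed without `-ErrorAction Stop`. Consider `Get-CsTeamsMeetingPolicy -Identity Global -ErrorAction Stop` and an explicit comparison, `$externalControlRestricted = $CsTeamsMeetingPolicyControl.AllowExternalParticipantGiveRequestControl -eq $false`, so an empty result is reported as Fail rather than compliant. The `catch` and `end` blocks continue outside the hunk, so how `$auditResult` is populated on error is not visible here.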
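Review bot: The added fail conditions in Test-MeetingChatNoAnonymous.ps1 are not equivalent. Condition A fails whenever `MeetingChatEnabledType` is anything other than `EnabledExceptAnonymous`, while Condition B says a failure means chat is allowed for anonymous users. A policy with meeting chat turned off entirely (`Disabled`) would fail the `-eq 'EnabledExceptAnonymous'` comparison even though anonymous users cannot chat. Either document that the test is an exact match against the benchmark value, e.g. `# Condition A: exact match only; any other value, including stricter ones, is reported as Fail`, or widen the check if stricter values are meant to pass. The rest of the `try` block is outside the hunk.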
diff --git a/source/tests/Test-OrganizersPresent.ps1 b/source/tests/Test-OrganizersPresent.ps1 index 014d13d..c57ad39 100644 --- a/source/tests/Test-OrganizersPresent.ps1 +++ b/source/tests/Test-OrganizersPresent.ps1 @@ -16,8 +16,20 @@ function Test-OrganizersPresent { process { try { # 8.5.6 (L2) Ensure only organizers and co-organizers can present - - # Connect to Teams PowerShell using Connect-MicrosoftTeams + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is set to `OrganizerOnlyUserOverride`. + # - Condition B: Verification using the Teams admin center confirms that the setting "Who can present" is configured to "Only organizers and co-organizers". + # - Condition C: Verification using PowerShell confirms that the `DesignatedPresenterRoleMode` is set to `OrganizerOnlyUserOverride`. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `DesignatedPresenterRoleMode` setting in the Teams meeting policy is not set to `OrganizerOnlyUserOverride`. + # - Condition B: Verification using the Teams admin center indicates that the setting "Who can present" is not configured to "Only organizers and co-organizers". + # - Condition C: Verification using PowerShell indicates that the `DesignatedPresenterRoleMode` is not set to `OrganizerOnlyUserOverride`. # Retrieve the Teams meeting policy for presenters $CsTeamsMeetingPolicyPresenters = Get-CsTeamsMeetingPolicy -Identity Global | Select-Object -Property DesignatedPresenterRoleMode diff --git a/source/tests/Test-ReportSecurityInTeams.ps1 b/source/tests/Test-ReportSecurityInTeams.ps1 index 9c889dd..23b1c47 100644 --- a/source/tests/Test-ReportSecurityInTeams.ps1 
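Review bot: Conditions A and C in the new comment block of Test-OrganizersPresent.ps1 describe the same PowerShell check of `DesignatedPresenterRoleMode`, and neither states which policy is inspected. The code reads only `Get-CsTeamsMeetingPolicy -Identity Global`, so custom meeting policies assigned to users or groups are not evaluated and a Pass covers the org-wide default only. I would merge A and C and state the scope, e.g. `# - Condition A: DesignatedPresenterRoleMode on the Global (Org-wide default) policy is OrganizerOnlyUserOverride; custom policies are not evaluated`. The same scope caveat applies to the comment blocks added in Test-ExternalNoControl.ps1 and Test-MeetingChatNoAnonymous.ps1, which also query `-Identity Global`. The comparison that uses the retrieved value lies outside this hunk.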
+++ b/source/tests/Test-ReportSecurityInTeams.ps1 @@ -9,6 +9,7 @@ function Test-ReportSecurityInTeams { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed $recnum = "8.6.1" } @@ -18,9 +19,14 @@ function Test-ReportSecurityInTeams { # 8.6.1 (L1) Ensure users can report security concerns in Teams # Retrieve the necessary settings for Teams and Exchange Online + # Condition A: Ensure the 'Report a security concern' setting in the Teams admin center is set to 'On'. $CsTeamsMessagingPolicy = Get-CsTeamsMessagingPolicy -Identity Global | Select-Object -Property AllowSecurityEndUserReporting + + # Condition B: Verify that 'Monitor reported messages in Microsoft Teams' is checked in the Microsoft 365 Defender portal. + # Condition C: Ensure the 'Send reported messages to' setting in the Microsoft 365 Defender portal is set to 'My reporting mailbox only' with the correct report email addresses. $ReportSubmissionPolicy = Get-ReportSubmissionPolicy | Select-Object -Property ReportJunkToCustomizedAddress, ReportNotJunkToCustomizedAddress, ReportPhishToCustomizedAddress, ReportChatMessageToCustomizedAddressEnabled + # Check if all the required settings are enabled $securityReportEnabled = $CsTeamsMessagingPolicy.AllowSecurityEndUserReporting -and $ReportSubmissionPolicy.ReportJunkToCustomizedAddress -and $ReportSubmissionPolicy.ReportNotJunkToCustomizedAddress -and @@ -66,7 +72,7 @@ function Test-ReportSecurityInTeams { } end { - # Return auditResult + # Return the audit result return $auditResult } }
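Review bot: The new Condition C comment in Test-ReportSecurityInTeams.ps1 promises more than the visible code verifies. `Select-Object` fetches only the three `Report*ToCustomizedAddress` flags and `ReportChatMessageToCustomizedAddressEnabled`, not the mailbox addresses or `ReportChatMessageEnabled`. So "with the correct report email addresses" and "My reporting mailbox only" cannot be confirmed from the properties shown. Either narrow the comment to what is checked, or add `ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses, ReportChatMessageEnabled` to the `Select-Object` list and test them. The `$securityReportEnabled` expression runs past the end of this hunk, so its remaining operands are not visible.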