diff --git a/source/tests/Test-AntiPhishingPolicy.ps1 b/source/tests/Test-AntiPhishingPolicy.ps1 index 4e4de8c..24cb320 100644 --- a/source/tests/Test-AntiPhishingPolicy.ps1 +++ b/source/tests/Test-AntiPhishingPolicy.ps1 @@ -12,15 +12,31 @@ function Test-AntiPhishingPolicy { # Initialization code, if needed #$auditResults = @() $recnum = "2.1.7" + + <# + Conditions for 2.1.7 (L1) Ensure that an anti-phishing policy has been created + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: Verify that an anti-phishing policy exists in the Microsoft 365 Security Center. + - Condition B: Using PowerShell, ensure the anti-phishing policy is configured with appropriate settings such as enabling impersonation protection and spoof intelligence. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: No anti-phishing policy exists in the Microsoft 365 Security Center. + - Condition B: Using PowerShell, the anti-phishing policy is not configured with the required settings. + #> } process { try { - # 2.1.7 Ensure that an anti-phishing policy has been created - - # Retrieve and validate the anti-phishing policies + # Condition A: Ensure that an anti-phishing policy has been created $antiPhishPolicies = Get-AntiPhishPolicy + + # Condition B: Verify the anti-phishing policy settings using PowerShell $validatedPolicies = $antiPhishPolicies | Where-Object { $_.Enabled -eq $true -and $_.PhishThresholdLevel -ge 2 -and diff --git a/source/tests/Test-AuditDisabledFalse.ps1 b/source/tests/Test-AuditDisabledFalse.ps1 index 8a26323..263e929 100644 --- a/source/tests/Test-AuditDisabledFalse.ps1 +++ b/source/tests/Test-AuditDisabledFalse.ps1 
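Review bot: The new Condition B comment in the begin block describes the PowerShell check as validating impersonation protection and spoof intelligence, but the `Where-Object` filter it annotates in the process block tests `$_.Enabled -eq $true` and `$_.PhishThresholdLevel -ge 2` (the remaining predicates continue past the end of the hunk). Either the comment should list the properties the filter actually evaluates, or the filter needs the impersonation/spoof properties it claims to cover; as written the documentation overstates what the automated test proves. I would also confirm, in the part of the filter outside the hunk, that an enabled policy is not treated as sufficient on its own, since an enabled policy with no recipients in scope would still pass the visible predicates. Suggested wording: `# Condition B: keep only policies whose Enabled/PhishThresholdLevel (and the settings checked below) meet the benchmark`.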
@@ -9,32 +9,48 @@ function Test-AuditDisabledFalse { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + + # Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: The `AuditDisabled` organizational setting is set to `False` in the Microsoft 365 admin center. + # - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `False`. + # - Condition C: Ensure mailbox auditing is enabled by default at the organizational level. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center. + # - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`. + # - Condition C: Mailbox auditing is not enabled by default at the organizational level. 
+ # Initialization code, if needed $recnum = "6.1.1" } process { - try { # 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False' - # Retrieve the AuditDisabled configuration + # Retrieve the AuditDisabled configuration (Condition B) $auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled $auditNotDisabled = -not $auditDisabledConfig.AuditDisabled # Prepare failure reasons and details based on compliance $failureReasons = if (-not $auditNotDisabled) { - "AuditDisabled is set to True" + "AuditDisabled is set to True" # Condition A Fail } else { "N/A" } $details = if ($auditNotDisabled) { - "Audit is not disabled organizationally" + "Audit is not disabled organizationally" # Condition C Pass } else { - "Audit is disabled organizationally" + "Audit is disabled organizationally" # Condition C Fail } # Create and populate the CISAuditResult object diff --git a/source/tests/Test-AuditLogSearch.ps1 b/source/tests/Test-AuditLogSearch.ps1 index bbedbca..90e828e 100644 --- a/source/tests/Test-AuditLogSearch.ps1 +++ b/source/tests/Test-AuditLogSearch.ps1 
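Review bot: The inline label `# Condition A Fail` on the failure reason `"AuditDisabled is set to True"` disagrees with the header comment added in this same hunk, where Condition A is the admin-center (manual) check and Condition B is the `AuditDisabled` property that `Get-OrganizationConfig` actually returns here. Likewise the `# Condition C Pass` / `# Condition C Fail` labels on the details strings refer to the mailbox-auditing default, which the code does not query separately; it is inferred from the same `$auditNotDisabled` value. I would relabel both as Condition B (`"AuditDisabled is set to True" # Condition B Fail`) and add a line to the header stating that A and C are satisfied only by manual review, so the comment block does not suggest the automated test covers them. The surrounding try block continues past the hunk.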
@@ -11,6 +11,24 @@ function Test-AuditLogSearch { #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "3.1.1" + + <# + Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: Audit log search is enabled in the Microsoft Purview compliance portal. + - Condition B: The audit log retains user and admin activity for 90 days. + - Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days). + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: Audit log search is not enabled in the Microsoft Purview compliance portal. + - Condition B: The audit log does not retain user and admin activity for 90 days. + - Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days). + #> } process { @@ -24,6 +42,7 @@ function Test-AuditLogSearch { # Prepare failure reasons and details based on compliance $failureReasons = if (-not $auditLogResult) { + # Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal "Audit log search is not enabled" } else { @@ -31,6 +50,7 @@ function Test-AuditLogSearch { } $details = if ($auditLogResult) { + # Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal "UnifiedAuditLogIngestionEnabled: True" } else { diff --git a/source/tests/Test-BlockMailForwarding.ps1 b/source/tests/Test-BlockMailForwarding.ps1 index 0ea1c1b..f0633ad 100644 --- a/source/tests/Test-BlockMailForwarding.ps1 +++ b/source/tests/Test-BlockMailForwarding.ps1 
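Review bot: The header comment added in the first hunk lists Conditions B (90-day retention) and C (functional search within 30 days), but the only value the test evaluates is `$auditLogResult`, reported in the details as `UnifiedAuditLogIngestionEnabled: True`; neither retention nor search functionality is exercised in the visible code, and the two later hunks annotate only Condition A. The comment block should say which conditions are automated, e.g. `# Only Condition A is evaluated by this test; Conditions B and C require manual verification.`, so a reader does not take a Pass as evidence of retention. The `$auditLogResult` assignment itself lies outside the hunks.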
@@ -10,6 +10,24 @@ function Test-BlockMailForwarding { #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed $recnum = "6.2.1" + + <# + Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: Transport rules do not forward email to external domains. + - Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains. + - Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: One or more transport rules forward email to external domains. + - Condition B: Anti-spam outbound policy does not disable automatic email forwarding to external domains. + - Condition C: Unapproved exceptions to the forwarding rules are present. + #> } process { @@ -34,6 +52,7 @@ function Test-BlockMailForwarding { $details = @() if ($transportRules.Count -gt 0) { + # Fail Condition A $failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')" $details += "Transport Rules Details:`nRule Name|Redirects To" $details += $transportRules | ForEach-Object { @@ -43,6 +62,7 @@ function Test-BlockMailForwarding { } if ($nonCompliantSpamPoliciesArray.Count -gt 0) { + # Fail Condition B $failureReasons += "Outbound spam policies allowing automatic forwarding found." $details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode" $details += $nonCompliantSpamPoliciesArray | ForEach-Object { diff --git a/source/tests/Test-EnableDKIM.ps1 b/source/tests/Test-EnableDKIM.ps1 index a6662e1..e686dd7 100644 --- a/source/tests/Test-EnableDKIM.ps1 
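Review bot: Condition C in the new header comment (no unapproved exceptions to the forwarding rules) has no counterpart in the process-block hunks, which label only the transport-rule branch (`# Fail Condition A`) and the outbound spam policy branch (`# Fail Condition B`); the header should state that Condition C is not automated rather than leave it implied. The label style `# Fail Condition A` also differs from the `# Condition A (Fail)` form used in Test-AuditLogSearch.ps1 in this same commit; one convention across the test files would make the annotations greppable. The `$transportRules` and `$nonCompliantSpamPoliciesArray` collections are built outside the hunks.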
+++ b/source/tests/Test-EnableDKIM.ps1 
@@ -9,44 +9,61 @@ function Test-EnableDKIM { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed $recnum = "2.1.9" + + <# + Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated) + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: DKIM is enabled for all Exchange Online domains in the Microsoft 365 security center. + - Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for each domain is set to `True`. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: DKIM is not enabled for one or more Exchange Online domains in the Microsoft 365 security center. + - Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for one or more domains is set to `False`. 
+ #> } process { try { - # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains + # 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains - # Retrieve DKIM configuration for all domains - $dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled - $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false - $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain } + # Retrieve DKIM configuration for all domains + $dkimConfig = Get-DkimSigningConfig | Select-Object Domain, Enabled + $dkimResult = ($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false + $dkimFailedDomains = $dkimConfig | Where-Object { -not $_.Enabled } | ForEach-Object { $_.Domain } - # Prepare failure reasons and details based on compliance - $failureReasons = if (-not $dkimResult) { - "DKIM is not enabled for some domains" - } - else { - "N/A" - } + # Prepare failure reasons and details based on compliance + $failureReasons = if (-not $dkimResult) { + "DKIM is not enabled for some domains" # Condition A fail + } + else { + "N/A" + } - $details = if ($dkimResult) { - "All domains have DKIM enabled" - } - else { - "DKIM not enabled for: $($dkimFailedDomains -join ', ')" - } + $details = if ($dkimResult) { + "All domains have DKIM enabled" # Condition A pass + } + else { + "DKIM not enabled for: $($dkimFailedDomains -join ', ')" # Condition B fail + } - # Create and populate the CISAuditResult object - $params = @{ - Rec = $recnum - Result = $dkimResult - Status = if ($dkimResult) { "Pass" } else { "Fail" } - Details = $details - FailureReason = $failureReasons - } - $auditResult = Initialize-CISAuditResult @params + # Create and populate the CISAuditResult object + $params = @{ + Rec = $recnum + Result = $dkimResult + Status = if ($dkimResult) { "Pass" } else { "Fail" } + Details = $details + FailureReason = $failureReasons + } + $auditResult = Initialize-CISAuditResult @params } catch { 
Write-Error "An error occurred during the test: $_" diff --git a/source/tests/Test-IdentifyExternalEmail.ps1 b/source/tests/Test-IdentifyExternalEmail.ps1 index 63bce34..21f96ca 100644 --- a/source/tests/Test-IdentifyExternalEmail.ps1 +++ b/source/tests/Test-IdentifyExternalEmail.ps1 @@ -12,6 +12,22 @@ function Test-IdentifyExternalEmail { # Initialization code, if needed $recnum = "6.2.3" + + # Conditions for 6.2.3 (L1) Ensure email from external senders is identified + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: External tagging is enabled using PowerShell for all identities. + # - Condition B: The BypassAllowList only contains email addresses the organization has permitted to bypass external tagging. + # - Condition C: External sender tag appears in email messages received from external sources. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: External tagging is not enabled using PowerShell for all identities. + # - Condition B: The BypassAllowList contains unauthorized email addresses. + # - Condition C: External sender tag does not appear in email messages received from external sources. } process { @@ -25,12 +41,14 @@ function Test-IdentifyExternalEmail { # Prepare failure reasons and details based on compliance $failureReasons = if (-not $externalTaggingEnabled) { + # Condition A: External tagging is not enabled using PowerShell for all identities. "External sender tagging is disabled" } else { "N/A" } + # Details for external tagging configuration $details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)" # Create and populate the CISAuditResult object 
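Review bot: The header comment says Condition B reads `CnameConfiguration.Enabled`, but the re-indented code selects `Domain, Enabled` from `Get-DkimSigningConfig` and tests `$_.Enabled`; the comment should name the property the code actually reads. The inline labels are also inconsistent: the failure reason is tagged `# Condition A fail` and the details string `# Condition B fail`, yet both derive from the same `$dkimResult` / `$dkimFailedDomains` values, so they describe the same PowerShell check. Separately, `-notcontains $false` evaluates to `$true` on an empty `$dkimConfig`, so a tenant where the cmdlet returns nothing passes vacuously; guarding with `$dkimResult = (@($dkimConfig).Count -gt 0) -and (($dkimConfig | ForEach-Object { $_.Enabled }) -notcontains $false)` would turn that case into an explicit Fail. Most of the hunk is whitespace churn (every line of the try block removed and re-added at a different indent), which hides these small label changes in the diff.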
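Review bot: In Test-IdentifyExternalEmail.ps1 the header comment's Condition B says the `BypassAllowList` should contain only permitted addresses, but the process-block hunk never evaluates it: `$failureReasons` depends solely on `$externalTaggingEnabled`, and `$externalInOutlook.AllowList` is only interpolated into `$details`. The property name in the comment (`BypassAllowList`) also does not match the property the code reads (`AllowList`). I would change the comment to `# - Condition B: The AllowList is reported in Details for manual review; it is not evaluated automatically.` so a Pass is not read as an endorsement of the allow list contents. The `$externalInOutlook` lookup sits outside the hunk.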
diff --git a/source/tests/Test-MailTipsEnabled.ps1 b/source/tests/Test-MailTipsEnabled.ps1 index 2ccf106..4869fe8 100644 --- a/source/tests/Test-MailTipsEnabled.ps1 +++ b/source/tests/Test-MailTipsEnabled.ps1 @@ -13,6 +13,24 @@ function Test-MailTipsEnabled { $auditResult = [CISAuditResult]::new() $recnum = "6.5.2" + + # Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: MailTipsAllTipsEnabled is set to True. + # - Condition B: MailTipsExternalRecipientsTipsEnabled is set to True. + # - Condition C: MailTipsGroupMetricsEnabled is set to True. + # - Condition D: MailTipsLargeAudienceThreshold is set to an acceptable value (default is 25). + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: MailTipsAllTipsEnabled is not set to True. + # - Condition B: MailTipsExternalRecipientsTipsEnabled is not set to True. + # - Condition C: MailTipsGroupMetricsEnabled is not set to True. + # - Condition D: MailTipsLargeAudienceThreshold is not set to an acceptable value (default is 25). } process { @@ -21,6 +39,8 @@ function Test-MailTipsEnabled { # Retrieve organization configuration for MailTips settings $orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold + + # Check the MailTips settings (Conditions A, B, C, D) $allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25 $externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled 
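Review bot: Condition D in the new header comment says `MailTipsLargeAudienceThreshold` should be "an acceptable value (default is 25)", but the line annotated `# Check the MailTips settings (Conditions A, B, C, D)` requires `-eq 25` exactly, so a tenant with a different threshold fails while the comment implies it may be acceptable. Either the comment should read `# - Condition D: MailTipsLargeAudienceThreshold is set to 25.` or the comparison should express whatever range the benchmark accepts. The combined comment on `$allTipsEnabled` also hides that Condition B (`MailTipsExternalRecipientsTipsEnabled`) is evaluated separately on the following line; labelling each assignment with its own condition would be clearer.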
diff --git a/source/tests/Test-MailboxAuditingE3.ps1 b/source/tests/Test-MailboxAuditingE3.ps1 index ca9efcd..010b049 100644 --- a/source/tests/Test-MailboxAuditingE3.ps1 +++ b/source/tests/Test-MailboxAuditingE3.ps1 
@@ -6,6 +6,26 @@ function Test-MailboxAuditingE3 { ) begin { + <# + Conditions for 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: Mailbox audit logging is enabled for all user mailboxes. + - Condition B: The `AuditAdmin` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`. + - Condition C: The `AuditDelegate` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`. + - Condition D: The `AuditOwner` actions include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: Mailbox audit logging is not enabled for all user mailboxes. + - Condition B: The `AuditAdmin` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`. + - Condition C: The `AuditDelegate` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`. + - Condition D: The `AuditOwner` actions do not include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`. 
+ #> + # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 @@ -39,12 +59,15 @@ function Test-MailboxAuditingE3 { $missingActions = @() if ($mailbox.AuditEnabled) { foreach ($action in $AdminActions) { + # Condition B: Checking if the `AuditAdmin` actions include required actions if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } } foreach ($action in $DelegateActions) { + # Condition C: Checking if the `AuditDelegate` actions include required actions if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } } foreach ($action in $OwnerActions) { + # Condition D: Checking if the `AuditOwner` actions include required actions if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } } @@ -54,6 +77,7 @@ function Test-MailboxAuditingE3 { } } else { + # Condition A: Checking if mailbox audit logging is enabled $allFailures += "$userUPN|False|||" } diff --git a/source/tests/Test-MailboxAuditingE5.ps1 b/source/tests/Test-MailboxAuditingE5.ps1 index b21f6a2..f5c3891 100644 --- a/source/tests/Test-MailboxAuditingE5.ps1 +++ b/source/tests/Test-MailboxAuditingE5.ps1 
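Review bot: In the last hunk the comment `# Condition A: Checking if mailbox audit logging is enabled` sits in the `else` branch, after `$mailbox.AuditEnabled` has already been tested (the `if` is in the middle hunk), so it documents the failing branch rather than the check; `# Condition A (Fail): mailbox audit logging is disabled for this user` matches the other annotations better. In the middle hunk the `# Condition B/C/D` comments are inside each `foreach` body, whereas Test-MailboxAuditingE5.ps1 in this same commit places the equivalent `# Validate ... actions` comment above the loop; one placement across the two files would help. The header block's action lists should also be checked against the `$AdminActions`, `$DelegateActions` and `$OwnerActions` arrays, which are defined outside these hunks.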
@@ -9,6 +9,24 @@ function Test-MailboxAuditingE5 { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Conditions for 6.1.3 (L1) Ensure mailbox auditing for E5 users is Enabled + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Mailbox auditing is enabled for E5 users. + # - Condition B: AuditAdmin actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules. + # - Condition C: AuditDelegate actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules. + # - Condition D: AuditOwner actions include ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: Mailbox auditing is not enabled for E5 users. + # - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules. + # - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules. 
+ # - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules. + $e5SkuPartNumbers = @("SPE_E5", "ENTERPRISEPREMIUM", "OFFICEE5") $AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules") $DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules") @@ -38,14 +56,17 @@ function Test-MailboxAuditingE5 { $missingActions = @() if ($mailbox.AuditEnabled) { + # Validate Admin actions foreach ($action in $AdminActions) { - if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } + if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } # Condition B } + # Validate Delegate actions foreach ($action in $DelegateActions) { - if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } + if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } # Condition C } + # Validate Owner actions foreach ($action in $OwnerActions) { - if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } + if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } # Condition D } if ($missingActions.Count -gt 0) { 
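Review bot: The required action lists in the new header comment do not match the arrays the code iterates: Condition B omits `Copy`, `FolderBind` and `Move`, which are present in `$AdminActions` in this same hunk, and `$DelegateActions` likewise contains `FolderBind` and `Move` that Condition C does not mention. Since the loops report any action missing from these arrays, the comment understates what will fail; either trim the arrays to the benchmark list or make the comment defer to them (`# The authoritative per-role action lists are $AdminActions, $DelegateActions and $OwnerActions below.`). In the final hunk the `# Condition A for pass` / `# Condition A for fail` labels on the details strings are also misleading, because `$allFailures` aggregates Conditions A through D. `$OwnerActions` is defined past the end of the hunk.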
@@ -65,10 +86,10 @@ function Test-MailboxAuditingE5 { # Prepare failure reasons and details based on compliance $failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." } $details = if ($allFailures.Count -eq 0) { - "All Office E5 users have correct mailbox audit settings." + "All Office E5 users have correct mailbox audit settings." # Condition A for pass } else { - "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") + "UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") # Condition A for fail } # Populate the audit result diff --git a/source/tests/Test-ModernAuthExchangeOnline.ps1 b/source/tests/Test-ModernAuthExchangeOnline.ps1 index 8735fa4..e856abf 100644 --- a/source/tests/Test-ModernAuthExchangeOnline.ps1 +++ b/source/tests/Test-ModernAuthExchangeOnline.ps1 
@@ -9,7 +9,23 @@ function Test-ModernAuthExchangeOnline { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 - # Initialization code, if needed + + # Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Modern authentication for Exchange Online is enabled. + # - Condition B: Exchange Online clients use modern authentication to log in to Microsoft 365 mailboxes. + # - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are no longer able to authenticate to Exchange using Basic Authentication. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: Modern authentication for Exchange Online is not enabled. + # - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes. + # - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication. + $recnum = "6.5.1" } @@ -18,6 +34,8 @@ function Test-ModernAuthExchangeOnline { # Ensuring the ExchangeOnlineManagement module is available # 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled + + # Check modern authentication setting in Exchange Online configuration (Condition A and B) $orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled # Prepare failure reasons and details based on compliance 
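Review bot: The comment `# Check modern authentication setting in Exchange Online configuration (Condition A and B)` overstates what `OAuth2ClientProfileEnabled` shows: the flag reports whether modern authentication is enabled (Condition A), not whether clients are in fact using it (B) or whether older clients can still authenticate with Basic Authentication (C), which as far as I can tell depends on separate settings. Labelling the `Get-OrganizationConfig` line as Condition A only, and noting in the header block that B and C are manual, would keep the documentation honest; the same `(Condition A and B)` label is repeated on the `$details` line in the following hunk. The failure-reason block between the two hunks is outside the visible lines.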
@@ -28,6 +46,7 @@ function Test-ModernAuthExchangeOnline { "N/A" } + # Details include the current setting (Condition A and B) $details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)" # Create and populate the CISAuditResult object diff --git a/source/tests/Test-NoWhitelistDomains.ps1 b/source/tests/Test-NoWhitelistDomains.ps1 index d51fdc1..b9c6d0b 100644 --- a/source/tests/Test-NoWhitelistDomains.ps1 +++ b/source/tests/Test-NoWhitelistDomains.ps1 @@ -9,8 +9,27 @@ function Test-NoWhitelistDomains { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed $recnum = "6.2.2" + + <# + Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated) + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: No mail transport rules whitelist any specific domains. + - Condition B: Verification of mail transport rules using PowerShell shows no domains are whitelisted. + - Condition C: Manual review in Exchange Online admin center confirms no whitelisted domains in transport rules. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: One or more mail transport rules whitelist specific domains. + - Condition B: Verification of mail transport rules using PowerShell shows one or more domains are whitelisted. + - Condition C: Manual review in Exchange Online admin center shows whitelisted domains in transport rules. + #> } process { 
@@ -18,9 +37,11 @@ function Test-NoWhitelistDomains { # 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains # Retrieve transport rules that whitelist specific domains + # Condition A: Checking for transport rules that whitelist specific domains $whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs } # Prepare failure reasons and details based on compliance + # Condition B: Prepare failure reasons based on the presence of whitelisted rules $failureReasons = if ($whitelistedRules) { "There are transport rules whitelisting specific domains." } @@ -28,6 +49,7 @@ function Test-NoWhitelistDomains { "N/A" } + # Condition C: Prepare details about the whitelisted rules if found $details = if ($whitelistedRules) { $ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') } "Whitelisted Rules: $($ruleDetails -join '; ')" diff --git a/source/tests/Test-PasswordHashSync.ps1 b/source/tests/Test-PasswordHashSync.ps1 index 83e6d9d..1d8362e 100644 --- a/source/tests/Test-PasswordHashSync.ps1 +++ b/source/tests/Test-PasswordHashSync.ps1 
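Review bot: The inline labels in the process-block hunks contradict the header comment added in the previous hunk: the `Get-TransportRule` filter is labelled `# Condition A`, the failure reasons `# Condition B` and the details `# Condition C`, but in the header Condition B is the PowerShell verification (which the filter line is) and Condition C is a manual review in the Exchange admin center that this code cannot perform. All three annotated statements derive from the single `$whitelistedRules` value, so they should share one label, e.g. `# Condition B: transport rules with SetSCL -1 and a SenderDomainIs predicate (PowerShell check)`, with A and C marked as manual in the header.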
@@ -7,6 +7,22 @@ function Test-PasswordHashSync { ) begin { + # Conditions for 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Password hash sync is enabled in the Azure AD Connect tool on the on-premises server. + # - Condition B: Password hash sync is verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center. + # - Condition C: Using Microsoft Graph PowerShell, the verification command returns the expected result indicating that password sync is enabled for the on-premises AD. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: Password hash sync is not enabled in the Azure AD Connect tool on the on-premises server. + # - Condition B: Password hash sync is not verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center. + # - Condition C: Using Microsoft Graph PowerShell, the verification command returns no result indicating that password sync is not enabled for the on-premises AD. + # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 # Initialization code, if needed @@ -16,9 +32,8 @@ function Test-PasswordHashSync { process { try { # 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments - # Pass if OnPremisesSyncEnabled is True. Fail otherwise. - # Retrieve password hash sync status + # Retrieve password hash sync status (Condition A and C) $passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled $hashSyncResult = $passwordHashSync 
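Review bot: The replacement comment `# Retrieve password hash sync status (Condition A and C)` attaches Condition A, the Azure AD Connect state on the on-premises server, to a `Get-MgOrganization` call that can only observe the tenant side, so at most Condition C applies. The hunk also removes `# Pass if OnPremisesSyncEnabled is True. Fail otherwise.`, the one line that stated the pass criterion; I would keep it alongside the new label. `OnPremisesSyncEnabled` reads as a directory-synchronization flag rather than a password-hash-sync-specific one; if the benchmark's Graph verification names a different property, confirm this is the intended source before labelling it Condition C. The result handling continues past the hunk.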
diff --git a/source/tests/Test-RestrictOutlookAddins.ps1 b/source/tests/Test-RestrictOutlookAddins.ps1 index 39f1ae6..6b6eb20 100644 --- a/source/tests/Test-RestrictOutlookAddins.ps1 +++ b/source/tests/Test-RestrictOutlookAddins.ps1 @@ -9,11 +9,26 @@ function Test-RestrictOutlookAddins { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code $customPolicyFailures = @() $defaultPolicyFailureDetails = @() $relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps') $recnum = "6.3.1" + + # Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed + # + # Validate test for a pass: + # - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + # - Specific conditions to check: + # - Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles. + # - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users. + # + # Validate test for a fail: + # - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + # - Specific conditions to check: + # - Condition A: One or more of the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are checked under Other roles. + # - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are assigned to users. } process { 
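Review bot: The header comment names the roles as `MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps`, while `$relevantRoles` in the same hunk holds `'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps'`, and the later hunks match with `-in $relevantRoles`, an exact string comparison; the comment should use the same strings the code matches so a reader verifying the list does not look for the wrong names. The Condition A/B split in the later hunks (default policy as A, custom policies as B) also does not follow the header, where A is the admin-center "Other roles" view and B is the PowerShell check, since both code paths are PowerShell checks. Suggested header line: `# - Condition B: Using PowerShell, none of 'My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps' is assigned by the default or any custom role assignment policy.`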
@@ -28,6 +43,8 @@ function Test-RestrictOutlookAddins { if ($policy.RoleAssignmentPolicy) { $rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy $foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles } + + # Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users. if ($foundRoles) { $customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')" } @@ -38,6 +55,8 @@ function Test-RestrictOutlookAddins { # Check Default Role Assignment Policy $defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy" $defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles } + + # Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles. if ($defaultPolicyRoles) { $defaultPolicyFailureDetails = $defaultPolicyRoles } diff --git a/source/tests/Test-RestrictTenantCreation.ps1 b/source/tests/Test-RestrictTenantCreation.ps1 index ede53c4..6d3c314 100644 --- a/source/tests/Test-RestrictTenantCreation.ps1 +++ b/source/tests/Test-RestrictTenantCreation.ps1 
@@ -9,8 +9,25 @@ function Test-RestrictTenantCreation { begin { # Dot source the class script if necessary #. .\source\Classes\CISAuditResult.ps1 + # Initialization code, if needed $recnum = "5.1.2.3" + + <# + Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes' + + Validate test for a pass: + - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark. + - Specific conditions to check: + - Condition A: Restrict non-admin users from creating tenants is set to 'Yes' in the Azure AD and Entra administration portal. + - Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is set to 'Yes'. + + Validate test for a fail: + - Confirm that the failure conditions in the automated test are consistent with the manual audit results. + - Specific conditions to check: + - Condition A: Restrict non-admin users from creating tenants is not set to 'Yes' in the Azure AD and Entra administration portal. + - Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is not set to 'Yes'. + #> } process { @@ -60,5 +77,3 @@ function Test-RestrictTenantCreation { return $auditResult } } - -# Additional helper functions (if any)