docs: Comment conditions on each test
This commit is contained in:
DrIOS
@@ -12,15 +12,31 @@ function Test-AntiPhishingPolicy {
|
||||
# Initialization code, if needed
|
||||
#$auditResults = @()
|
||||
$recnum = "2.1.7"
|
||||
|
||||
<#
|
||||
Conditions for 2.1.7 (L1) Ensure that an anti-phishing policy has been created
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Verify that an anti-phishing policy exists in the Microsoft 365 Security Center.
|
||||
- Condition B: Using PowerShell, ensure the anti-phishing policy is configured with appropriate settings such as enabling impersonation protection and spoof intelligence.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: No anti-phishing policy exists in the Microsoft 365 Security Center.
|
||||
- Condition B: Using PowerShell, the anti-phishing policy is not configured with the required settings.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
try {
|
||||
# 2.1.7 Ensure that an anti-phishing policy has been created
|
||||
|
||||
# Retrieve and validate the anti-phishing policies
|
||||
# Condition A: Ensure that an anti-phishing policy has been created
|
||||
$antiPhishPolicies = Get-AntiPhishPolicy
|
||||
|
||||
# Condition B: Verify the anti-phishing policy settings using PowerShell
|
||||
$validatedPolicies = $antiPhishPolicies | Where-Object {
|
||||
$_.Enabled -eq $true -and
|
||||
$_.PhishThresholdLevel -ge 2 -and
|
||||
|
||||
@@ -9,32 +9,48 @@ function Test-AuditDisabledFalse {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Conditions for 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AuditDisabled` organizational setting is set to `False` in the Microsoft 365 admin center.
|
||||
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `False`.
|
||||
# - Condition C: Ensure mailbox auditing is enabled by default at the organizational level.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: The `AuditDisabled` organizational setting is set to `True` in the Microsoft 365 admin center.
|
||||
# - Condition B: Using PowerShell, the `AuditDisabled` property in the organization's configuration is set to `True`.
|
||||
# - Condition C: Mailbox auditing is not enabled by default at the organizational level.
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "6.1.1"
|
||||
}
|
||||
|
||||
process {
|
||||
|
||||
try {
|
||||
# 6.1.1 (L1) Ensure 'AuditDisabled' organizationally is set to 'False'
|
||||
|
||||
# Retrieve the AuditDisabled configuration
|
||||
# Retrieve the AuditDisabled configuration (Condition B)
|
||||
$auditDisabledConfig = Get-OrganizationConfig | Select-Object AuditDisabled
|
||||
$auditNotDisabled = -not $auditDisabledConfig.AuditDisabled
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $auditNotDisabled) {
|
||||
"AuditDisabled is set to True"
|
||||
"AuditDisabled is set to True" # Condition A Fail
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = if ($auditNotDisabled) {
|
||||
"Audit is not disabled organizationally"
|
||||
"Audit is not disabled organizationally" # Condition C Pass
|
||||
}
|
||||
else {
|
||||
"Audit is disabled organizationally"
|
||||
"Audit is disabled organizationally" # Condition C Fail
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -11,6 +11,24 @@ function Test-AuditLogSearch {
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
$recnum = "3.1.1"
|
||||
|
||||
<#
|
||||
Conditions for 3.1.1 (L1) Ensure Microsoft 365 audit log search is Enabled
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Audit log search is enabled in the Microsoft Purview compliance portal.
|
||||
- Condition B: The audit log retains user and admin activity for 90 days.
|
||||
- Condition C: Audit log search capabilities are functional (search results are displayed for activities within the past 30 days).
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Audit log search is not enabled in the Microsoft Purview compliance portal.
|
||||
- Condition B: The audit log does not retain user and admin activity for 90 days.
|
||||
- Condition C: Audit log search capabilities are non-functional (no search results are displayed for activities within the past 30 days).
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -24,6 +42,7 @@ function Test-AuditLogSearch {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $auditLogResult) {
|
||||
# Condition A (Fail): Audit log search is not enabled in the Microsoft Purview compliance portal
|
||||
"Audit log search is not enabled"
|
||||
}
|
||||
else {
|
||||
@@ -31,6 +50,7 @@ function Test-AuditLogSearch {
|
||||
}
|
||||
|
||||
$details = if ($auditLogResult) {
|
||||
# Condition A (Pass): Audit log search is enabled in the Microsoft Purview compliance portal
|
||||
"UnifiedAuditLogIngestionEnabled: True"
|
||||
}
|
||||
else {
|
||||
|
||||
@@ -10,6 +10,24 @@ function Test-BlockMailForwarding {
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
$recnum = "6.2.1"
|
||||
|
||||
<#
|
||||
Conditions for 6.2.1 (L1) Ensure all forms of mail forwarding are blocked and/or disabled
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Transport rules do not forward email to external domains.
|
||||
- Condition B: Anti-spam outbound policy is configured to disable automatic email forwarding to external domains.
|
||||
- Condition C: No exceptions to the forwarding rules unless explicitly defined by organizational policy.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: One or more transport rules forward email to external domains.
|
||||
- Condition B: Anti-spam outbound policy does not disable automatic email forwarding to external domains.
|
||||
- Condition C: Unapproved exceptions to the forwarding rules are present.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -34,6 +52,7 @@ function Test-BlockMailForwarding {
|
||||
$details = @()
|
||||
|
||||
if ($transportRules.Count -gt 0) {
|
||||
# Fail Condition A
|
||||
$failureReasons += "Mail forwarding rules found: $($transportRules.Name -join ', ')"
|
||||
$details += "Transport Rules Details:`nRule Name|Redirects To"
|
||||
$details += $transportRules | ForEach-Object {
|
||||
@@ -43,6 +62,7 @@ function Test-BlockMailForwarding {
|
||||
}
|
||||
|
||||
if ($nonCompliantSpamPoliciesArray.Count -gt 0) {
|
||||
# Fail Condition B
|
||||
$failureReasons += "Outbound spam policies allowing automatic forwarding found."
|
||||
$details += "Outbound Spam Policies Details:`nPolicy|AutoForwardingMode"
|
||||
$details += $nonCompliantSpamPoliciesArray | ForEach-Object {
|
||||
|
||||
@@ -9,8 +9,25 @@ function Test-EnableDKIM {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "2.1.9"
|
||||
|
||||
<#
|
||||
Conditions for 2.1.9 (L1) Ensure DKIM is enabled for all Exchange Online Domains (Automated)
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: DKIM is enabled for all Exchange Online domains in the Microsoft 365 security center.
|
||||
- Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for each domain is set to `True`.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: DKIM is not enabled for one or more Exchange Online domains in the Microsoft 365 security center.
|
||||
- Condition B: Using the Exchange Online PowerShell Module, the `CnameConfiguration.Enabled` property for one or more domains is set to `False`.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -25,17 +42,17 @@ function Test-EnableDKIM {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $dkimResult) {
|
||||
"DKIM is not enabled for some domains"
|
||||
"DKIM is not enabled for some domains" # Condition A fail
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
$details = if ($dkimResult) {
|
||||
"All domains have DKIM enabled"
|
||||
"All domains have DKIM enabled" # Condition A pass
|
||||
}
|
||||
else {
|
||||
"DKIM not enabled for: $($dkimFailedDomains -join ', ')"
|
||||
"DKIM not enabled for: $($dkimFailedDomains -join ', ')" # Condition B fail
|
||||
}
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -12,6 +12,22 @@ function Test-IdentifyExternalEmail {
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "6.2.3"
|
||||
|
||||
# Conditions for 6.2.3 (L1) Ensure email from external senders is identified
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: External tagging is enabled using PowerShell for all identities.
|
||||
# - Condition B: The BypassAllowList only contains email addresses the organization has permitted to bypass external tagging.
|
||||
# - Condition C: External sender tag appears in email messages received from external sources.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: External tagging is not enabled using PowerShell for all identities.
|
||||
# - Condition B: The BypassAllowList contains unauthorized email addresses.
|
||||
# - Condition C: External sender tag does not appear in email messages received from external sources.
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -25,12 +41,14 @@ function Test-IdentifyExternalEmail {
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if (-not $externalTaggingEnabled) {
|
||||
# Condition A: External tagging is not enabled using PowerShell for all identities.
|
||||
"External sender tagging is disabled"
|
||||
}
|
||||
else {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Details for external tagging configuration
|
||||
$details = "Enabled: $($externalTaggingEnabled); AllowList: $($externalInOutlook.AllowList)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -13,6 +13,24 @@ function Test-MailTipsEnabled {
|
||||
|
||||
$auditResult = [CISAuditResult]::new()
|
||||
$recnum = "6.5.2"
|
||||
|
||||
# Conditions for 6.5.2 (L2) Ensure MailTips are enabled for end users
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: MailTipsAllTipsEnabled is set to True.
|
||||
# - Condition B: MailTipsExternalRecipientsTipsEnabled is set to True.
|
||||
# - Condition C: MailTipsGroupMetricsEnabled is set to True.
|
||||
# - Condition D: MailTipsLargeAudienceThreshold is set to an acceptable value (default is 25).
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: MailTipsAllTipsEnabled is not set to True.
|
||||
# - Condition B: MailTipsExternalRecipientsTipsEnabled is not set to True.
|
||||
# - Condition C: MailTipsGroupMetricsEnabled is not set to True.
|
||||
# - Condition D: MailTipsLargeAudienceThreshold is not set to an acceptable value (default is 25).
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -21,6 +39,8 @@ function Test-MailTipsEnabled {
|
||||
|
||||
# Retrieve organization configuration for MailTips settings
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object MailTipsAllTipsEnabled, MailTipsExternalRecipientsTipsEnabled, MailTipsGroupMetricsEnabled, MailTipsLargeAudienceThreshold
|
||||
|
||||
# Check the MailTips settings (Conditions A, B, C, D)
|
||||
$allTipsEnabled = $orgConfig.MailTipsAllTipsEnabled -and $orgConfig.MailTipsGroupMetricsEnabled -and $orgConfig.MailTipsLargeAudienceThreshold -eq 25
|
||||
$externalRecipientsTipsEnabled = $orgConfig.MailTipsExternalRecipientsTipsEnabled
|
||||
|
||||
|
||||
@@ -6,6 +6,26 @@ function Test-MailboxAuditingE3 {
|
||||
)
|
||||
|
||||
begin {
|
||||
<#
|
||||
Conditions for 6.1.2 (L1) Ensure mailbox auditing for E3 users is Enabled
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Mailbox audit logging is enabled for all user mailboxes.
|
||||
- Condition B: The `AuditAdmin` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
- Condition C: The `AuditDelegate` actions include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
- Condition D: The `AuditOwner` actions include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Mailbox audit logging is not enabled for all user mailboxes.
|
||||
- Condition B: The `AuditAdmin` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
- Condition C: The `AuditDelegate` actions do not include `ApplyRecord`, `Create`, `HardDelete`, `MoveToDeletedItems`, `SendAs`, `SendOnBehalf`, `SoftDelete`, `Update`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
- Condition D: The `AuditOwner` actions do not include `ApplyRecord`, `HardDelete`, `MoveToDeletedItems`, `SoftDelete`, `Update`, `UpdateCalendarDelegation`, `UpdateFolderPermissions`, and `UpdateInboxRules`.
|
||||
#>
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
@@ -39,12 +59,15 @@ function Test-MailboxAuditingE3 {
|
||||
$missingActions = @()
|
||||
if ($mailbox.AuditEnabled) {
|
||||
foreach ($action in $AdminActions) {
|
||||
# Condition B: Checking if the `AuditAdmin` actions include required actions
|
||||
if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" }
|
||||
}
|
||||
foreach ($action in $DelegateActions) {
|
||||
# Condition C: Checking if the `AuditDelegate` actions include required actions
|
||||
if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" }
|
||||
}
|
||||
foreach ($action in $OwnerActions) {
|
||||
# Condition D: Checking if the `AuditOwner` actions include required actions
|
||||
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
|
||||
}
|
||||
|
||||
@@ -54,6 +77,7 @@ function Test-MailboxAuditingE3 {
|
||||
}
|
||||
}
|
||||
else {
|
||||
# Condition A: Checking if mailbox audit logging is enabled
|
||||
$allFailures += "$userUPN|False|||"
|
||||
}
|
||||
|
||||
|
||||
@@ -9,6 +9,24 @@ function Test-MailboxAuditingE5 {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Conditions for 6.1.3 (L1) Ensure mailbox auditing for E5 users is Enabled
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Mailbox auditing is enabled for E5 users.
|
||||
# - Condition B: AuditAdmin actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
|
||||
# - Condition C: AuditDelegate actions include ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
|
||||
# - Condition D: AuditOwner actions include ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Mailbox auditing is not enabled for E5 users.
|
||||
# - Condition B: AuditAdmin actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
|
||||
# - Condition C: AuditDelegate actions do not include all of the following: ApplyRecord, Create, HardDelete, MailItemsAccessed, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules.
|
||||
# - Condition D: AuditOwner actions do not include all of the following: ApplyRecord, HardDelete, MailItemsAccessed, MoveToDeletedItems, Send, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules.
|
||||
|
||||
$e5SkuPartNumbers = @("SPE_E5", "ENTERPRISEPREMIUM", "OFFICEE5")
|
||||
$AdminActions = @("ApplyRecord", "Copy", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "Send", "SoftDelete", "Update", "UpdateCalendarDelegation", "UpdateFolderPermissions", "UpdateInboxRules")
|
||||
$DelegateActions = @("ApplyRecord", "Create", "FolderBind", "HardDelete", "MailItemsAccessed", "Move", "MoveToDeletedItems", "SendAs", "SendOnBehalf", "SoftDelete", "Update", "UpdateFolderPermissions", "UpdateInboxRules")
|
||||
@@ -38,14 +56,17 @@ function Test-MailboxAuditingE5 {
|
||||
|
||||
$missingActions = @()
|
||||
if ($mailbox.AuditEnabled) {
|
||||
# Validate Admin actions
|
||||
foreach ($action in $AdminActions) {
|
||||
if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" }
|
||||
if ($mailbox.AuditAdmin -notcontains $action) { $missingActions += "Admin action '$action' missing" } # Condition B
|
||||
}
|
||||
# Validate Delegate actions
|
||||
foreach ($action in $DelegateActions) {
|
||||
if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" }
|
||||
if ($mailbox.AuditDelegate -notcontains $action) { $missingActions += "Delegate action '$action' missing" } # Condition C
|
||||
}
|
||||
# Validate Owner actions
|
||||
foreach ($action in $OwnerActions) {
|
||||
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" }
|
||||
if ($mailbox.AuditOwner -notcontains $action) { $missingActions += "Owner action '$action' missing" } # Condition D
|
||||
}
|
||||
|
||||
if ($missingActions.Count -gt 0) {
|
||||
@@ -65,10 +86,10 @@ function Test-MailboxAuditingE5 {
|
||||
# Prepare failure reasons and details based on compliance
|
||||
$failureReasons = if ($allFailures.Count -eq 0) { "N/A" } else { "Audit issues detected." }
|
||||
$details = if ($allFailures.Count -eq 0) {
|
||||
"All Office E5 users have correct mailbox audit settings."
|
||||
"All Office E5 users have correct mailbox audit settings." # Condition A for pass
|
||||
}
|
||||
else {
|
||||
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n")
|
||||
"UserPrincipalName|AuditEnabled|AdminActionsMissing|DelegateActionsMissing|OwnerActionsMissing`n" + ($allFailures -join "`n") # Condition A for fail
|
||||
}
|
||||
|
||||
# Populate the audit result
|
||||
|
||||
@@ -9,7 +9,23 @@ function Test-ModernAuthExchangeOnline {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
|
||||
# Conditions for 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Modern authentication for Exchange Online is enabled.
|
||||
# - Condition B: Exchange Online clients use modern authentication to log in to Microsoft 365 mailboxes.
|
||||
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are no longer able to authenticate to Exchange using Basic Authentication.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Modern authentication for Exchange Online is not enabled.
|
||||
# - Condition B: Exchange Online clients do not use modern authentication to log in to Microsoft 365 mailboxes.
|
||||
# - Condition C: Users of older email clients, such as Outlook 2013 and Outlook 2016, are still able to authenticate to Exchange using Basic Authentication.
|
||||
|
||||
$recnum = "6.5.1"
|
||||
}
|
||||
|
||||
@@ -18,6 +34,8 @@ function Test-ModernAuthExchangeOnline {
|
||||
# Ensuring the ExchangeOnlineManagement module is available
|
||||
|
||||
# 6.5.1 (L1) Ensure modern authentication for Exchange Online is enabled
|
||||
|
||||
# Check modern authentication setting in Exchange Online configuration (Condition A and B)
|
||||
$orgConfig = Get-OrganizationConfig | Select-Object -Property Name, OAuth2ClientProfileEnabled
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
@@ -28,6 +46,7 @@ function Test-ModernAuthExchangeOnline {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Details include the current setting (Condition A and B)
|
||||
$details = "OAuth2ClientProfileEnabled: $($orgConfig.OAuth2ClientProfileEnabled) for Organization: $($orgConfig.Name)"
|
||||
|
||||
# Create and populate the CISAuditResult object
|
||||
|
||||
@@ -9,8 +9,27 @@ function Test-NoWhitelistDomains {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "6.2.2"
|
||||
|
||||
<#
|
||||
Conditions for 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains (Automated)
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: No mail transport rules whitelist any specific domains.
|
||||
- Condition B: Verification of mail transport rules using PowerShell shows no domains are whitelisted.
|
||||
- Condition C: Manual review in Exchange Online admin center confirms no whitelisted domains in transport rules.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: One or more mail transport rules whitelist specific domains.
|
||||
- Condition B: Verification of mail transport rules using PowerShell shows one or more domains are whitelisted.
|
||||
- Condition C: Manual review in Exchange Online admin center shows whitelisted domains in transport rules.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -18,9 +37,11 @@ function Test-NoWhitelistDomains {
|
||||
# 6.2.2 (L1) Ensure mail transport rules do not whitelist specific domains
|
||||
|
||||
# Retrieve transport rules that whitelist specific domains
|
||||
# Condition A: Checking for transport rules that whitelist specific domains
|
||||
$whitelistedRules = Get-TransportRule | Where-Object { $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs }
|
||||
|
||||
# Prepare failure reasons and details based on compliance
|
||||
# Condition B: Prepare failure reasons based on the presence of whitelisted rules
|
||||
$failureReasons = if ($whitelistedRules) {
|
||||
"There are transport rules whitelisting specific domains."
|
||||
}
|
||||
@@ -28,6 +49,7 @@ function Test-NoWhitelistDomains {
|
||||
"N/A"
|
||||
}
|
||||
|
||||
# Condition C: Prepare details about the whitelisted rules if found
|
||||
$details = if ($whitelistedRules) {
|
||||
$ruleDetails = $whitelistedRules | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.SenderDomainIs -join ', ') }
|
||||
"Whitelisted Rules: $($ruleDetails -join '; ')"
|
||||
|
||||
@@ -7,6 +7,22 @@ function Test-PasswordHashSync {
|
||||
)
|
||||
|
||||
begin {
|
||||
# Conditions for 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Password hash sync is enabled in the Azure AD Connect tool on the on-premises server.
|
||||
# - Condition B: Password hash sync is verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
|
||||
# - Condition C: Using Microsoft Graph PowerShell, the verification command returns the expected result indicating that password sync is enabled for the on-premises AD.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Password hash sync is not enabled in the Azure AD Connect tool on the on-premises server.
|
||||
# - Condition B: Password hash sync is not verified as enabled in the Azure AD Connect Sync section in the Microsoft Entra admin center.
|
||||
# - Condition C: Using Microsoft Graph PowerShell, the verification command returns no result indicating that password sync is not enabled for the on-premises AD.
|
||||
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
# Initialization code, if needed
|
||||
@@ -16,9 +32,8 @@ function Test-PasswordHashSync {
|
||||
process {
|
||||
try {
|
||||
# 5.1.8.1 (L1) Ensure password hash sync is enabled for hybrid deployments
|
||||
# Pass if OnPremisesSyncEnabled is True. Fail otherwise.
|
||||
|
||||
# Retrieve password hash sync status
|
||||
# Retrieve password hash sync status (Condition A and C)
|
||||
$passwordHashSync = Get-MgOrganization | Select-Object -ExpandProperty OnPremisesSyncEnabled
|
||||
$hashSyncResult = $passwordHashSync
|
||||
|
||||
|
||||
@@ -9,11 +9,26 @@ function Test-RestrictOutlookAddins {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code
|
||||
$customPolicyFailures = @()
|
||||
$defaultPolicyFailureDetails = @()
|
||||
$relevantRoles = @('My Custom Apps', 'My Marketplace Apps', 'My ReadWriteMailbox Apps')
|
||||
$recnum = "6.3.1"
|
||||
|
||||
# Conditions for 6.3.1 (L2) Ensure users installing Outlook add-ins is not allowed
|
||||
#
|
||||
# Validate test for a pass:
|
||||
# - Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
|
||||
# - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
|
||||
#
|
||||
# Validate test for a fail:
|
||||
# - Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
# - Specific conditions to check:
|
||||
# - Condition A: One or more of the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are checked under Other roles.
|
||||
# - Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are assigned to users.
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -28,6 +43,8 @@ function Test-RestrictOutlookAddins {
|
||||
if ($policy.RoleAssignmentPolicy) {
|
||||
$rolePolicyDetails = Get-RoleAssignmentPolicy -Identity $policy.RoleAssignmentPolicy
|
||||
$foundRoles = $rolePolicyDetails.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition B: Using PowerShell, verify that MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are not assigned to users.
|
||||
if ($foundRoles) {
|
||||
$customPolicyFailures += "Policy: $($policy.RoleAssignmentPolicy): Roles: $($foundRoles -join ', ')"
|
||||
}
|
||||
@@ -38,6 +55,8 @@ function Test-RestrictOutlookAddins {
|
||||
# Check Default Role Assignment Policy
|
||||
$defaultPolicy = Get-RoleAssignmentPolicy "Default Role Assignment Policy"
|
||||
$defaultPolicyRoles = $defaultPolicy.AssignedRoles | Where-Object { $_ -in $relevantRoles }
|
||||
|
||||
# Condition A: Verify that the roles MyCustomApps, MyMarketplaceApps, and MyReadWriteMailboxApps are unchecked under Other roles.
|
||||
if ($defaultPolicyRoles) {
|
||||
$defaultPolicyFailureDetails = $defaultPolicyRoles
|
||||
}
|
||||
|
||||
@@ -9,8 +9,25 @@ function Test-RestrictTenantCreation {
|
||||
begin {
|
||||
# Dot source the class script if necessary
|
||||
#. .\source\Classes\CISAuditResult.ps1
|
||||
|
||||
# Initialization code, if needed
|
||||
$recnum = "5.1.2.3"
|
||||
|
||||
<#
|
||||
Conditions for 5.1.2.3 (L1) Ensure 'Restrict non-admin users from creating tenants' is set to 'Yes'
|
||||
|
||||
Validate test for a pass:
|
||||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Restrict non-admin users from creating tenants is set to 'Yes' in the Azure AD and Entra administration portal.
|
||||
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is set to 'Yes'.
|
||||
|
||||
Validate test for a fail:
|
||||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||||
- Specific conditions to check:
|
||||
- Condition A: Restrict non-admin users from creating tenants is not set to 'Yes' in the Azure AD and Entra administration portal.
|
||||
- Condition B: Using PowerShell, the setting for restricting non-admin users from creating tenants is not set to 'Yes'.
|
||||
#>
|
||||
}
|
||||
|
||||
process {
|
||||
@@ -60,5 +77,3 @@ function Test-RestrictTenantCreation {
|
||||
return $auditResult
|
||||
}
|
||||
}
|
||||
|
||||
# Additional helper functions (if any)
|
||||
|
||||
Reference in New Issue
Block a user