75 lines
4.3 KiB
PowerShell
75 lines
4.3 KiB
PowerShell
function Test-RestrictExternalSharing {
|
||
[CmdletBinding()]
|
||
[OutputType([CISAuditResult])]
|
||
param (
|
||
# Aligned
|
||
# Define your parameters here
|
||
)
|
||
begin {
|
||
<#
|
||
Conditions for 7.2.3 (L1) Ensure external content sharing is restricted
|
||
Validate test for a pass:
|
||
- Confirm that the automated test results align with the manual audit steps outlined in the CIS benchmark.
|
||
- Specific conditions to check:
|
||
- Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||
Validate test for a fail:
|
||
- Confirm that the failure conditions in the automated test are consistent with the manual audit results.
|
||
- Specific conditions to check:
|
||
- Condition A: The SharingCapability is set to "Anyone" or "ExternalUserAndGuestSharing" in the SharePoint admin center.
|
||
- Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "Anyone" or "ExternalUserAndGuestSharing".
|
||
- Condition C: The external sharing settings in SharePoint Online and OneDrive are set to a more permissive level than the organization’s sharing settings.
|
||
#>
|
||
# Dot source the class script if necessary
|
||
#. .\source\Classes\CISAuditResult.ps1
|
||
# Initialization code, if needed
|
||
$RecNum = "7.2.3"
|
||
Write-Verbose "Running Test-RestrictExternalSharing for $RecNum..."
|
||
}
|
||
process {
|
||
try {
|
||
# 7.2.3 (L1) Ensure external content sharing is restricted
|
||
# Retrieve the SharingCapability setting for the SharePoint tenant
|
||
<#
|
||
$SPOTenantSharingCapability = [PSCustomObject]@{
|
||
SharingCapability = "ExternalUserAndGuestSharing"
|
||
}
|
||
#>
|
||
$SPOTenantSharingCapability = Get-CISSpoOutput -Rec $RecNum
|
||
$isRestricted = $SPOTenantSharingCapability.SharingCapability -in @('ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', 'Disabled')
|
||
# Prepare failure reasons and details based on compliance
|
||
# Condition B: Using PowerShell, the SharingCapability property for the SharePoint tenant is set to "ExternalUserSharingOnly", "ExistingExternalUserSharingOnly", or "Disabled".
|
||
$failureReasons = if (-not $isRestricted) {
|
||
"External content sharing is not adequately restricted. Current setting: $($SPOTenantSharingCapability.SharingCapability)`n" + `
|
||
"The acceptable values for SharingCapability are: 'ExternalUserSharingOnly', 'ExistingExternalUserSharingOnly', or 'Disabled'.`n" + `
|
||
"To remediate this setting, use the Set-SPOTenant cmdlet to set the SharingCapability property to an acceptable value:`n`n" + `
|
||
"Set-SPOTenant -SharingCapability <acceptable value from above>"
|
||
}
|
||
else {
|
||
"N/A"
|
||
}
|
||
# Condition A: The SharingCapability is set to "ExternalUserSharingOnly" or more restrictive in the SharePoint admin center.
|
||
# Condition C: The external sharing settings in SharePoint Online and OneDrive are set to the same or a more restrictive level than the organization’s sharing settings.
|
||
$details = "SharingCapability: $($SPOTenantSharingCapability.SharingCapability)"
|
||
# Create and populate the CISAuditResult object
|
||
$params = @{
|
||
Rec = $RecNum
|
||
Result = $isRestricted
|
||
Status = if ($isRestricted) { "Pass" } else { "Fail" }
|
||
Details = $details
|
||
FailureReason = $failureReasons
|
||
}
|
||
$auditResult = Initialize-CISAuditResult @params
|
||
}
|
||
catch {
|
||
$LastError = $_
|
||
$auditResult = Get-TestError -LastError $LastError -RecNum $RecNum
|
||
}
|
||
}
|
||
end {
|
||
# Return auditResult
|
||
return $auditResult
|
||
}
|
||
}
|