diff --git a/.github/workflows/run_markdown_check.yaml b/.github/workflows/run_markdown_check.yaml
index f18cf5d5ec..64cb5b0dc1 100644
--- a/.github/workflows/run_markdown_check.yaml
+++ b/.github/workflows/run_markdown_check.yaml
@@ -1,11 +1,11 @@
-on:
+on:
 workflow_dispatch:
 pull_request:
 types: [opened, reopened]
 branches:
- - "main"
+ - "main"
 pull_request_review:
- types: [submitted]
+ types: [submitted]
 push:
 branches:
 - "main"
@@ -14,13 +14,13 @@ on:
 - "baselines/*.md"
 name: Markdown Check
-
+
 jobs:
 Run-Markdown-Check:
 runs-on: windows-latest
 defaults:
 run:
- shell: powershell
+ shell: powershell
 permissions:
 contents: read
 steps:
diff --git a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1 b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
index fc7770eea4..a152507739 100644
--- a/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
+++ b/PowerShell/ScubaGear/Modules/Providers/ExportAADProvider.psm1
@@ -12,13 +12,11 @@ function Export-AADProvider {
 $Tracker = Get-CommandTracker
 # The below cmdlet covers the following baselines
+ # - 1.1
 # - 2.1
- # - 2.2
- # - 2.3 First Policy bullet
- # - 2.4 First Policy bullet
- # - 2.9
- # - 2.10
- # - 2.17 first part
+ # - 3.1
+ # - 4.2
+ # - 3.7
 $AllPolicies = $Tracker.TryCommand("Get-MgIdentityConditionalAccessPolicy")
 Import-Module $PSScriptRoot/ProviderHelpers/AADConditionalAccessHelper.psm1
@@ -91,13 +89,14 @@ function Export-AADProvider {
 }
 $ServicePlans = ConvertTo-Json -Depth 3 @($ServicePlans)
- # 2.6, 2.7, & 2.18 1st/3rd Policy Bullets
+ # 5.1, 5.2, 8.1 & 8.3
 $AuthZPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAuthorizationPolicy"))
+ $SecureScore = ConvertTo-Json -Depth 2 @($Tracker.TryCommand("Get-MgSecuritySecureScore", @{"Top"=1}).ControlScores | Where-Object {$_.ControlName -eq 'RoleOverlap'})
- # 2.7 third bullet
+ # 5.4
 $DirectorySettings = ConvertTo-Json -Depth 10 @($Tracker.TryCommand("Get-MgDirectorySetting"))
- # 2.7 Policy Bullet 2]
+ # 5.3
 $AdminConsentReqPolicies = ConvertTo-Json @($Tracker.TryCommand("Get-MgPolicyAdminConsentRequestPolicy"))
 # Read the properties and relationships of an authentication method policy
@@ -111,6 +110,7 @@ function Export-AADProvider {
 "conditional_access_policies": $AllPolicies,
 "cap_table_data": $CapTableData,
 "authorization_policies": $AuthZPolicies,
+ "secure_score": $SecureScore,
 "admin_consent_policies": $AdminConsentReqPolicies,
 "privileged_users": $PrivilegedUsers,
 "privileged_roles": $PrivilegedRoles,
diff --git a/PowerShell/ScubaGear/RequiredVersions.ps1 b/PowerShell/ScubaGear/RequiredVersions.ps1
index de784385c1..12803a2dac 100644
--- a/PowerShell/ScubaGear/RequiredVersions.ps1
+++ b/PowerShell/ScubaGear/RequiredVersions.ps1
@@ -85,6 +85,11 @@ $ModuleList = @(
 ModuleVersion = [version] '1.14.0'
 MaximumVersion = [version] '1.99.99999'
 },
+ @{
+ ModuleName = 'Microsoft.Graph.Security'
+ ModuleVersion = [version] '1.14.0'
+ MaximumVersion = [version] '1.99.99999'
+ },
 @{
 ModuleName = 'Microsoft.Graph.Teams' #TODO: Verify is needed
 ModuleVersion = [version] '1.14.0'
diff --git a/Rego/AADConfig.rego b/Rego/AADConfig.rego
index 83e6f1170c..724f003111 100644
--- a/Rego/AADConfig.rego
+++ b/Rego/AADConfig.rego
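Review bot: A failed or unauthorized `Get-MgSecuritySecureScore` call is indistinguishable here from a tenant that simply has no RoleOverlap entry: `TryCommand` presumably returns nothing on failure, `.ControlScores` on an empty result is `$null`, and `@(... | Where-Object ...)` then serializes to `[]`, which the Rego consumer cannot tell apart from "control not present". The new line also assumes `@{"Top"=1}` yields the most recent daily score, which holds only if the endpoint's default ordering is newest-first; that assumption deserves a comment. This cmdlet needs a Graph permission the existing scopes may not include (SecurityEvents.Read.All, if I recall correctly), and the `Connect-MgGraph` scope list is outside this diff, so please confirm it was updated. I would add above the assignment: `# MS.AAD.7.2v1 - needs SecurityEvents.Read.All; Top=1 relies on the API returning the latest score first, and an empty result here means "not retrievable", not "compliant"`. Export-AADProvider's body continues outside the hunk.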
@@ -705,22 +705,24 @@ tests[{ } #-- -# # MS.AAD.7.2v1 #-- -# At this time we are unable to test for user association to fine-grained privileged roles -# rather than Global Administrator due to runtime and data response size constraints +# Check for secure score value for RoleOverlap Control Category +# Requirements is met if score is equal to 1 (100%) and fails if it is less than 1 +#-- + tests[{ - "PolicyId" : PolicyId, - "Criticality" : "Shall/Not-Implemented", - "Commandlet" : [], - "ActualValue" : [], - "ReportDetails" : NotCheckedDetails(PolicyId), - "RequirementMet" : false + "PolicyId" : "MS.AAD.7.2v1", + "Criticality" : "Shall", + "Commandlet" : ["Get-MgSecuritySecureScore"], + "ActualValue" : SecureScorePolicy, + "ReportDetails" : ReportDetailsBoolean(Status), + "RequirementMet" : Status }] { - PolicyId := "MS.AAD.7.2v1" - true + SecureScorePolicy := input.secure_score[_] + Status := SecureScorePolicy.Score == 1.0 } + #-- # diff --git a/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json b/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json index 59cdafa4ca..9672ac8818 100644 --- a/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json +++ b/Testing/Unit/PowerShell/CreateReport/CreateReportStubs/TestResults.json 
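Review bot: When `input.secure_score` is empty (the cmdlet failed, the session lacked the permission to read secure scores, or no RoleOverlap entry came back), `SecureScorePolicy := input.secure_score[_]` binds nothing and the rule produces no result at all, so MS.AAD.7.2v1 silently disappears from the report instead of being reported as not met or not checked as the removed rule did. I would add a companion rule that fires on `count(input.secure_score) == 0` and reports the policy as not met with a message saying the data was not retrieved, as below. The comment above the rule also describes `Score` as "1 (100%)"; if `Score` is the points awarded for the control rather than a 0-1 fraction, equality with `1.0` may not mean 100%, so please confirm against the control's maximum score, and reword the comment to `# The requirement is met only if the RoleOverlap score equals 1.0; any lower value fails`.
```rego
# Fires when the provider returned no RoleOverlap score (e.g. failed cmdlet
# or missing Graph permission), so the policy never silently drops out.
tests[{
    "PolicyId" : "MS.AAD.7.2v1",
    "Criticality" : "Shall",
    "Commandlet" : ["Get-MgSecuritySecureScore"],
    "ActualValue" : [],
    "ReportDetails" : "Secure Score data for the RoleOverlap control was not returned; verify the Graph session can read secure scores and re-run",
    "RequirementMet" : false
}] {
    count(input.secure_score) == 0
}
```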
@@ -1,420 +1,344 @@ -[ +[ { - "ActualValue": "Alex Wilber", - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedUser" - ], + "ActualValue": false, + "Commandlet": "Get-MgPolicyAdminConsentRequestPolicy", + "Control": "AAD 2.7", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "An admin consent workflow SHALL be configured", + "RequirementMet": false + }, + { + "ActualValue": true, + "Commandlet": "Get-MgPolicyAuthorizationPolicy", + "Control": "AAD 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "Only administrators SHALL be allowed to register third-party applications", + "RequirementMet": false + }, + { + "ActualValue": "", + "Commandlet": "Get-MgDirectoryRoleMember", + "Control": "AAD 2.12", + "Criticality": "Shall", + "ReportDetails": "0 admin(s) that are not cloud-only found", + "Requirement": "Users that need to be assigned to highly privileged Azure AD roles SHALL be provisioned cloud-only accounts that are separate from the on-premises directory or other federated identity providers", + "RequirementMet": true + }, + { + "ActualValue": "Role ID : 10dae51f-b6af-4016-8d66-8c2a99b929b3", + "Commandlet": "Get-MgPolicyAuthorizationPolicy", + "Control": "AAD 2.18", + "Criticality": "Should", + "ReportDetails": "Permission level set to \"Limited access\"", + "Requirement": "Guest users SHOULD have limited access to Azure AD directory objects", + "RequirementMet": true + }, + { + "ActualValue": "[ManagePermissionGrantsForSelf.microsoft-user-default-legacy]", + "Commandlet": "Get-MgPolicyAuthorizationPolicy", + "Control": "AAD 2.7", "Criticality": "Shall", - "PolicyId": "MS.AAD.7.3v1", - "ReportDetails": "1 admin(s) that are not cloud-only found:\u003cbr/\u003eAlex Wilber", + "ReportDetails": "Requirement not met", + "Requirement": "Only administrators SHALL be allowed to consent to third-party applications", + "RequirementMet": false + }, + { + "ActualValue": "everyone", + 
"Commandlet": "Get-MgPolicyAuthorizationPolicy", + "Control": "AAD 2.18", + "Criticality": "Should", + "ReportDetails": "Requirement not met", + "Requirement": "Only users with the Guest Inviter role SHOULD be able to invite guest users", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.3.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad31v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "", + "Control": "AAD 2.18", + "Criticality": "Should/Not-Implemented", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.18 for instructions on manual check", + "Requirement": "Guest invites SHOULD only be allowed to specific external domains that have been authorized by the agency for legitimate business purposes", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ + "Commandlet": "", + "Control": "AAD 2.2", + "Criticality": "Should/Not-Implemented", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.2 for instructions on manual check", + "Requirement": "A notification SHOULD be sent to the administrator when high-risk users are detected", + "RequirementMet": false + }, + { + "ActualValue": [ - ], + ], + "Commandlet": "", + "Control": "AAD 2.4", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.3.5v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad35v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. 
See Azure Active Directory Secure Configuration Baseline policy 2.4 for instructions on manual check", + "Requirement": "If phishing-resistant MFA cannot be used, an MFA method from the list [see AAD baseline 2.4] SHALL be used in the interim", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "AAD 2.4", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.4.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad41v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.4 for instructions on manual check", + "Requirement": "Phishing-resistant MFA SHALL be used for all users", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "AAD 2.4", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.6.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad61v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.4 for instructions on manual check", + "Requirement": "SMS or Voice as the MFA method SHALL NOT be used", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "AAD 2.5", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.AAD.7.2v1", - "ReportDetails": "Not currently checked automatically. 
See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad72v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.5 for instructions on manual check", + "Requirement": "The following critical logs SHALL be sent at a minimum: AuditLogs, SignInLogs, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ADFSSignInLogs, RiskyServicePrincipals, ServicePrincipalRiskEvents", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.2.2v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad22v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "", + "Control": "AAD 2.5", + "Criticality": "Shall/Not-Implemented", + "ReportDetails": "Currently cannot be checked automatically. See Azure Active Directory Secure Configuration Baseline policy 2.5 for instructions on manual check", + "Requirement": "The logs SHALL be sent to the agency\u0027s SOC for monitoring", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.3.3v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad33v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "", + "Control": "AAD 2.8", + "Criticality": "Shall/Not-Implemented", + "ReportDetails": "Currently cannot be checked automatically. 
See Azure Active Directory Secure Configuration Baseline policy 2.8 for instructions on manual check", + "Requirement": "User passwords SHALL NOT expire", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.3.4v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad34v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.1", + "Criticality": "Shall", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "Legacy authentication SHALL be blocked", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.3.8v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad38v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.10", + "Criticality": "Shall", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "Browser sessions SHALL not be persistent", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.AAD.8.3v1", - "ReportDetails": "Not currently checked automatically. 
See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/aad.md#msaad83v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.13", + "Criticality": "Shall", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "MFA SHALL be required for user access to highly privileged roles", "RequirementMet": false }, { - "ActualValue": { - "all_allow_invite_values": [ - { - "AllowInvitesFromValue": "everyone", - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], + "ActualValue": [ + + ], + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.17", "Criticality": "Should", - "PolicyId": "MS.AAD.8.2v1", - "ReportDetails": "Permission level set to \"everyone\" (authorizationPolicy)", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "Managed devices SHOULD be required for authentication", "RequirementMet": false }, { - "ActualValue": { - "all_allowed_create_values": [ - { - "DefaultUser_AllowedToCreateApps": false, - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.5.1v1", - "ReportDetails": "0 authorization policies found that allow non-admin users to register third-party applications", - "RequirementMet": true - }, - { - "ActualValue": { - "all_consent_policies": [ - { - "IsEnabled": false, - "PolicyId": null - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAdminConsentRequestPolicy" - ], + "ActualValue": [ + + ], + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.2", "Criticality": "Shall", - "PolicyId": "MS.AAD.5.3v1", - "ReportDetails": "Requirement not met", + "ReportDetails": "0 conditional access policy(s) found 
that meet(s) all requirements", + "Requirement": "Users detected as high risk SHALL be blocked", "RequirementMet": false }, { - "ActualValue": { - "all_grant_policy_values": [ - { - "DefaultUser_DefaultGrantPolicy": [ + "ActualValue": [ - ], - "PolicyId": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], + ], + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.3", "Criticality": "Shall", - "PolicyId": "MS.AAD.5.2v1", - "ReportDetails": "0 authorization policies found that allow non-admin users to consent to third-party applications", - "RequirementMet": true - }, - { - "ActualValue": { - "all_roleid_values": [ - { - "GuestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3", - "GuestUserRoleIdString": "Limited access", - "Id": "authorizationPolicy" - } - ] - }, - "Commandlet": [ - "Get-MgPolicyAuthorizationPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.8.1v1", - "ReportDetails": "Permission level set to \"Limited access\" (authorizationPolicy)", - "RequirementMet": true + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "Sign-ins detected as high risk SHALL be blocked", + "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.3.7v1", - "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements. 
\u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.4", + "Criticality": "Shall", + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "MFA SHALL be required for all users", "RequirementMet": false }, { "ActualValue": [ - "Addam Schroll", - "Andrew Huynh", - "Grant Dasher", - "Nanda Katikaneni", - "Shanti Satyapal", - "Ted Kolovos", - "Thomas Comeau" + ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedUser" - ], + "Commandlet": "Get-MgIdentityConditionalAccessPolicy", + "Control": "AAD 2.9", "Criticality": "Shall", - "PolicyId": "MS.AAD.7.1v1", - "ReportDetails": "7 global admin(s) found:\u003cbr/\u003eAddam Schroll, Andrew Huynh, Grant Dasher, Nanda Katikaneni, Shanti Satyapal, Ted Kolovos, Thomas Comeau", - "RequirementMet": true + "ReportDetails": "0 conditional access policy(s) found that meet(s) all requirements", + "Requirement": "Sign-in frequency SHALL be configured to 12 hours", + "RequirementMet": false }, { "ActualValue": [ "Application Administrator", "Cloud Application Administrator", + "Exchange Administrator", + "Global Administrator", "Hybrid Identity Administrator", "Privileged Role Administrator", - "SharePoint Administrator" + "SharePoint Administrator", + "User Administrator" ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Should", - "PolicyId": "MS.AAD.7.6v1", - "ReportDetails": "5 role(s) that do not require approval to activate found:\u003cbr/\u003eApplication Administrator, Cloud Application Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator", + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.14", + "Criticality": "Shall", + "ReportDetails": "8 role(s) configured to allow permanent active assignment or expiration period too 
long:\u003cbr/\u003eApplication Administrator, Cloud Application Administrator, Exchange Administrator, Global Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator", + "Requirement": "Permanent active role assignments SHALL NOT be allowed for highly privileged roles. Active assignments SHALL have an expiration period.", "RequirementMet": false }, { "ActualValue": [ + "Application Administrator", + "Cloud Application Administrator", "Exchange Administrator", "Global Administrator", + "Hybrid Identity Administrator", "Privileged Role Administrator", "SharePoint Administrator", "User Administrator" ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.7.5v1", - "ReportDetails": "5 role(s) assigned to users outside of PIM:\u003cbr/\u003eExchange Administrator, Global Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator", + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.15", + "Criticality": "Should", + "ReportDetails": "8 role(s) that do not require approval to activate found:\u003cbr/\u003eApplication Administrator, Cloud Application Administrator, Exchange Administrator, Global Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator", + "Requirement": "Activation of highly privileged roles SHOULD require approval", "RequirementMet": false }, { "ActualValue": [ + "Application Administrator", + "Cloud Application Administrator", + "Exchange Administrator", "Global Administrator", + "Hybrid Identity Administrator", + "Privileged Role Administrator", "SharePoint Administrator", "User Administrator" ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.16", 
"Criticality": "Shall", - "PolicyId": "MS.AAD.7.4v1", - "ReportDetails": "3 role(s) configured to allow permanent active assignment or expiration period too long:\u003cbr/\u003eGlobal Administrator, SharePoint Administrator, User Administrator", + "ReportDetails": "8 role(s) without notification e-mail configured for role assignments found:\u003cbr/\u003eApplication Administrator, Cloud Application Administrator, Exchange Administrator, Global Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator", + "Requirement": "Eligible and Active highly privileged role assignments SHALL trigger an alert", "RequirementMet": false }, { "ActualValue": [ - "Live - Block legacy authentication" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.1.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - Block legacy authentication. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - MFA Required for Everyone" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.3.2v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - MFA Required for Everyone. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - MFA required for Highly Privileged Roles" - ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole", - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.3.6v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - MFA required for Highly Privileged Roles. 
\u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - Risky Sign Ins Block Access" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.2.3v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - Risky Sign Ins Block Access. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Live - Risky Users Block Access" - ], - "Commandlet": [ - "Get-MgIdentityConditionalAccessPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.AAD.2.1v1", - "ReportDetails": "1 conditional access policy(s) found that meet(s) all requirements:\u003cbr/\u003eLive - Risky Users Block Access. \u003ca href=\u0027#caps\u0027\u003eView all CA policies\u003c/a\u003e.", - "RequirementMet": true - }, - { - "ActualValue": [ - "Privileged Role Administrator" + "Application Administrator", + "Cloud Application Administrator", + "Exchange Administrator", + "Global Administrator", + "Hybrid Identity Administrator", + "Privileged Role Administrator", + "SharePoint Administrator", + "User Administrator" ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.16", "Criticality": "Shall", - "PolicyId": "MS.AAD.7.8v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "Requirement not met", + "Requirement": "User activation of the Global Administrator role SHALL trigger an alert", + "RequirementMet": false }, { "ActualValue": [ - "Privileged Role Administrator" + "Application Administrator", + "Cloud Application Administrator", + "Exchange Administrator", + "Hybrid Identity Administrator", + "Privileged Role Administrator", + "SharePoint Administrator", + "User Administrator" ], - 
"Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.16", "Criticality": "Should", - "PolicyId": "MS.AAD.7.9v1", - "ReportDetails": "1 role(s) without notification e-mail configured for role activations found:\u003cbr/\u003ePrivileged Role Administrator", + "ReportDetails": "7 role(s) without notification e-mail configured for role activations found:\u003cbr/\u003eApplication Administrator, Cloud Application Administrator, Exchange Administrator, Hybrid Identity Administrator, Privileged Role Administrator, SharePoint Administrator, User Administrator", + "Requirement": "User activation of other highly privileged roles SHOULD trigger an alert", "RequirementMet": false }, { "ActualValue": [ - "Privileged Role Administrator", - "User Administrator" + "FNU LNU" ], - "Commandlet": [ - "Get-MgSubscribedSku", - "Get-PrivilegedRole" - ], + "Commandlet": "Get-MgDirectoryRoleMember", + "Control": "AAD 2.11", "Criticality": "Shall", - "PolicyId": "MS.AAD.7.7v1", - "ReportDetails": "2 role(s) without notification e-mail configured for role assignments found:\u003cbr/\u003ePrivileged Role Administrator, User Administrator", + "ReportDetails": "1 global admin(s) found:\u003cbr/\u003eFNU LNU", + "Requirement": "A minimum of two users and a maximum of four users SHALL be provisioned with the Global Administrator role", "RequirementMet": false }, { "ActualValue": [ - { - "Name": "EnableGroupSpecificConsent", - "SettingsGroup": "Consent Policy Settings", - "Value": "false" - } + "Global Administrator" ], - "Commandlet": [ - "Get-MgDirectorySetting" - ], + "Commandlet": "Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance", + "Control": "AAD 2.14", "Criticality": "Shall", - "PolicyId": "MS.AAD.5.4v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 role(s) assigned to users outside of PIM:\u003cbr/\u003eGlobal Administrator", 
+ "Requirement": "Provisioning of users to highly privileged roles SHALL NOT occur outside of a PAM system, such as the Azure AD PIM service, because this bypasses the controls the PAM system provides", + "RequirementMet": false }, { "ActualValue": false, @@ -435,7 +359,7 @@ "Control": "Defender 2.5", "Criticality": "Shall", "ReportDetails": "Requirement not met", - "Requirement": "All safety tips SHALL be enabled: user impersonation default policy", + "Requirement": "All safety tips SHALL be enabled: first contact default policy", "RequirementMet": false }, { @@ -446,7 +370,7 @@ "Control": "Defender 2.5", "Criticality": "Shall", "ReportDetails": "Requirement not met", - "Requirement": "All safety tips SHALL be enabled: user impersonation unusual characters default policy", + "Requirement": "All safety tips SHALL be enabled: user impersonation default policy", "RequirementMet": false }, { @@ -454,9 +378,10 @@ "Commandlet": [ "Get-AntiPhishPolicy" ], + "Control": "Defender 2.5", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.8v1", "ReportDetails": "Requirement not met", + "Requirement": "All safety tips SHALL be enabled: user impersonation unusual characters default policy", "RequirementMet": false }, { @@ -508,9 +433,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.7v1", "ReportDetails": "Requirement met", + "Requirement": "Zero-hour auto purge (ZAP) SHALL be enabled: default policy", "RequirementMet": true }, { @@ -518,9 +444,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.6v1", "ReportDetails": "Requirement met", + "Requirement": "Spam safety tips SHOULD be turned on: default policy", "RequirementMet": true }, { 
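Review bot: The added side of this fixture restores the older `"Control"`/`"Requirement"` record shape (e.g. `"Control": "AAD 2.7"`) in place of the `"PolicyId": "MS.AAD.*"` records the removed side carried, while the Rego in this same diff emits `"PolicyId" : "MS.AAD.7.2v1"`; this looks like a stale-branch revert rather than an intended change, so please confirm against main before merging. The hunk also drops the `MS.AAD.7.2v1` entry without adding one for the new secure-score check, so the CreateReport unit test never sees the output shape that `ReportDetailsBoolean(Status)` and the `Get-MgSecuritySecureScore` commandlet produce. I would keep the `PolicyId` schema and add an entry like the one below (the `ActualValue` field names depend on what `ConvertTo-Json -Depth 2` emits for a control score, so adjust to a captured sample). The surrounding JSON array starts before and ends after this hunk.
```json
{
    "ActualValue": {"ControlName": "RoleOverlap", "Score": 1.0},
    "Commandlet": ["Get-MgSecuritySecureScore"],
    "Criticality": "Shall",
    "PolicyId": "MS.AAD.7.2v1",
    "ReportDetails": "Requirement met",
    "RequirementMet": true
}
```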
@@ -528,9 +455,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.1v1", "ReportDetails": "Requirement not met", + "Requirement": "The bulk complaint level (BCL) threshold SHOULD be set to six or lower: default policy", "RequirementMet": false }, { @@ -538,9 +466,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.5v1", "ReportDetails": "Requirement not met", + "Requirement": "Spam in quarantine SHOULD be retained for at least 30 days: default policy", "RequirementMet": false }, { @@ -548,9 +477,10 @@ "Commandlet": [ "Get-AntiPhishPolicy" ], + "Control": "Defender 2.5", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.7v1", "ReportDetails": "Requirement not met", + "Requirement": "Mail classified as spoofed SHALL be quarantined: default policy", "RequirementMet": false }, { @@ -569,9 +499,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.2v1", "ReportDetails": "Requirement met", + "Requirement": "Spam SHALL be moved to either the junk email folder or the quarantine folder: default policy", "RequirementMet": true }, { @@ -579,9 +510,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.3v1", "ReportDetails": "Requirement not met", + "Requirement": "Phishing SHALL be quarantined: default policy", "RequirementMet": false }, { @@ -589,9 +521,10 @@ "Commandlet": [ "Get-HostedContentFilterPolicy" ], + "Control": "Defender 2.6", "Criticality": "Should", - "PolicyId": "MS.DEFENDER.6.4v1", "ReportDetails": "Requirement met", + "Requirement": "Bulk email SHOULD be moved to either the junk email folder or the quarantine folder: default policy", "RequirementMet": true }, { 
@@ -621,9 +554,10 @@ "Commandlet": [ "Get-AntiPhishPolicy" ], + "Control": "Defender 2.5", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.5.6v1", "ReportDetails": "Requirement not met", + "Requirement": "Message action SHALL be set to quarantine if the message is detected as impersonated: users default policy", "RequirementMet": false }, { @@ -644,9 +578,10 @@ "Commandlet": [ ], + "Control": "Defender 2.10", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.DEFENDER.10.2v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender102v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Defender Secure Configuration Baseline policy 2.10 for instructions on manual check", + "Requirement": "Advanced audit SHALL be enabled", "RequirementMet": false }, { @@ -656,9 +591,10 @@ "Commandlet": [ ], + "Control": "Defender 2.10", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.DEFENDER.10.3v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender103v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Defender Secure Configuration Baseline policy 2.10 for instructions on manual check", + "Requirement": "Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31", "RequirementMet": false }, { 
@@ -668,9 +604,10 @@ "Commandlet": [ ], + "Control": "Defender 2.2", "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.2.5v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender25v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Defender Secure Configuration Baseline policy 2.2 for instructions on manual check", + "Requirement": "A list of apps that are not allowed to access files protected by DLP policy SHOULD be defined", "RequirementMet": false }, { @@ -680,9 +617,10 @@ "Commandlet": [ ], + "Control": "Defender 2.2", "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.2.6v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender26v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Defender Secure Configuration Baseline policy 2.2 for instructions on manual check", + "Requirement": "A list of browsers that are not allowed to access files protected by DLP policy SHOULD be defined", "RequirementMet": false }, { 
@@ -692,9 +630,10 @@ "Commandlet": [ ], + "Control": "Defender 2.9", "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.DEFENDER.9.2v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/defender.md#msdefender92v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Defender Secure Configuration Baseline policy 2.9 for instructions on manual check", + "Requirement": "The alerts SHOULD be sent to a monitored address or incorporated into a SIEM", "RequirementMet": false }, { @@ -702,13 +641,13 @@ ], "Commandlet": [ - "Get-AntiPhishPolicy" + "Get-AdminAuditLogConfig" ], - "Control": "Defender 2.5", - "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: \"?\" for unauthenticated senders for spoof non-default policies", - "RequirementMet": true + "Control": "Defender 2.10", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "Unified audit logging SHALL be enabled", + "RequirementMet": false }, { "ActualValue": [ @@ -719,9 +658,9 @@ ], "Control": "Defender 2.5", "Criticality": "Should", - "ReportDetails": "Requirement met", - "Requirement": "All safety tips SHOULD be enabled: \"via\" tag non-default policies", - "RequirementMet": true + "ReportDetails": "No users are included for targeted user protection.", + "Requirement": "User impersonation protection SHOULD be enabled for key agency leaders", + "RequirementMet": false }, { "ActualValue": [ 
@@ -733,7 +672,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "All safety tips SHOULD be enabled: domain impersonation non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: \"?\" for unauthenticated senders for spoof non-default policies",
 "RequirementMet": true
 },
 {
@@ -746,7 +685,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "All safety tips SHOULD be enabled: user impersonation non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: \"via\" tag non-default policies",
 "RequirementMet": true
 },
 {
@@ -759,7 +698,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "All safety tips SHOULD be enabled: user impersonation unusual characters non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: domain impersonation non-default policies",
 "RequirementMet": true
 },
 {
@@ -772,7 +711,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "Mail classified as spoofed SHOULD be quarantined: non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: first contact non-default policies",
 "RequirementMet": true
 },
 {
@@ -785,7 +724,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: domains non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: user impersonation non-default policies",
 "RequirementMet": true
 },
 {
@@ -798,7 +737,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: mailbox non-default policies",
+ "Requirement": "All safety tips SHOULD be enabled: user impersonation unusual characters non-default policies",
 "RequirementMet": true
 },
 {
@@ -811,7 +750,7 @@
 "Control": "Defender 2.5",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: users non-default policies",
+ "Requirement": "Mail classified as spoofed SHOULD be quarantined: non-default policies",
 "RequirementMet": true
 },
 {
@@ -821,9 +760,62 @@
 "Commandlet": [
 "Get-AntiPhishPolicy"
 ],
+ "Control": "Defender 2.5",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.5.1v1",
- "ReportDetails": "No users are included for targeted user protection.",
+ "ReportDetails": "Requirement met",
+ "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: domains non-default policies",
+ "RequirementMet": true
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-AntiPhishPolicy"
+ ],
+ "Control": "Defender 2.5",
+ "Criticality": "Should",
+ "ReportDetails": "Requirement met",
+ "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: mailbox non-default policies",
+ "RequirementMet": true
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-AntiPhishPolicy"
+ ],
+ "Control": "Defender 2.5",
+ "Criticality": "Should",
+ "ReportDetails": "Requirement met",
+ "Requirement": "Message action SHOULD be set to quarantine if the message is detected as impersonated: users non-default policies",
+ "RequirementMet": true
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-AntiPhishPolicy"
+ ],
+ "Control": "Defender 2.5",
+ "Criticality": "Should",
+ "ReportDetails": "Requirement not met",
+ "Requirement": "Domain impersonation protection SHOULD be enabled for domains owned by the agency",
+ "RequirementMet": false
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-AntiPhishPolicy"
+ ],
+ "Control": "Defender 2.5",
+ "Criticality": "Should",
+ "ReportDetails": "Requirement not met",
+ "Requirement": "Intelligence for impersonation protection SHALL be enabled",
 "RequirementMet": false
 },
 {
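Review bot: The last entry added in this hunk pairs `"Criticality": "Should"` with a requirement whose text is mandatory (`"Intelligence for impersonation protection SHALL be enabled"`), while every other entry in the hunk keeps the two in agreement. If the Criticality field is what groups or scores results in the rendered report, this check would be presented as a SHOULD even though the requirement it describes is a SHALL, which understates a failed mandatory control. Either the criticality should read `"Criticality": "Shall",` or the requirement text should say SHOULD, whichever the baseline this fixture tracks specifies; since this looks like sample output, the correction presumably also belongs in whatever produces it.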
@@ -833,9 +825,23 @@
 "Commandlet": [
 "Get-AntiPhishPolicy"
 ],
+ "Control": "Defender 2.5",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.5.3v1",
 "ReportDetails": "The Custom Domains protection policies: Enabled, EnableTargetedDomainsProtection, and TargetedDomainsToProtect are not set correctly",
+ "Requirement": "Domain impersonation protection SHOULD be added for frequent partners",
+ "RequirementMet": false
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-AtpPolicyForO365"
+ ],
+ "Control": "Defender 2.8",
+ "Criticality": "Should",
+ "ReportDetails": "Requirement not met",
+ "Requirement": "Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams",
 "RequirementMet": false
 },
 {
@@ -871,11 +877,51 @@ "Commandlet": [ "Get-DlpComplianceRule" ], + "Control": "Defender 2.2", "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.2.1v1", "ReportDetails": "No matching rule found for U.S. Social Security Number (SSN)", + "Requirement": "A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency: U.S. Social Security Number (SSN)", "RequirementMet": false }, + { + "ActualValue": [ + + ], + "Commandlet": [ + "Get-EOPProtectionPolicyRule" + ], + "Control": "Defender 2.1", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Standard Preset security profiles SHOULD NOT be used", + "RequirementMet": true + }, + { + "ActualValue": [ + + ], + "Commandlet": [ + "Get-EOPProtectionPolicyRule" + ], + "Control": "Defender 2.1", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Strict Preset security profiles SHOULD NOT be used", + "RequirementMet": true + }, + { + "ActualValue": [ + + ], + "Commandlet": [ + "Get-HostedContentFilterPolicy" + ], + "Control": "Defender 2.6", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "Allowed senders MAY be added but allowed domains SHALL NOT be added: default policy", + "RequirementMet": true + }, { "ActualValue": [ @@ -1037,12 +1083,13 @@ ], "Commandlet": [ - "Get-HostedContentFilterPolicy" + "Get-MalwareFilterPolicy" ], - "Criticality": "Shall", - "PolicyId": "MS.DEFENDER.6.8v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "Control": "Defender 2.3", + "Criticality": "Should", + "ReportDetails": "No malware policies found that block .cmd files.", + "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: cmd files", + "RequirementMet": false }, { "ActualValue": [ 
@@ -1051,10 +1098,24 @@
 "Commandlet": [
 "Get-MalwareFilterPolicy"
 ],
- "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.3.1v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
+ "Control": "Defender 2.3",
+ "Criticality": "Should",
+ "ReportDetails": "No malware policies found that block .exe files.",
+ "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: exe files",
+ "RequirementMet": false
+ },
+ {
+ "ActualValue": [
+
+ ],
+ "Commandlet": [
+ "Get-MalwareFilterPolicy"
+ ],
+ "Control": "Defender 2.3",
+ "Criticality": "Should",
+ "ReportDetails": "No malware policies found that block .vbe files.",
+ "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: vbe files",
+ "RequirementMet": false
 },
 {
 "ActualValue": [
@@ -1063,9 +1124,10 @@
 "Commandlet": [
 "Get-MalwareFilterPolicy"
 ],
+ "Control": "Defender 2.4",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.4.1v1",
 "ReportDetails": "Requirement met",
+ "Requirement": "Zero-hour Auto Purge (ZAP) for malware SHOULD be enabled in the default anti-malware policy and in all existing custom policies",
 "RequirementMet": true
 },
 {
@@ -1077,9 +1139,10 @@
 "Get-SafeAttachmentRule",
 "Get-AcceptedDomain"
 ],
+ "Control": "Defender 2.8",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.8.2v1",
 "ReportDetails": "No enabled policy found with action set to block that apply to all domains",
+ "Requirement": "The action for malware in email attachments SHALL be set to block",
 "RequirementMet": false
 },
 {
@@ -1091,9 +1154,10 @@
 "Get-SafeAttachmentRule",
 "Get-AcceptedDomain"
 ],
+ "Control": "Defender 2.8",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.8.3v1",
 "ReportDetails": "No enabled policy found with action set to block and at least one contact specified",
+ "Requirement": "Redirect emails with detected attachments to an agency-specified email SHOULD be enabled",
 "RequirementMet": false
 },
 {
@@ -1104,9 +1168,10 @@
 "Get-SafeAttachmentRule",
 "Get-AcceptedDomain"
 ],
+ "Control": "Defender 2.8",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.8.1v1",
- "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com",
+ "ReportDetails": "No policy found that applies to all domains: tqhjy.onmicrosoft.com",
+ "Requirement": "At least one Safe Attachments Policy SHALL include all agency domains-and by extension-all users",
 "RequirementMet": false
 },
 {
@@ -1117,9 +1182,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.2v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "Internal agency email messages SHALL have safe links enabled",
 "RequirementMet": false
 },
 {
@@ -1130,9 +1196,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.3v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "Malicious link click checking SHALL be enabled with Microsoft Teams",
 "RequirementMet": false
 },
 {
@@ -1143,9 +1210,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.4v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "Real-time suspicious URL and file-link scanning SHALL be enabled",
 "RequirementMet": false
 },
 {
@@ -1156,9 +1224,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.5v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "Safe Links in Office 365 apps SHALL be turned on",
 "RequirementMet": false
 },
 {
@@ -1169,9 +1238,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.6v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "URL rewriting and malicious link click checking SHALL be enabled",
 "RequirementMet": false
 },
 {
@@ -1182,9 +1252,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.7v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "URLs SHALL be scanned completely before message delivery",
 "RequirementMet": false
 },
 {
@@ -1195,9 +1266,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.8v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "User click tracking SHALL be enabled",
 "RequirementMet": false
 },
 {
@@ -1208,9 +1280,10 @@
 "Get-SafeLinksPolicy",
 "Get-SafeLinksRule"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.9v1",
 "ReportDetails": "Requirement not met",
+ "Requirement": "Users SHALL NOT be enabled to click through to the original URL",
 "RequirementMet": false
 },
 {
@@ -1221,9 +1294,10 @@
 "Get-SafeLinksRule",
 "Get-AcceptedDomain"
 ],
+ "Control": "Defender 2.7",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.7.1v1",
- "ReportDetails": "No policy found that applies to all domains: alexwilber.myo365.site, y2zj1.onmicrosoft.com",
+ "ReportDetails": "No policy found that applies to all domains: tqhjy.onmicrosoft.com",
+ "Requirement": "The Safe Links Policy SHALL include all agency domains-and by extension-all users",
 "RequirementMet": false
 },
 {
@@ -1234,35 +1308,10 @@
 "Get-MalwareFilterPolicy"
 ],
 "Control": "Defender 2.3",
- "Criticality": "Should",
- "ReportDetails": "Requirement met",
- "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: cmd files",
- "RequirementMet": true
- },
- {
- "ActualValue": [
- "Default"
- ],
- "Commandlet": [
- "Get-MalwareFilterPolicy"
- ],
- "Control": "Defender 2.3",
- "Criticality": "Should",
- "ReportDetails": "Requirement met",
- "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked: vbe files",
- "RequirementMet": true
- },
- {
- "ActualValue": [
- "Default"
- ],
- "Commandlet": [
- "Get-MalwareFilterPolicy"
- ],
- "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.3.2v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
+ "Criticality": "Shall",
+ "ReportDetails": "1 malware policy(ies) found that do(es) not have the common attachments filter enabled: Default",
+ "Requirement": "The common attachments filter SHALL be enabled in the default anti-malware policy and in all existing policies",
+ "RequirementMet": false
 },
 {
 "ActualValue": [
@@ -1271,14 +1320,16 @@
 "Commandlet": [
 "Get-DlpComplianceRule"
 ],
+ "Control": "Defender 2.2",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.2.4v1",
 "ReportDetails": "1 rule(s) found that do(es) not notify at least one user: Default Teams DLP policy rule",
+ "Requirement": "Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled",
 "RequirementMet": false
 },
 {
 "ActualValue": [
 "Default Teams DLP policy rule",
+ "Items containing 1-9 credit card numbers shared externally",
 "Items with 10 or more credit card numbers shared externally"
 ],
 "Commandlet": [
@@ -1293,39 +1344,16 @@
 {
 "ActualValue": [
 "Default Teams DLP policy rule",
+ "Items containing 1-9 credit card numbers shared externally",
 "Items with 10 or more credit card numbers shared externally"
 ],
 "Commandlet": [
 "Get-DlpComplianceRule"
 ],
+ "Control": "Defender 2.2",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.2.3v1",
- "ReportDetails": "2 rule(s) found that do(es) not block access or associated policy not set to enforce block action: Default Teams DLP policy rule, Items with 10 or more credit card numbers shared externally",
- "RequirementMet": false
- },
- {
- "ActualValue": [
- "Enabled"
- ],
- "Commandlet": [
- "Get-EOPProtectionPolicyRule"
- ],
- "Control": "Defender 2.1",
- "Criticality": "Should",
- "ReportDetails": "The Strict Preset Security Policy is present and not disabled",
- "Requirement": "Strict Preset security profiles SHOULD NOT be used",
- "RequirementMet": false
- },
- {
- "ActualValue": [
- "Enabled"
- ],
- "Commandlet": [
- "Get-EOPProtectionPolicyRule"
- ],
- "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.1.1v1",
- "ReportDetails": "The Standard Preset Security Policy is present and not disabled",
+ "ReportDetails": "3 rule(s) found that do(es) not block access: Default Teams DLP policy rule, Items containing 1-9 credit card numbers shared externally, Items with 10 or more credit card numbers shared externally",
+ "Requirement": "The action for the DLP policy SHOULD be set to block sharing sensitive information with everyone when DLP conditions are met",
 "RequirementMet": false
 },
 {
@@ -1336,96 +1364,12 @@
 "Commandlet": [
 "Get-ProtectionAlert"
 ],
+ "Control": "Defender 2.9",
 "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.9.1v1",
 "ReportDetails": "2 disabled required alert(s) found: Malware campaign detected after delivery, Unusual increase in email reported as phish",
- "RequirementMet": false
- },
- {
- "ActualValue": [
- "Strict Preset Security Policy1685627357814"
- ],
- "Commandlet": [
- "Get-AntiPhishPolicy"
- ],
- "Control": "Defender 2.5",
- "Criticality": "Should",
- "ReportDetails": "1 custom anti phish policy(ies) found where first contact safety tips are not enabled: Strict Preset Security Policy1685627357814",
- "Requirement": "All safety tips SHOULD be enabled: first contact non-default policies",
+ "Requirement": "At a minimum, the alerts required by the Exchange Online Minimum Viable Secure Configuration Baseline SHALL be enabled",
 "RequirementMet": false
 },
- {
- "ActualValue": [
- {
- "Action": "MoveToJmf",
- "IntelligenceProtection": true,
- "Name": "Standard Preset Security Policy1685627231985"
- },
- {
- "Action": "Quarantine",
- "IntelligenceProtection": true,
- "Name": "Strict Preset Security Policy1685627357814"
- }
- ],
- "Commandlet": [
- "Get-AntiPhishPolicy"
- ],
- "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.5.5v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
- },
- {
- "ActualValue": [
- {
- "Action": "Quarantine",
- "Name": "Standard Preset Security Policy1685627231985",
- "OrgDomains": true
- },
- {
- "Action": "Quarantine",
- "Name": "Strict Preset Security Policy1685627357814",
- "OrgDomains": true
- }
- ],
- "Commandlet": [
- "Get-AntiPhishPolicy"
- ],
- "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.5.2v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
- },
- {
- "ActualValue": [
- {
- "EnableATPForSPOTeamsODB": true,
- "Identity": "Default"
- }
- ],
- "Commandlet": [
- "Get-AtpPolicyForO365"
- ],
- "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.8.4v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
- },
- {
- "ActualValue": [
- {
- "Identity": "Admin Audit Log Settings",
- "UnifiedAuditLogIngestionEnabled": true
- }
- ],
- "Commandlet": [
- "Get-AdminAuditLogConfig"
- ],
- "Criticality": "Shall",
- "PolicyId": "MS.DEFENDER.10.1v1",
- "ReportDetails": "Requirement met",
- "RequirementMet": true
- },
 {
 "ActualValue": [
 {
@@ -1442,7 +1386,7 @@
 "Control": "Defender 2.2",
 "Criticality": "Should",
 "ReportDetails": "Requirement met",
- "Requirement": "The custom policy SHOULD be applied in SharePoint",
+ "Requirement": "The custom policy SHOULD be applied in Exchange",
 "RequirementMet": true
 },
 {
@@ -1458,9 +1402,10 @@
 "Commandlet": [
 "Get-DLPCompliancePolicy"
 ],
+ "Control": "Defender 2.2",
 "Criticality": "Should",
- "PolicyId": "MS.DEFENDER.2.2v1",
 "ReportDetails": "Requirement met",
+ "Requirement": "The custom policy SHOULD be applied in SharePoint",
 "RequirementMet": true
 },
 {
@@ -1482,714 +1427,427 @@ "Requirement": "The custom policy SHOULD be applied in Teams", "RequirementMet": true }, + { + "ActualValue": false, + "Commandlet": "Get-HostedConnectionFilterPolicy", + "Control": "EXO 2.12", + "Criticality": "Should", + "ReportDetails": "Requirement met", + "Requirement": "Safe lists SHOULD NOT be enabled", + "RequirementMet": true + }, + { + "ActualValue": false, + "Commandlet": "Get-OrganizationConfig", + "Control": "EXO 2.13", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "Mailbox auditing SHALL be enabled", + "RequirementMet": true + }, + { + "ActualValue": true, + "Commandlet": "Get-TransportConfig", + "Control": "EXO 2.5", + "Criticality": "Shall", + "ReportDetails": "Requirement met", + "Requirement": "SMTP AUTH SHALL be disabled in Exchange Online", + "RequirementMet": true + }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.10.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", - "RequirementMet": false - }, - { - "ActualValue": [ - - ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.10", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.10.2v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Emails SHALL be scanned for malware", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.10", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.1v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Emails identified as containing malware SHALL be quarantined or dropped", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.2v1", + "Commandlet": "", + "Control": "EXO 2.10", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Email scanning SHOULD be capable of reviewing emails after delivery", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.14.3v1", + "Commandlet": "", + "Control": "EXO 2.11", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Impersonation protection checks SHOULD be used", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.16.1v1", + "Commandlet": "", + "Control": "EXO 2.11", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "The phishing protection solution SHOULD include an AI-based phishing detection tool comparable to EOP Mailbox Intelligence", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.1v1", + "Commandlet": "", + "Control": "EXO 2.11", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. 
If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "User warnings, comparable to the user safety tips included with EOP, SHOULD be displayed", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.14", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.2v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "A spam filter SHALL be enabled. The filtering solution selected SHOULD offer services comparable to the native spam filtering offered by Microsoft", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.14", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.17.3v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Allowed senders MAY be added, but allowed domains SHALL NOT be added", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.14", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.8.1v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Spam and high confidence spam SHALL be moved to either the junk email folder or the quarantine folder", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.8.2v1", + "Commandlet": "", + "Control": "EXO 2.15", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Direct download links SHOULD be scanned for malware", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.9.1v1", + "Commandlet": "", + "Control": "EXO 2.15", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "URL comparison with a block-list SHOULD be enabled", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.EXO.9.3v1", + "Commandlet": "", + "Control": "EXO 2.15", + "Criticality": "Should/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "User click tracking SHOULD be enabled", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.EXO.2.1v1", - "ReportDetails": "Not currently checked automatically. 
See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/exo.md#msexo21v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Commandlet": "", + "Control": "EXO 2.16", + "Criticality": "Shall/3rd Party", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "At a minimum, the following alerts SHALL be enabled...[see Exchange Online secure baseline for list]", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], + "Commandlet": "", + "Control": "EXO 2.16", "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.10.3v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "The alerts SHOULD be sent to a monitored address or incorporated into a SIEM", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.1v1", + "Commandlet": "", + "Control": "EXO 2.17", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Advanced audit SHALL be enabled", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.2v1", + "Commandlet": "", + "Control": "EXO 2.17", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. 
Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Audit logs SHALL be maintained for at least the minimum duration dictated by OMB M-21-31", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.11.3v1", + "Commandlet": "", + "Control": "EXO 2.17", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Unified audit logging SHALL be enabled", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.1v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Commandlet": "", + "Control": "EXO 2.2", + "Criticality": "Shall/Not-Implemented", + "ReportDetails": "Currently cannot be checked automatically. See Exchange Online Secure Configuration Baseline policy 2.# for instructions on manual check", + "Requirement": "A list of approved IP addresses for sending mail SHALL be maintained", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.2v1", + "Commandlet": "", + "Control": "EXO 2.8", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "A DLP solution SHALL be used. 
The selected DLP solution SHOULD offer services comparable to the native DLP solution offered by Microsoft", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.15.3v1", + "Commandlet": "", + "Control": "EXO 2.8", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "The DLP solution SHALL protect PII and sensitive information, as defined by the agency. At a minimum, the sharing of credit card numbers, Taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) via email SHALL be restricted", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.16.2v1", + "Commandlet": "", + "Control": "EXO 2.9", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Disallowed file types SHALL be determined and set. At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe)", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - - ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.EXO.9.2v1", + "Commandlet": "", + "Control": "EXO 2.9", + "Criticality": "Shall/3rd Party", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Emails SHALL be filtered by the file types of included attachments. 
The selected filtering solution SHOULD offer services comparable to Microsoft Defender\u0027s Common Attachment Filter", "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.4.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "Commandlet": "", + "Control": "EXO 2.9", + "Criticality": "Should/3rd Party", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "The attachment filter SHOULD attempt to determine the true file type and assess the file extension", + "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.4.2v1", + "Commandlet": "Get-HostedConnectionFilterPolicy", + "Control": "EXO 2.12", + "Criticality": "Should", "ReportDetails": "Requirement met", + "Requirement": "IP allow lists SHOULD NOT be created", "RequirementMet": true }, { "ActualValue": [ ], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], + "Commandlet": "Get-TransportRule", + "Control": "EXO 2.7", "Criticality": "Shall", - "PolicyId": "MS.EXO.4.3v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "No transport rule found with that applies to emails received from outside the organization", + "Requirement": "External sender warnings SHALL be implemented", + "RequirementMet": false }, { "ActualValue": [ - + "Anonymous:CalendarSharingFreeBusyReviewer", + "*:CalendarSharingFreeBusySimple" ], - "Commandlet": [ - "Get-ScubaDmarcRecords", - "Get-AcceptedDomain" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.4.4v1", + "Commandlet": "Get-SharingPolicy", + "Control": "EXO 2.6", + "Criticality": "Shall", "ReportDetails": "Requirement 
met", + "Requirement": "Calendar details SHALL NOT be shared with all domains, although they MAY be shared with specific domains", "RequirementMet": true }, { "ActualValue": [ - + "Anonymous:CalendarSharingFreeBusyReviewer", + "*:CalendarSharingFreeBusySimple" ], - "Commandlet": [ - "Get-TransportRule" - ], + "Commandlet": "Get-SharingPolicy", + "Control": "EXO 2.6", "Criticality": "Shall", - "PolicyId": "MS.EXO.7.1v1", - "ReportDetails": "No transport rule found that applies warnings to emails received from outside the organization", - "RequirementMet": false + "ReportDetails": "Requirement met", + "Requirement": "Contact folders SHALL NOT be shared with all domains, although they MAY be shared with specific domains", + "RequirementMet": true }, { "ActualValue": [ [ - + { + "domain": "tqhjy.onmicrosoft.com", + "rdata": "" + } ], [ - null + ] ], - "Commandlet": [ - "Get-DkimSigningConfig", - "Get-ScubaDkimRecords", - "Get-AcceptedDomain" - ], + "Commandlet": "Get-DkimSigningConfig, Resolve-DnsName", + "Control": "EXO 2.3", "Criticality": "Should", - "PolicyId": "MS.EXO.3.1v1", - "ReportDetails": "1 of 1 agency domain(s) found in violation: alexwilber.myo365.site", - "RequirementMet": false - }, - { - "ActualValue": [ - { - "AddressBookPolicyRoutingEnabled": false, - "AdminDisplayName": "", - "AgentGeneratedMessageLoopDetectionInSmtpEnabled": true, - "AgentGeneratedMessageLoopDetectionInSubmissionEnabled": true, - "AllowLegacyTLSClients": false, - "AnonymousSenderToRecipientRatePerHour": 1800, - "AttributionRejectBeforeMServRequest": false, - "AttributionRejectConsumerMessages": false, - "ClearCategories": true, - "ConvertDisclaimerWrapperToEml": false, - "ConvertReportToMessage": false, - "CurrentTransportSystemState": "Green", - "DSNConversionMode": "PreserveDSNBody", - "DiagnosticsAggregationServicePort": 9710, - "DistinguishedName": "CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - 
"EnableExternalHTTPMailDelivery": false, - "ExchangeObjectId": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", - "ExchangeVersion": "0.1 (8.0.535.0)", - "ExternalDelayDsnEnabled": true, - "ExternalDsnDefaultLanguage": null, - "ExternalDsnLanguageDetectionEnabled": true, - "ExternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", - "ExternalDsnReportingAuthority": null, - "ExternalDsnSendHtml": true, - "ExternalPostmasterAddress": null, - "GenerateCopyOfDSNFor": [ - - ], - "Guid": "b4f29764-fa61-4718-ac8d-29e1ad3007b9", - "HeaderPromotionModeSetting": "NoCreate", - "HygieneSuite": "Premium", - "Id": "Transport Settings", - "Identity": "Transport Settings", - "InternalDelayDsnEnabled": true, - "InternalDsnDefaultLanguage": null, - "InternalDsnLanguageDetectionEnabled": true, - "InternalDsnMaxMessageAttachSize": "10 MB (10,485,760 bytes)", - "InternalDsnReportingAuthority": null, - "InternalDsnSendHtml": true, - "InternalSMTPServers": [ - - ], - "IsValid": true, - "JournalArchivingEnabled": false, - "JournalMessageExpirationDays": 0, - "JournalReportDLMemberSubstitutionEnabled": false, - "JournalingReportNdrTo": "u003cu003e", - "LegacyArchiveJournalingEnabled": false, - "LegacyArchiveLiveJournalingEnabled": false, - "LegacyJournalingMigrationEnabled": false, - "MaxAllowedAgentGeneratedMessageDepth": 3, - "MaxAllowedAgentGeneratedMessageDepthPerAgent": 2, - "MaxDumpsterSizePerDatabase": "18 MB (18,874,368 bytes)", - "MaxDumpsterTime": "7.00:00:00", - "MaxReceiveSize": "Unlimited", - "MaxRecipientEnvelopeLimit": "Unlimited", - "MaxSendSize": "Unlimited", - "MessageExpiration": "1.00:00:00", - "MigrationEnabled": true, - "Name": "Transport Settings", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Transport-Settings", - "ObjectClass": [ - "top", - "container", - "msExchTransportSettings" - ], - "ObjectState": "Unchanged", - "OpenDomainRoutingEnabled": false, - "OrganizationFederatedMailbox": 
"FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@y2zj1.onmicrosoft.com", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "BN6PR10A08DC001.NAMPR10A008.PROD.OUTLOOK.COM", - "OtherWellKnownObjects": [ - - ], - "PreserveReportBodypart": true, - "QueueDiagnosticsAggregationInterval": "00:01:00", - "RedirectDLMessagesForLegacyArchiveJournaling": false, - "RedirectUnprovisionedUserMessagesForLegacyArchiveJournaling": false, - "ReplyAllStormBlockDurationHours": 6, - "ReplyAllStormDetectionMinimumRecipients": 2500, - "ReplyAllStormDetectionMinimumReplies": 10, - "ReplyAllStormProtectionEnabled": true, - "Rfc2231EncodingEnabled": false, - "SafetyNetHoldTime": "7.00:00:00", - "SmtpClientAuthenticationDisabled": true, - "SupervisionTags": [ - "Reject", - "Allow" - ], - "TLSReceiveDomainSecureList": [ - - ], - "TLSSendDomainSecureList": [ - - ], - "TransportRuleAttachmentTextScanLimit": "1 MB (1,048,576 bytes)", - "TransportRuleCollectionAddedRecipientsLimit": 100, - "TransportRuleCollectionRegexCharsLimit": "20 KB (20,480 bytes)", - "TransportRuleConfig": [ - "TransportRuleMinProductVersion:14.0.0.0", - "TransportRuleRegexValidationTimeout:00:00:00.3000000", - "TransportRuleAttachmentTextScanLimit:1 MB (1,048,576 bytes)", - "TransportRuleSizeLimit:8 KB (8,192 bytes)", - "TransportRuleCollectionRegexCharsLimit:20 KB (20,480 bytes)", - "TransportRuleLimit:300", - "TransportRuleCollectionAddedRecipientsLimit:100" - ], - "TransportRuleLimit": 300, - "TransportRuleMinProductVersion": { - "Build": 0, - "Major": 14, - "MajorRevision": 0, - "Minor": 0, - "MinorRevision": 0, - "Revision": 0 - }, - "TransportRuleRegexValidationTimeout": "00:00:00.3000000", - "TransportRuleSizeLimit": "8 KB (8,192 bytes)", - "TransportSystemState": "", - 
"VerifySecureSubmitEnabled": false, - "VoicemailJournalingEnabled": true, - "WhenChanged": "/Date(1643184493000)/", - "WhenChangedUTC": "/Date(1643184493000)/", - "WhenCreated": "/Date(1643059670000)/", - "WhenCreatedUTC": "/Date(1643059670000)/", - "Xexch50Enabled": true - } - ], - "Commandlet": [ - "Get-TransportConfig" - ], - "Criticality": "Shall", - "PolicyId": "MS.EXO.5.1v1", "ReportDetails": "Requirement met", + "Requirement": "DKIM SHOULD be enabled for any custom domain", "RequirementMet": true }, { "ActualValue": [ { - "AdminDisplayName": "", - "Default": true, - "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "Domains": [ - "Anonymous:CalendarSharingFreeBusyReviewer", - "*:CalendarSharingFreeBusySimple" - ], - "Enabled": true, - "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "ExchangeVersion": "0.10 (14.0.100.0)", - "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "Id": "Default Sharing Policy", - "Identity": "Default Sharing Policy", - "IsValid": true, - "Name": "Default Sharing Policy", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", - "ObjectClass": [ - "top", - "msExchSharingPolicy" - ], - "ObjectState": "Changed", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "BN6PR10A08DC001.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650762000)/", - "WhenChangedUTC": "/Date(1645650762000)/", - "WhenCreated": "/Date(1645650752000)/", - "WhenCreatedUTC": "/Date(1645650752000)/" + "domain": "tqhjy.onmicrosoft.com", + "rdata": "" } ], - "Commandlet": [ - "Get-SharingPolicy" - ], + "Commandlet": "Resolve-DnsName", + "Control": "EXO 2.4", 
"Criticality": "Shall", - "PolicyId": "MS.EXO.6.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 of 1 agency domain(s) found in violation: tqhjy.onmicrosoft.com", + "Requirement": "A DMARC policy SHALL be published for every second-level domain", + "RequirementMet": false }, { "ActualValue": [ { - "AdminDisplayName": "", - "Default": true, - "DistinguishedName": "CN=Default Sharing Policy,CN=Federation,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "Domains": [ - "Anonymous:CalendarSharingFreeBusyReviewer", - "*:CalendarSharingFreeBusySimple" - ], - "Enabled": true, - "ExchangeObjectId": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "ExchangeVersion": "0.10 (14.0.100.0)", - "Guid": "2f1ca8cf-5ba5-45e3-b73a-1405ff552a2e", - "Id": "Default Sharing Policy", - "Identity": "Default Sharing Policy", - "IsValid": true, - "Name": "Default Sharing Policy", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Sharing-Policy", - "ObjectClass": [ - "top", - "msExchSharingPolicy" - ], - "ObjectState": "Changed", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "BN6PR10A08DC001.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650762000)/", - "WhenChangedUTC": "/Date(1645650762000)/", - "WhenCreated": "/Date(1645650752000)/", - "WhenCreatedUTC": "/Date(1645650752000)/" + "domain": "tqhjy.onmicrosoft.com", + "rdata": "" } ], - "Commandlet": [ - "Get-SharingPolicy" - ], + "Commandlet": "Resolve-DnsName", + "Control": "EXO 2.4", "Criticality": "Shall", - "PolicyId": "MS.EXO.6.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - { - "AdminDisplayName": "", - 
"DirectoryBasedEdgeBlockMode": "Default", - "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "EnableSafeList": false, - "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "ExchangeVersion": "0.20 (15.0.0.0)", - "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "IPAllowList": [ - - ], - "IPBlockList": [ - - ], - "Id": "Default", - "Identity": "Default", - "IsDefault": true, - "IsValid": true, - "Name": "Default", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", - "ObjectClass": [ - "top", - "msExchHostedConnectionFilterPolicy" - ], - "ObjectState": "Unchanged", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "BN6PR10A08DC001.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650841000)/", - "WhenChangedUTC": "/Date(1645650841000)/", - "WhenCreated": "/Date(1645650828000)/", - "WhenCreatedUTC": "/Date(1645650828000)/" - } - ], - "Commandlet": [ - "Get-HostedConnectionFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.12.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 of 1 agency domain(s) found in violation: tqhjy.onmicrosoft.com", + "Requirement": "An agency point of contact SHOULD be included for aggregate and/or failure reports", + "RequirementMet": false }, { "ActualValue": [ { - "AdminDisplayName": "", - "DirectoryBasedEdgeBlockMode": "Default", - "DistinguishedName": "CN=Default,CN=Hosted Connection Filter,CN=Transport Settings,CN=Configuration,CN=y2zj1.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR10A008,DC=PROD,DC=OUTLOOK,DC=COM", - "EnableSafeList": 
false, - "ExchangeObjectId": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "ExchangeVersion": "0.20 (15.0.0.0)", - "Guid": "3843aef3-f3bd-49c1-a674-4d6741ac11b6", - "IPAllowList": [ - - ], - "IPBlockList": [ - - ], - "Id": "Default", - "Identity": "Default", - "IsDefault": true, - "IsValid": true, - "Name": "Default", - "ObjectCategory": "NAMPR10A008.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Hosted-Connection-Filter-Policy", - "ObjectClass": [ - "top", - "msExchHostedConnectionFilterPolicy" - ], - "ObjectState": "Unchanged", - "OrganizationId": "NAMPR10A008.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/y2zj1.onmicrosoft.com - NAMPR10A008.PROD.OUTLOOK.COM/ConfigurationUnits/y2zj1.onmicrosoft.com/Configuration", - "OrganizationalUnitRoot": "y2zj1.onmicrosoft.com", - "OriginatingServer": "BN6PR10A08DC001.NAMPR10A008.PROD.OUTLOOK.COM", - "WhenChanged": "/Date(1645650841000)/", - "WhenChangedUTC": "/Date(1645650841000)/", - "WhenCreated": "/Date(1645650828000)/", - "WhenCreatedUTC": "/Date(1645650828000)/" + "domain": "tqhjy.onmicrosoft.com", + "rdata": "" } ], - "Commandlet": [ - "Get-HostedConnectionFilterPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.EXO.12.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "Commandlet": "Resolve-DnsName", + "Control": "EXO 2.4", + "Criticality": "Shall", + "ReportDetails": "1 of 1 agency domain(s) found in violation: tqhjy.onmicrosoft.com", + "Requirement": "The DMARC message rejection option SHALL be \"p=reject\"", + "RequirementMet": false }, { "ActualValue": [ { - "AuditDisabled": false, - "DisplayName": "y2zj1", - "Name": "y2zj1.onmicrosoft.com" + "domain": "tqhjy.onmicrosoft.com", + "rdata": "" } ], - "Commandlet": [ - "Get-OrganizationConfig" - ], + "Commandlet": "Resolve-DnsName", + "Control": "EXO 2.4", "Criticality": "Shall", - "PolicyId": "MS.EXO.13.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 of 1 agency domain(s) found in violation: 
tqhjy.onmicrosoft.com", + "Requirement": "The DMARC point of contact for aggregate reports SHALL include reports@dmarc.cyber.dhs.gov", + "RequirementMet": false }, { "ActualValue": [ ], - "Commandlet": [ - "Get-ScubaSpfRecords", - "Get-AcceptedDomain" - ], + "Commandlet": "Resolve-DnsName", + "Control": "EXO 2.2", "Criticality": "Shall", - "PolicyId": "MS.EXO.2.2v1", "ReportDetails": "Requirement met", + "Requirement": "An SPF policy(s) that designates only these addresses as approved senders SHALL be published", "RequirementMet": true }, { "ActualValue": [ "*" ], - "Commandlet": [ - "Get-RemoteDomain" - ], + "Commandlet": "Get-RemoteDomain", + "Control": "EXO 2.1", "Criticality": "Shall", - "PolicyId": "MS.EXO.1.1v1", "ReportDetails": "1 remote domain(s) that allows automatic forwarding: *", + "Requirement": "Automatic forwarding to external domains SHALL be disabled", "RequirementMet": false }, { @@ -2199,9 +1857,10 @@ "Commandlet": [ ], + "Control": "OneDrive 2.6", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.6.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive61v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Onedrive Secure Configuration Baseline policy 2.6 for instructions on manual check", + "Requirement": "OneDrive Client Sync SHALL be restricted to the local domain", "RequirementMet": false }, { 
@@ -2211,9 +1870,10 @@ "Commandlet": [ ], + "Control": "OneDrive 2.7", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.7.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive71v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Onedrive Secure Configuration Baseline policy 2.7 for instructions on manual check", + "Requirement": "Legacy Authentication SHALL be blocked", "RequirementMet": false }, { @@ -2221,11 +1881,12 @@ ], "Commandlet": [ - + "Get-SPOTenant" ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.1.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive11v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "OneDrive 2.1", + "Criticality": "Should", + "ReportDetails": "Requirement not met", + "Requirement": "Anyone links SHOULD be disabled", "RequirementMet": false }, { @@ -2233,11 +1894,12 @@ ], "Commandlet": [ - + "Get-SPOTenant" ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.2.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive21v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "OneDrive 2.2", + "Criticality": "Should", + "ReportDetails": "Requirement not met", + "Requirement": "An expiration date SHOULD be set for Anyone links", "RequirementMet": false }, { 
@@ -2245,11 +1907,12 @@ ], "Commandlet": [ - + "Get-SPOTenant" ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.2.2v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive22v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "OneDrive 2.2", + "Criticality": "Should", + "ReportDetails": "Requirement not met", + "Requirement": "Expiration date SHOULD be set to thirty days", "RequirementMet": false }, { @@ -2257,11 +1920,12 @@ ], "Commandlet": [ - + "Get-SPOTenant" ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.ONEDRIVE.3.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/onedrive.md#msonedrive31v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "OneDrive 2.3", + "Criticality": "Should", + "ReportDetails": "Requirement not met", + "Requirement": "Anyone link permissions SHOULD be limited to View", "RequirementMet": false }, { 
@@ -2269,103 +1933,39 @@ ], "Commandlet": [ - "Get-SPOTenantSyncClientRestriction", - "Get-PnPTenantSyncClientRestriction" + "Get-SPOTenant" ], + "Control": "OneDrive 2.4", "Criticality": "Shall", - "PolicyId": "MS.ONEDRIVE.5.1v1", "ReportDetails": "Requirement not met", - "Requirement": "OneDrive Client Sync SHALL only be allowed only within the local domain", + "Requirement": "OneDrive Client for Windows SHALL be restricted to agency-Defined Domain(s)", "RequirementMet": false }, { "ActualValue": [ { "AllowedDomainList": [ - "786548dd-877b-4760-a749-6b1efbc1190a" + ], - "BlockMacSync": true, + "BlockMacSync": false, "DisableReportProblemDialog": false, "ExcludedFileExtensions": [ "" ], "OptOutOfGrooveBlock": false, "OptOutOfGrooveSoftBlock": false, - "TenantRestrictionEnabled": true + "TenantRestrictionEnabled": false } ], "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" + "Get-SPOTenantSyncClientRestriction" ], + "Control": "OneDrive 2.5", "Criticality": "Shall", - "PolicyId": "MS.ONEDRIVE.4.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": false, - "Commandlet": [ - "Get-PowerAppTenantIsolationPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.POWERPLATFORM.3.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-TenantSettings" - ], - "Control": "Power Platform 2.1", - "Criticality": "Shall", - "ReportDetails": "Requirement met", - "Requirement": "The ability to create trial environments SHALL be restricted to admins", - "RequirementMet": true - }, - { - "ActualValue": true, - "Commandlet": [ - "Get-TenantSettings" - ], - "Criticality": "Shall", - "PolicyId": "MS.POWERPLATFORM.1.1v1", "ReportDetails": "Requirement met", + "Requirement": "OneDrive Client Sync SHALL only be allowed only within the local domain", "RequirementMet": true }, - { - "ActualValue": "No DLP Policies found", - "Commandlet": [ - "Get-DlpPolicy" - ], - 
"Criticality": "Should", - "PolicyId": "MS.POWERPLATFORM.2.2v1", - "ReportDetails": "No DLP Policies found", - "RequirementMet": false - }, - { - "ActualValue": "No DLP Policies found", - "Commandlet": [ - "Get-DlpPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.POWERPLATFORM.2.3v1", - "ReportDetails": "No DLP Policies found", - "RequirementMet": false - }, - { - "ActualValue": [ - - ], - "Commandlet": [ - - ], - "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.4.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform41v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", - "RequirementMet": false - }, { "ActualValue": [ 
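Review bot: The OneDrive 2.5 entry in this hunk now records `"TenantRestrictionEnabled": false` and an empty `AllowedDomainList` on the new side, yet the unchanged context lines still report `"ReportDetails": "Requirement met"` and `"RequirementMet": true` for a control that requires sync to be restricted to the local domain. If this file is meant to be representative tool output, that looks internally inconsistent and should be reconciled with the policy's expected outcome, or the fixture should carry a comment-equivalent field explaining why a disabled restriction passes; if it is intended to exercise a failing case, the two flags should be flipped to `"ReportDetails": "Requirement not met"` and `"RequirementMet": false`. The same entry's added `Requirement` text repeats the word "only" (`SHALL only be allowed only within`), which presumably should read `SHALL only be allowed within the local domain`. The enclosing array continues outside this hunk.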
@@ -2373,33 +1973,10 @@ "Commandlet": [ ], + "Control": "Sharepoint 2.3", "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.3.2v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform32v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [ - - ], - "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.POWERPLATFORM.3.3v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/powerplatform.md#mspowerplatform33v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [ - - ], - "Commandlet": [ - "Get-DlpPolicy" - ], - "Criticality": "Shall", - "PolicyId": "MS.POWERPLATFORM.2.1v1", - "ReportDetails": "No policy found that applies to default environment", + "ReportDetails": "Currently cannot be checked automatically. See Sharepoint Secure Configuration Baseline policy 2.3 for instructions on manual check", + "Requirement": "Sharing settings for specific SharePoint sites SHOULD align to their sensitivity level", "RequirementMet": false }, { 
@@ -2409,9 +1986,10 @@ "Commandlet": [ ], + "Control": "Sharepoint 2.5", "Criticality": "Shall/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.5.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint51v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "ReportDetails": "Currently cannot be checked automatically. See Sharepoint Secure Configuration Baseline policy 2.5 for instructions on manual check", + "Requirement": "Users SHALL be prevented from running custom scripts on personal sites (OneDrive)", "RequirementMet": false }, { @@ -2419,11 +1997,12 @@ ], "Commandlet": [ - + "Get-SPOTenant" ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.1.3v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint13v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "Sharepoint 2.1", + "Criticality": "Shall", + "ReportDetails": "Requirement not met", + "Requirement": "File and folder links default sharing setting SHALL be set to \"Specific People (Only the People the User Specifies)\"", "RequirementMet": false }, { 
@@ -2431,116 +2010,155 @@ ], "Commandlet": [ - - ], - "Criticality": "Should/Not-Implemented", - "PolicyId": "MS.SHAREPOINT.3.1v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/sharepoint.md#mssharepoint31v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", - "RequirementMet": false - }, - { - "ActualValue": [ - false - ], - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" + "Get-SPOTenant" ], + "Control": "Sharepoint 2.2", "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.1.4v1", "ReportDetails": "Requirement not met", + "Requirement": "External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs", "RequirementMet": false }, { "ActualValue": [ - 1 + ], "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" + "Get-SPOTenant" ], + "Control": "Sharepoint 2.4", "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.1.1v1", "ReportDetails": "Requirement not met", + "Requirement": "Expiration timers SHOULD be set to 30 days", "RequirementMet": false }, { "ActualValue": [ - 1 - ], - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.1.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - 1, - true, - 29 - ], - "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" - ], - "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.4.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": [ - 1, - true, - 31 + ], "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" + "Get-SPOTenant" ], + "Control": "Sharepoint 2.4", "Criticality": "Should", - "PolicyId": "MS.SHAREPOINT.4.1v1", - "ReportDetails": "Requirement not met: Expiration timer for \u0027Guest access to a site or OneDrive\u0027 NOT set to 30 days or less", + "ReportDetails": 
"Requirement not met", + "Requirement": "Expiration timers for \u0027guest access to a site or OneDrive\u0027 and \u0027people who use a verification code\u0027 SHOULD be set", "RequirementMet": false }, { "ActualValue": [ - 2 + { + "AllowDownloadingNonWebViewableFiles": false, + "AllowEditing": true, + "AllowSelfServiceUpgrade": true, + "AnonymousLinkExpirationInDays": 0, + "AuthenticationContextName": null, + "BlockDownloadLinksFileType": 1, + "BlockDownloadPolicy": false, + "CommentsOnSitePagesDisabled": false, + "CompatibilityLevel": 15, + "ConditionalAccessPolicy": 0, + "DefaultLinkPermission": 0, + "DefaultLinkToExistingAccess": false, + "DefaultShareLinkRole": 0, + "DefaultShareLinkScope": 0, + "DefaultSharingLinkType": 0, + "DenyAddAndCustomizePages": 2, + "DisableAppViews": 2, + "DisableCompanyWideSharingLinks": 2, + "DisableFlows": 2, + "DisableSharingForNonOwnersStatus": null, + "ExcludeBlockDownloadPolicySiteOwners": false, + "ExcludedBlockDownloadGroupIds": [ + + ], + "ExternalUserExpirationInDays": 0, + "GroupId": "00000000-0000-0000-0000-000000000000", + "HubSiteId": "00000000-0000-0000-0000-000000000000", + "InformationBarriersMode": "", + "InformationSegment": [ + + ], + "IsHubSite": false, + "IsTeamsChannelConnected": false, + "IsTeamsConnected": false, + "LastContentModifiedDate": "/Date(1669883125563)/", + "LimitedAccessFileType": 1, + "LocaleId": 1033, + "LockIssue": null, + "LockState": "Unlock", + "LoopDefaultSharingLinkRole": 0, + "LoopDefaultSharingLinkScope": -1, + "LoopOverrideSharingCapability": false, + "LoopSharingCapability": 2, + "MediaTranscription": 0, + "OverrideBlockUserInfoVisibility": 0, + "OverrideSharingCapability": false, + "OverrideTenantAnonymousLinkExpirationPolicy": false, + "OverrideTenantExternalUserExpirationPolicy": false, + "Owner": "efb52a3c-c813-4e58-855e-63e4bfb5a20e", + "PWAEnabled": 1, + "ReadOnlyForUnmanagedDevices": false, + "RelatedGroupId": "00000000-0000-0000-0000-000000000000", + 
"RequestFilesLinkEnabled": true, + "RequestFilesLinkExpirationInDays": -1, + "ResourceQuota": 300, + "ResourceQuotaWarningLevel": 255, + "ResourceUsageAverage": 0, + "ResourceUsageCurrent": 0, + "RestrictedAccessControl": false, + "RestrictedToGeo": 3, + "SandboxedCodeActivationCapability": 2, + "SensitivityLabel": null, + "SharingAllowedDomainList": "", + "SharingBlockedDomainList": "", + "SharingCapability": 2, + "SharingDomainRestrictionMode": 0, + "SharingLockDownCanBeCleared": true, + "SharingLockDownEnabled": false, + "ShowPeoplePickerSuggestionsForGuestUsers": false, + "SiteDefinedSharingCapability": 2, + "SocialBarOnSitePagesDisabled": false, + "Status": "Active", + "StorageQuota": 26214400, + "StorageQuotaType": null, + "StorageQuotaWarningLevel": 25574400, + "StorageUsageCurrent": 1, + "TeamsChannelType": 0, + "Template": "SITEPAGEPUBLISHING#0", + "Title": "Communication site", + "Url": "https://tqhjy.sharepoint.com/", + "WebsCount": 1 + } ], "Commandlet": [ - "Get-SPOSite", - "Get-PnPTenantSite" + "Get-SPOSite" ], + "Control": "Sharepoint 2.5", "Criticality": "Shall", - "PolicyId": "MS.SHAREPOINT.5.2v1", "ReportDetails": "Requirement met", + "Requirement": "Users SHALL be prevented from running custom scripts on self-service created sites", "RequirementMet": true }, { - "ActualValue": [ - 2 - ], + "ActualValue": true, "Commandlet": [ - "Get-SPOTenant", - "Get-PnPTenant" + "Get-CsTeamsMeetingPolicy" ], - "Criticality": "Shall", - "PolicyId": "MS.SHAREPOINT.2.1v1", + "Control": "Teams 2.9", + "Criticality": "Should", "ReportDetails": "Requirement not met", + "Requirement": "Cloud video recording SHOULD be disabled in the global (org-wide default) meeting policy", "RequirementMet": false }, { - "ActualValue": true, + "ActualValue": "AlwaysEnabled", "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], + "Control": "Teams 2.10", "Criticality": "Should", - "PolicyId": "MS.TEAMS.9.1v1", "ReportDetails": "Requirement not met", + "Requirement": "Record an event SHOULD 
be set to Organizer can record", "RequirementMet": false }, { @@ -2548,19 +2166,10 @@ "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], + "Control": "Teams 2.3", "Criticality": "Should", - "PolicyId": "MS.TEAMS.3.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true - }, - { - "ActualValue": "UserOverride", - "Commandlet": [ - "Get-CsTeamsMeetingBroadcastPolicy" - ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.10.1v1", "ReportDetails": "Requirement met", + "Requirement": "Internal users SHOULD be admitted automatically", "RequirementMet": true }, { @@ -2570,9 +2179,10 @@ "Commandlet": [ ], + "Control": "Teams 2.11", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.11.1v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "A DLP solution SHALL be enabled", "RequirementMet": false }, { @@ -2582,9 +2192,10 @@ "Commandlet": [ ], + "Control": "Teams 2.11", "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.11.4v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "The DLP solution SHALL protect Personally Identifiable Information (PII) and sensitive information, as defined by the agency. At a minimum, the sharing of credit card numbers, taxpayer Identification Numbers (TIN), and Social Security Numbers (SSN) via email SHALL be restricted", "RequirementMet": false }, { 
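Review bot: The `Get-SPOSite` entry added under `Sharepoint 2.5` stores an entire site object from what looks like a live tenant, including `"Url": "https://tqhjy.sharepoint.com/"`, an `"Owner"` object ID, `GroupId`/`HubSiteId` values and a `LastContentModifiedDate`; a committed fixture should not carry identifiers that resolve to a real environment. Replace them with obviously synthetic values (for example a `contoso`-style host and all-zero GUIDs) or, better, trim `ActualValue` to the properties the rule evaluates, which the removed side did by storing a single scalar. Scrubbing also keeps the fixture stable when it is regenerated against a different tenant, which is what the `NOAM-ED6-A7` to `NOAM-ED6-A5` change in the `@@ -2679,25 +2297,27 @@` hunk suggests happened here.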
@@ -2594,9 +2205,10 @@ "Commandlet": [ ], - "Criticality": "Shall/3rd Party", - "PolicyId": "MS.TEAMS.8.3v1", - "ReportDetails": "Not currently checked automatically. See \u003ca href=\"https://github.com/cisagov/ScubaGear/blob/0.3.0/baselines/teams.md#msteams83v1\" target=\"_blank\"\u003eSecure Configuration Baseline policy\u003c/a\u003e for instructions on manual check", + "Control": "Teams 2.11", + "Criticality": "Should/3rd Party", + "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Agencies SHOULD use either the native DLP solution offered by Microsoft or a DLP solution that offers comparable services", "RequirementMet": false }, { @@ -2606,9 +2218,10 @@ "Commandlet": [ ], + "Control": "Teams 2.12", "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.11.2v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Attachments included with Teams messages SHOULD be scanned for malware", "RequirementMet": false }, { @@ -2618,9 +2231,10 @@ "Commandlet": [ ], + "Control": "Teams 2.12", "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.12.1v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Users SHOULD be prevented from opening or downloading files detected as malware", "RequirementMet": false }, { 
@@ -2630,9 +2244,10 @@ "Commandlet": [ ], + "Control": "Teams 2.13", "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.12.2v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "Direct download links SHOULD be scanned for malware", "RequirementMet": false }, { @@ -2642,9 +2257,10 @@ "Commandlet": [ ], + "Control": "Teams 2.13", "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.1v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "URL comparison with a block-list SHOULD be enabled", "RequirementMet": false }, { @@ -2654,9 +2270,10 @@ "Commandlet": [ ], + "Control": "Teams 2.13", "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.2v1", "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Requirement": "User click tracking SHOULD be enabled", "RequirementMet": false }, { @@ -2666,9 +2283,10 @@ "Commandlet": [ ], - "Criticality": "Should/3rd Party", - "PolicyId": "MS.TEAMS.13.3v1", - "ReportDetails": "Custom implementation allowed. If you are using Defender to fulfill this requirement, run the Defender version of this script. Otherwise, use a 3rd party tool OR manually check", + "Control": "Teams 2.8", + "Criticality": "Shall/3rd Party", + "ReportDetails": "Cannot be checked automatically. See Microsoft Teams Secure Configuration Baseline policy 2.8 for instructions on manual check", + "Requirement": "Agencies SHALL establish policy dictating the app review and approval process to be used by the agency", "RequirementMet": false }, { 
@@ -2679,25 +2297,27 @@ "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], + "Control": "Teams 2.3", "Criticality": "Should", - "PolicyId": "MS.TEAMS.3.1v1", "ReportDetails": "Requirement met", + "Requirement": "Anonymous users, including dial-in users, SHOULD NOT be admitted automatically", "RequirementMet": true }, { "ActualValue": [ [ - + "Global" ], - "MicrosoftCommunicationsOnline/NOAM-ED6-A7" + "MicrosoftCommunicationsOnline/NOAM-ED6-A5" ], "Commandlet": [ "Get-CsTeamsClientConfiguration" ], + "Control": "Teams 2.7", "Criticality": "Shall", - "PolicyId": "MS.TEAMS.7.1v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 Requirement not met: Email integration is enabled across domain: Global", + "Requirement": "Teams email integration SHALL be disabled", + "RequirementMet": false }, { "ActualValue": [ @@ -2706,9 +2326,10 @@ "Commandlet": [ "Get-CsTeamsAppPermissionPolicy" ], + "Control": "Teams 2.8", "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.2av1", "ReportDetails": "Requirement met", + "Requirement": "Agencies SHOULD allow all apps published by Microsoft, but MAY block specific Microsoft apps as needed", "RequirementMet": true }, { @@ -2716,11 +2337,12 @@ ], "Commandlet": [ - "Get-CsTeamsAppPermissionPolicy" + "Get-CsTeamsMeetingPolicy" ], + "Control": "Teams 2.1", "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.2v1", "ReportDetails": "Requirement met", + "Requirement": "External participants SHOULD NOT be enabled to request control of shared desktops or windows in the Global (Org-wide default) meeting policy or in custom meeting policies if any exist", "RequirementMet": true }, { 
@@ -2730,10 +2352,10 @@ "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], - "Control": "Teams 2.4", - "Criticality": "Should", + "Control": "Teams 2.2", + "Criticality": "Shall", "ReportDetails": "Requirement met", - "Requirement": "Anonymous users SHOULD be enabled to join meetings", + "Requirement": "Anonymous users SHALL NOT be enabled to start meetings in the Global (Org-wide default) meeting policy or in custom meeting policies if any exist", "RequirementMet": true }, { @@ -2743,9 +2365,10 @@ "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.2.1v1", + "Control": "Teams 2.4", + "Criticality": "Should", "ReportDetails": "Requirement met", + "Requirement": "Anonymous users SHOULD be enabled to join meetings", "RequirementMet": true }, { @@ -2755,9 +2378,10 @@ "Commandlet": [ "Get-CsTeamsMeetingPolicy" ], + "Control": "Teams 2.9", "Criticality": "Should", - "PolicyId": "MS.TEAMS.1.1v1", "ReportDetails": "Requirement met", + "Requirement": "For all meeting polices that allow cloud recording, recordings SHOULD be stored inside the country of that agencyG��s tenant", "RequirementMet": true }, { @@ -2765,11 +2389,12 @@ ], "Commandlet": [ - "Get-CsTeamsMeetingPolicy" + "Get-CsTenantFederationConfiguration" ], - "Criticality": "Should", - "PolicyId": "MS.TEAMS.9.3v1", + "Control": "Teams 2.4", + "Criticality": "Shall", "ReportDetails": "Requirement met", + "Requirement": "External access SHALL only be enabled on a per-domain basis", "RequirementMet": true }, { @@ -2779,9 +2404,10 @@ "Commandlet": [ "Get-CsTenantFederationConfiguration" ], + "Control": "Teams 2.5", "Criticality": "Shall", - "PolicyId": "MS.TEAMS.4.1v1", "ReportDetails": "Requirement met", + "Requirement": "Unmanaged users SHALL NOT be enabled to initiate contact with internal users", "RequirementMet": true }, { 
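Review bot: The added `Requirement` string in the `@@ -2755,9 +2378,10 @@` hunk contains a mis-encoded apostrophe, `agencyG��s tenant`, which will be emitted verbatim into any report built from this fixture; it should read `agency's tenant`. If the text is copied from the Rego rule or the baseline, fix it there and regenerate, and make sure the file is written as UTF-8 so the replacement characters do not reappear.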
@@ -2791,9 +2417,10 @@ "Commandlet": [ "Get-CsTenantFederationConfiguration" ], - "Criticality": "Shall", - "PolicyId": "MS.TEAMS.5.1v1", + "Control": "Teams 2.5", + "Criticality": "Should", "ReportDetails": "Requirement met", + "Requirement": "Internal users SHOULD NOT be enabled to initiate contact with unmanaged users", "RequirementMet": true }, { @@ -2803,34 +2430,36 @@ "Commandlet": [ "Get-CsTenantFederationConfiguration" ], + "Control": "Teams 2.6", "Criticality": "Shall", - "PolicyId": "MS.TEAMS.6.1v1", "ReportDetails": "Requirement met", + "Requirement": "Contact with Skype users SHALL be blocked", "RequirementMet": true }, { "ActualValue": [ - + "Global" ], "Commandlet": [ - "Get-CsTenantFederationConfiguration" + "Get-CsTeamsAppPermissionPolicy" ], + "Control": "Teams 2.8", "Criticality": "Should", - "PolicyId": "MS.TEAMS.5.2v1", - "ReportDetails": "Requirement met", - "RequirementMet": true + "ReportDetails": "1 meeting policy(ies) found that allow custom apps by default: Global", + "Requirement": "Agencies SHOULD NOT allow installation of all custom apps, but MAY allow specific apps as needed", + "RequirementMet": false }, { "ActualValue": [ - "Global", - "Tag:Test Policy" + "Global" ], "Commandlet": [ "Get-CsTeamsAppPermissionPolicy" ], + "Control": "Teams 2.8", "Criticality": "Should", - "PolicyId": "MS.TEAMS.8.1v1", - "ReportDetails": "2 meeting policy(ies) found that block Microsoft Apps by default: Global, Tag:Test Policy", + "ReportDetails": "1 meeting policy(ies) found that allow third-party apps by default: Global", + "Requirement": "Agencies SHOULD NOT allow installation of all third-party apps, but MAY allow specific apps as needed", "RequirementMet": false } -] +] \ No newline at end of file diff --git a/Testing/Unit/Rego/AAD/AADConfig_07_test.rego b/Testing/Unit/Rego/AAD/AADConfig_07_test.rego index 372db09516..fd6af69505 100644 --- a/Testing/Unit/Rego/AAD/AADConfig_07_test.rego +++ b/Testing/Unit/Rego/AAD/AADConfig_07_test.rego 
@@ -1,7 +1,5 @@ package aad import future.keywords -import data.report.utils.NotCheckedDetails - # # MS.AAD.7.1v1 @@ -103,16 +101,40 @@ test_PrivilegedUsers_Incorrect_V2 if { # # MS.AAD.7.2v1 #-- -test_NotImplemented_Correct if { +test_SecureScore_Correct if { + PolicyId := "MS.AAD.7.2v1" + + Output := tests with input as { + "secure_score" : [ + { + "Score" : 1.0 + } + ] + } + + RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] + + count(RuleOutput) == 1 + RuleOutput[0].RequirementMet + RuleOutput[0].ReportDetails == "Requirement met" +} + +test_SecureScore_Incorrect if { PolicyId := "MS.AAD.7.2v1" - Output := tests with input as { } + Output := tests with input as { + "secure_score" : [ + { + "Score": 0.5 + } + ] + } RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] count(RuleOutput) == 1 not RuleOutput[0].RequirementMet - RuleOutput[0].ReportDetails == NotCheckedDetails(PolicyId) + RuleOutput[0].ReportDetails == "Requirement not met" } #-- diff --git a/Testing/Unit/Rego/Teams/TeamsConfig_07_test.rego b/Testing/Unit/Rego/Teams/TeamsConfig_07_test.rego index fe6ea07eea..501803914b 100644 --- a/Testing/Unit/Rego/Teams/TeamsConfig_07_test.rego +++ b/Testing/Unit/Rego/Teams/TeamsConfig_07_test.rego @@ -45,7 +45,7 @@ test_AllowEmailIntoChannel_Correct_V1_multi if { { "Identity": "Tag:AllOn", "AllowEmailIntoChannel": false - } + } ], "teams_tenant_info": [ { @@ -147,7 +147,7 @@ test_AllowEmailIntoChannel_Correct_V2 if { } RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - + count(RuleOutput) == 1 RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "N/A: Feature is unavailable in GCC environments" @@ -179,7 +179,7 @@ test_AllowEmailIntoChannel_Correct_V2_multi if { } RuleOutput := [Result | Result = Output[_]; Result.PolicyId == PolicyId] - + count(RuleOutput) == 1 RuleOutput[0].RequirementMet RuleOutput[0].ReportDetails == "N/A: Feature is unavailable in GCC environments" 
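Review bot: Neither new test covers the input the removed `test_NotImplemented_Correct` used, an empty or absent `secure_score`: `test_SecureScore_Correct` and `test_SecureScore_Incorrect` each supply exactly one element. An empty `"secure_score": []` is a plausible provider result when the filtered control is not present, and the rule's behaviour for it should be pinned with a third test, e.g. `Output := tests with input as {"secure_score": []}` followed by `count(RuleOutput) == 1` and the intended `RequirementMet` value. The values `1.0` and `0.5` also leave the pass threshold unpinned; a score just under the passing value would document where the line is.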
diff --git a/baselines/aad.md b/baselines/aad.md index 486c075271..7beb2411b3 100644 --- a/baselines/aad.md +++ b/baselines/aad.md @@ -1,6 +1,6 @@ # CISA M365 Security Configuration Baseline for Azure Active Directory -Azure Active Directory (AAD) is a cloud-based identity and access control service that provides security and functional capabilities to Microsoft 365. This security baseline provides policies to help secure AAD. +Azure Active Directory (AAD) is a cloud-based identity and access control service that provides security and functional capabilities to Microsoft 365. This security baseline provides policies to help secure AAD. ## License Compliance and Copyright 
@@ -94,7 +94,7 @@ base, follow [these instructions](https://learn.microsoft.com/en-us/azure/active ## 2. Risk Based Policies -This section provides policies that help reduce security risks related to user accounts that may have been compromised. These policies use a combination of AAD Identity Protection and AAD Conditional Access. AAD Identity Protection uses numerous signals to detect the risk level for each user or sign-in to determine if an account may have been compromised. +This section provides policies that help reduce security risks related to user accounts that may have been compromised. These policies use a combination of AAD Identity Protection and AAD Conditional Access. AAD Identity Protection uses numerous signals to detect the risk level for each user or sign-in to determine if an account may have been compromised. - _Additional mitigations to secure Workload Identities:_ Although not covered in this baseline due to the need for an additional non-standard license, Microsoft also provides support for mitigating risks related to workload identities (AAD applications or service principals). Agencies should strongly consider implementing this feature because workload identities present many of the same risks as interactive user access and are commonly used in modern systems. Follow [these instructions](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity) to apply conditional access policies to workload identities. @@ -475,7 +475,7 @@ Group owners SHALL NOT be allowed to consent to applications. ## 6. Passwords -This section provides policies that help reduce security risks associated with legacy password practices that are no longer supported by research. +This section provides policies that help reduce security risks associated with legacy password practices that are no longer supported by research. ### Policies #### MS.AAD.6.1v1 
@@ -611,7 +611,7 @@ The following implementation instructions that reference the AAD PIM service wil 4. Review the score for the action named **Use least privileged administrative roles.** -5. Review the **current score** value and compare it to the **max score**. +5. Review the **current score** value and compare it to the **max score**. If the current score is not the maximum value and the status is not **Completed**, you must perform the improvement actions. If that is the case, follow the detailed action steps and then check the score again after 48 hours to ensure compliance. #### MS.AAD.7.3v1 instructions: @@ -653,14 +653,14 @@ Performing a manual review of highly privileged users to determine which ones ar 3. Select the **Global administrator role.** -4. Under **Manage**, select **Assignments.** Repeat the steps below for both the **Eligible** and the **Active** AAD PIM assignments. +4. Under **Manage**, select **Assignments.** Repeat the steps below for both the **Eligible** and the **Active** AAD PIM assignments. 5. For each user or group listed, examine the value in the **Start time** column. If it contains a value of **-**, this indicates that the respective user / group was assigned to that role outside of AAD PIM. If the role was assigned outside of AAD PIM, delete the assignment and recreate it using AAD PIM. #### MS.AAD.7.6v1 instructions: -1. In **Azure Active Directory** create a new group named **Privileged Escalation Approvers**. This group will contain users that will receive role activation approval requests and approve or deny them. +1. In **Azure Active Directory** create a new group named **Privileged Escalation Approvers**. This group will contain users that will receive role activation approval requests and approve or deny them. 2. Assign this new group to the AAD role **Privileged Role Administrators**. This permission is required so that users in this group can adjudicate role activation approval requests. 
diff --git a/sample-config-files/aad-config.yaml b/sample-config-files/aad-config.yaml
index ac8098f4be..abb0ed1809 100644
--- a/sample-config-files/aad-config.yaml
+++ b/sample-config-files/aad-config.yaml
@@ -37,8 +37,10 @@ Aad:
 - fc29f4a8-2b27-4d1e-898e-cfacb98bd8f8
 Groups:
 - 08adb07a-956f-450e-b41c-81e92e3db2c4
+ - 8454f405-3b29-4102-b888-315c4e3de2d0
 MS.AAD.2.1v1: *CommonExclusions
 MS.AAD.2.3v1: *CommonExclusions
+ MS.AAD.3.1v1: *CommonExclusions
 MS.AAD.3.2v1: *CommonExclusions
 MS.AAD.7.4v1: &CommonRoleExclusions
 RoleExclusions:
diff --git a/utils/UninstallModules.ps1 b/utils/UninstallModules.ps1
index 83488bba06..9dfd9acad3 100644
--- a/utils/UninstallModules.ps1
+++ b/utils/UninstallModules.ps1
@@ -30,6 +30,7 @@ $ModuleList = @(
 "Microsoft.Graph.Identity.Governance",
 "Microsoft.Graph.Identity.SignIns",
 "Microsoft.Graph.Planner",
+ "Microsoft.Graph.Security",
 "Microsoft.Graph.Teams",
 "Microsoft.Graph.Users",
 "Microsoft.Graph.Authentication"