From 2fd993dd574d309bc04d2819d31246d7c954b2fa Mon Sep 17 00:00:00 2001 
From: Henrik Piecha Date: Mon, 9 Feb 2026 12:24:23 +0100 Subject: [PATCH] Added CIS M365v5 SPO tests --- powershell/Maester.psd1 | 3 +- .../maester/spo/Test-MtSpoB2BIntegration.md | 13 ++++++ .../maester/spo/Test-MtSpoB2BIntegration.ps1 | 39 ++++++++++++++++ ...poCustomScriptExecutionOnSiteCollection.md | 21 +++++++++ ...oCustomScriptExecutionOnSiteCollection.ps1 | 45 +++++++++++++++++++ .../spo/Test-MtSpoDefaultSharingLink.md | 13 ++++++ .../spo/Test-MtSpoDefaultSharingLink.ps1 | 37 +++++++++++++++ .../Test-MtSpoDefaultSharingLinkPermission.md | 12 +++++ ...Test-MtSpoDefaultSharingLinkPermission.ps1 | 37 +++++++++++++++ .../spo/Test-MtSpoGuestAccessExpiry.md | 18 ++++++++ .../spo/Test-MtSpoGuestAccessExpiry.ps1 | 38 ++++++++++++++++ .../Test-MtSpoGuestCannotShareUnownedItem.md | 16 +++++++ .../Test-MtSpoGuestCannotShareUnownedItem.ps1 | 37 +++++++++++++++ .../Test-MtSpoPreventDownloadMaliciousFile.md | 15 +++++++ ...Test-MtSpoPreventDownloadMaliciousFile.ps1 | 37 +++++++++++++++ tests/Maester/Spo/Test-SpoTenant.Tests.ps1 | 44 ++++++++++++++++++ tests/maester-config.json | 35 +++++++++++++++ website/docs/tests/maester/MT.1113.md | 19 ++++++++ website/docs/tests/maester/MT.1114.md | 29 ++++++++++++ website/docs/tests/maester/MT.1115.md | 21 +++++++++ website/docs/tests/maester/MT.1116.md | 20 +++++++++ website/docs/tests/maester/MT.1117.md | 26 +++++++++++ website/docs/tests/maester/MT.1118.md | 24 ++++++++++ website/docs/tests/maester/MT.1119.md | 23 ++++++++++ 24 files changed, 621 insertions(+), 1 deletion(-) create mode 100644 powershell/public/maester/spo/Test-MtSpoB2BIntegration.md create mode 100644 powershell/public/maester/spo/Test-MtSpoB2BIntegration.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.md create mode 100644 powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.md create mode 100644 
powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.md create mode 100644 powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.md create mode 100644 powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.md create mode 100644 powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.ps1 create mode 100644 powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.md create mode 100644 powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.ps1 create mode 100644 tests/Maester/Spo/Test-SpoTenant.Tests.ps1 create mode 100644 website/docs/tests/maester/MT.1113.md create mode 100644 website/docs/tests/maester/MT.1114.md create mode 100644 website/docs/tests/maester/MT.1115.md create mode 100644 website/docs/tests/maester/MT.1116.md create mode 100644 website/docs/tests/maester/MT.1117.md create mode 100644 website/docs/tests/maester/MT.1118.md create mode 100644 website/docs/tests/maester/MT.1119.md diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1 index 2f2cac855..e3b31ba02 100644 --- a/powershell/Maester.psd1 +++ b/powershell/Maester.psd1 
@@ -186,7 +186,8 @@ 'Test-MtXspmCriticalCredsOnDevicesWithNonCriticalAccounts', 'Test-MtXspmPublicRemotelyExploitableHighExposureDevices', 'Test-MtXspmCriticalCredentialsOnNonTpmProtectedDevices', - 'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices' + 'Test-MtXspmCriticalCredentialsOnNonCredGuardProtectedDevices', + 'Test-MtSpoB2BIntegration', 'Test-MtSpoCustomScriptExecutionOnSiteCollection', 'Test-MtSpoDefaultSharingLink', 'Test-MtSpoDefaultSharingLinkPermission', 'Test-MtSpoGuestAccessExpiry', 'Test-MtSpoGuestCannotShareUnownedItem', 'Test-MtSpoPreventDownloadMaliciousFile' # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. CmdletsToExport = @() diff --git a/powershell/public/maester/spo/Test-MtSpoB2BIntegration.md b/powershell/public/maester/spo/Test-MtSpoB2BIntegration.md new file mode 100644 index 000000000..e9f48f6f8 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoB2BIntegration.md 
@@ -0,0 +1,13 @@ +7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled + +Before integration SharePoint Online with Microsoft Entra B2B external users authenticated via one-time passcode, directly to SharePoint. +This authentication bypasses all configurations from Microsoft Entra as well as sign-in logs and can only be monitoring in Auditing-logs. + +With SharePoint and OneDrive integrated with Microsoft Entra B2B Invitation Manager, invited people outside the organization are each given a guest account in the directory and are subject to Microsoft Entra ID access policies such as conditional access. +Invitations to a SharePoint site use Microsoft Entra B2B and no longer require users to have or create a personal Microsoft account. + +## Related Links + +* [SharePoint and OneDrive integration with Microsoft Entra B2B | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration) +* [Secure external sharing recipient experience | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release) +* CIS 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoB2BIntegration.ps1 b/powershell/public/maester/spo/Test-MtSpoB2BIntegration.ps1 new file mode 100644 index 000000000..74408aa37 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoB2BIntegration.ps1 
@@ -0,0 +1,39 @@ +<# +.SYNOPSIS + Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing. + +.DESCRIPTION + Microsoft Entra B2B integration allows you to manage external sharing in SharePoint Online using Microsoft Entra. With this integration, you can use Microsoft Entra to control access to your SharePoint Online resources, including sites, lists, and libraries. This provides a more secure and streamlined way to manage external sharing in SharePoint Online. + When Microsoft Entra B2B integration is enabled, you can use Microsoft Entra to create and manage guest users, assign permissions, and monitor access to your SharePoint Online resources. This allows you to have better control over who can access your SharePoint Online resources and what they can do with them. + The recommended state is EnableAzureADB2BIntegration set to $true. + +.EXAMPLE + Test-MtSpoB2BIntegration + + Returns true if the SharePoint tenant is integrated with Microsoft Entra B2B, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoB2BIntegration +#> +function Test-MtSpoB2BIntegration { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing SharePoint Entra B2B integration..." + + $return = $true + try { + $B2BIntegration = Get-SPOTenant | Select-Object -ExpandProperty EnableAzureADB2BIntegration + if ($B2BIntegration) { + $testResult = "Well done. Your SharePoint tenant is integrated with Microsoft Entra B2B." + } else { + $testResult = "Your SharePoint tenant is not integrated with Microsoft Entra B2B." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file 
diff --git a/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.md b/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.md new file mode 100644 index 000000000..0e3120c8d --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.md @@ -0,0 +1,21 @@ +7.3.4 (L1) Ensure custom script execution is restricted on site collections + +Description: +This setting controls custom script execution on a particular site (previously called "site collection"). +Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means: +* Scripts have access to everything the user has access to. +* Scripts can access content across several Microsoft 365 services and even +beyond with Microsoft Graph integration. The recommended state is DenyAddAndCustomizePages set to $true. + +Rationale: +Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited: +* What code has been inserted +* Where the code has been inserted +* Who inserted the code + +Note: Microsoft recommends using the SharePoint Framework instead of custom scripts + +## Related Links + +* [Allow or prevent custom script | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script) +* CIS 7.3.4 (L1) Ensure custom script execution is restricted on site collections \ No newline at end of file 
diff --git a/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.ps1 b/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.ps1 new file mode 100644 index 000000000..344771e9f --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoCustomScriptExecutionOnSiteCollection.ps1 
@@ -0,0 +1,45 @@ +<# +.SYNOPSIS + 7.3.4 (L1) Ensure custom script execution is restricted on site collections + +.DESCRIPTION + This setting controls custom script execution on a particular site (previously called "site collection"). + Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means: + * Scripts have access to everything the user has access to. + * Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration. The recommended state is DenyAddAndCustomizePages set to $true. + +.EXAMPLE + Test-MtSpoCustomScriptExecutionOnSiteCollection + + Returns true if custom script execution is restricted on all site collections, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoCustomScriptExecutionOnSiteCollection +#> +function Test-MtSpoCustomScriptExecutionOnSiteCollection { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing default sharing link type in SharePoint Online..." + + $return = $true + try { + $noncompliantSites = Get-SPOSite | Where-Object { $_.DenyAddAndCustomizePages -eq "Disabled" -and $_.Url -notlike "*-my.sharepoint.com/" } + if ($noncompliantSites | Measure-Object | Select-Object -ExpandProperty Count -eq 0) { + $testResult = "Well done. Custom script execution is restricted on all site collections." 
+ } else { + $result = "Title | URL | DenyAddAndCustomizePages |`n" + $result += "--- | --- | --- |`n" + foreach ($site in $noncompliantSites) { + $result += "$($site.Title) | $($site.Url) | $($site.DenyAddAndCustomizePages) |`n" + } + $testResult = "Custom script execution is not restricted on the following site collections:`n`n$($result)" + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.md b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.md new file mode 100644 index 000000000..9536db153 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.md @@ -0,0 +1,13 @@ +7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive + +Description: +This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. +The recommended state is Specific people (only the people the user specifies) or Only people in your organization (more restrictive). + +Rationale: +By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive \ No newline at end of file 
diff --git a/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.ps1 b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.ps1 new file mode 100644 index 000000000..c8eef8e18 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLink.ps1 @@ -0,0 +1,37 @@ +<# +.SYNOPSIS + 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive + +.DESCRIPTION + By default, the sharing link experience in SharePoint and OneDrive is set to "Anyone with the link". This means that when users share files or folders, the default option allows anyone with the link to access the content, which can lead to unintentional overexposure of sensitive information. By changing the default sharing link type to "Specific people", users are encouraged to be more deliberate about who they share content with, reducing the risk of unauthorized access and supporting a more secure sharing environment. + +.EXAMPLE + Test-MtSpoDefaultSharingLink + + Returns true if the default sharing link type is set to a restrictive option, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoDefaultSharingLink +#> +function Test-MtSpoDefaultSharingLink { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing default sharing link type in SharePoint Online..." + + $return = $true + try { + $DefaultSharingLinkType = Get-SPOTenant | Select-Object -ExpandProperty DefaultSharingLinkType + if ($DefaultSharingLinkType -eq "Direct" -or $DefaultSharingLinkType -eq "Internal") { + $testResult = "Well done. Default sharing link type is set to a restrictive option." + } else { + $testResult = "Default sharing link type is not set to a restrictive option." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file 
diff --git a/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.md b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.md new file mode 100644 index 000000000..0f9496261 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.md @@ -0,0 +1,12 @@ +7.2.11 (L1) Ensure the SharePoint default sharing link permission is set + +Description: +This setting configures the permission that is selected by default for sharing link from a SharePoint site. The recommended state is View. + +Rationale: +Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.ps1 b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.ps1 new file mode 100644 index 000000000..d4976f039 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoDefaultSharingLinkPermission.ps1 
@@ -0,0 +1,37 @@ +<# +.SYNOPSIS + 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set + +.DESCRIPTION + By default, the sharing link permission in SharePoint and OneDrive is set to "Edit". This means that when users share files or folders, the default option allows recipients to edit the content, which can lead to unintentional modifications or deletions of sensitive information. By changing the default sharing link permission to "View", users are encouraged to be more deliberate about granting edit permissions, reducing the risk of unauthorized changes and supporting a more secure sharing environment. + +.EXAMPLE + Test-MtSpoDefaultSharingLinkPermission + + Returns true if the default sharing link permission is set to a restrictive option, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoDefaultSharingLinkPermission +#> +function Test-MtSpoDefaultSharingLinkPermission { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing default sharing link permission in SharePoint Online..." + + $return = $true + try { + $DefaultLinkPermission = Get-SPOTenant | Select-Object -ExpandProperty DefaultLinkPermission + if ($DefaultLinkPermission -eq "View") { + $testResult = "Well done. Default sharing link permission is set to View." + } else { + $testResult = "Default sharing link permission is not set to View." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.md b/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.md new file mode 100644 index 000000000..9e89028d9 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.md 
@@ -0,0 +1,18 @@ +7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically + +Description: +This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with. +The recommended state is 30 or less. + +Rationale: +This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight. +Note: Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group. + +Impact: +Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire. +**Note:** The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.ps1 b/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.ps1 new file mode 100644 index 000000000..21a4c3f08 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoGuestAccessExpiry.ps1 
@@ -0,0 +1,38 @@ +<# +.SYNOPSIS + 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically + +.DESCRIPTION + By default, guest access to a SharePoint site or OneDrive does not expire. + This means that once a guest user is granted access to a site or OneDrive, they will have indefinite access until manually removed by an administrator. Enabling automatic expiration of guest access helps to ensure that external users do not retain access to sensitive information longer than necessary, reducing the risk of unauthorized access and supporting a more secure sharing environment. The recommended state is to enable guest access expiration and set it to 30 days or less. + +.EXAMPLE + Test-MtSpoGuestAccessExpiry + + Returns true if guest access expiration is enabled and set to 30 days or less, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoGuestAccessExpiry +#> +function Test-MtSpoGuestAccessExpiry { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing guest access expiration settings in SharePoint Online..." + + $return = $true + try { + $spoTenant = Get-SPOTenant + if ($spoTenant.ExternalUserExpirationRequired -eq $true -and $spoTenant.ExternalUserExpireInDays -le 30) { + $testResult = "Well done. Guest access expiration is enabled and set to 30 days or less ($($spoTenant.ExternalUserExpireInDays) days)." + } else { + $testResult = "Guest access expiration is not enabled or set to more than 30 days." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.md b/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.md new file mode 100644 index 000000000..c0afcd9e6 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.md 
@@ -0,0 +1,16 @@ +7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own + +Description: +SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. + +Rationale: +Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. + +Impact: +The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. +However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.ps1 b/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.ps1 new file mode 100644 index 000000000..ce68a56ce --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoGuestCannotShareUnownedItem.ps1 
@@ -0,0 +1,37 @@ +<# +.SYNOPSIS + Ensure that SharePoint guest users cannot share items they don't own + +.DESCRIPTION + By default, external users can share items they don't own. This means that if a guest user has access to an item, they can share it with others, potentially leading to unauthorized access and data leaks. By preventing external users from resharing items they don't own, you can help protect sensitive information and maintain better control over who has access to your SharePoint resources. The recommended state is PreventExternalUsersFromResharing set to $true. + +.EXAMPLE + Test-MtSpoGuestCannotShareUnownedItem + + Returns true if the SharePoint tenant is integrated with Microsoft Entra B2B, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoGuestCannotShareUnownedItem +#> +function Test-MtSpoGuestCannotShareUnownedItem { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing that SharePoint guest users cannot share items they don't own..." + + $return = $true + try { + $PreventExternalUsersFromResharing = Get-SPOTenant | Select-Object -ExpandProperty PreventExternalUsersFromResharing + if ($PreventExternalUsersFromResharing) { + $testResult = "Well done. External users cannot share items they don't own." + } else { + $testResult = "External users can share items they don't own." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.md b/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.md new file mode 100644 index 000000000..fc18b40e2 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.md 
@@ -0,0 +1,15 @@ +7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download + +Description: +By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded. + +Rationale: +Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. + +Impact: +The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur. + +## Related Links + +* [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files) +* CIS 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download \ No newline at end of file diff --git a/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.ps1 b/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.ps1 new file mode 100644 index 000000000..4834c90c9 --- /dev/null +++ b/powershell/public/maester/spo/Test-MtSpoPreventDownloadMaliciousFile.ps1 
@@ -0,0 +1,37 @@ +<# +.SYNOPSIS + Ensure malicious file download prevention is Enabled in SharePoint Online + +.DESCRIPTION + By default, users can't open, move, copy, or share* malicious files that are detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. However, they can delete and download malicious files. + +.EXAMPLE + Test-MtSpoPreventDownloadMaliciousFile + + Returns true if malicious file download prevention is enabled in your SharePoint tenant, false otherwise. + +.LINK + https://maester.dev/docs/commands/Test-MtSpoPreventDownloadMaliciousFile + #> +function Test-MtSpoPreventDownloadMaliciousFile { + [CmdletBinding()] + [OutputType([bool])] + param() + Write-Verbose "Testing malicious file download prevention in SharePoint Online..." + + $return = $true + try { + $DisallowInfectedFileDownload = Get-SPOTenant | Select-Object -ExpandProperty DisallowInfectedFileDownload + if ($DisallowInfectedFileDownload) { + $testResult = "Well done. Malicious file download prevention is enabled in your SharePoint tenant." + } else { + $testResult = "Malicious file download prevention is not enabled in your SharePoint tenant." + $return = $false + } + Add-MtTestResultDetail -Result $testResult + return $return + } catch { + Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ + return $null + } +} \ No newline at end of file diff --git a/tests/Maester/Spo/Test-SpoTenant.Tests.ps1 b/tests/Maester/Spo/Test-SpoTenant.Tests.ps1 new file mode 100644 index 000000000..ac1c0fdc4 --- /dev/null +++ b/tests/Maester/Spo/Test-SpoTenant.Tests.ps1 
@@ -0,0 +1,44 @@ +Describe 'Maester/SpoTenant' -Tag 'Maester', 'SpoTenant' { + It 'MT.1113: Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing.' -Tag 'MT.1113', 'CIS', 'CIS M365v5', 'CIS 7.2.2', 'Severity:Medium' { + $result = Test-MtSpoB2BIntegration + if ($null -ne $result) { + $result | Should -Be $true -Because 'SharePoint tenant is integrated with Microsoft Entra B2B.' + } + } + It 'MT.1114: Ensure custom script execution is restricted on site collections' -Tag 'MT.1114', 'CIS', 'CIS M365v5', 'CIS 7.3.4', 'Severity:Medium' { + $result = Test-MtSpoCustomScriptExecutionOnSiteCollection + if ($null -ne $result) { + $result | Should -Be $true -Because 'custom script execution is restricted on site collections.' + } + } + It 'MT.1115: Ensure link sharing is restricted in SharePoint and OneDrive' -Tag 'MT.1115', 'CIS', 'CIS M365v5', 'CIS 7.2.7', 'Severity:Low' { + $result = Test-MtSpoDefaultSharingLink + if ($null -ne $result) { + $result | Should -Be $true -Because 'link sharing is restricted in SharePoint and OneDrive.' + } + } + It 'MT.1116: Ensure the SharePoint default sharing link permission is set' -Tag 'MT.1116', 'CIS', 'CIS M365v5', 'CIS 7.2.11', 'Severity:Low' { + $result = Test-MtSpoDefaultSharingLinkPermission + if ($null -ne $result) { + $result | Should -Be $true -Because 'the SharePoint default sharing link permission is set.' + } + } + It 'MT.1117: Ensure guest access to a site or OneDrive will expire automatically' -Tag 'MT.1117', 'CIS', 'CIS M365v5', 'CIS 7.2.9', 'Severity:Low' { + $result = Test-MtSpoGuestAccessExpiry + if ($null -ne $result) { + $result | Should -Be $true -Because 'guest access to a site or OneDrive will expire automatically.' 
+ } + } + It 'MT.1118: Ensure that SharePoint guest users cannot share items they dont own' -Tag 'MT.1118', 'CIS', 'CIS M365v5', 'CIS 7.2.5', 'Severity:High' { + $result = Test-MtSpoGuestCannotShareUnownedItem + if ($null -ne $result) { + $result | Should -Be $true -Because 'SharePoint guest users cannot share items they dont own.' + } + } + It 'MT.1119: Ensure Office 365 SharePoint infected files are disallowed for download' -Tag 'MT.1119', 'CIS', 'CIS M365v5', 'CIS 7.3.1', 'Severity:High' { + $result = Test-MtSpoPreventDownloadMaliciousFile + if ($null -ne $result) { + $result | Should -Be $true -Because 'Office 365 SharePoint infected files are disallowed for download.' + } + } +} \ No newline at end of file diff --git a/tests/maester-config.json b/tests/maester-config.json index 7d5b39c63..b47eeec80 100644 --- a/tests/maester-config.json +++ b/tests/maester-config.json 
@@ -1273,6 +1273,41 @@ "Severity": "Medium", "Title": "Privileged user accounts should not remain enabled when the linked primary account is disabled" }, + { + "Id": "MT.1113", + "Severity": "Medium", + "Title": "Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing." + }, + { + "Id": "MT.1114", + "Severity": "Medium", + "Title": "Ensure custom script execution is restricted on site collections" + }, + { + "Id": "MT.1115", + "Severity": "Low", + "Title": "Ensure link sharing is restricted in SharePoint and OneDrive" + }, + { + "Id": "MT.1116", + "Severity": "Low", + "Title": "Ensure the SharePoint default sharing link permission is set" + }, + { + "Id": "MT.1117", + "Severity": "Low", + "Title": "Ensure guest access to a site or OneDrive will expire automatically" + }, + { + "Id": "MT.1118", + "Severity": "High", + "Title": "Ensure that SharePoint guest users cannot share items they don't own" + }, + { + "Id": "MT.1119", + "Severity": "High", + "Title": "Ensure Office 365 SharePoint infected files are disallowed for download" + }, { "Id": "ORCA.100", "Severity": "Medium", diff --git a/website/docs/tests/maester/MT.1113.md b/website/docs/tests/maester/MT.1113.md new file mode 100644 index 000000000..bdc596dec --- /dev/null +++ b/website/docs/tests/maester/MT.1113.md 
@@ -0,0 +1,19 @@ +--- +title: MT.1113 - Ensure your SharePoint tenant is integrated with Microsoft Entra B2B for external sharing. +description: Microsoft Entra B2B integration allows you to manage external sharing in SharePoint Online using Microsoft Entra. With this integration, you can use Microsoft Entra to control access to your SharePoint Online resources, including sites, lists, and libraries. This provides a more secure and streamlined way to manage external sharing in SharePoint Online. +slug: /tests/MT.1113 +sidebar_class_name: hidden +--- + +## Description +Before integration SharePoint Online with Microsoft Entra B2B external users authenticated via one-time passcode, directly to SharePoint. +This authentication bypasses all configurations from Microsoft Entra as well as sign-in logs and can only be monitoring in Auditing-logs. + +With SharePoint and OneDrive integrated with Microsoft Entra B2B Invitation Manager, invited people outside the organization are each given a guest account in the directory and are subject to Microsoft Entra ID access policies such as conditional access. +Invitations to a SharePoint site use Microsoft Entra B2B and no longer require users to have or create a personal Microsoft account. + +## Related Links + +* [SharePoint and OneDrive integration with Microsoft Entra B2B | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration) +* [Secure external sharing recipient experience | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release) +* CIS 7.2.2 (L1) Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled \ No newline at end of file diff --git a/website/docs/tests/maester/MT.1114.md b/website/docs/tests/maester/MT.1114.md new file mode 100644 index 000000000..8f5eec158 --- /dev/null +++ b/website/docs/tests/maester/MT.1114.md 
@@ -0,0 +1,29 @@ +--- +title: MT.1114 - Ensure custom script execution is restricted on site collections +description: Ensure custom script execution is restricted on site collections +slug: /tests/MT.1114 +sidebar_class_name: hidden +--- + +## Description +7.3.4 (L1) Ensure custom script execution is restricted on site collections + +Description: +This setting controls custom script execution on a particular site (previously called "site collection"). +Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means: +* Scripts have access to everything the user has access to. +* Scripts can access content across several Microsoft 365 services and even +beyond with Microsoft Graph integration. The recommended state is DenyAddAndCustomizePages set to $true. + +Rationale: +Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited: +* What code has been inserted +* Where the code has been inserted +* Who inserted the code + +Note: Microsoft recommends using the SharePoint Framework instead of custom scripts + +## Related Links + +* [Allow or prevent custom script | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/allow-or-prevent-custom-script) +* CIS 7.3.4 (L1) Ensure custom script execution is restricted on site collections \ No newline at end of file diff --git a/website/docs/tests/maester/MT.1115.md b/website/docs/tests/maester/MT.1115.md new file mode 100644 index 000000000..4bc1a8df0 
--- /dev/null +++ b/website/docs/tests/maester/MT.1115.md @@ -0,0 +1,21 @@ +--- +title: MT.1115 - Ensure link sharing is restricted in SharePoint and OneDrive +description: Ensure link sharing is restricted in SharePoint and OneDrive +slug: /tests/MT.1115 +sidebar_class_name: hidden +--- + +## Description +7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive + +Description: +This setting sets the default link type that a user will see when sharing content in OneDrive or SharePoint. It does not restrict or exclude any other options. +The recommended state is Specific people (only the people the user specifies) or Only people in your organization (more restrictive). + +Rationale: +By defaulting to specific people, the user will first need to consider whether or not the content being shared should be accessible by the entire organization versus select individuals. This aids in reinforcing the concept of least privilege. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.7 (L1) Ensure link sharing is restricted in SharePoint and OneDrive \ No newline at end of file diff --git a/website/docs/tests/maester/MT.1116.md b/website/docs/tests/maester/MT.1116.md new file mode 100644 index 000000000..ca958356a --- /dev/null +++ b/website/docs/tests/maester/MT.1116.md 
@@ -0,0 +1,20 @@ +--- +title: MT.1116 - Ensure the SharePoint default sharing link permission is set +description: Ensure the SharePoint default sharing link permission is set +slug: /tests/MT.1116 +sidebar_class_name: hidden +--- + +## Description +7.2.11 (L1) Ensure the SharePoint default sharing link permission is set + +Description: +This setting configures the permission that is selected by default for sharing link from a SharePoint site. The recommended state is View. + +Rationale: +Setting the view permission as the default ensures that users must deliberately select the edit permission when sharing a link. This approach reduces the risk of unintentionally granting edit privileges to a resource that only requires read access, supporting the principle of least privilege. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.11 (L1) Ensure the SharePoint default sharing link permission is set \ No newline at end of file diff --git a/website/docs/tests/maester/MT.1117.md b/website/docs/tests/maester/MT.1117.md new file mode 100644 index 000000000..25887dadf --- /dev/null +++ b/website/docs/tests/maester/MT.1117.md 
@@ -0,0 +1,26 @@ +--- +title: MT.1117 - Ensure guest access to a site or OneDrive will expire automatically +description: Ensure guest access to a site or OneDrive will expire automatically +slug: /tests/MT.1117 +sidebar_class_name: hidden +--- + +## Description +7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically + +Description: +This policy setting configures the expiration time for each guest that is invited to the SharePoint site or with whom users share individual files and folders with. +The recommended state is 30 or less. + +Rationale: +This setting ensures that guests who no longer need access to the site or link no longer have access after a set period of time. Allowing guest access for an indefinite amount of time could lead to loss of data confidentiality and oversight. +Note: Guest membership applies at the Microsoft 365 group level. Guests who have permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or security group. + +Impact: +Site collection administrators will have to renew access to guests who still need access after 30 days. They will receive an e-mail notification once per week about guest access that is about to expire. +**Note:** The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.9 (L1) Ensure guest access to a site or OneDrive will expire automatically \ No newline at end of file 
diff --git a/website/docs/tests/maester/MT.1118.md b/website/docs/tests/maester/MT.1118.md new file mode 100644 index 000000000..ed74ad172 --- /dev/null +++ b/website/docs/tests/maester/MT.1118.md @@ -0,0 +1,24 @@ +--- +title: MT.1118 - Ensure that SharePoint guest users cannot share items they dont own +description: Ensure that SharePoint guest users cannot share items they dont own +slug: /tests/MT.1118 +sidebar_class_name: hidden +--- + +## Description +7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own + +Description: +SharePoint gives users the ability to share files, folders, and site collections. Internal users can share with external collaborators, and with the right permissions could share to other external parties. + +Rationale: +Sharing and collaboration are key; however, file, folder, or site collection owners should have the authority over what external users get shared with to prevent unauthorized disclosures of information. + +Impact: +The impact associated with this change is highly dependent upon current practices. If users do not regularly share with external parties, then minimal impact is likely. +However, if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content. + +## Related Links + +* [Manage sharing settings for SharePoint and OneDrive in Microsoft 365 | Microsoft Learn](https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off#change-the-organization-level-external-sharing-setting) +* CIS 7.2.5 (L2) Ensure that SharePoint guest users cannot share items they don't own \ No newline at end of file diff --git a/website/docs/tests/maester/MT.1119.md b/website/docs/tests/maester/MT.1119.md new file mode 100644 index 000000000..4b052193b --- /dev/null +++ b/website/docs/tests/maester/MT.1119.md 
@@ -0,0 +1,23 @@ +--- +title: MT.1119 - Ensure Office 365 SharePoint infected files are disallowed for download +description: Ensure Office 365 SharePoint infected files are disallowed for download +slug: /tests/MT.1119 +sidebar_class_name: hidden +--- + +## Description +7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download + +Description: +By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded. + +Rationale: +Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team. + +Impact: +The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur. + +## Related Links + +* [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files) +* CIS 7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download \ No newline at end of file
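Review bot: In the tests/Maester/Spo/Test-SpoTenant.Tests.ps1 hunk the MT.1118 `-Because` string ('SharePoint guest users cannot share items they dont own.') states the desired end state as if it already held, so a failure reads "Expected $true, because SharePoint guest users cannot share items they dont own, but got $false"; Pester appends that text as the reason, so phrase it as the requirement, e.g. `-Because 'guest users should not be able to share items they do not own'`, and likewise for MT.1119 (`-Because 'infected files should be blocked from download'`). The same `It` line spells "dont" in both the test name and the reason while tests/maester-config.json and MT.1118.md use "don't"; pick one spelling so the ID-to-title mapping in the report stays consistent. The file also ends without a trailing newline ('\ No newline at end of file'); add one.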
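Review bot: In the tests/maester-config.json hunk the MT.1113 title ends with a period ("...for external sharing.") while the other six new entries and the surrounding existing ones do not; drop it so the rendered test list is uniform. The MT.1118 title here uses "don't" but the Pester `It` block in Test-SpoTenant.Tests.ps1 uses "dont"; align the two, since the config title is what the report displays.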
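Review bot: The opening paragraph of website/docs/tests/maester/MT.1113.md is hard to parse: "Before integration SharePoint Online with Microsoft Entra B2B external users authenticated via one-time passcode, directly to SharePoint." Suggest: "Before SharePoint Online is integrated with Microsoft Entra B2B, external users authenticate with a one-time passcode directly against SharePoint. Those sign-ins are not subject to Microsoft Entra policies such as Conditional Access, do not appear in the Entra sign-in logs, and can only be observed in the audit log." ("can only be monitoring in Auditing-logs" is the sentence to replace.) Unlike MT.1114 to MT.1117, this page never states the recommended state or which tenant setting the test reads, so a reader cannot tell what passes; add a "The recommended state is ..." line as the other pages do. The front-matter title carries a trailing period the other pages lack, and this file, like the six other new .md files, ends without a trailing newline.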
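Review bot: In MT.1114.md the front-matter `description` merely repeats the title ("Ensure custom script execution is restricted on site collections"); MT.1113.md shows the intended use of that field, so give this page (and MT.1115 to MT.1119, which do the same) a one-sentence summary. The recommended state "DenyAddAndCustomizePages set to $true" is a per-site value while the Description says the setting applies to "a particular site (previously called 'site collection')", so say explicitly whether the test iterates every site collection and what a single non-compliant site does to the result. The second bullet is split across lines ("even" / "beyond with Microsoft Graph integration") and the closing note ("Microsoft recommends using the SharePoint Framework instead of custom scripts") lacks a full stop.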
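Review bot: MT.1115.md's title says link sharing is "restricted", but the Description says the opposite about the mechanism: "This setting sets the default link type ... It does not restrict or exclude any other options." State in the title or first sentence that the control only changes the default link type users are presented with, and spell out which values pass ("Specific people" or "Only people in your organization", per the recommended state) so a result is interpretable. The Related Links entry points at the "#change-the-organization-level-external-sharing-setting" anchor, which is the external sharing level rather than the default link type section of that article; the same anchor is reused in MT.1116, MT.1117 and MT.1118, so check that each points at the heading relevant to its control.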
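Review bot: In MT.1116.md "configures the permission that is selected by default for sharing link from a SharePoint site" should read "for sharing links from a SharePoint site". As with MT.1114, name the tenant setting the test reads rather than only the UI value "View"; otherwise an admin fixing a failure from PowerShell has nothing to search for.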
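Review bot: MT.1117.md has a duplicated "with" ("each guest that is invited to the SharePoint site or with whom users share individual files and folders with") and the recommended state "30 or less" is missing its unit ("30 days or less"). The Impact section says administrators must renew access "after 30 days", which is only true when the tenant is set to exactly 30; phrase it as "after the configured number of days". The final Note lacks a full stop, and its point that the policy does not apply to guests with pre-existing permissions or sharing links is the one most likely to surprise an admin who sees a pass, so it belongs in Description rather than at the end of Impact.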
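Review bot: In MT.1118.md the front-matter title and `description` say "dont" while the body heading and the CIS reference say "don't"; use the apostrophe everywhere. The Description never describes the control: "Internal users can share with external collaborators, and with the right permissions could share to other external parties" is about internal users, whereas the control prevents guests from re-sharing content they do not own; say that explicitly. The Impact paragraph contradicts itself ("if users do regularly share with guests/externally, minimum impacts could occur as those external users will be unable to 're-share' content"): replace "minimum impacts" with "some impact", since that is the case in which the change is noticed.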
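Review bot: MT.1119.md's Rationale describes Defender for Office 365 protection for SharePoint, OneDrive and Teams, but the page does not say that the setting only has an effect when that feature is licensed and enabled; add that dependency so a pass on a tenant without Defender for Office 365 is not read as protection. "SharePoint online" should be "SharePoint Online", and "The only potential impact ... is potential inconvenience" repeats "potential"; trim to "The only impact is the inconvenience of the small percentage of false-positive detections that may occur."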