Merge pull request #475 from NZLostboy/cis

CIS Checks 2.1.1, 2.1.2, 2.1.3, 2.1.4

powershell/Maester.psd1

@@ -138,6 +138,10 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCisSharedMailboxSignIn',
                'Test-MtCisPasswordExpiry',
                'Test-MtCisCustomerLockBox',
+               'Test-MtCisSafeLink',
+               'Test-MtCisAttachmentFilter',
+               'Test-MtCisInternalMalwareNotification',
+               'Test-MtCisSafeAttachment',
                'Test-MtConditionalAccessWhatIf',
                'Test-MtConnection',
                'Test-MtEidscaControl',
@@ -205,5 +209,4 @@ HelpInfoURI = 'https://maester.dev/docs/commands/'
 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 # DefaultCommandPrefix = ''
 
-}
-
+}

powershell/public/cis/Test-MtCisAttachmentFilter.md

@@ -0,0 +1,25 @@
+2.1.2 (L1) Ensure the Common Attachment Types Filter is enabled
+
+**Rationale:**
+
+Blocking known malicious file types can help prevent malware-infested files from infecting a host.
+
+#### Remediation action:
+
+
+
+To enable the Common Attachment Types Filter:
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com).
+2. Click to expand **Email & collaboration** select **Policies & rules**.
+3. On the Policies & rules page select **Threat policies**.
+4. Under polices select **Anti-malware** and click on the **Default (Default)** policy.
+5. On the Policy page that appears on the right hand pane scroll to the bottom and click on **Edit protection settings**, check the **Enable the common attachments filter**.
+6. Click Save.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 65](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%

powershell/public/cis/Test-MtCisAttachmentFilter.ps1

@@ -0,0 +1,70 @@
+<#
+.SYNOPSIS
+    Checks if the default common attadchment types filter is enabled
+
+.DESCRIPTION
+    The common attachment types fileter should be enabled
+
+.EXAMPLE
+    Test-MtCisAttachmentFilter
+
+    Returns true if the common attachment types filter is enabled.
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtCisAttachmentFilter
+#>
+function Test-MtCisAttachmentFilter {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting Malware Filter Policy..."
+    $policy = Get-MtExo -Request MalwareFilterPolicy
+
+    Write-Verbose "Executing checks"
+    $fileFilter = $policy | Where-Object {
+        $_.EnableFileFilter -match "True"
+    }
+
+    $testResult = ($fileFilter | Measure-Object).Count -ge 1
+
+    $portalLink = "https://security.microsoft.com/presetSecurityPolicies"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has the common attachment file filter enabled ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have the common attachment file filter enabled ($portalLink).`n`n%TestResult%"
+    }
+
+    $resultMd = "| Policy | Result |`n"
+    $resultMd += "| --- | --- |`n"
+
+    if ($testResult) {
+        $Result = "✅ Pass"
+    }
+    else {
+        $Result = "❌ Fail"
+    }
+
+    $resultMd += "| EnableFileFilter | $Result |`n"
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}

powershell/public/cis/Test-MtCisInternalMalwareNotification.md

@@ -0,0 +1,23 @@
+2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
+
+**Rationale:**
+This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated.
+
+#### Remediation action:
+
+To enable notifications for internal users sending malware:
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com).
+2. Click to expand **E-mail & Collaboration** select **Policies & rules**.
+3. On the Policies & rules page select **Threat policies**.
+4. Under Policies select **Anti-malware**.
+5. Click on the **Default (Default)** policy.
+6. Click on **Edit protection settings** and change the settings for **Notify an admin about undelivered messages from internal senders** to **On** and enter the email address of the administrator who should be notified under **Administrator email address**.
+7. Click Save.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 68](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%

powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1

@@ -0,0 +1,82 @@
+<#
+.SYNOPSIS
+Checks if notifications for internal users sending malware are enabled
+
+.DESCRIPTION
+Notifications for internal users sending malware should be enabled, and an administrator email set
+
+.EXAMPLE
+Test-MtCisInternalMalwareNotification
+
+Returns true safe malware notifcications are enabled, and an administrator email address is set
+
+.LINK
+https://maester.dev/docs/commands/Test-MtCisInternalMalwareNotification
+#>
+function Test-MtCisInternalMalwareNotification {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting Malware Filter Policy..."
+    $policy = Get-MtExo -Request MalwareFilterPolicy
+
+    Write-Verbose "Executing checks"
+    $enableInternalSenderAdminNotification = $policy | Where-Object {
+        $_.enableInternalSenderAdminNotifications -match "True"
+    }
+
+    $internalSenderAdminAddress = $policy | Where-Object {
+        $null -ne $_.InternalSenderAdminAddress
+    }
+
+    $testResult = (($enableInternalSenderAdminNotification | Measure-Object).Count -ge 1) -and (($internalSenderAdminAddress | Measure-Object).Count -ge 1)
+
+    $portalLink = "https://security.microsoft.com/antimalwarev2"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has the recommended internal malware notifications configured ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have the recommended internal malware notifications configured ($portalLink).`n`n%TestResult%"
+    }
+
+    $resultMd = "| Policy | Result |`n"
+    $resultMd += "| --- | --- |`n"
+
+    if ($enableInternalSenderAdminNotification) {
+        $enableInternalSenderAdminNotificationResult = "✅ Pass"
+    }
+    else {
+        $enableInternalSenderAdminNotificationResult = "❌ Fail"
+    }
+
+    if ($internalSenderAdminAddress) {
+        $internalSenderAdminAddressResult = "✅ Pass"
+    }
+    else {
+        $internalSenderAdminAddressResult = "❌ Fail"
+    }
+
+    $resultMd += "| EnableInternalSenderAdminNotification | $enableInternalSenderAdminNotificationResult |`n"
+    $resultMd += "| InternalSenderAdminAddress | $internalSenderAdminAddressResult |`n"
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}

powershell/public/cis/Test-MtCisSafeAttachment.md

@@ -0,0 +1,27 @@
+2.1.4 (L2) Ensure Safe Attachments policy is enabled
+
+R**ationale:**
+Enabling Safe Attachments policy helps protect against malware threats in email attachments by analyzing suspicious attachments in a secure, cloud-based environment before they are delivered to the user's inbox. This provides an additional layer of security and can prevent new or unseen types of malware from infiltrating the organization's network.
+
+#### Remediation action:
+
+To enable the Safe Attachments policy:
+1. Navigate to Microsoft 365 Defender [https://security.microsoft.com](https://security.microsoft.com).
+2. Click to expand **E-mail & Collaboration** select **Policies & rules**.
+3. On the Policies & rules page select **Threat policies**.
+4. Under **Policies** select **Safe Attachments**.
+5. Click + **Create**.
+6. Create a Policy Name and Description, and then click **Next**.
+7. Select all valid domains and click Next.
+8. Select **Block**.
+9. Quarantine policy is **AdminOnlyAccessPolicy**.
+10. Leave **Enable redirect** unchecked.
+11. Click **Next** and finally **Submit**.
+
+#### Related links
+
+* [Microsoft 365 Defender](https://security.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 71](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%

powershell/public/cis/Test-MtCisSafeAttachment.ps1

@@ -0,0 +1,97 @@
+<#
+.SYNOPSIS
+Checks if the Safe Attachments policy is enabled
+
+.DESCRIPTION
+The Safe Attachments policy is enabled
+
+.EXAMPLE
+Test-MtCisSafeAttachment
+
+Returns true safe attachments policy is enabled
+
+.LINK
+https://maester.dev/docs/commands/Test-MtCisSafeAttachment
+#>
+function Test-MtCisSafeAttachment {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if (!(Test-MtConnection ExchangeOnline)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
+        return $null
+    }
+    elseif (!(Test-MtConnection SecurityCompliance)) {
+        Add-MtTestResultDetail -SkippedBecause NotConnectedSecurityCompliance
+        return $null
+    }
+    elseif ($null -eq (Get-MtLicenseInformation -Product Mdo)) {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedMdo
+        return $null
+    }
+
+    Write-Verbose "Getting Safe Attachment Policy..."
+    $policy = Get-MtExo -Request SafeAttachmentPolicy
+
+    $safeAttachmentCheckList = @()
+
+    #Enable
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "Enable"
+        "Value"     = "True"
+    }
+
+    #Action
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "Action"
+        "Value"     = "Block"
+    }
+
+    #QuarantineTag
+    $safeAttachmentCheckList += [pscustomobject] @{
+        "CheckName" = "QuarantineTag"
+        "Value"     = "AdminOnlyAccessPolicy"
+    }
+
+    Write-Verbose "Executing checks"
+    $failedCheckList = @()
+    foreach ($check in $safeAttachmentCheckList) {
+
+        $checkResult = $policy | Where-Object { $_.($check.CheckName) -notmatch $check.Value }
+
+        if ($checkResult) {
+            #If the check fails, add it to the list so we can report on it later
+            $failedCheckList += $check.CheckName
+        }
+
+    }
+
+    $testResult = ($failedCheckList | Measure-Object).Count -eq 0
+
+    $portalLink = "https://security.microsoft.com/safeattachmentv2"
+
+    if ($testResult) {
+        $testResultMarkdown = "Well done. Your tenant has the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
+    }
+    else {
+        $testResultMarkdown = "Your tenant does not have the the safe attachment policy enabled ($portalLink).`n`n%TestResult%"
+    }
+
+
+    $resultMd = "| Check Name | Result |`n"
+    $resultMd += "| --- | --- |`n"
+    foreach ($item in $safeAttachmentCheckList) {
+        $itemResult = "❌ Fail"
+        if ($item.CheckName -notin $failedCheckList) {
+            $itemResult = "✅ Pass"
+        }
+        $resultMd += "| $($item.CheckName) | $($itemResult) |`n"
+    }
+
+    $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $resultMd
+
+    Add-MtTestResultDetail -Result $testResultMarkdown
+
+    return $testResult
+}

powershell/public/cis/Test-MtCisSafeLink.md

@@ -0,0 +1,42 @@
+2.1.1 (L2) Ensure Safe Links for Office Applications is Enabled
+
+Safe Links for Office applications extends phishing protection to documents and emails that contain hyperlinks, even after they have been delivered to a user.
+
+#### Remediation action:
+
+To create a Safe Links policy:
+
+1. Navigate to Microsoft 365 admin center [https://admin.microsoft.com](https://admin.microsoft.com).
+2. Under **Email & collaboration** select **Policies & rules**
+3. Select **Threat policies** then **Safe Links**
+4. Click on **+Create**
+5. Name the policy then click **Next**
+6. In Domains select all valid domains for the organization and Next
+7. Ensure the following **URL & click protection settings** are defined:
+
+**Email**
+* Checked **On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default**
+* Checked **Apply Safe Links to email messages sent within the organization**
+* Checked **Apply real-time URL scanning for suspicious links and links that point to files**
+* Checked **Wait for URL scanning to complete before delivering the message**
+* Unchecked **Do not rewrite URLs, do checks via Safe Links API only**.
+
+**Teams**
+* Checked **On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten**.
+
+**Office 365 Apps**
+* Checked On: **Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten**
+
+**Click protection settings**
+* Checked: **Track user clicks**
+* Unchecked: **Let users click through the original URL**
+* There is no recommendation for organization branding
+8. Click **Next** twice and finally Submit.
+
+#### Related links
+
+* [Microsoft 365 Admin Center](https://admin.microsoft.com)
+* [CIS Microsoft 365 Foundations Benchmark v3.1.0 - Page 61](https://www.cisecurity.org/benchmark/microsoft_365)
+
+<!--- Results --->
+%TestResult%