diff --git a/powershell/Maester.psd1 b/powershell/Maester.psd1
index 41c8f026..1a91eae7 100644
--- a/powershell/Maester.psd1
+++ b/powershell/Maester.psd1
@@ -130,7 +130,7 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
 'Test-MtCisaSpamAlternative', 'Test-MtCisaSafeLink', 'Test-MtCisaSafeLinkDownloadScan', 'Test-MtCisaSafeLinkClickTracking', 'Test-MtCisaExoAlert', 'Test-MtCisaExoAlertSiem', 'Test-MtCisaAuditLog', 'Test-MtCisaAuditLogPremium', 'Test-MtCisaAuditLogRetention',
- 'Get-MtExo', 'Clear-MtExoCache',
+ 'Get-MtExo', 'Clear-MtExoCache', 'Test-MtCisaSpoSharing', 'Test-MtCisaSpoSharingAllowedDomain', 'Test-MtCisCloudAdmin', 'Test-MtCisGlobalAdminCount', 'Test-MtCis365PublicGroup',
diff --git a/powershell/public/Get-MtGraphScope.ps1 b/powershell/public/Get-MtGraphScope.ps1
index 4e2a7bf4..45fd3712 100644
--- a/powershell/public/Get-MtGraphScope.ps1
+++ b/powershell/public/Get-MtGraphScope.ps1
@@ -61,6 +61,7 @@ function Get-MtGraphScope {
 'RoleEligibilitySchedule.Read.Directory'
 'RoleManagement.Read.All'
 'Policy.Read.ConditionalAccess'
+ 'SharePointTenantSettings.Read.All'
 'UserAuthenticationMethod.Read.All'
 )
diff --git a/powershell/public/cisa/spo/Test-MtCisaSpoSharing.md b/powershell/public/cisa/spo/Test-MtCisaSpoSharing.md
new file mode 100644
index 00000000..d18efaf3
--- /dev/null
+++ b/powershell/public/cisa/spo/Test-MtCisaSpoSharing.md
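Review bot: The manifest hunk exports `Test-MtCisaSpoSharing` and `Test-MtCisaSpoSharingAllowedDomain`, but the functions added under powershell/public/cisa/spo are declared as `Test-MtCisaSharePointOnlineSharing` and `Test-MtCisaSharePointOnlineSharingAllowedDomain`, so the exported names resolve to nothing and the declared names are never exported. The Pester files under tests/cisa/spo and the `.LINK`/`.EXAMPLE` help entries use the long names, while website/docs/tests/cisa/spo.md lists the short ones. Rename the two `function` lines to the exported names, e.g. `function Test-MtCisaSpoSharing {` and `function Test-MtCisaSpoSharingAllowedDomain {`, and update the help text and the two test calls to match. Unless the test harness dot-sources the public folder directly, the tests as written would fail with a command-not-found error once the module is imported from the manifest.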
@@ -0,0 +1,21 @@
+External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization.
+
+Rationale: Sharing information outside the organization via SharePoint increases the risk of unauthorized access. By limiting external sharing, administrators decrease the risk of access to information.
+
+#### Remediation action:
+
+1. Sign in to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219).
+2. Select Policies > Sharing.
+3. Adjust external sharing slider for SharePoint to Existing guests or Only people in your organization.
+
+> ⚠️ WARNING: This will break existing sharing.
+
+4. Select Save.
+
+#### Related links
+
+* [CISA 1 External Sharing - MS.SHAREPOINT.1.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint11v1)
+* [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/SharepointConfig.rego#L68)
+
+
+%TestResult%
\ No newline at end of file
diff --git a/powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1 b/powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1
new file mode 100644
index 00000000..6e6fa217
--- /dev/null
+++ b/powershell/public/cisa/spo/Test-MtCisaSpoSharing.ps1
@@ -0,0 +1,44 @@
+<#
+.SYNOPSIS
+ Checks state of SharePoint Online sharing
+
+.DESCRIPTION
+ External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization.
+
+.EXAMPLE
+ Test-MtCisaSharePointOnlineSharing
+
+ Returns true if sharing is restricted
+
+.LINK
+ https://maester.dev/docs/commands/Test-MtCisaSharePointOnlineSharing
+#>
+function Test-MtCisaSharePointOnlineSharing {
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param()
+
+ $policy = Invoke-MtGraphRequest -RelativeUri "admin/sharepoint/settings" -ApiVersion "v1.0"
+
+ $resultPolicy = $policy | Where-Object {
+ $_.sharingCapability -in @("disabled","existingExternalUserSharingOnly")
+ }
+
+ $testResult = ($resultPolicy | Measure-Object).Count -gt 0
+
+ if ($testResult) {
+ $testResultMarkdown = "Well done. Your tenant restricts SharePoint Online sharing."
+ } else {
+ $testResultMarkdown = "Your tenant does not restrict SharePoint Online sharing.`n`n%TestResult%"
+ $policy | ForEach-Object {
+ $result = "* $($_.sharingCapability)`n"
+ $result | Out-Null
+ }
+ }
+
+ $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
+
+ Add-MtTestResultDetail -Result $testResultMarkdown
+
+ return $testResult
+}
\ No newline at end of file
diff --git a/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.md b/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.md
new file mode 100644
index 00000000..c557a095
--- /dev/null
+++ b/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.md
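Review bot: `$result` inside the `ForEach-Object` block is reassigned on every iteration and the `| Out-Null` only discards that value, so at most the last item survives into the report; it happens to work here because `admin/sharepoint/settings` returns a single settings object, and on the success path `$result` is never assigned at all. Build the list once instead, `$result = ($policy | ForEach-Object { "* $($_.sharingCapability)" }) -join [Environment]::NewLine`, and drop the `Out-Null` line. The same pattern appears in Test-MtCisaSpoSharingAllowedDomain.ps1, where `sharingAllowedDomainList` can hold several entries and every domain except the last is silently dropped from the detail text.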
@@ -0,0 +1,24 @@
+External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
+
+Rationale: By limiting sharing to domains or approved security groups used for interagency collaboration purposes, administrators help prevent sharing with unknown organizations and individuals.
+
+#### Remediation action:
+
+This policy is only applicable if the external sharing slider on the admin page is set to any value other than Only People in your organization.
+1. Sign in to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219).
+2. Select Policies > Sharing.
+3. Expand More external sharing settings.
+4. Select Limit external sharing by domain.
+5. Select Add domains.
+6. Add each approved external domain users are allowed to share files with.
+7. Select Manage security groups
+8. Add each approved security group. Members of these groups will be allowed to share files externally.
+9. Select Save.
+
+#### Related links
+
+* [CISA 1 External Sharing - MS.SHAREPOINT.1.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint13v1)
+* [CISA ScubaGear Rego Reference](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/Rego/SharepointConfig.rego#L130)
+
+
+%TestResult%
\ No newline at end of file
diff --git a/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1 b/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1
new file mode 100644
index 00000000..cd4bfa43
--- /dev/null
+++ b/powershell/public/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.ps1
@@ -0,0 +1,48 @@
+<#
+.SYNOPSIS
+ Checks state of SharePoint Online sharing
+
+.DESCRIPTION
+ External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
+
+.EXAMPLE
+ Test-MtCisaSharePointOnlineSharingAllowedDomains
+
+ Returns true if sharing uses restricted domains
+
+.LINK
+ https://maester.dev/docs/commands/Test-MtCisaSharePointOnlineSharingAllowedDomain
+#>
+function Test-MtCisaSharePointOnlineSharingAllowedDomain {
+ [CmdletBinding()]
+ [OutputType([bool])]
+ param()
+
+ $policy = Invoke-MtGraphRequest -RelativeUri "admin/sharepoint/settings" -ApiVersion "v1.0"
+
+ if($policy.sharingCapability -eq "disabled"){
+ Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "SharePoint Online external sharing is disabled."
+ return $null
+ }
+
+ $resultPolicy = $policy.sharingAllowedDomainList
+
+ $testResult = ($resultPolicy | Measure-Object).Count -gt 0
+
+ if ($testResult) {
+ $testResultMarkdown = "Well done. Your tenant restricts SharePoint Online sharing to specific domains.`n`n%TestResult%"
+ } else {
+ $testResultMarkdown = "Your tenant does not restrict SharePoint Online sharing to specific domains."
+ }
+
+ $resultPolicy | ForEach-Object {
+ $result = "* $_`n"
+ $result | Out-Null
+ }
+
+ $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $result
+
+ Add-MtTestResultDetail -Result $testResultMarkdown
+
+ return $testResult
+}
\ No newline at end of file
diff --git a/tests/cisa/spo/Test-MtCisaSpoSharing.Tests.ps1 b/tests/cisa/spo/Test-MtCisaSpoSharing.Tests.ps1
new file mode 100644
index 00000000..c8cf85e9
--- /dev/null
+++ b/tests/cisa/spo/Test-MtCisaSpoSharing.Tests.ps1
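Review bot: A non-empty `sharingAllowedDomainList` is treated as a pass at the `$testResult` line, but that list only takes effect when the tenant's domain restriction mode is an allow list; a tenant whose `sharingDomainRestrictionMode` is `none` or `blockList` can still carry domains entered earlier and would pass this check while external sharing stays unrestricted. Gate the result on the mode as well, `$testResult = ($policy.sharingDomainRestrictionMode -eq "allowList") -and (($resultPolicy | Measure-Object).Count -gt 0)`, and name the mode in the failure text so the reader knows which setting to fix. The baseline also accepts approved security groups, which this endpoint does not expose, so a sentence in `.DESCRIPTION` stating that only the domain allow list is evaluated would keep the verdict honest. The `.EXAMPLE` block uses `...AllowedDomains` while the function is declared as `...AllowedDomain`.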
@@ -0,0 +1,10 @@
+Describe "CISA SCuBA" -Tag "MS.SHAREPOINT", "MS.SHAREPOINT.1.1", "CISA", "Security", "All" {
+ It "MS.SHAREPOINT.1.1: External sharing for SharePoint SHALL be limited to Existing guests or Only People in your organization." {
+
+ $result = Test-MtCisaSharePointOnlineSharing
+
+ if ($null -ne $result) {
+ $result | Should -Be $true -Because "external sharing is limited."
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.Tests.ps1 b/tests/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.Tests.ps1
new file mode 100644
index 00000000..403963c3
--- /dev/null
+++ b/tests/cisa/spo/Test-MtCisaSpoSharingAllowedDomain.Tests.ps1
@@ -0,0 +1,10 @@
+Describe "CISA SCuBA" -Tag "MS.SHAREPOINT", "MS.SHAREPOINT.1.3", "CISA", "Security", "All" {
+ It "MS.SHAREPOINT.1.3: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs." {
+
+ $result = Test-MtCisaSharePointOnlineSharingAllowedDomain
+
+ if ($null -ne $result) {
+ $result | Should -Be $true -Because "external sharing is limited."
+ }
+ }
+}
\ No newline at end of file
diff --git a/website/docs/sections/permissions.md b/website/docs/sections/permissions.md
index 7b9e4e5e..bbbf605a 100644
--- a/website/docs/sections/permissions.md
+++ b/website/docs/sections/permissions.md
@@ -7,4 +7,5 @@
 - **Reports.Read.All**
 - **RoleEligibilitySchedule.Read.Directory**
 - **RoleManagement.Read.All**
+- **SharePointTenantSettings.Read.All**
 - **UserAuthenticationMethod.Read.All**
diff --git a/website/docs/tests/cisa/spo.md b/website/docs/tests/cisa/spo.md
new file mode 100644
index 00000000..1bca4645
--- /dev/null
+++ b/website/docs/tests/cisa/spo.md
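Review bot: The `-Because` text in Test-MtCisaSpoSharingAllowedDomain.Tests.ps1 was carried over from the 1.1 test and says "external sharing is limited.", which is not the condition MS.SHAREPOINT.1.3 checks; a failing run would report a misleading reason. Change it to `-Because "external sharing is restricted to approved domains."` so the Pester output names the actual control. The `if ($null -ne $result)` guard correctly lets a skipped check (the function returns `$null` when sharing is disabled) pass without asserting.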
@@ -0,0 +1,26 @@
+---
+sidebar_label: SharePoint Online
+description: Implementation of CISA SharePoint Online Controls
+---
+
+# CISA Controls for Microsoft SharePoint Online
+
+## Overview
+
+The tests in this section verifies that a Microsoft 365 tenant’s **SharePoint Online** configuration conforms to the policies described in the Secure Cloud Business Applications ([SCuBA](https://cisa.gov/scuba)) Security Configuration Baseline [documents](https://github.com/cisagov/ScubaGear/blob/main/baselines/README.md).
+
+## Tests
+
+| Cmdlet Name | CISA Control ID (Link) |
+|- | - |
+| Test-MtCisaSpoSharing | [MS.SHAREPOINT.1.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint11v1) |
+| Not Implemented (Not availabile in Graph) | [MS.SHAREPOINT.1.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint12v1) |
+| Test-MtCisaSpoSharingAllowedDomain | [MS.SHAREPOINT.1.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint13v1) |
+| Not Implemented (Deprecated setting) | [MS.SHAREPOINT.1.4v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint14v1) |
+| Not Implemented | [MS.SHAREPOINT.2.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint21v1) |
+| Not Implemented | [MS.SHAREPOINT.2.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint22v1) |
+| Not Implemented | [MS.SHAREPOINT.3.1v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint31v1) |
+| Not Implemented | [MS.SHAREPOINT.3.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint32v1) |
+| Not Implemented | [MS.SHAREPOINT.3.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint33v1) |
+| Not Implemented | [MS.SHAREPOINT.3.3v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint33v1) |
+| Not Implemented | [MS.SHAREPOINT.4.2v1](https://github.com/cisagov/ScubaGear/blob/main/PowerShell/ScubaGear/baselines/sharepoint.md#mssharepoint42v1) |