Merge pull request #61 from turbot/release/v0.9

Release/v0.9

CHANGELOG.md

@@ -1,3 +1,9 @@
+## v0.9 [2023-11-14]
+
+_What's new?_
+
+- Added CIS v3.0.0 benchmark (`steampipe check benchmark.cis_v300`). ([#57](https://github.com/turbot/steampipe-mod-microsoft365-compliance/pull/57))
+
 ## v0.8 [2023-11-09]
 
 _Breaking changes_

README.md

@@ -13,8 +13,9 @@ Or in a terminal:
 Includes support for:
 
 * [Microsoft 365 CIS v1.4.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v140)
-* [Microsoft 365 CIS v1.5.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v150) 🚀 New!
-* [Microsoft 365 CIS v2.0.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v200) 🚀 New!
+* [Microsoft 365 CIS v1.5.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v150)
+* [Microsoft 365 CIS v2.0.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v200)
+* [Microsoft 365 CIS v3.0.0](https://hub.steampipe.io/mods/turbot/microsoft365_compliance/controls/benchmark.cis_v300) 🚀 New!
 
 ## Getting started
 

cis_v300/cis.sp

@@ -0,0 +1,23 @@
+locals {
+  cis_v300_common_tags = merge(local.microsoft365_compliance_common_tags, {
+    cis         = "true"
+    cis_version = "v3.0.0"
+  })
+}
+
+benchmark "cis_v300" {
+  title         = "CIS v3.0.0"
+  description   = "The CIS Microsoft 365 Security Configuration Benchmark provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS."
+  documentation = file("./cis_v300/docs/cis_overview.md")
+
+  children = [
+    benchmark.cis_v300_1,
+    benchmark.cis_v300_2,
+    benchmark.cis_v300_3,
+    benchmark.cis_v300_5
+  ]
+
+  tags = merge(local.cis_v300_common_tags, {
+    type = "Benchmark"
+  })
+}

cis_v300/docs/cis_overview.md

@@ -0,0 +1,52 @@
+To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.
+
+## Overview
+
+All CIS Benchmarks focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like:
+
+  - Monitoring the base operating system for vulnerabilities and quickly updating with the latest security patches
+  - Monitoring applications and libraries for vulnerabilities and quickly updating with the latest security patches
+
+In the end, the CIS Benchmarks are designed as a key component of a comprehensive cybersecurity program.
+
+This document, Security Configuration Benchmark for Microsoft 365, provides prescriptive guidance for establishing a secure configuration posture for Microsoft 365 Cloud offerings running on any OS. This guide was tested against Microsoft 365, and includes recommendations for Exchange Online, SharePoint Online, OneDrive for Business, Teams, Power BI (Fabric) and Azure Active Directory.
+
+To ensure all PowerShell related cmdlets work in your tenant please download the latest versions of the PowerShell modules. Scripts and commands referenced in this benchmark were tested using the following modules:
+
+  - ExchangeOnlineManagement 3.3.0
+  - Microsoft.Graph 2.4.0
+  - MicrosoftTeams 5.5.0
+  - Microsoft.Online.SharePoint.PowerShell 16.0.24009.12000
+  - AzureAD 2.0.2.182
+
+## Profile Definitions
+
+The following configuration profiles are defined by this Benchmark:
+
+**E3 Level 1**
+
+Items in this profile apply to customer deployments of Microsoft M365 with an E3 license and intend to:
+  - be practical and prudent;
+  - provide a clear security benefit; and
+  - not inhibit the utility of the technology beyond acceptable means.
+
+**E3 Level 2**
+
+This profile extends the "E3 Level 1" profile. Items in this profile exhibit one or more of the following characteristics and is focused on customer deployments of Microsoft M365 E3:
+  - are intended for environments or use cases where security is paramount
+  - acts as defense in depth measure
+  - may negatively inhibit the utility or performance of the technology.
+
+**E5 Level 1**
+
+Items in this profile extend what is provided by the "E3 Level 1" profile for customer deployments of Microsoft M365 with an E5 license and intend to:
+  - be practical and prudent;
+  - provide a clear security benefit; and
+  - not inhibit the utility of the technology beyond acceptable means.
+
+**E5 Level 2**
+
+This profile extends the "E3 Level 1" and "E5 Level 1" profiles. Items in this profile exhibit one or more of the following characteristics and is focused on customer deployments of Microsoft M365 E5:
+  - are intended for environments or use cases where security is paramount
+  - acts as defense in depth measure
+  - may negatively inhibit the utility or performance of the technology.

cis_v300/docs/cis_v300_1.md

@@ -0,0 +1,3 @@
+## Overview
+
+The Microsoft 365 admin center is the primary landing page for everything 365 related and contains navigational links to all the other admin centers. https://admin.microsoft.com/.

cis_v300/docs/cis_v300_1_1_3.md

@@ -0,0 +1,25 @@
+## Description
+
+More than one global administrator should be designated so a single admin can be monitored and to provide redundancy should a single admin leave an organization. Additionally, there should be no more than four global admins set for any tenant. Ideally global administrators will have no licenses assigned to them.
+
+If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.
+
+## Remediation
+
+To correct the number of global tenant administrators:
+
+1. Navigate to the `Microsoft 365 admin center` https://admin.microsoft.com.
+2. Select `Users` > `Active Users.`
+3. In the `Search` field enter the name of the user to be made a Global Administrator.
+4. To create a new Global Admin:
+    1. Select the user's name.
+    2. A window will appear to the right.
+    3. Select `Manage roles.`
+    4. Select `Admin center access.`
+    5. Check `Global Administrator.`
+    6. Click `Save changes.`
+5. To remove Global Admins:
+    1. Select User.
+    2. Under `Roles` select `Manage roles.`
+    3. De-Select the appropriate role.
+    4. Click `Save changes.`

cis_v300/docs/cis_v300_1_1_4.md

@@ -0,0 +1,26 @@
+## Description
+
+Guest users can be set up for those users not in the organization to still be granted access to resources. It is important to maintain visibility for what guest users are established in the tenant.
+
+Ensure Guest Users are reviewed no less frequently than biweekly.
+
+**Note:** With the E5 license an access review can be configured to review guest accounts automatically on a reoccurring basis. This is the preferred method if the licensing is available.
+
+## Remediation
+
+To review guest users in the UI:
+
+1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com/.
+2. Click to expand `Users` and select `Guest Users.`
+3. Review the list of users.
+
+To verify Microsoft 365 audit log search is enabled using Microsoft Graph PowerShell:
+
+1. Connect using `Connect-MgGraph -Scopes "User.Read.All"`
+2. Run the following PowerShell command:
+
+```bash
+Get-MgUser -All -Property UserType,UserPrincipalName | Where {$_.UserType -ne "Member"} | Format-Table UserPrincipalName, UserType
+```
+
+3. Review the list of users. If nothing is returned then there are no guest users.

cis_v300/docs/cis_v300_1_2_1.md

@@ -0,0 +1,28 @@
+## Description
+
+Microsoft 365 Groups is the foundational membership service that drives all teamwork across Microsoft 365. With Microsoft 365 Groups, you can give a group of people access to a collection of shared resources. While there are several different group types this recommendation concerns Microsoft 365 Groups.
+
+In the Administration panel, when a group is created, the default privacy value is "Public".
+
+Ensure that only organizationally managed and approved public groups exist. When a group has a "public" privacy, users may access data related to this group (e.g. SharePoint), through three methods:
+  - By using the Azure portal, and adding themselves into the public group.
+  - By requesting access to the group from the Group application of the Access Panel.
+  - By accessing the SharePoint URL.
+
+Administrators are notified when a user uses the Azure Portal. Requesting access to the group forces users to send a message to the group owner, but they still have immediate access to the group. The SharePoint URL is usually guessable and can be found from the Group application of the Access Panel. If group privacy is not controlled, any user may access sensitive information, according to the group they try to access.
+
+**Note:**  Public in this case means public to the identities within organization.
+
+## Remediation
+
+To enable only organizationally managed/approved public groups exist:
+
+1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.
+2. Click to expand `Teams & groups` select `Active teams & groups.`
+3. On the Active teams and groups page, select the group's name that is public.
+4. On the popup groups name page, Select `Settings.`
+5. Under Privacy, select `Private.`
+
+### Default Value
+
+Public when create from the Administration portal; private otherwise.

cis_v300/docs/cis_v300_1_3_1.md

@@ -0,0 +1,29 @@
+## Description
+
+Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items that can change are the number of days until a password expires and whether or whether passwords expire at all.
+
+Organizations such as NIST and Microsoft have updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually make the passwords less secure. Other recommendations within this Benchmark suggest the use of MFA authentication for at least critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD.
+
+## Remediation
+
+To set Office 365 passwords are set to never expire:
+
+1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.
+2. Click to expand `Settings` select `Org Settings.`
+3. Click on `Security & privacy.`
+4. Check the `Set passwords to never expire (recommended)` box.
+5. Click `Save.`
+
+To set Office 365 Passwords Are Not Set to Expire, use the Microsoft Graph PowerShell module:
+
+1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Domain.ReadWrite.All".`
+2. Run the following Microsoft Graph PowerShell command:
+
+```bash
+Update-MgDomain -DomainId <Domain> -PasswordValidityPeriodInDays 2147483647 -
+PasswordNotificationWindowInDays 30
+```
+
+### Default Value
+
+If the property is not set, a default value of 90 days will be used.

cis_v300/docs/cis_v300_1_3_3.md

@@ -0,0 +1,28 @@
+## Description
+
+External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar.
+
+Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.
+
+## Remediation
+
+To disable calendar details sharing with external users:
+
+1. Navigate to `Microsoft 365 admin center` https://admin.microsoft.com.
+2. Click to expand `Settings` select `Org settings.`
+3. In the `Services` section click `Calendar.`
+4. Uncheck `Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.`
+5. Click `Save.`
+
+To disable calendar details sharing with external users policy, use the Exchange Online PowerShell Module:
+
+1. Connect to Exchange Online using `Connect-ExchangeOnline.`
+2. Run the following Exchange Online PowerShell command:
+
+```bash
+Set-SharingPolicy -Identity "Name of the policy" -Enabled $False
+```
+
+### Default Value
+
+Enabled (True).

cis_v300/docs/cis_v300_2.md

@@ -0,0 +1,5 @@
+## Overview
+
+Microsoft 365 Defender, also known as Security, contains settings relating to policies, rules, security that are common to many Microsoft 365 applications.
+
+Direct link: https://security.microsoft.com/.

cis_v300/docs/cis_v300_2_3_1.md

@@ -0,0 +1,29 @@
+## Description
+
+The Account Provisioning Activity report details any account provisioning that was attempted by an external application.
+
+If the organization doesn't usually use a third party provider to manage accounts, any entry on the list is likely illicit. However, if the organization uses a third party provider, it is recommended to monitor transaction volumes and look for new or unusual third party applications that may be managing users. If anything unusual is observed, the provider should be contacted to determine the legitimacy of the action.
+
+## Remediation
+
+To review the Account Provisioning Activity report:
+
+1. Navigate to `Microsoft 365 Defender` https://security.microsoft.com.
+2. Click on `Audit.`
+3. Set `Activities` to `Added user` for `User administration activities.`
+4. Set `Start Date` and `End Date.`
+5. Click `Search.`
+6. Review.
+
+To review Account Provisioning Activity report using PowerShell:
+
+1. Connect to Exchange Online using `Connect-ExchangeOnline.`
+2. Run the following Exchange Online PowerShell command:
+
+```bash
+$startDate = ((Get-date).AddDays(-7)).ToShortDateString()
+$endDate = (Get-date).ToShortDateString()
+Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate | Where-Object
+{ $_.Operations -eq "add user." }
+```
+3. Review the output.

cis_v300/docs/cis_v300_3.md

@@ -0,0 +1,5 @@
+## Overview
+
+Microsoft Purview, also known as Compliance, contains settings related to all things compliance, data governance, information protection and risk management.
+
+Direct link: https://compliance.microsoft.com/

cis_v300/docs/cis_v300_3_1_1.md

@@ -0,0 +1,24 @@
+## Description
+
+When audit log search is enabled in the Microsoft Purview compliance portal, user and admin activity within the organization is recorded in the audit log and retained for 90 days. However, some organizations may prefer to use a third-party security information and event management (SIEM) application to access their auditing data. In this scenario, a global admin can choose to turn off audit log search in Microsoft 365.
+
+Enabling audit log search in the Microsoft Purview compliance portal can help organizations improve their security posture, meet regulatory compliance requirements, respond to security incidents, and gain valuable operational insights.
+
+## Remediation
+
+To enable Microsoft 365 audit log search:
+
+1. Navigate to `Microsoft Purview` https://compliance.microsoft.com.
+2. Select `Audit` to open the audit search.
+3. Click `Start recording user and admin activity` next to the information warning at the top.
+4. Click `Yes` on the dialog box to confirm.
+
+
+To enable Microsoft 365 audit log search using PowerShell:
+
+1. Connect to Exchange Online using `Connect-ExchangeOnline.`
+2. Run the following PowerShell command:
+
+```bash
+Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
+```

cis_v300/docs/cis_v300_5.md

@@ -0,0 +1,5 @@
+## Overview
+
+Microsoft Entra, also known as Identity, contains settings related to identity, conditional access, and was formerly named Azure AD.
+
+Direct link: https://entra.microsoft.com/.

cis_v300/docs/cis_v300_5_1_1_1.md

@@ -0,0 +1,42 @@
+## Description
+
+Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect the organization. Security defaults contain preconfigured security settings for common attacks.
+
+By default, Microsoft enables security defaults. The goal is to ensure that all organizations have a basic level of security enabled. The security default setting is manipulated in the Azure Portal.
+
+The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.
+
+The use of security defaults, however, will prohibit custom settings which are being set with more advanced settings from this benchmark.
+
+For example, doing the following:
+  - Requiring all users and admins to register for MFA.
+  - Challenging users with MFA - mostly when they show up on a new device or app, but more often for critical roles and tasks.
+  - Disabling authentication from legacy authentication clients, which can’t do MFA.
+
+## Remediation
+
+To disable security defaults:
+
+1. Navigate to the `Microsoft Entra admin center` https://entra.microsoft.com.
+2. Click to expand `Identity` select `Overview`
+3. Click `Properties.`
+4. Click `Manage security defaults.`
+5. Set the `Security defaults` dropdown to `Disabled.`
+6. Select Save.
+
+To configure security defaults using Microsoft Graph PowerShell:
+
+1. Connect to the Microsoft Graph service using `Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".`
+2. Run the following Microsoft Graph PowerShell command:
+
+```bash
+$params = @{ IsEnabled = $false }
+Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -BodyParameter
+$params
+```
+
+**Warning:**: It is recommended not to disable security defaults until you are ready to implement conditional access rules in the benchmark. Rules such as requiring MFA for all users and blocking legacy protocols are required in CA in order to make up the gap by disabling defaults. Plan accordingly. See the reference section for more details on what coverage Security Defaults provide.
+
+### Default Value
+
+Enabled.

cis_v300/docs/cis_v300_5_1_2_2.md

@@ -0,0 +1,18 @@
+## Description
+
+App registrations allows users to register custom-developed applications for use within the directory.
+
+Third party integrated applications connection to services should be disabled, unless there is a very clear value and robust security controls are in place. While there are legitimate uses, attackers can grant access from breached accounts to third party applications to exfiltrate data from your tenancy without having to maintain the breached account.
+
+## Remediation
+
+To prohibit third party integrated applications:
+
+1. Navigate to `Microsoft Entra admin center` https://entra.microsoft.com/.
+2. Click to expand `Identity` > `Users` select `Users settings.`
+3. Set `Users can register applications` to `No.`
+4. Click Save.
+
+### Default Value
+
+Yes (Users can register applications.)