From 8d75d45ed97be5af0ee8784cf80b833a2280bd4b Mon Sep 17 00:00:00 2001 From: meme112233 Date: Tue, 6 Aug 2024 21:30:54 -0400 Subject: [PATCH] Convert Microsoft Secure Score to OHDF (#6007) * draft of the microsoftSecureScore converter * bugfix: reading of secureScoreProfiles doc needed field for the array * minor update map/filter * add threats to tags from profile matching controlScore * add testing and update status check to use scoreInPercentage * update testing and fingerprinting * update fingerprinting for accept combined msftSecureScore document via UX * lint fix * msft-config-mapper-2.ts renamed without 2, cleanup commented out code * code cleanup. delete unused code * tslint allow commented out code in test suite * revert jest version bump * revert package.json to minimal requirements being added (only typing from MSFT) * rename mapper for consistency. msft_secure_score_mapper * update test name and remove linting inline disble block for commented out code * rename files for org per PR comments * update tags. fix array of array issue. add tiers,services,userImpact tags, add passthrough partial wroking * bugfix: replace missed exports due to rename to MsftSecureScoreMapper * bugfix/ typo * console debugging * Revert "console debugging" This reverts commit 8a003c8b466b2b6e99de586250e704fd4fe50491. * Passthrough fix; minor styling changes 
Signed-off-by: Charles Hu * actual sample msft secureScore.json test doc updated to have value: [] * bugfix/populate code with control data and optionally profiles data * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <106095667+charleshu-8@users.noreply.github.com> * remove 'summary' field as no value available * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <106095667+charleshu-8@users.noreply.github.com> * improve names of parameters in arrow functions * Update libs/hdf-converters/src/msft-secure-score-mapper.ts Co-authored-by: Charles Hu <106095667+charleshu-8@users.noreply.github.com> * remove unuded profile.version field as no value known from Microsoft * code cleanup. remove unused import * lint and update test expected results * update test data * Missed argument name change Signed-off-by: Charles Hu * Linting 
Signed-off-by: Charles Hu * implementationStatus -> controls.results.code_desc, remediation -> descriptions. data/label fix, leave controls.code blank * update test data for changes to mapper * Update msft-secure-score-mapper.ts * lint fix and update test data * relocate NIST to be in tags * sort exports per PR comment * add Msft_Secure_mapper to supported formats README.md * typo fixed * add run_time to mapper. required for downstream transformations that require start and end times. * update delimiter on control title from ... to \n * rename tag: group->category in deference to msft naming * utilize lodash.uniq for tag.threats[] * add profiles[].remediationImpact as descriptions[label:rationale] * add secure score to FileReader.vue * update merge of records by id/cat * fix rawdata passthrough * update profiles.title include runID * handle output readability better * track secureScoreControlProfile.rank as control.tag.rank * remove run_time * cleanup imports * lint fix * conditional inclusion of tags * secureScoreResults used to output full OHDF report per secureScore report in combined_input * bugfix/ exports from msft-secure-score-mapper fixed * update exports msftSecureMapper * export MsftSecureScoreMapper * add unmapped fields as tags or passthrough data * update MsftSecureScoreResult type hints * update MsftSecureScoreResult type hints * add withRaw parameter to msft secure score results * use utils.global constants for default NIST tags * remove duplicate tag 'rank' * convert forEach to for ... of * convert forEach to map(..) * delete extra copy of combined_msft.json * lint fix * private keyword isn't that useful Signed-off-by: Amndeep Singh Mann * memoized the getProfiles function so that the repeated calls to the function don't all need to do the search Signed-off-by: Amndeep Singh Mann --------- Signed-off-by: Charles Hu 
Signed-off-by: Amndeep Singh Mann Co-authored-by: Charles Hu Co-authored-by: Charles Hu <106095667+charleshu-8@users.noreply.github.com> Co-authored-by: Eugene Aronne <34140975+ejaronne@users.noreply.github.com> Co-authored-by: Amndeep Singh Mann --- .../global/upload_tabs/FileReader.vue | 1 + apps/frontend/src/store/report_intake.ts | 3 + libs/hdf-converters/README.md | 29 +- libs/hdf-converters/index.ts | 1 + libs/hdf-converters/package.json | 1 + .../sample_input_report/combined.json | 8230 +++++++++ .../sample_input_report/profiles.json | 7106 +++++++ .../secureScore-multiple.json | 161 + .../sample_input_report/secureScore.json | 779 + .../secure_score-hdf-multi.json | 15228 ++++++++++++++++ .../secure_score-hdf-withraws.json | 10548 +++++++++++ .../secure_score-hdfs.json | 10548 +++++++++++ .../src/msft-secure-score-mapper.ts | 352 + .../src/utils/fingerprinting.ts | 2 + .../forward/msft_secure_score_mapper.spec.ts | 103 + yarn.lock | 5 + 16 files changed, 53083 insertions(+), 14 deletions(-) create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json create mode 100644 libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json create mode 100644 libs/hdf-converters/src/msft-secure-score-mapper.ts create mode 100644 libs/hdf-converters/test/mappers/forward/msft_secure_score_mapper.spec.ts 
diff --git a/apps/frontend/src/components/global/upload_tabs/FileReader.vue b/apps/frontend/src/components/global/upload_tabs/FileReader.vue
index ee8f2d1757..c7f02a9524 100644
--- a/apps/frontend/src/components/global/upload_tabs/FileReader.vue
+++ b/apps/frontend/src/components/global/upload_tabs/FileReader.vue
@@ -38,6 +38,7 @@
  • Golang Security Checker (gosec)
  • Ion Channel
  • JFrog Xray
  • +
  • Microsoft Secure Score
  • Nessus
  • Netsparker
  • Nikto
• 
diff --git a/apps/frontend/src/store/report_intake.ts b/apps/frontend/src/store/report_intake.ts
index bfa293397b..6f74facdd8 100644
--- a/apps/frontend/src/store/report_intake.ts
+++ b/apps/frontend/src/store/report_intake.ts
@@ -18,6 +18,7 @@ import {
 INPUT_TYPES,
 IonChannelMapper,
 JfrogXrayMapper,
+ MsftSecureScoreResults,
 NessusResults,
 NetsparkerMapper,
 NiktoMapper,
@@ -230,6 +231,8 @@ export class InspecIntake extends VuexModule {
 switch (typeGuess) {
 case INPUT_TYPES.JFROG:
 return new JfrogXrayMapper(convertOptions.data).toHdf();
+ case INPUT_TYPES.MSFT_SEC_SCORE:
+ return new MsftSecureScoreResults(convertOptions.data).toHdf();
 case INPUT_TYPES.ASFF:
 return Object.values(
 new ASFFResultsMapper(convertOptions.data).toHdf()
diff --git a/libs/hdf-converters/README.md b/libs/hdf-converters/README.md
index 5d48c5ae64..f293b6ac62 100644
--- a/libs/hdf-converters/README.md
+++ b/libs/hdf-converters/README.md
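Review bot: The new `MSFT_SEC_SCORE` case hands `convertOptions.data` straight to `new MsftSecureScoreResults(...).toHdf()` with no visible check that the upload has the shape the mapper expects; the commit log says the sample document had to be fixed to carry `value: []` and that reading the profiles document "needed field for the array", which suggests a file that fingerprints as Secure Score but lacks the `value` array would fail with a TypeError from inside the mapper rather than an intake error the UI can report. If `MsftSecureScoreResults` does not validate its input itself, the mapper's constructor (or this case) should reject a document without a `value` array, and without the `secureScore`/`profiles` keys for the combined form, with a descriptive `Error`. The `switch` lives in an `InspecIntake` method whose start and end lie outside the hunk, and `INPUT_TYPES.MSFT_SEC_SCORE` is defined in the fingerprinting change that is not shown here.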
@@ -16,20 +16,21 @@ OHDF Converters supplies several methods to convert various types of security to
 9. [**gosec-mapper**] - gosec results JSON file
 10. [**ionchannel-mapper**] - SBOM data from Ion Channel
 11. [**jfrog-xray-mapper**] - JFrog Xray results JSON file
-12. [**nessus-mapper**] - Nessus XML results file
-13. [**netsparker-mapper**] - Netsparker XML results file
-14. [**nikto-mapper**] - Nikto results JSON file
-15. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
-16. [**sarif-mapper**] - SARIF JSON file
-17. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
-18. [**snyk-mapper**] - Snyk results JSON file
-19. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
-20. [**splunk-mapper**] - Splunk instance
-21. [**trufflehog-mapper**] - Trufflehog results json file
-22. [**twistlock-mapper**] - Twistlock CLI output file
-23. [**veracode-mapper**] - Veracode Scan Results XML file
-24. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
-25. [**zap-mapper**] - OWASP ZAP results JSON
+12. [**msft-secure-mapper**] - Microsoft Secure Score results file
+13. [**nessus-mapper**] - Nessus XML results file
+14. [**netsparker-mapper**] - Netsparker XML results file
+15. [**nikto-mapper**] - Nikto results JSON file
+16. [**prisma-mapper**] - Prisma Cloud Scan Report CSV file
+17. [**sarif-mapper**] - SARIF JSON file
+18. [**scoutsuite-mapper**] - ScoutSuite results from a Javascript object
+19. [**snyk-mapper**] - Snyk results JSON file
+20. [**sonarqube-mapper**] - SonarQube vulnerabilities for the specified project name and optional branch or pull/merge request ID name from an API
+21. [**splunk-mapper**] - Splunk instance
+22. [**trufflehog-mapper**] - Trufflehog results json file
+23. [**twistlock-mapper**] - Twistlock CLI output file
+24. [**veracode-mapper**] - Veracode Scan Results XML file
+25. [**xccdf-results-mapper**] - SCAP client XCCDF-Results XML report
+26. [**zap-mapper**] - OWASP ZAP results JSON
 ### NOTICE
diff --git a/libs/hdf-converters/index.ts b/libs/hdf-converters/index.ts
index 3c46f6bb7c..b7971d17fe 100644
--- a/libs/hdf-converters/index.ts
+++ b/libs/hdf-converters/index.ts
@@ -24,6 +24,7 @@ export * as NiktoNistMappingData from './src/mappings/NiktoNistMappingData';
 export * as NistCciMappingData from './src/mappings/NistCciMappingData';
 export * as OWaspNistMappingData from './src/mappings/OWaspNistMappingData';
 export * as ScoutsuiteNistMappingData from './src/mappings/ScoutsuiteNistMappingData';
+export * from './src/msft-secure-score-mapper';
 export * from './src/nessus-mapper';
 export * from './src/netsparker-mapper';
 export * from './src/nikto-mapper';
diff --git a/libs/hdf-converters/package.json b/libs/hdf-converters/package.json
index 04653edf07..e2626e7804 100644
--- a/libs/hdf-converters/package.json
+++ b/libs/hdf-converters/package.json
@@ -25,6 +25,7 @@
 "xml2json": "tsx data/converters/xml2json.ts"
 },
 "dependencies": {
+ "@microsoft/microsoft-graph-types": "^2.40.0",
 "@aws-sdk/client-config-service": "^3.95.0",
 "@e965/xlsx": "^0.20.0",
 "@mdi/js": "^7.0.96",
diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json
new file mode 100644
index 0000000000..592b2cd6e7
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json
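Review bot: `@microsoft/microsoft-graph-types` is added under `dependencies` although the commit log describes the addition as "only typing from MSFT"; a types-only package pulled into every downstream production install is avoidable supply-chain exposure unless the mapper's exported signatures reference those Graph types, in which case consumers do need it for type-checking and the placement is justified. If nothing exported from `msft-secure-score-mapper.ts` surfaces those types, move the line to `devDependencies`. The entry is also inserted above `@aws-sdk/client-config-service`, breaking the alphabetical order the rest of the block keeps. The caret range `^2.40.0` is resolved by the `yarn.lock` change in this commit, so the installed version is pinned there.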
@@ -0,0 +1,8230 @@ +{ + "secureScore": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores", + "value": [ + { + "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "activeUserCount": 1, + "createdDateTime": "2024-01-01T00:00:00Z", + "currentScore": 128, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "licensedUserCount": 0, + "maxScore": 274, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "controlScores": [ + { + "controlCategory": "Apps", + "controlName": "spo_idle_session_timeout", + "description": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t", + "score": 0, + "lastSynced": "2024-01-01T17:12:14Z", + "implementationStatus": "The setting is not compliant.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "spo_legacy_auth", + "description": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t", + "score": 0, + "lastSynced": "2024-01-01T17:12:14Z", + "implementationStatus": "The setting is not compliant.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasFirewallLogUpload", + "description": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasCutomActivityPolicy", + "description": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Policy in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasCloudAppNotification", + "description": "App discovery policies can notify you when new apps or abnormal usage is observed within your organization, based on traffic logs data.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Policy in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasOAuthAppNotification", + "description": "OAuth app policies can help you manage app permission and notify you when a user or an admin consents to a new Open Authorization (OAuth) app. 
With this information, you can investigate which permissions each app requested and which users authorized them.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "AATP_DefenderForIdentityIsNotInstalled", + "description": "Installing Microsoft Defender for Identity sensors provides you with the ability to detect advanced threats in your entire identity infrastructure. Actionable security alerts are generated through the analysis of network traffic and security events.", + "score": 0, + "lastSynced": "2024-01-01T14:59:53Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_atpprotection", + "description": "Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Data", + "controlName": "dlp_datalossprevention", + "description": "Data Loss Prevention (DLP) policies allows content in multiple locations, such as, devices, Exchange online and Teams chats to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "exo_individualsharing", + "description": "Users should not be allowed to share the full details of their calendars with external users.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safedocuments", + 
"description": "Safe Documents uses Microsoft Defender for Endpoint to scan documents and files for malicious content. To keep you protected, Safe Documents sends files to the Defender for Endpoint cloud for analysis. Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_connectionfilter", + "description": "

    If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. These options include Exchange mail flow rules (also known as transport rules), Outlook Safe Senders, the IP Allow List (connection filtering), and allowed sender lists or allowed domain lists in anti-spam policies. Collectively, you can think of these options as safe sender lists.

    The available safe sender lists are described in the following list in order from most recommended to least recommended:
    1. Mail flow rules
    2. Outlook Safe Senders
    3. IP Allow List (connection filtering)
    4. Allowed sender lists or allowed domain lists (anti-spam policies)

    Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. Since the IP Allow List doesn't prevent malware or high confidence phishing messages from being filtered, this creates a high risk of attackers successfully delivering email to an inbox that would otherwise be filtered.

    ", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "The allowed IP addresses list in the connection filter policy is empty ", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_purviewlabelconsent", + "description": "\n To get work done, people in your organization collaborate with others both inside and outside the organization. Data doesn't always stay in your cloud, and often roams everywhere—across devices, apps, and services. When your data roams, you still want it to be secure in a way that meets your organization's business and compliance policies.\n
    \n
    \n Applying sensitivity labels to your content helps you keep your data secure by stating how sensitive certain data is in your organization. It also abstracts the data itself, letting you track the type of data without exposing sensitive data on other platforms.\n
    \n
    \n For example, applying the sensitivity label ‘highly confidential’ to a document that contains social security numbers and credit card numbers helps you identify the sensitivity of the document without knowing the actual data in the document.\n
    \n
    \n The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview data map. When you apply a label on an office document and then scan it into the Microsoft Purview data map, the label will be applied to the data asset.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "The setting was not enabled.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "CustomerLockBoxEnabled", + "description": "Turning on the customer lockbox feature requires that approval is obtained for datacenter operations that grants a Microsoft employee direct access to your content. Access may be needed by Microsoft support engineers if an issue arises. There's an expiration time on the request and content access is removed after the support engineer has fixed the issue.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_oauth2clientprofileenabled", + "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in 'to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.

    When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern uthentication to log in to Microsoft 365 mailboxes", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Modern authentication for Exchange Online is enabled", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "exo_mailtipsenabled", + "description": "MailTips assist end users with identifying strange patterns to emails they send.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "MailTips for end users are disabled.", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_transportrulesallowlistdomains", + "description": "You should set Spam confidence level (SCL) in your Exchange Online mail transport rules with specific domains. Allow-listing domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain. \n\t

    Note: In order to get a score for this security control, all the active transport rule that applies to specific domains must have a Spam Confidence Level (SCL) of 0 or higher.

    ", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Spam confidence level (SCL) is not configured in mail transport rules with specific domain", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mip_search_auditlog", + "description": "When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Microsoft 365 audit log search is enabled disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_mailboxaudit", + "description": "

    By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

    Rationale:

    Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.

    This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

    However, only certain mailbox types support default auditing setting 'On': User Mailboxes, Shared Mailboxes, and Microsoft 365 Group Mailboxes. The remaining mailbox types require auditing to be turned on at the mailbox level: Resource Mailboxes, Public Folder Mailboxes, and DiscoverySearch Mailbox.

    Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.

    NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Mailbox auditing for all users is disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_storageproviderrestricted", + "description": "

    This setting allows users to open certain external files while working in Outlook on the
    web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy
    policies of those third-party services.

    Ensure AdditionalStorageProvidersAvailable is restricted.

    Rationale:

    By default additional storage providers are allowed in Office on the Web (such as Box,
    Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to
    information leakage and additional risk of infection from organizational non-trusted
    storage providers. Restricting this will inherently reduce risk as it will narrow
    opportunities for infection and data leakage.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Additional storage providers are restricted in Outlook on the web is not configured correctly. Please follow next steps to correctly configure the control.", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_outlookaddins", + "description": "

    Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

    Rationale:
    Attackers exploit vulnerable or custom add-ins to access user data. Disabling user installed add-ins in Microsoft Outlook reduces this threat surface.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Installing Outlook add-ins configuration is disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapspam", + "description": "

    For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapphish", + "description": "

    For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-phishing policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapmalware", + "description": "

    Zero-hour auto purge (ZAP) quarantines the message that contains malware attachment for both read, as well as unread, messages that are found to contain malware after delivery. Only admins can view and manage messages that have been quarantined.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 6, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safeattachments", + "description": "Safe Attachments in block mode prevents messages with detected malware attachments from being delivered. These messages are quarantined and only admins (not regular users) can review, release, or delete them. This will also automatically block future malware attachments.\n\t

    \n\tMDO Built-in protection policy provides safe attachments protection for everyone by default. You could also create additional Safe Attachment policies for customized Safe Attachment operations.\n ", + "score": 8, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safelinksforemail", + "description": "MDO Built-in protection policy will provide base level safe links protection for everyone by default. You could also create additional Safe Links policies for enhanced or customized Safe Links operations.", + "score": 9, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_commonattachmentsfilter", + "description": "There are certain types of files that are risker to send and receive via email due to the likelihood that they contain malware (for example, executable files). To make sure these file types don't get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachments types are treated as malware and are automatically quarantined.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_sensitivitylabelspolicies", + "description": "Set up and use data classification policies on data stored in your users' Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups.\n
    \n
    \nThe policies will help categorize your most important data so you can effectively protect it from illicit access and will help make it easier to investigate discovered breaches.\n
    \n
    \nCreation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.\n
    \n
    \nThis information was taken from Center for Internet Security (CIS).\n ", + "score": 2, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Policies were published on 1 of the 1 users", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_autosensitivitylabelspolicies", + "description": "\n Create auto-labeling policies to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files that contain sensitive info.\n
    \n This ability to apply sensitivity labels to content automatically is important because:\n
    \n You don't need to train your users on the appropriate way to use each of your classifications.\n
    \n You don't need to rely on users to classify all content correctly.\n
    \n Users no longer need to know about your policies—they can instead focus on their work.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Policies were published on 0 of the 1 users", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_highconfidencespamaction", + "description": "Set the action that will be taken on high confidence spam detection.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_phisspamacation", + "description": "Set the action that will be taken on phishing detection.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_highconfidencephishaction", + "description": "Set the action that will be taken on high confidence phishing detection.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_bulkspamaction", + "description": "Set the action that will be taken on bulk spam detection.", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_quarantineretentionperiod", + "description": "Specifies how long to keep the message in quarantine if you selected “Quarantine message” as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_allowedsenderscombined", + "description": "Never add your own accepted domains or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains to your organization. In addition, avoid adding specific senders that can bypass spam filtering.", + "score": 2, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_bulkthreshold", + "description": "Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the bulk spam filtering verdict that you configure on the next page. A higher value indicates that the message is less desirable (more likely to resemble spam). While the default value is 7, 6 or lower is the recommended value.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_spamaction", + "description": "Set the action that will be taken on spam detection.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_autoforwardingmode", + "description": "", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientexternallimitperhour", + "description": "Configure the maximum number of external recipients that a user can email per hour. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientinternallimitperhour", + "description": "Configure the maximum number of recipients that a user can send to per hour for internal recipients. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientlimitperday", + "description": "Configure the maximum number of recipients that a user can send to within a day. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_thresholdreachedaction", + "description": "Configure action to take when any of the limits specified in the outbound anti-spam policy are reached. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_enablemailboxintelligence", + "description": "\n Turns on artificial intelligence (AI) that identifies users’ email patterns with their frequent contacts to spot potential phishing attempts.\n ", + "score": 8, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_mailboxintelligenceprotection", + "description": "\n Enables enhanced impersonation results based on each user's individual sender map and allows you to define specific actions for impersonated messages.\n
    \n
    \n This setting is available only if ‘Enable mailbox intelligence’ is selected.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_mailboxintelligenceprotectionaction", + "description": "\n This setting specifies what to do with messages for impersonation detections from mailbox intelligence results.\n
    \n
    \n If a message is detected to be an impersonated user by mailbox intelligence, no action will be applied by default. We recommend moving the message to the recipients’ junk email folder and strongly recommend quarantining it.\n
    \n
    \n This setting is available only if the ‘Ensure that intelligence for impersonation protection is enabled’ setting is properly configured.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_enabledomainstoprotect", + "description": "\n Prevents specified domains from being impersonated by the message sender's domain.\n
    \n
    \n When you add domains to the ‘Enable domains to protect’ list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if it’s sent to a recipient that the policy applies to.\n
    \n
    \n If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message.\n
    \n
    \n By default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_phishthresholdlevel", + "description": "\n The threshold controls the sensitivity with which machine learning models are applied to email messages to determine whether a phishing attempt has occurred.\n
    \n A higher value indicates greater sensitivity. The default value is 1, but 2 or 3 are the recommended values.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_similardomainssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for domain impersonation detections.\n
    \n
    \n When the ‘Show domain impersonation safety tip’ is enabled, the tip “This sender might be impersonating a domain that's associated with your organization” is shown to recipients in messages where the sender's email domain is included in domain impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_similaruserssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation safety tip’ is enabled, the tip “This sender appears to be similar to someone who previously sent you email but may not be that person” is shown to recipients in messages where the sender's email address is included in user impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targeteddomainprotectionaction", + "description": "\n This setting specifies the action to take on detected domain impersonation messages.\n
    \n
    \n If a message is detected from an impersonated domain, no action is taken by default. We recommend quarantining the message.\n
    \n
    \n This setting is available only if ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targeteduserprotectionaction", + "description": "\n This setting specifies the action to take on detected user impersonation messages.\n
    \n
    \n If a message is detected from an impersonated user, no default action will be taken. We recommend quarantining the message.\n
    \n
    \n Whenever you select ‘Quarantine the message’, a ‘Select quarantine policy’ box is available.\n
    \n Quarantine policies define who is allowed to do to quarantined messages.\n
    \n
    \n This setting is available only if ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targetedusersprotection", + "description": "\n Prevents specified internal or external email addresses from being impersonated as message senders in phishing attempts.\n
    \n By default, impersonated user protection is disabled, and no sender email addresses are covered by impersonation protection, whether in the default policy or in custom policies.\n
    \n
    \n We highly recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_unusualcharacterssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for unusual characters in domain and user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation unusual safety tip’ is enabled, the tip is shown to recipients in messages where the sender's name or email address contains characters that are not typically used together, such as a mix of mathematical symbols and plain text or a mix of uppercase and lowercase letters.\n
    \n
    \n Example tip:\n
    \n ‘The email address MARY@CoNTᴏSO.CᴏM includes unexpected letters or numbers. We recommend you do not interact with this message.’\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_spam_notifications_only_for_admins", + "description": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.

    Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as
    outlined in the highest priority policy listed.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safeattachmentpolicy", + "description": "

    The Safe Attachments policy helps protect users from malware in email attachments by
    scanning attachments for viruses, malware, and other malicious content. When an email
    attachment is received by a user, Safe Attachments will scan the attachment in a secure
    environment and provide a verdict on whether the attachment is safe or not.

    Rationale:
    Enabling Safe Attachments policy helps protect against malware threats in email
    attachments by analyzing suspicious attachments in a secure, cloud-based environment
    before they are delivered to the user's inbox. This provides an additional layer of
    security and can prevent new or unseen types of malware from infiltrating the
    organization's network.

    ", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safelinksforOfficeApps", + "description": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_antiphishingpolicies", + "description": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

    Rationale: Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_blockmailforward", + "description": "

    Exchange Online offers several methods of managing the flow of email messages.
    These are Remote domain, Transport Rules, and Anti-spam outbound policies. These
    methods work together to provide comprehensive coverage for potential automatic
    forwarding channels:

    • Outlook forwarding using inbox rules
    • Outlook forwarding configured using OOF rule
    • OWA forwarding setting (ForwardingSmtpAddress)
    • Forwarding set by the admin using EAC (ForwardingAddress)
    • Forwarding using Power Automate / Flow

    NOTE:

    • In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
    • Any exclusions should be implemented based on organizational policy.

    Rationale:
    Attackers often create these rules to exfiltrate data from your tenancy, this could be
    accomplished via access to an end-user account or otherwise. An insider could also use
    one of these methods as an secondary channel to exfiltrate sensitive data.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "IntegratedApps", + "description": "To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have no user consent policy in place.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "PWAgePolicyNew", + "description": "Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.", + "score": 8, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "Your current policy is set to let passwords expire.", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "SelfServicePasswordReset", + "description": "With self-service password reset in Microsoft Entra ID, users no longer need to engage help desk to reset passwords. 
This feature works well with Microsoft Entra ID dynamically banned passwords, which prevents easily guessable passwords from being used.", + "score": 1, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 0 users who don't have self-service password reset enabled.", + "count": "0", + "total": "0", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "BlockLegacyAuthentication", + "description": "Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.", + "score": 8, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 1 users that don't have legacy authentication blocked.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "MFARegistrationV2", + "description": "Multifactor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.", + "score": 9, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 out of 1 users that aren’t registered with MFA.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "AdminMFAV2", + "description": "

    Requiring multifactor authentication (MFA) for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed. At a minimum, protect the following roles: 

    • Global administrator 
    • Authentication administrator 
    • Billing administrator 
    • Conditional Access administrator 
    • Exchange administrator 
    • Helpdesk administrator 
    • Security administrator 
    • SharePoint administrator 
    • User administrator 
    ", + "score": 10, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 out of 1 users with administrative roles that aren’t registered and protected with MFA.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "SigninRiskPolicy", + "description": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication (MFA).", + "score": 7, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 1 users that don't have the sign-in risky policy turned on.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "UserRiskPolicy", + "description": "With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.", + "score": 7, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 users out of 1 that do not have user risk policy enabled.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "OneAdmin", + "description": "

    Having more than one global administrator helps if you are unable to fulfill the needs or obligations of your organization. It's important to have a delegate or an emergency account someone from your team can access if necessary. It also allows admins the ability to monitor each other for signs of a breach.

    Note:

    According to CIS O365 Benchmark 2.0.0, the suggestion is to have between two to four global admins. Currently, the condition to comply is to have more than one global administrator - This security recommendation will be updated accordingly to CIS benchmark in the future.

    Rationale:

    If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.

    ", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You currently have 1 global admins.", + "count": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "RoleOverlap", + "description": "Ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached.", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 users with least privileged administrative roles.", + "count": "0", + "scoreInPercentage": 0 + } + ] + } + ] + }, + "profiles": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles", + "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000", + "value": [ + { + "id": "aad_admin_accounts_separate_unassigned_cloud_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure Administrative accounts are separate and cloud-only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ", + "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.", + "service": "AzureAD", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_admin_consent_workflow", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings", + "controlCategory": "Apps", + "title": "Ensure the admin consent workflow is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_custom_banned_passwords", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection", + "controlCategory": "Apps", + "title": "Ensure custom banned passwords lists are used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ", + "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_limited_administrative_roles", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps", + "controlCategory": "Apps", + "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ", + "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_linkedin_connection_disables", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration", + "controlCategory": "Apps", + "title": "Ensure 'LinkedIn account connections' is disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ", + "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_managed_approved_public_groups_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups", + "controlCategory": "Apps", + "title": "Ensure that only organizationally managed/approved public groups exist", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ", + "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_password_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations", + "controlCategory": "Apps", + "title": "Ensure password protection is enabled for on-prem Active Directory", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ", + "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_phishing_MFA_strength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy", + "controlCategory": "Apps", + "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ", + "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_sign_in_freq_session_timeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade", + "controlCategory": "Apps", + "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_third_party_apps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure third party integrated applications are not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc1", + "controlCategory": "Identity", + "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8IIS", + "controlCategory": "Identity", + "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.", + "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc7", + "controlCategory": "Identity", + "title": "Edit misconfigured Certificate Authority ACL (ESC7)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.", + "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4ACL", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates ACL (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.", + "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEku", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc2", + "controlCategory": "Identity", + "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ", + "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc3", + "controlCategory": "Identity", + "title": "Edit misconfigured enrollment agent certificate template (ESC3)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates owner (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Edit misconfigured certificate templates owner (ESC4)", + "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8", + "controlCategory": "Identity", + "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ", + "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.", + "service": "FORMS", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "IntegratedApps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526", + "controlCategory": "Identity", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 35, + "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Data Spillage" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_AV_firewall_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that devices connecting have AV and a local firewall enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_conection_from_jail_broken_rooted_devices", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that users cannot connect from devices that are jail broken or rooted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_advanced_security_configuration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are set to require advanced security configurations", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_alphanumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_simple_password_blocked", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_encryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_lock_after_inactivity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_email_profiles_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_minimum_password_length", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_never_expires_password", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices are set to never expire passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices require the use of a password", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_password_reused_prohibited",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile device password reuse is prohibited",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_wipe_on_multiple_signin_failures",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "mcas_mda_enabled",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started",
+ "controlCategory": "Apps",
+ "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ",
+ "remediationImpact": "None.",
+ "service": "MCAS",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCloudAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create",
+ "controlCategory": "Apps",
+ "title": "Create an app discovery policy to identify new and trending cloud apps in your org ",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 75,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCutomActivityPolicy",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create",
+ "controlCategory": "Apps",
+ "title": "Create a custom activity policy to get alerts about suspicious usage patterns",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 2,
+ "rank": 80,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasFirewallLogUpload",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload",
+ "controlCategory": "Apps",
+ "title": "Deploy a log collector to discover shadow IT activity",
+ "deprecated": false,
+ "implementationCost": "Moderate",
+ "lastModifiedDateTime": null,
+ "maxScore": 1,
+ "rank": 82,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ",
+ "remediationImpact": "This change has no known impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Low",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasOAuthAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create",
+ "controlCategory": "Apps",
+ "title": "Create an OAuth app policy to notify you about new OAuth applications",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 57,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Defense In Depth",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_EnableTwoFactorAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication (MFA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ",
+ "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_ForceSSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/",
+ "controlCategory": "Apps",
+ "title": "Enable Single Sing On (SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ",
+ "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_InactiveTimeoutMins",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/",
+ "controlCategory": "Apps",
+ "title": "Enable session timeout for web users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ",
+ "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_mobile_access",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/",
+ "controlCategory": "Apps",
+ "title": "Atlassian mobile app security - App access requirement",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_mobile_dataprotection",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/",
+ "controlCategory": "Apps",
+ "title": "Atlassian mobile app security - App data protection",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_mobile_UsersAffected",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/",
+ "controlCategory": "Apps",
+ "title": "Atlassian mobile app security - Users that are affected by policies",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ",
+ "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_passwordExpiry",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/",
+ "controlCategory": "Apps",
+ "title": "Enable Password expiration policies",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ",
+ "remediationImpact": "See learn more link.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_EnableTwoFactorAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication (MFA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ",
+ "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_ForceSSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso",
+ "controlCategory": "Apps",
+ "title": "Enable Single Sign on (SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ",
+ "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_InactiveTimeoutMins",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy",
+ "controlCategory": "Apps",
+ "title": "Enable session timeout for web users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ",
+ "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_LoginFailLockoutSecs",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy",
+ "controlCategory": "Apps",
+ "title": "Enhance 'login maximum attempts' - Lockout timer",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ",
+ "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_LoginFailMaxAttempts",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy",
+ "controlCategory": "Apps",
+ "title": "Enhance 'login maximum attempts' - Number of attempts",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ",
+ "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_MinimumLength",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements",
+ "controlCategory": "Apps",
+ "title": "Enable password minimum length",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ",
+ "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_MinimumNumeric",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements",
+ "controlCategory": "Apps",
+ "title": "Enable password minimum numeric characters",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ",
+ "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_MinimumSpecialCharacters",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements",
+ "controlCategory": "Apps",
+ "title": "Enable password minimum special characters",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ",
+ "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.",
+ "service": "MDA_CitrixSF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_CitrixSF_PasswordMaxAgeDays",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements",
+ "controlCategory": "Apps",
+ "title": "Enable password expiration policies",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ", + "remediationImpact": "This setting disable users to fork private repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PublicRepoCreation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Members will be able to create public repositories, visible to anyone'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ", + "remediationImpact": "This setting blocks users from creating public repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoTransferOrDeletion", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories", + "controlCategory": "Apps", + "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories transferring and deletion.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoVisibility_change", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Allow members to change repository visibilities for this organization'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_SAML", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on", + "controlCategory": "Apps", + "title": "Enable single sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Google_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ", + "remediationImpact": "

    Follow the guideline.

    ", + "service": "MDA_Google", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_NetDocuments_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.netdocuments.com/s/article/205220410", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in netDocuments", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ", + "remediationImpact": "See learn more link.", + "service": "MDA_NetDocuments", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ", + "remediationImpact": "This setting enforce Session time out for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_disableProtocolSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors", + "controlCategory": "Apps", + "title": "Remote Site", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "", + "remediationImpact": "Unknown", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableAdminLoginAsAnyUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Administrators Can Log In As Any User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.", + "remediationImpact": "You users must grant access before admins can log into their users.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Elevation of Privilege", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCacheAndAutocomplete", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Caching and Autocomplete on Login Page via Session settings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.", + "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupSFDC", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for non-Setup for Salesforce pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with standard headers", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUserHeaderless", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with headers disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackSetup", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for Setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableContentSniffingProtection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Sniffing protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSPOnEmail", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Security Policy protection for email templates", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnGet", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on GET requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnPost", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on POST requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableMultipleSamlConfigs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.salesforce.com/mfa-requirement-check", + "controlCategory": "Apps", + "title": "Require identity verification during multi-factor authentication (MFA) registration", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 33, + "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.", + "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.", + "service": "MDA_SF", + "threats": [ + "Password cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableSMSIdentity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Let users verify their identity by text (SMS)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).", + "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enforceIpRangesEveryRequest", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce login IP ranges on every request", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.", + "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceLogoutOnSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force logout on session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.", + "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceRelogin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force (admin) relogin after Login-As-User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptUseSandbox", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html", + "controlCategory": "Apps", + "title": "Enable client generated scripts sandbox", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_smDefaultMode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html", + "controlCategory": "Apps", + "title": "Enable default deny with new ACL rules", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_sncUserLockoutCheck", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html", + "controlCategory": "Apps", + "title": "Enable managing failed login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ", + "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapRequireContentTypeXml", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html", + "controlCategory": "Apps", + "title": "Enable SOAP content type checking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapStrictSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html", + "controlCategory": "Apps", + "title": "Enable SOAP request strict security", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_systemSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html", + "controlCategory": "Apps", + "title": "Activate security jump start (ACL rules) plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.", + "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_uiSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html", + "controlCategory": "Apps", + "title": "Enable session activity timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces timely expiration of user account.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_useCsrfToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html", + "controlCategory": "Apps", + "title": "Enable anti-CSRF token", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_userCookieMaxLifeSpanInDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html", + "controlCategory": "Apps", + "title": "Enable absolute session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Forcing the user to relogin after specific days.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Workplace_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in Workplace by Meta", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ", + "remediationImpact": "None.", + "service": "MDA_Workplace", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_AdminPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Block admins to set passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_BlockAccountAssumption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account", + "controlCategory": "Apps", + "title": "Block account assumption", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_bypassIPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Block customers to bypass IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_EmailNotificationsforPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Send a notification on password change for admins, agents, and end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ", + "remediationImpact": "End users will get email notifications when their passwords change.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_enableapp", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app", + "controlCategory": "Apps", + "title": "Admins and agents can use the Zendesk Support mobile app", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_IPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874", + "controlCategory": "Apps", + "title": "Enable and adopt two-factor authentication (2FA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ", + "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_sessionexpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time", + "controlCategory": "Apps", + "title": "Enable session timeout for users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ", + "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable external Authentication (google or microsoft or SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_ZanAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable Zendesk authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ", + "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_BlockDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains", + "controlCategory": "Apps", + "title": "Block users in specific domains from joining meetings and webinars", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ", + "remediationImpact": "This setting block users to signin from specific domains.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MeetingE2eEncryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings", + "controlCategory": "Apps", + "title": "Enforce end to end encryption in all Zoom meetings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ", + "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] + } +} diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json new file mode 100644 index 0000000000..0834fc37b1 --- /dev/null +++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json @@ -0,0 +1,7106 @@ +{ + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles", + "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000", + "value": [ + { + "id": "aad_admin_accounts_separate_unassigned_cloud_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure Administrative accounts are separate and cloud-only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ", + "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.", + "service": "AzureAD", + "threats": ["Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_admin_consent_workflow", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings", + "controlCategory": "Apps", + "title": "Ensure the admin consent workflow is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_custom_banned_passwords", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection", + "controlCategory": "Apps", + "title": "Ensure custom banned passwords lists are used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ", + "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ", + "service": "AzureAD", + "threats": ["Data Exfiltration", "Password Cracking", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_limited_administrative_roles", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps", + "controlCategory": "Apps", + "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ", + "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ", + "service": "AzureAD", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_linkedin_connection_disables", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration", + "controlCategory": "Apps", + "title": "Ensure 'LinkedIn account connections' is disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ", + "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.", + "service": "AzureAD", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_managed_approved_public_groups_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups", + "controlCategory": "Apps", + "title": "Ensure that only organizationally managed/approved public groups exist", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ", + "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.", + "service": "AzureAD", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_password_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations", + "controlCategory": "Apps", + "title": "Ensure password protection is enabled for on-prem Active Directory", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ", + "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.", + "service": "AzureAD", + "threats": ["Data Exfiltration", "Password Cracking", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_phishing_MFA_strength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy", + "controlCategory": "Apps", + "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ", + "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.", + "service": "AzureAD", + "threats": ["Data Exfiltration", "Password Cracking", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_sign_in_freq_session_timeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade", + "controlCategory": "Apps", + "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_third_party_apps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure third party integrated applications are not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc1", + "controlCategory": "Identity", + "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8IIS", + "controlCategory": "Identity", + "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.", + "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc7", + "controlCategory": "Identity", + "title": "Edit misconfigured Certificate Authority ACL (ESC7)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.", + "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4ACL", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates ACL (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.", + "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEku", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc2", + "controlCategory": "Identity", + "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ", + "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc3", + "controlCategory": "Identity", + "title": "Edit misconfigured enrollment agent certificate template (ESC3)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates owner (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Edit misconfigured certificate templates owner (ESC4)", + "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8", + "controlCategory": "Identity", + "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": ["Password Cracking", "Account Breach"], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": ["Data Exfiltration", "Data Deletion", "Data Spillage"], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ",
+ "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.",
+ "service": "FORMS",
+ "threats": ["Data Exfiltration", "Account breach"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "IntegratedApps",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526",
+ "controlCategory": "Identity",
+ "title": "Ensure user consent to apps accessing company data on their behalf is not allowed",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 35,
+ "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ",
+ "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.",
+ "service": "AzureAD",
+ "threats": ["Data Exfiltration", "Data Spillage"],
+ "tier": "Defense In Depth",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_AV_firewall_enabled",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that devices connecting have AV and a local firewall enabled",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_conection_from_jail_broken_rooted_devices",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that users cannot connect from devices that are jail broken or rooted",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_advanced_security_configuration",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile device management policies are set to require advanced security configurations",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_complex_password_alphanumeric",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_complex_password_simple_password_blocked",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_device_encryption",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_device_lock_after_inactivity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_email_profiles_requirement",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_minimum_password_length",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_never_expires_password",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices are set to never expire passwords",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_password_requirement",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile devices require the use of a password",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_password_reused_prohibited",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile device password reuse is prohibited",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_wipe_on_multiple_signin_failures",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": ["Account breach"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "mcas_mda_enabled",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started",
+ "controlCategory": "Apps",
+ "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ",
+ "remediationImpact": "None.",
+ "service": "MCAS",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCloudAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create",
+ "controlCategory": "Apps",
+ "title": "Create an app discovery policy to identify new and trending cloud apps in your org ",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 75,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": ["Data Exfiltration"],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCutomActivityPolicy",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create",
+ "controlCategory": "Apps",
+ "title": "Create a custom activity policy to get alerts about suspicious usage patterns",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 2,
+ "rank": 80,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasFirewallLogUpload",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload",
+ "controlCategory": "Apps",
+ "title": "Deploy a log collector to discover shadow IT activity",
+ "deprecated": false,
+ "implementationCost": "Moderate",
+ "lastModifiedDateTime": null,
+ "maxScore": 1,
+ "rank": 82,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ",
+ "remediationImpact": "This change has no known impact on your users.",
+ "service": "MCAS",
+ "threats": ["Data Exfiltration"],
+ "tier": "Advanced",
+ "userImpact": "Low",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasOAuthAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create",
+ "controlCategory": "Apps",
+ "title": "Create an OAuth app policy to notify you about new OAuth applications",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 57,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Defense In Depth",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_EnableTwoFactorAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication (MFA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ",
+ "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.",
+ "service": "MDA_Atlassian",
+ "threats": ["Account breach", "Data Exfiltration", "Password Cracking"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_ForceSSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/",
+ "controlCategory": "Apps",
+ "title": "Enable Single Sing On (SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ", + "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_access", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App access requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_dataprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App data protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_UsersAffected", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - Users that are affected by policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ", + "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_passwordExpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/", + "controlCategory": "Apps", + "title": "Enable Password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ", + "remediationImpact": "See learn more link.", + "service": "MDA_Atlassian", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso", + "controlCategory": "Apps", + "title": "Enable Single Sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ", + "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ", + "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailLockoutSecs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Lockout timer", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailMaxAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Number of attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ", + "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumNumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum numeric characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ", + "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumSpecialCharacters", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum special characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ", + "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_PasswordMaxAgeDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ", + "remediationImpact": "This setting disable users to fork private repositories.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PublicRepoCreation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Members will be able to create public repositories, visible to anyone'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ", + "remediationImpact": "This setting blocks users from creating public repositories.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoTransferOrDeletion", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories", + "controlCategory": "Apps", + "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories transferring and deletion.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoVisibility_change", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Allow members to change repository visibilities for this organization'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_SAML", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on", + "controlCategory": "Apps", + "title": "Enable single sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.", + "service": "MDA_GitHub", + "threats": ["Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Google_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ", + "remediationImpact": "

    Follow the guideline.

    ", + "service": "MDA_Google", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_NetDocuments_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.netdocuments.com/s/article/205220410", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in netDocuments", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ", + "remediationImpact": "See learn more link.", + "service": "MDA_NetDocuments", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Okta", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Okta users.", + "service": "MDA_Okta", + "threats": ["Account breach", "Data Exfiltration", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_Okta", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ", + "remediationImpact": "This setting enforce Session time out for all Okta users.", + "service": "MDA_Okta", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_disableProtocolSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors", + "controlCategory": "Apps", + "title": "Remote Site", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "", + "remediationImpact": "Unknown", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableAdminLoginAsAnyUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Administrators Can Log In As Any User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.", + "remediationImpact": "You users must grant access before admins can log into their users.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Elevation of Privilege", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCacheAndAutocomplete", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Caching and Autocomplete on Login Page via Session settings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.", + "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupSFDC", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for non-Setup for Salesforce pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with standard headers", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUserHeaderless", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with headers disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackSetup", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for Setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableContentSniffingProtection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Sniffing protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSPOnEmail", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Security Policy protection for email templates", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnGet", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on GET requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnPost", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on POST requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableMultipleSamlConfigs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.salesforce.com/mfa-requirement-check", + "controlCategory": "Apps", + "title": "Require identity verification during multi-factor authentication (MFA) registration", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 33, + "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.", + "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.", + "service": "MDA_SF", + "threats": ["Password cracking", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableSMSIdentity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Let users verify their identity by text (SMS)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).", + "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enforceIpRangesEveryRequest", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce login IP ranges on every request", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.", + "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceLogoutOnSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force logout on session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.", + "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceRelogin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force (admin) relogin after Login-As-User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_scriptUseSandbox",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html",
+ "controlCategory": "Apps",
+ "title": "Enable client generated scripts sandbox",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_smDefaultMode",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html",
+ "controlCategory": "Apps",
+ "title": "Enable default deny with new ACL rules",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_sncUserLockoutCheck",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html",
+ "controlCategory": "Apps",
+ "title": "Enable managing failed login attempts",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ",
+ "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_soapRequireContentTypeXml",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html",
+ "controlCategory": "Apps",
+ "title": "Enable SOAP content type checking",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_soapStrictSecurity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html",
+ "controlCategory": "Apps",
+ "title": "Enable SOAP request strict security",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_systemSecurity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html",
+ "controlCategory": "Apps",
+ "title": "Activate security jump start (ACL rules) plugin",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.",
+ "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_uiSessionTimeout",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html",
+ "controlCategory": "Apps",
+ "title": "Enable session activity timeout",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "This remediation enforces timely expiration of user account.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_useCsrfToken",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html",
+ "controlCategory": "Apps",
+ "title": "Enable anti-CSRF token",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SNOW_userCookieMaxLifeSpanInDays",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html",
+ "controlCategory": "Apps",
+ "title": "Enable absolute session timeout",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ",
+ "remediationImpact": "Forcing the user to relogin after specific days.",
+ "service": "MDA_SNOW",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Workplace_SSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso",
+ "controlCategory": "Apps",
+ "title": "Adopt SSO (Single sign on) in Workplace by Meta",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ",
+ "remediationImpact": "None.",
+ "service": "MDA_Workplace",
+ "threats": ["Account breach", "Data Exfiltration", "Password Cracking"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_AdminPassChange",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb",
+ "controlCategory": "Apps",
+ "title": "Block admins to set passwords",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_BlockAccountAssumption",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account",
+ "controlCategory": "Apps",
+ "title": "Block account assumption",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_bypassIPrestrictions",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274",
+ "controlCategory": "Apps",
+ "title": "Block customers to bypass IP restrictions",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ",
+ "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_EmailNotificationsforPassChange",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb",
+ "controlCategory": "Apps",
+ "title": "Send a notification on password change for admins, agents, and end users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ",
+ "remediationImpact": "End users will get email notifications when their passwords change.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_enableapp",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app",
+ "controlCategory": "Apps",
+ "title": "Admins and agents can use the Zendesk Support mobile app",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_IPrestrictions",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274",
+ "controlCategory": "Apps",
+ "title": "Enable IP restrictions",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ",
+ "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_MFA",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874",
+ "controlCategory": "Apps",
+ "title": "Enable and adopt two-factor authentication (2FA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ",
+ "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration", "Password Cracking"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_sessionexpiry",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time",
+ "controlCategory": "Apps",
+ "title": "Enable session timeout for users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ",
+ "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_SSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274",
+ "controlCategory": "Apps",
+ "title": "Enable external Authentication (google or microsoft or SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ",
+ "remediationImpact": "See in learn more link.",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration", "Password Cracking"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zendesk_ZanAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274",
+ "controlCategory": "Apps",
+ "title": "Enable Zendesk authentication",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ",
+ "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ",
+ "service": "MDA_Zendesk",
+ "threats": ["Account breach", "Data Exfiltration", "Password Cracking"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zoom_BlockDomains",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains",
+ "controlCategory": "Apps",
+ "title": "Block users in specific domains from joining meetings and webinars",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ",
+ "remediationImpact": "This setting block users to signin from specific domains.",
+ "service": "MDA_Zoom",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zoom_MeetingE2eEncryption",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings",
+ "controlCategory": "Apps",
+ "title": "Enforce end to end encryption in all Zoom meetings",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ",
+ "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.",
+ "service": "MDA_Zoom",
+ "threats": ["Account breach", "Data Exfiltration"],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Zoom_MFA",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": ["Account breach", "Data Exfiltration"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": ["Data Exfiltration", "Account breach", "Password Cracking"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": ["Data Exfiltration", "Account breach"], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] +} diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json new file mode 100644 index 0000000000..1f32e6009b --- /dev/null +++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json 
@@ -0,0 +1,161 @@
+{
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores",
+ "value": [
+ {
+ "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-01",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "activeUserCount": 1,
+ "createdDateTime": "2024-01-01T00:00:00Z",
+ "currentScore": 128,
+ "enabledServices": [
+ "HasOCAS",
+ "HasCLB",
+ "HasMDOP1",
+ "HasMDOP2",
+ "HasEXOP2",
+ "HasSPOP2",
+ "HasAADFree"
+ ],
+ "licensedUserCount": 100,
+ "maxScore": 1000,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "averageComparativeScores": [
+ {
+ "basis": "AllTenants",
+ "averageScore": 54.65,
+ "appsScore": 29.65,
+ "appsScoreMax": 79,
+ "dataScore": 0.46,
+ "dataScoreMax": 3.27,
+ "deviceScore": 9.13,
+ "deviceScoreMax": 16.76,
+ "identityScore": 36.02,
+ "identityScoreMax": 59.42,
+ "infrastructureScore": 0,
+ "infrastructureScoreMax": 0
+ },
+ {
+ "basis": "TotalSeats",
+ "averageScore": 48.98,
+ "SeatSizeRangeLowerValue": "1",
+ "SeatSizeRangeUpperValue": "100",
+ "appsScore": 34.15,
+ "appsScoreMax": 94.46,
+ "dataScore": 0.5,
+ "dataScoreMax": 3.97,
+ "deviceScore": 6.87,
+ "deviceScoreMax": 12.65,
+ "identityScore": 34.16,
+ "identityScoreMax": 59.5,
+ "infrastructureScore": 0,
+ "infrastructureScoreMax": 0
+ }
+ ],
+ "controlScores": [
+ {
+ "controlCategory": "Apps",
+ "controlName": "spo_idle_session_timeout",
+ "description": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t",
+ "score": 0,
+ "lastSynced": "2024-01-01T17:12:14Z",
+ "implementationStatus": "The setting is not compliant.",
+ "on": "false",
+ "scoreInPercentage": 0
+ },
+ {
+ "controlCategory": "Apps",
+ "controlName": "spo_legacy_auth",
+ "description": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t",
+ "score": 0,
+ "lastSynced": "2024-01-01T17:12:14Z",
+ "implementationStatus": "The setting is not compliant.",
+ "on": "false",
+ "scoreInPercentage": 0
+ }
+ ]
+ },
+ {
+ "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-02",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "activeUserCount": 1,
+ "createdDateTime": "2024-01-01T00:00:00Z",
+ "currentScore": 128,
+ "enabledServices": [
+ "HasOCAS",
+ "HasCLB",
+ "HasMDOP1",
+ "HasMDOP2",
+ "HasEXOP2",
+ "HasSPOP2",
+ "HasAADFree"
+ ],
+ "licensedUserCount": 0,
+ "maxScore": 274,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "averageComparativeScores": [
+ {
+ "basis": "AllTenants",
+ "averageScore": 54.65,
+ "appsScore": 29.65,
+ "appsScoreMax": 79,
+ "dataScore": 0.46,
+ "dataScoreMax": 3.27,
+ "deviceScore": 9.13,
+ "deviceScoreMax": 16.76,
+ "identityScore": 36.02,
+ "identityScoreMax": 59.42,
+ "infrastructureScore": 0,
+ "infrastructureScoreMax": 0
+ },
+ {
+ "basis": "TotalSeats",
+ "averageScore": 48.98,
+ "SeatSizeRangeLowerValue": "1",
+ "SeatSizeRangeUpperValue": "100",
+ "appsScore": 34.15,
+ "appsScoreMax": 94.46,
+ "dataScore": 0.5,
+ "dataScoreMax": 3.97,
+ "deviceScore": 6.87,
+ "deviceScoreMax": 12.65,
+ "identityScore": 34.16,
+ "identityScoreMax": 59.5,
+ "infrastructureScore": 0,
+ "infrastructureScoreMax": 0
+ }
+ ],
+ "controlScores": [
+ {
+ "controlCategory": "Apps",
+ "controlName": "McasFirewallLogUpload",
+ "description": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. 
Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.",
+ "score": 0,
+ "lastSynced": "2024-01-01T04:34:13Z",
+ "implementationStatus": "Feature in place: false.",
+ "on": "false",
+ "scoreInPercentage": 0
+ },
+ {
+ "controlCategory": "Apps",
+ "controlName": "McasCutomActivityPolicy",
+ "description": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.",
+ "score": 0,
+ "lastSynced": "2024-01-01T04:34:13Z",
+ "implementationStatus": "Policy in place: false.",
+ "on": "false",
+ "scoreInPercentage": 0
+ }
+ ]
+ }
+ ]
+}
diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json
new file mode 100644
index 0000000000..c8ea94b058
--- /dev/null
+++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore.json
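Review bot: The second secureScores entry in this fixture carries the id suffix `_2024-01-02` but repeats the first entry's `"createdDateTime": "2024-01-01T00:00:00Z"`, so the two snapshots differ only in the id string and in the licensedUserCount/maxScore values. If the mapper derives the run timestamp or snapshot ordering from createdDateTime (the mapper itself is not in this hunk), this fixture cannot tell the two records apart by date; setting the second record to `"createdDateTime": "2024-01-02T00:00:00Z"` would make the multi-snapshot case actually exercise that path. The placeholder tenant id `12345678-1234-1234-1234-1234567890abcd` is also not a well-formed GUID (its last group has 14 hex characters rather than 12), which only matters if fingerprinting or input validation ever checks the id shape, so worth confirming against the mapper before relying on this sample for that.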
@@ -0,0 +1,779 @@ +{ + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores", + "value": [ + { + "id": "12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "activeUserCount": 1, + "createdDateTime": "2024-01-01T00:00:00Z", + "currentScore": 128, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "licensedUserCount": 0, + "maxScore": 274, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "controlScores": [ + { + "controlCategory": "Apps", + "controlName": "spo_idle_session_timeout", + "description": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t", + "score": 0, + "lastSynced": "2024-01-01T17:12:14Z", + "implementationStatus": "The setting is not compliant.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "spo_legacy_auth", + "description": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t", + "score": 0, + "lastSynced": "2024-01-01T17:12:14Z", + "implementationStatus": "The setting is not compliant.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasFirewallLogUpload", + "description": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasCutomActivityPolicy", + "description": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Policy in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasCloudAppNotification", + "description": "App discovery policies can notify you when new apps or abnormal usage is observed within your organization, based on traffic logs data.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Policy in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "McasOAuthAppNotification", + "description": "OAuth app policies can help you manage app permission and notify you when a user or an admin consents to a new Open Authorization (OAuth) app. 
With this information, you can investigate which permissions each app requested and which users authorized them.", + "score": 0, + "lastSynced": "2024-01-01T04:34:13Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "AATP_DefenderForIdentityIsNotInstalled", + "description": "Installing Microsoft Defender for Identity sensors provides you with the ability to detect advanced threats in your entire identity infrastructure. Actionable security alerts are generated through the analysis of network traffic and security events.", + "score": 0, + "lastSynced": "2024-01-01T14:59:53Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_atpprotection", + "description": "Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Data", + "controlName": "dlp_datalossprevention", + "description": "Data Loss Prevention (DLP) policies allows content in multiple locations, such as, devices, Exchange online and Teams chats to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "exo_individualsharing", + "description": "Users should not be allowed to share the full details of their calendars with external users.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safedocuments", + 
"description": "Safe Documents uses Microsoft Defender for Endpoint to scan documents and files for malicious content. To keep you protected, Safe Documents sends files to the Defender for Endpoint cloud for analysis. Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_connectionfilter", + "description": "

    If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. These options include Exchange mail flow rules (also known as transport rules), Outlook Safe Senders, the IP Allow List (connection filtering), and allowed sender lists or allowed domain lists in anti-spam policies. Collectively, you can think of these options as safe sender lists.

    The available safe sender lists are described in the following list in order from most recommended to least recommended:
    1. Mail flow rules
    2. Outlook Safe Senders
    3. IP Allow List (connection filtering)
    4. Allowed sender lists or allowed domain lists (anti-spam policies)

    Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. Since the IP Allow List doesn't prevent malware or high confidence phishing messages from being filtered, this creates a high risk of attackers successfully delivering email to an inbox that would otherwise be filtered.

    ", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "The allowed IP addresses list in the connection filter policy is empty ", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_purviewlabelconsent", + "description": "\n To get work done, people in your organization collaborate with others both inside and outside the organization. Data doesn't always stay in your cloud, and often roams everywhere—across devices, apps, and services. When your data roams, you still want it to be secure in a way that meets your organization's business and compliance policies.\n
    \n
    \n Applying sensitivity labels to your content helps you keep your data secure by stating how sensitive certain data is in your organization. It also abstracts the data itself, letting you track the type of data without exposing sensitive data on other platforms.\n
    \n
    \n For example, applying the sensitivity label ‘highly confidential’ to a document that contains social security numbers and credit card numbers helps you identify the sensitivity of the document without knowing the actual data in the document.\n
    \n
    \n The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview data map. When you apply a label on an office document and then scan it into the Microsoft Purview data map, the label will be applied to the data asset.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "The setting was not enabled.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "CustomerLockBoxEnabled", + "description": "Turning on the customer lockbox feature requires that approval is obtained for datacenter operations that grants a Microsoft employee direct access to your content. Access may be needed by Microsoft support engineers if an issue arises. There's an expiration time on the request and content access is removed after the support engineer has fixed the issue.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Feature in place: false.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_oauth2clientprofileenabled", + "description": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in 'to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.

    When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern uthentication to log in to Microsoft 365 mailboxes", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Modern authentication for Exchange Online is enabled", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "exo_mailtipsenabled", + "description": "MailTips assist end users with identifying strange patterns to emails they send.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "MailTips for end users are disabled.", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_transportrulesallowlistdomains", + "description": "You should set Spam confidence level (SCL) in your Exchange Online mail transport rules with specific domains. Allow-listing domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain. \n\t

    Note: In order to get a score for this security control, all the active transport rule that applies to specific domains must have a Spam Confidence Level (SCL) of 0 or higher.

    ", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Spam confidence level (SCL) is not configured in mail transport rules with specific domain", + "on": "true", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mip_search_auditlog", + "description": "When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Microsoft 365 audit log search is enabled disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_mailboxaudit", + "description": "

    By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

    Rationale:

    Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.

    This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

    However, only certain mailbox types support default auditing setting 'On': User Mailboxes, Shared Mailboxes, and Microsoft 365 Group Mailboxes. The remaining mailbox types require auditing to be turned on at the mailbox level: Resource Mailboxes, Public Folder Mailboxes, and DiscoverySearch Mailbox.

    Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.

    NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Mailbox auditing for all users is disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_storageproviderrestricted", + "description": "

    This setting allows users to open certain external files while working in Outlook on the
    web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy
    policies of those third-party services.

    Ensure AdditionalStorageProvidersAvailable is restricted.

    Rationale:

    By default additional storage providers are allowed in Office on the Web (such as Box,
    Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to
    information leakage and additional risk of infection from organizational non-trusted
    storage providers. Restricting this will inherently reduce risk as it will narrow
    opportunities for infection and data leakage.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Additional storage providers are restricted in Outlook on the web is not configured correctly. Please follow next steps to correctly configure the control.", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "exo_outlookaddins", + "description": "

    Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

    Rationale:
    Attackers exploit vulnerable or custom add-ins to access user data. Disabling user installed add-ins in Microsoft Outlook reduces this threat surface.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Installing Outlook add-ins configuration is disabled", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapspam", + "description": "

    For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapphish", + "description": "

    For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-phishing policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_zapmalware", + "description": "

    Zero-hour auto purge (ZAP) quarantines the message that contains malware attachment for both read, as well as unread, messages that are found to contain malware after delivery. Only admins can view and manage messages that have been quarantined.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "score": 6, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safeattachments", + "description": "Safe Attachments in block mode prevents messages with detected malware attachments from being delivered. These messages are quarantined and only admins (not regular users) can review, release, or delete them. This will also automatically block future malware attachments.\n\t

    \n\tMDO Built-in protection policy provides safe attachments protection for everyone by default. You could also create additional Safe Attachment policies for customized Safe Attachment operations.\n ", + "score": 8, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safelinksforemail", + "description": "MDO Built-in protection policy will provide base level safe links protection for everyone by default. You could also create additional Safe Links policies for enhanced or customized Safe Links operations.", + "score": 9, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_commonattachmentsfilter", + "description": "There are certain types of files that are risker to send and receive via email due to the likelihood that they contain malware (for example, executable files). To make sure these file types don't get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachments types are treated as malware and are automatically quarantined.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_sensitivitylabelspolicies", + "description": "Set up and use data classification policies on data stored in your users' Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups.\n
    \n
    \nThe policies will help categorize your most important data so you can effectively protect it from illicit access and will help make it easier to investigate discovered breaches.\n
    \n
    \nCreation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.\n
    \n
    \nThis information was taken from Center for Internet Security (CIS).\n ", + "score": 2, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Policies were published on 1 of the 1 users", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Data", + "controlName": "mip_autosensitivitylabelspolicies", + "description": "\n Create auto-labeling policies to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files that contain sensitive info.\n
    \n This ability to apply sensitivity labels to content automatically is important because:\n
    \n You don't need to train your users on the appropriate way to use each of your classifications.\n
    \n You don't need to rely on users to classify all content correctly.\n
    \n Users no longer need to know about your policies—they can instead focus on their work.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "Policies were published on 0 of the 1 users", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_highconfidencespamaction", + "description": "Set the action that will be taken on high confidence spam detection.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_phisspamacation", + "description": "Set the action that will be taken on phishing detection.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_highconfidencephishaction", + "description": "Set the action that will be taken on high confidence phishing detection.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_bulkspamaction", + "description": "Set the action that will be taken on bulk spam detection.", + "score": 3, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_quarantineretentionperiod", + "description": "Specifies how long to keep the message in quarantine if you selected “Quarantine message” as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_allowedsenderscombined", + "description": "Never add your own accepted domains or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains to your organization. In addition, avoid adding specific senders that can bypass spam filtering.", + "score": 2, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_bulkthreshold", + "description": "Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the bulk spam filtering verdict that you configure on the next page. A higher value indicates that the message is less desirable (more likely to resemble spam). While the default value is 7, 6 or lower is the recommended value.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_spamaction", + "description": "Set the action that will be taken on spam detection.", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_autoforwardingmode", + "description": "", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientexternallimitperhour", + "description": "Configure the maximum number of external recipients that a user can email per hour. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientinternallimitperhour", + "description": "Configure the maximum number of recipients that a user can send to per hour for internal recipients. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_recipientlimitperday", + "description": "Configure the maximum number of recipients that a user can send to within a day. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "score": 1, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_thresholdreachedaction", + "description": "Configure action to take when any of the limits specified in the outbound anti-spam policy are reached. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_enablemailboxintelligence", + "description": "\n Turns on artificial intelligence (AI) that identifies users’ email patterns with their frequent contacts to spot potential phishing attempts.\n ", + "score": 8, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_mailboxintelligenceprotection", + "description": "\n Enables enhanced impersonation results based on each user's individual sender map and allows you to define specific actions for impersonated messages.\n
    \n
    \n This setting is available only if ‘Enable mailbox intelligence’ is selected.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_mailboxintelligenceprotectionaction", + "description": "\n This setting specifies what to do with messages for impersonation detections from mailbox intelligence results.\n
    \n
    \n If a message is detected to be an impersonated user by mailbox intelligence, no action will be applied by default. We recommend moving the message to the recipients’ junk email folder and strongly recommend quarantining it.\n
    \n
    \n This setting is available only if the ‘Ensure that intelligence for impersonation protection is enabled’ setting is properly configured.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_enabledomainstoprotect", + "description": "\n Prevents specified domains from being impersonated by the message sender's domain.\n
    \n
    \n When you add domains to the ‘Enable domains to protect’ list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if it’s sent to a recipient that the policy applies to.\n
    \n
    \n If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message.\n
    \n
    \n By default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_phishthresholdlevel", + "description": "\n The threshold controls the sensitivity with which machine learning models are applied to email messages to determine whether a phishing attempt has occurred.\n
    \n A higher value indicates greater sensitivity. The default value is 1, but 2 or 3 are the recommended values.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_similardomainssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for domain impersonation detections.\n
    \n
    \n When the ‘Show domain impersonation safety tip’ is enabled, the tip “This sender might be impersonating a domain that's associated with your organization” is shown to recipients in messages where the sender's email domain is included in domain impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_similaruserssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation safety tip’ is enabled, the tip “This sender appears to be similar to someone who previously sent you email but may not be that person” is shown to recipients in messages where the sender's email address is included in user impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targeteddomainprotectionaction", + "description": "\n This setting specifies the action to take on detected domain impersonation messages.\n
    \n
    \n If a message is detected from an impersonated domain, no action is taken by default. We recommend quarantining the message.\n
    \n
    \n This setting is available only if ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targeteduserprotectionaction", + "description": "\n This setting specifies the action to take on detected user impersonation messages.\n
    \n
    \n If a message is detected from an impersonated user, no default action will be taken. We recommend quarantining the message.\n
    \n
    \n Whenever you select ‘Quarantine the message’, a ‘Select quarantine policy’ box is available.\n
    \n Quarantine policies define who is allowed to do to quarantined messages.\n
    \n
    \n This setting is available only if ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_targetedusersprotection", + "description": "\n Prevents specified internal or external email addresses from being impersonated as message senders in phishing attempts.\n
    \n By default, impersonated user protection is disabled, and no sender email addresses are covered by impersonation protection, whether in the default policy or in custom policies.\n
    \n
    \n We highly recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_unusualcharacterssafetytips", + "description": "\n This setting specifies whether to enable the safety tip that is shown to recipients for unusual characters in domain and user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation unusual safety tip’ is enabled, the tip is shown to recipients in messages where the sender's name or email address contains characters that are not typically used together, such as a mix of mathematical symbols and plain text or a mix of uppercase and lowercase letters.\n
    \n
    \n Example tip:\n
    \n ‘The email address MARY@CoNTᴏSO.CᴏM includes unexpected letters or numbers. We recommend you do not interact with this message.’\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_spam_notifications_only_for_admins", + "description": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.

    Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as
    outlined in the highest priority policy listed.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safeattachmentpolicy", + "description": "

    The Safe Attachments policy helps protect users from malware in email attachments by
    scanning attachments for viruses, malware, and other malicious content. When an email
    attachment is received by a user, Safe Attachments will scan the attachment in a secure
    environment and provide a verdict on whether the attachment is safe or not.

    Rationale:
    Enabling Safe Attachments policy helps protect against malware threats in email
    attachments by analyzing suspicious attachments in a secure, cloud-based environment
    before they are delivered to the user's inbox. This provides an additional layer of
    security and can prevent new or unseen types of malware from infiltrating the
    organization's network.

    ", + "score": 5, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_safelinksforOfficeApps", + "description": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_antiphishingpolicies", + "description": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

    Rationale: Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Apps", + "controlName": "mdo_blockmailforward", + "description": "

    Exchange Online offers several methods of managing the flow of email messages.
    These are Remote domain, Transport Rules, and Anti-spam outbound policies. These
    methods work together to provide comprehensive coverage for potential automatic
    forwarding channels:

    • Outlook forwarding using inbox rules
    • Outlook forwarding configured using OOF rule
    • OWA forwarding setting (ForwardingSmtpAddress)
    • Forwarding set by the admin using EAC (ForwardingAddress)
    • Forwarding using Power Automate / Flow

    NOTE:

    • In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
    • Any exclusions should be implemented based on organizational policy.

    Rationale:
    Attackers often create these rules to exfiltrate data from your tenancy, this could be
    accomplished via access to an end-user account or otherwise. An insider could also use
    one of these methods as an secondary channel to exfiltrate sensitive data.

    ", + "score": 0, + "lastSynced": "2024-01-01T13:58:47Z", + "implementationStatus": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "count": "0", + "total": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "IntegratedApps", + "description": "To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have no user consent policy in place.", + "on": "false", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "PWAgePolicyNew", + "description": "Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.", + "score": 8, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "Your current policy is set to let passwords expire.", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "SelfServicePasswordReset", + "description": "With self-service password reset in Microsoft Entra ID, users no longer need to engage help desk to reset passwords. 
This feature works well with Microsoft Entra ID dynamically banned passwords, which prevents easily guessable passwords from being used.", + "score": 1, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 0 users who don't have self-service password reset enabled.", + "count": "0", + "total": "0", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "BlockLegacyAuthentication", + "description": "Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.", + "score": 8, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 1 users that don't have legacy authentication blocked.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "MFARegistrationV2", + "description": "Multifactor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.", + "score": 9, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 out of 1 users that aren’t registered with MFA.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "AdminMFAV2", + "description": "

    Requiring multifactor authentication (MFA) for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed. At a minimum, protect the following roles: 

    • Global administrator 
    • Authentication administrator 
    • Billing administrator 
    • Conditional Access administrator 
    • Exchange administrator 
    • Helpdesk administrator 
    • Security administrator 
    • SharePoint administrator 
    • User administrator 
    ", + "score": 10, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 out of 1 users with administrative roles that aren’t registered and protected with MFA.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "SigninRiskPolicy", + "description": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication (MFA).", + "score": 7, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 of 1 users that don't have the sign-in risky policy turned on.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "UserRiskPolicy", + "description": "With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level. For example, you can block access to your resources or require a password change to get a user account back into a clean state.", + "score": 7, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 users out of 1 that do not have user risk policy enabled.", + "count": "1", + "total": "1", + "scoreInPercentage": 100 + }, + { + "controlCategory": "Identity", + "controlName": "OneAdmin", + "description": "

    Having more than one global administrator helps if you are unable to fulfill the needs or obligations of your organization. It's important to have a delegate or an emergency account someone from your team can access if necessary. It also allows admins the ability to monitor each other for signs of a breach.

    Note:

    According to CIS O365 Benchmark 2.0.0, the suggestion is to have between two to four global admins. Currently, the condition to comply is to have more than one global administrator - This security recommendation will be updated accordingly to CIS benchmark in the future.

    Rationale:

    If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.

    ", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You currently have 1 global admins.", + "count": "1", + "scoreInPercentage": 0 + }, + { + "controlCategory": "Identity", + "controlName": "RoleOverlap", + "description": "Ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached.", + "score": 0, + "lastSynced": "2024-07-11T01:07:39Z", + "implementationStatus": "You have 0 users with least privileged administrative roles.", + "count": "0", + "scoreInPercentage": 0 + } + ] + } + ] +} diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json new file mode 100644 index 0000000000..a60996bb8d --- /dev/null +++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json @@ -0,0 +1,15228 @@ +[ + { + "platform": { + "name": "Heimdall Tools", + "release": "2.10.12" + }, + "version": "2.10.12", + "statistics": {}, + "profiles": [ + { + "name": "Microsoft Secure Score Scan", + "title": "Azure Secure Score report - Tenant ID: 12345678-1234-1234-1234-1234567890abcd - Run ID: 12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "id": "Apps:spo_idle_session_timeout", + "title": "Apps:spo_idle_session_timeout", + "desc": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:spo_legacy_auth", + "title": "Apps:spo_legacy_auth", + "desc": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + } + ], + "sha256": "f33e5712f27a63e9150745c8a2ccea0463a8b2b42962f5fffd38743d6c7f47ab" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "Microsoft Secure Score", + "data": { + "reportId": "12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "tenantId": "12345678-1234-1234-1234-1234567890abcd", + "profiles": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles", + "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000", + "value": [ + { + "id": "aad_admin_accounts_separate_unassigned_cloud_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure Administrative accounts are separate and cloud-only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ", + "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.", + "service": "AzureAD", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_admin_consent_workflow", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings", + "controlCategory": "Apps", + "title": "Ensure the admin consent workflow is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_custom_banned_passwords", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection", + "controlCategory": "Apps", + "title": "Ensure custom banned passwords lists are used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ", + "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_limited_administrative_roles", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps", + "controlCategory": "Apps", + "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ", + "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_linkedin_connection_disables", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration", + "controlCategory": "Apps", + "title": "Ensure 'LinkedIn account connections' is disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ", + "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_managed_approved_public_groups_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups", + "controlCategory": "Apps", + "title": "Ensure that only organizationally managed/approved public groups exist", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ", + "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_password_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations", + "controlCategory": "Apps", + "title": "Ensure password protection is enabled for on-prem Active Directory", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ", + "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_phishing_MFA_strength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy", + "controlCategory": "Apps", + "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ", + "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_sign_in_freq_session_timeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade", + "controlCategory": "Apps", + "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_third_party_apps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure third party integrated applications are not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc1", + "controlCategory": "Identity", + "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8IIS", + "controlCategory": "Identity", + "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.", + "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc7", + "controlCategory": "Identity", + "title": "Edit misconfigured Certificate Authority ACL (ESC7)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.", + "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4ACL", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates ACL (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.", + "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEku", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc2", + "controlCategory": "Identity", + "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ", + "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc3", + "controlCategory": "Identity", + "title": "Edit misconfigured enrollment agent certificate template (ESC3)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates owner (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Edit misconfigured certificate templates owner (ESC4)", + "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8", + "controlCategory": "Identity", + "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ", + "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.", + "service": "FORMS", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "IntegratedApps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526", + "controlCategory": "Identity", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 35, + "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Data Spillage" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_AV_firewall_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that devices connecting have AV and a local firewall enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_conection_from_jail_broken_rooted_devices", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that users cannot connect from devices that are jail broken or rooted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_advanced_security_configuration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are set to require advanced security configurations", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_alphanumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_simple_password_blocked", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_encryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_lock_after_inactivity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_email_profiles_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_minimum_password_length", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_never_expires_password", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices are set to never expire passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices require the use of a password", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_reused_prohibited", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure", + "controlCategory": "Apps", + "title": "Ensure that mobile device password reuse is prohibited", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_wipe_on_multiple_signin_failures", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mcas_mda_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started", + "controlCategory": "Apps", + "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ", + "remediationImpact": "None.", + "service": "MCAS", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCloudAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create", + "controlCategory": "Apps", + "title": "Create an app discovery policy to identify new and trending cloud apps in your org ", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 75, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCutomActivityPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create", + "controlCategory": "Apps", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 80, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasFirewallLogUpload", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload", + "controlCategory": "Apps", + "title": "Deploy a log collector to discover shadow IT activity", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 82, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "remediationImpact": "This change has no known impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasOAuthAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create", + "controlCategory": "Apps", + "title": "Create an OAuth app policy to notify you about new OAuth applications", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 57, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ", + "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/", + "controlCategory": "Apps", + "title": "Enable Single Sing On (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ", + "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_access", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App access requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_dataprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App data protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_UsersAffected", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - Users that are affected by policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ", + "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_passwordExpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/", + "controlCategory": "Apps", + "title": "Enable Password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ", + "remediationImpact": "See learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso", + "controlCategory": "Apps", + "title": "Enable Single Sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ", + "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ", + "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailLockoutSecs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Lockout timer", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailMaxAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Number of attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ", + "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumNumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum numeric characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ", + "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumSpecialCharacters", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum special characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ", + "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_PasswordMaxAgeDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ", + "remediationImpact": "This setting disable users to fork private repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PublicRepoCreation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Members will be able to create public repositories, visible to anyone'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ", + "remediationImpact": "This setting blocks users from creating public repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoTransferOrDeletion", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories", + "controlCategory": "Apps", + "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories transferring and deletion.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoVisibility_change", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Allow members to change repository visibilities for this organization'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_SAML", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on", + "controlCategory": "Apps", + "title": "Enable single sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Google_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ", + "remediationImpact": "

    Follow the guideline.

    ", + "service": "MDA_Google", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_NetDocuments_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.netdocuments.com/s/article/205220410", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in netDocuments", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ", + "remediationImpact": "See learn more link.", + "service": "MDA_NetDocuments", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ", + "remediationImpact": "This setting enforce Session time out for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_disableProtocolSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors", + "controlCategory": "Apps", + "title": "Remote Site", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "", + "remediationImpact": "Unknown", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableAdminLoginAsAnyUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Administrators Can Log In As Any User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.", + "remediationImpact": "You users must grant access before admins can log into their users.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Elevation of Privilege", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCacheAndAutocomplete", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Caching and Autocomplete on Login Page via Session settings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.", + "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupSFDC", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for non-Setup for Salesforce pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with standard headers", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUserHeaderless", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with headers disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackSetup", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for Setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableContentSniffingProtection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Sniffing protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSPOnEmail", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Security Policy protection for email templates", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnGet", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on GET requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnPost", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on POST requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableMultipleSamlConfigs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.salesforce.com/mfa-requirement-check", + "controlCategory": "Apps", + "title": "Require identity verification during multi-factor authentication (MFA) registration", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 33, + "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.", + "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.", + "service": "MDA_SF", + "threats": [ + "Password cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableSMSIdentity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Let users verify their identity by text (SMS)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).", + "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enforceIpRangesEveryRequest", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce login IP ranges on every request", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.", + "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceLogoutOnSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force logout on session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.", + "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceRelogin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force (admin) relogin after Login-As-User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptUseSandbox", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html", + "controlCategory": "Apps", + "title": "Enable client generated scripts sandbox", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_smDefaultMode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html", + "controlCategory": "Apps", + "title": "Enable default deny with new ACL rules", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_sncUserLockoutCheck", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html", + "controlCategory": "Apps", + "title": "Enable managing failed login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ", + "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapRequireContentTypeXml", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html", + "controlCategory": "Apps", + "title": "Enable SOAP content type checking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapStrictSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html", + "controlCategory": "Apps", + "title": "Enable SOAP request strict security", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_systemSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html", + "controlCategory": "Apps", + "title": "Activate security jump start (ACL rules) plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.", + "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_uiSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html", + "controlCategory": "Apps", + "title": "Enable session activity timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces timely expiration of user account.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_useCsrfToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html", + "controlCategory": "Apps", + "title": "Enable anti-CSRF token", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_userCookieMaxLifeSpanInDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html", + "controlCategory": "Apps", + "title": "Enable absolute session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Forcing the user to relogin after specific days.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Workplace_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in Workplace by Meta", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ", + "remediationImpact": "None.", + "service": "MDA_Workplace", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_AdminPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Block admins to set passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_BlockAccountAssumption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account", + "controlCategory": "Apps", + "title": "Block account assumption", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_bypassIPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Block customers to bypass IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_EmailNotificationsforPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Send a notification on password change for admins, agents, and end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ", + "remediationImpact": "End users will get email notifications when their passwords change.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_enableapp", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app", + "controlCategory": "Apps", + "title": "Admins and agents can use the Zendesk Support mobile app", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_IPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874", + "controlCategory": "Apps", + "title": "Enable and adopt two-factor authentication (2FA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ", + "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_sessionexpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time", + "controlCategory": "Apps", + "title": "Enable session timeout for users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ", + "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable external Authentication (google or microsoft or SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_ZanAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable Zendesk authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ", + "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_BlockDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains", + "controlCategory": "Apps", + "title": "Block users in specific domains from joining meetings and webinars", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ", + "remediationImpact": "This setting block users to signin from specific domains.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MeetingE2eEncryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings", + "controlCategory": "Apps", + "title": "Enforce end to end encryption in all Zoom meetings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ", + "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] + }, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "currentScore": 128, + "maxScore": 1000, + "secureScores": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores" + } + } + } + ] + } + }, + { + "platform": { + "name": "Heimdall Tools", + "release": "2.10.12" + }, + "version": "2.10.12", + "statistics": {}, + "profiles": [ + { + "name": "Microsoft Secure Score Scan", + "title": "Azure Secure Score report - Tenant ID: 12345678-1234-1234-1234-1234567890abcd - Run ID: 12345678-1234-1234-1234-1234567890abcd_2024-01-02", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "id": "Apps:McasFirewallLogUpload", + "title": "Deploy a log collector to discover shadow IT 
activity", + "desc": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 82 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "label": "fix" + }, + { + "data": "This change has no known impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasCutomActivityPolicy", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "desc": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.", + "impact": 0.2, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 2 + ], + "rank": [ + 80 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policy in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + } + ], + "sha256": "6fca1d41d6840f9beccb7ca15cdb393acd342366067da6ff6f9631e5bd0370e3" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "Microsoft Secure Score", + "data": { + "reportId": "12345678-1234-1234-1234-1234567890abcd_2024-01-02", + "tenantId": "12345678-1234-1234-1234-1234567890abcd", + "profiles": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles", + "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000", + "value": [ + { + "id": "aad_admin_accounts_separate_unassigned_cloud_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure Administrative accounts are separate and cloud-only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ", + "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.", + "service": "AzureAD", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_admin_consent_workflow", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings", + "controlCategory": "Apps", + "title": "Ensure the admin consent workflow is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_custom_banned_passwords", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection", + "controlCategory": "Apps", + "title": "Ensure custom banned passwords lists are used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ", + "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_limited_administrative_roles", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps", + "controlCategory": "Apps", + "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ", + "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_linkedin_connection_disables", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration", + "controlCategory": "Apps", + "title": "Ensure 'LinkedIn account connections' is disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ", + "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_managed_approved_public_groups_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups", + "controlCategory": "Apps", + "title": "Ensure that only organizationally managed/approved public groups exist", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ", + "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_password_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations", + "controlCategory": "Apps", + "title": "Ensure password protection is enabled for on-prem Active Directory", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ", + "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_phishing_MFA_strength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy", + "controlCategory": "Apps", + "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ", + "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_sign_in_freq_session_timeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade", + "controlCategory": "Apps", + "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_third_party_apps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure third party integrated applications are not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc1", + "controlCategory": "Identity", + "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8IIS", + "controlCategory": "Identity", + "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.", + "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc7", + "controlCategory": "Identity", + "title": "Edit misconfigured Certificate Authority ACL (ESC7)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.", + "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4ACL", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates ACL (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.", + "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEku", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc2", + "controlCategory": "Identity", + "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ", + "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc3", + "controlCategory": "Identity", + "title": "Edit misconfigured enrollment agent certificate template (ESC3)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates owner (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Edit misconfigured certificate templates owner (ESC4)", + "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8", + "controlCategory": "Identity", + "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ", + "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.", + "service": "FORMS", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "IntegratedApps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526", + "controlCategory": "Identity", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 35, + "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Data Spillage" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_AV_firewall_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that devices connecting have AV and a local firewall enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_conection_from_jail_broken_rooted_devices", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that users cannot connect from devices that are jail broken or rooted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_advanced_security_configuration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are set to require advanced security configurations", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_alphanumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_simple_password_blocked", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_encryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_lock_after_inactivity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_email_profiles_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_minimum_password_length", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_never_expires_password", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices are set to never expire passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices require the use of a password", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_reused_prohibited", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure", + "controlCategory": "Apps", + "title": "Ensure that mobile device password reuse is prohibited", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_wipe_on_multiple_signin_failures", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mcas_mda_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started", + "controlCategory": "Apps", + "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ", + "remediationImpact": "None.", + "service": "MCAS", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCloudAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create", + "controlCategory": "Apps", + "title": "Create an app discovery policy to identify new and trending cloud apps in your org ", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 75, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCutomActivityPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create", + "controlCategory": "Apps", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 80, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasFirewallLogUpload", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload", + "controlCategory": "Apps", + "title": "Deploy a log collector to discover shadow IT activity", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 82, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "remediationImpact": "This change has no known impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasOAuthAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create", + "controlCategory": "Apps", + "title": "Create an OAuth app policy to notify you about new OAuth applications", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 57, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ", + "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/", + "controlCategory": "Apps", + "title": "Enable Single Sing On (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ", + "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_access", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App access requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_dataprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App data protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_UsersAffected", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - Users that are affected by policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ", + "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_passwordExpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/", + "controlCategory": "Apps", + "title": "Enable Password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ", + "remediationImpact": "See learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso", + "controlCategory": "Apps", + "title": "Enable Single Sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ", + "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ", + "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailLockoutSecs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Lockout timer", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailMaxAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Number of attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ", + "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumNumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum numeric characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ", + "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumSpecialCharacters", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum special characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ", + "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_PasswordMaxAgeDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ",
+ "remediationImpact": "This setting disable users to fork private repositories.",
+ "service": "MDA_GitHub",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_GitHub_PublicRepoCreation",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization",
+ "controlCategory": "Apps",
+ "title": "Disable 'Members will be able to create public repositories, visible to anyone'",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ",
+ "remediationImpact": "This setting blocks users from creating public repositories.",
+ "service": "MDA_GitHub",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_GitHub_RepoTransferOrDeletion",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories",
+ "controlCategory": "Apps",
+ "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ",
+ "remediationImpact": "This setting blocks repositories transferring and deletion.",
+ "service": "MDA_GitHub",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_GitHub_RepoVisibility_change",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization",
+ "controlCategory": "Apps",
+ "title": "Disable 'Allow members to change repository visibilities for this organization'",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ",
+ "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).",
+ "service": "MDA_GitHub",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_GitHub_SAML",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on",
+ "controlCategory": "Apps",
+ "title": "Enable single sign on (SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ",
+ "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.",
+ "service": "MDA_GitHub",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Google_EnableTwoFactorAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication (MFA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ",
+ "remediationImpact": "

    Follow the guideline.

    ",
+ "service": "MDA_Google",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_NetDocuments_SSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.netdocuments.com/s/article/205220410",
+ "controlCategory": "Apps",
+ "title": "Adopt SSO (Single sign on) in netDocuments",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ",
+ "remediationImpact": "See learn more link.",
+ "service": "MDA_NetDocuments",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Okta_EnhancedPassword",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy",
+ "controlCategory": "Apps",
+ "title": "Enhance password requirements",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ",
+ "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.",
+ "service": "MDA_Okta",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Okta_MFA",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ",
+ "remediationImpact": "This setting enforce multi factor authentication for all Okta users.",
+ "service": "MDA_Okta",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Okta_PasswordExpires",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object",
+ "controlCategory": "Apps",
+ "title": "Password expiry requirements",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ",
+ "remediationImpact": "This settings specified password expiry requirements.",
+ "service": "MDA_Okta",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Okta_SessionTimeout",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy",
+ "controlCategory": "Apps",
+ "title": "Enable session timeout for web users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ",
+ "remediationImpact": "This setting enforce Session time out for all Okta users.",
+ "service": "MDA_Okta",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_disableProtocolSecurity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors",
+ "controlCategory": "Apps",
+ "title": "Remote Site",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "",
+ "remediationImpact": "Unknown",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableAdminLoginAsAnyUser",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Disable Administrators Can Log In As Any User",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.",
+ "remediationImpact": "You users must grant access before admins can log into their users.",
+ "service": "MDA_SF",
+ "threats": [
+ "Account breach",
+ "Elevation of Privilege",
+ "Data Exfiltration",
+ "Data Deletion",
+ "Malicious Insider"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableCacheAndAutocomplete",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Disable Caching and Autocomplete on Login Page via Session settings",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.",
+ "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableClickjackNonsetupSFDC",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable clickjack protection for non-Setup for Salesforce pages",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableClickjackNonsetupUser",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable clickjack protection for customer VisualForce pages with standard headers",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableClickjackNonsetupUserHeaderless",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable clickjack protection for customer VisualForce pages with headers disabled",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableClickjackSetup",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable clickjack protection for Setup pages",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableContentSniffingProtection",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable Content Sniffing protection",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableCSPOnEmail",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable Content Security Policy protection for email templates",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableCSRFOnGet",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable CSRF protection on GET requests on non-setup pages",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableCSRFOnPost",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enable CSRF protection on POST requests on non-setup pages",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..",
+ "remediationImpact": "Your users will not be impacted by this setting.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableMultipleSamlConfigs",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.salesforce.com/mfa-requirement-check",
+ "controlCategory": "Apps",
+ "title": "Require identity verification during multi-factor authentication (MFA) registration",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 33,
+ "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.",
+ "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.",
+ "service": "MDA_SF",
+ "threats": [
+ "Password cracking",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enableSMSIdentity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Let users verify their identity by text (SMS)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).",
+ "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ",
+ "service": "MDA_SF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Data Deletion",
+ "Malicious Insider"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_enforceIpRangesEveryRequest",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Enforce login IP ranges on every request",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.",
+ "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.",
+ "service": "MDA_SF",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_forceLogoutOnSessionTimeout",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Force logout on session timeout",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.",
+ "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.",
+ "service": "MDA_SF",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Data Deletion",
+ "Malicious Insider"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_SF_forceRelogin",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5",
+ "controlCategory": "Apps",
+ "title": "Force (admin) relogin after Login-As-User",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptUseSandbox", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html", + "controlCategory": "Apps", + "title": "Enable client generated scripts sandbox", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_smDefaultMode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html", + "controlCategory": "Apps", + "title": "Enable default deny with new ACL rules", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_sncUserLockoutCheck", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html", + "controlCategory": "Apps", + "title": "Enable managing failed login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ", + "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapRequireContentTypeXml", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html", + "controlCategory": "Apps", + "title": "Enable SOAP content type checking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapStrictSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html", + "controlCategory": "Apps", + "title": "Enable SOAP request strict security", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_systemSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html", + "controlCategory": "Apps", + "title": "Activate security jump start (ACL rules) plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.", + "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_uiSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html", + "controlCategory": "Apps", + "title": "Enable session activity timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces timely expiration of user account.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_useCsrfToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html", + "controlCategory": "Apps", + "title": "Enable anti-CSRF token", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_userCookieMaxLifeSpanInDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html", + "controlCategory": "Apps", + "title": "Enable absolute session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Forcing the user to relogin after specific days.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Workplace_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in Workplace by Meta", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ", + "remediationImpact": "None.", + "service": "MDA_Workplace", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_AdminPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Block admins to set passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_BlockAccountAssumption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account", + "controlCategory": "Apps", + "title": "Block account assumption", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_bypassIPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Block customers to bypass IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_EmailNotificationsforPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Send a notification on password change for admins, agents, and end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ", + "remediationImpact": "End users will get email notifications when their passwords change.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_enableapp", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app", + "controlCategory": "Apps", + "title": "Admins and agents can use the Zendesk Support mobile app", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_IPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874", + "controlCategory": "Apps", + "title": "Enable and adopt two-factor authentication (2FA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ", + "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_sessionexpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time", + "controlCategory": "Apps", + "title": "Enable session timeout for users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ", + "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable external Authentication (google or microsoft or SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_ZanAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable Zendesk authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ", + "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_BlockDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains", + "controlCategory": "Apps", + "title": "Block users in specific domains from joining meetings and webinars", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ", + "remediationImpact": "This setting block users to signin from specific domains.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MeetingE2eEncryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings", + "controlCategory": "Apps", + "title": "Enforce end to end encryption in all Zoom meetings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ", + "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] + }, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "currentScore": 128, + "maxScore": 274, + "secureScores": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores" + } + } + } + ] + } + } +] \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json new file mode 100644 index 0000000000..bcc3333eba --- /dev/null +++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json 
@@ -0,0 +1,10548 @@ +[ + { + "platform": { + "name": "Heimdall Tools", + "release": "2.10.12" + }, + "version": "2.10.12", + "statistics": {}, + "profiles": [ + { + "name": "Microsoft Secure Score Scan", + "title": "Azure Secure Score report - Tenant ID: 12345678-1234-1234-1234-1234567890abcd - Run ID: 12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "id": "Apps:spo_idle_session_timeout", + "title": "Apps:spo_idle_session_timeout", + "desc": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:spo_legacy_auth", + "title": "Apps:spo_legacy_auth", + "desc": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasFirewallLogUpload", + "title": "Deploy a log collector to discover shadow IT activity", + "desc": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 82 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "label": "fix" + }, + { + "data": "This change has no known impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasCutomActivityPolicy", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "desc": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.", + "impact": 0.2, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 2 + ], + "rank": [ + 80 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policy in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasCloudAppNotification", + "title": "Create an app discovery policy to identify new and trending cloud apps in your org ", + "desc": "App discovery policies can notify you when new apps or abnormal usage is observed within your organization, based on traffic logs data.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 75 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policy in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasOAuthAppNotification", + "title": "Create an OAuth app policy to notify you about new OAuth applications", + "desc": "OAuth app policies can help you manage app permission and notify you when a user or an admin consents to a new Open Authorization (OAuth) app. With this information, you can investigate which permissions each app requested and which users authorized them.", + "impact": 0.4, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 4 + ], + "rank": [ + 57 + ], + "tiers": [ + "Defense In Depth" + ], + "threats": [ + [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:AATP_DefenderForIdentityIsNotInstalled", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "desc": "Installing Microsoft Defender for Identity sensors provides you with the ability to detect advanced threats in your entire identity infrastructure. Actionable security alerts are generated through the analysis of network traffic and security events.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 5 + ], + "rank": [ + 59 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "Azure ATP" + ], + "userImpacts": [ + "low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_atpprotection", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "desc": "Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:dlp_datalossprevention", + "title": "Ensure DLP policies are enabled", + "desc": "Data Loss Prevention (DLP) policies allows content in multiple locations, such as, devices, Exchange online and Teams chats to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Data" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MIP" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_individualsharing", + "title": "Ensure 'External sharing' of calendars is not available", + "desc": "Users should not be allowed to share the full details of their calendars with external users.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safedocuments", + "title": "Turn on Safe Documents for Office Clients", + "desc": "Safe Documents uses Microsoft Defender for Endpoint to scan documents and files for malicious content. To keep you protected, Safe Documents sends files to the Defender for Endpoint cloud for analysis. Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_connectionfilter", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "desc": "

    If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. These options include Exchange mail flow rules (also known as transport rules), Outlook Safe Senders, the IP Allow List (connection filtering), and allowed sender lists or allowed domain lists in anti-spam policies. Collectively, you can think of these options as safe sender lists.

    The available safe sender lists are described in the following list in order from most recommended to least recommended:
    1. Mail flow rules
    2. Outlook Safe Senders
    3. IP Allow List (connection filtering)
    4. Allowed sender lists or allowed domain lists (anti-spam policies)

    Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. Since the IP Allow List doesn't prevent malware or high confidence phishing messages from being filtered, this creates a high risk of attackers successfully delivering email to an inbox that would otherwise be filtered.

    ", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "The allowed IP addresses list in the connection filter policy is empty ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_purviewlabelconsent", + "title": "Data:mip_purviewlabelconsent", + "desc": "\n To get work done, people in your organization collaborate with others both inside and outside the organization. Data doesn't always stay in your cloud, and often roams everywhere—across devices, apps, and services. When your data roams, you still want it to be secure in a way that meets your organization's business and compliance policies.\n
    \n
    \n Applying sensitivity labels to your content helps you keep your data secure by stating how sensitive certain data is in your organization. It also abstracts the data itself, letting you track the type of data without exposing sensitive data on other platforms.\n
    \n
    \n For example, applying the sensitivity label ‘highly confidential’ to a document that contains social security numbers and credit card numbers helps you identify the sensitivity of the document without knowing the actual data in the document.\n
    \n
    \n The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview data map. When you apply a label on an office document and then scan it into the Microsoft Purview data map, the label will be applied to the data asset.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting was not enabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:CustomerLockBoxEnabled", + "title": "Ensure the customer lockbox feature is enabled", + "desc": "Turning on the customer lockbox feature requires that approval is obtained for datacenter operations that grants a Microsoft employee direct access to your content. Access may be needed by Microsoft support engineers if an issue arises. There's an expiration time on the request and content access is removed after the support engineer has fixed the issue.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 127 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "label": "fix" + }, + { + "data": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_oauth2clientprofileenabled", + "title": "Ensure modern authentication for Exchange Online is enabled", + "desc": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in 'to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.

    When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern uthentication to log in to Microsoft 365 mailboxes", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Account breach", + "Data Exfiltration" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "label": "fix" + }, + { + "data": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Modern authentication for Exchange Online is enabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_mailtipsenabled", + "title": "Ensure MailTips are enabled for end users", + "desc": "MailTips assist end users with identifying strange patterns to emails they send.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "label": "fix" + }, + { + "data": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "MailTips for end users are disabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_transportrulesallowlistdomains", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "desc": "You should set Spam confidence level (SCL) in your Exchange Online mail transport rules with specific domains. Allow-listing domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain. \n\t

    Note: In order to get a score for this security control, all the active transport rule that applies to specific domains must have a Spam Confidence Level (SCL) of 0 or higher.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "label": "fix" + }, + { + "data": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Spam confidence level (SCL) is not configured in mail transport rules with specific domain", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mip_search_auditlog", + "title": "Apps:mip_search_auditlog", + "desc": "When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Microsoft 365 audit log search is enabled disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_mailboxaudit", + "title": "Ensure mailbox auditing for all users is Enabled", + "desc": "

    By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

    Rationale:

    Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.

    This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

    However, only certain mailbox types support default auditing setting 'On': User Mailboxes, Shared Mailboxes, and Microsoft 365 Group Mailboxes. The remaining mailbox types require auditing to be turned on at the mailbox level: Resource Mailboxes, Public Folder Mailboxes, and DiscoverySearch Mailbox.

    Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.

    NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Mailbox auditing for all users is disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_storageproviderrestricted", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "desc": "

    This setting allows users to open certain external files while working in Outlook on the
    web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy
    policies of those third-party services.

    Ensure AdditionalStorageProvidersAvailable is restricted.

    Rationale:

    By default additional storage providers are allowed in Office on the Web (such as Box,
    Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to
    information leakage and additional risk of infection from organizational non-trusted
    storage providers. Restricting this will inherently reduce risk as it will narrow
    opportunities for infection and data leakage.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "label": "fix" + }, + { + "data": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Additional storage providers are restricted in Outlook on the web is not configured correctly. Please follow next steps to correctly configure the control.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_outlookaddins", + "title": "Ensure users installing Outlook add-ins is not allowed", + "desc": "

    Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

    Rationale:
    Attackers exploit vulnerable or custom add-ins to access user data. Disabling user installed add-ins in Microsoft Outlook reduces this threat surface.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "label": "fix" + }, + { + "data": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Installing Outlook add-ins configuration is disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapspam", + "title": "Apps:mdo_zapspam", + "desc": "

    For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapphish", + "title": "Apps:mdo_zapphish", + "desc": "

    For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-phishing policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapmalware", + "title": "Apps:mdo_zapmalware", + "desc": "

    Zero-hour auto purge (ZAP) quarantines the message that contains malware attachment for both read, as well as unread, messages that are found to contain malware after delivery. Only admins can view and manage messages that have been quarantined.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safeattachments", + "title": "Turn on Safe Attachments in block mode", + "desc": "Safe Attachments in block mode prevents messages with detected malware attachments from being delivered. These messages are quarantined and only admins (not regular users) can review, release, or delete them. This will also automatically block future malware attachments.\n\t

    \n\tMDO Built-in protection policy provides safe attachments protection for everyone by default. You could also create additional Safe Attachment policies for customized Safe Attachment operations.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safelinksforemail", + "title": "Apps:mdo_safelinksforemail", + "desc": "MDO Built-in protection policy will provide base level safe links protection for everyone by default. You could also create additional Safe Links policies for enhanced or customized Safe Links operations.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_commonattachmentsfilter", + "title": "Ensure the Common Attachment Types Filter is enabled", + "desc": "There are certain types of files that are risker to send and receive via email due to the likelihood that they contain malware (for example, executable files). To make sure these file types don't get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachments types are treated as malware and are automatically quarantined.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_sensitivitylabelspolicies", + "title": "Data:mip_sensitivitylabelspolicies", + "desc": "Set up and use data classification policies on data stored in your users' Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups.\n
    \n
    \nThe policies will help categorize your most important data so you can effectively protect it from illicit access and will help make it easier to investigate discovered breaches.\n
    \n
    \nCreation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.\n
    \n
    \nThis information was taken from Center for Internet Security (CIS).\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Policies were published on 1 of the 1 users", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_autosensitivitylabelspolicies", + "title": "Data:mip_autosensitivitylabelspolicies", + "desc": "\n Create auto-labeling policies to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files that contain sensitive info.\n
    \n This ability to apply sensitivity labels to content automatically is important because:\n
    \n You don't need to train your users on the appropriate way to use each of your classifications.\n
    \n You don't need to rely on users to classify all content correctly.\n
    \n Users no longer need to know about your policies—they can instead focus on their work.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policies were published on 0 of the 1 users", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_highconfidencespamaction", + "title": "Set action to take on high confidence spam detection", + "desc": "Set the action that will be taken on high confidence spam detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_phisspamacation", + "title": "Set action to take on phishing detection", + "desc": "Set the action that will be taken on phishing detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_highconfidencephishaction", + "title": "Set action to take on high confidence phishing detection", + "desc": "Set the action that will be taken on high confidence phishing detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_bulkspamaction", + "title": "Set action to take on bulk spam detection", + "desc": "Set the action that will be taken on bulk spam detection.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_quarantineretentionperiod", + "title": "Retain spam in quarantine for 30 days", + "desc": "Specifies how long to keep the message in quarantine if you selected “Quarantine message” as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_allowedsenderscombined", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "desc": "Never add your own accepted domains or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains to your organization. In addition, avoid adding specific senders that can bypass spam filtering.", + "impact": 0.2, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 2 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_bulkthreshold", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "desc": "Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the bulk spam filtering verdict that you configure on the next page. A higher value indicates that the message is less desirable (more likely to resemble spam). While the default value is 7, 6 or lower is the recommended value.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_spamaction", + "title": "Apps:mdo_spamaction", + "desc": "Set the action that will be taken on spam detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_autoforwardingmode", + "title": "Set automatic email forwarding rules to be system controlled", + "desc": "", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientexternallimitperhour", + "title": "Set maximum number of external recipients that a user can email per hour", + "desc": "Configure the maximum number of external recipients that a user can email per hour. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientinternallimitperhour", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "desc": "Configure the maximum number of recipients that a user can send to per hour for internal recipients. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientlimitperday", + "title": "Set a daily message limit", + "desc": "Configure the maximum number of recipients that a user can send to within a day. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_thresholdreachedaction", + "title": "Apps:mdo_thresholdreachedaction", + "desc": "Configure action to take when any of the limits specified in the outbound anti-spam policy are reached. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_enablemailboxintelligence", + "title": "Ensure that mailbox intelligence is enabled", + "desc": "\n Turns on artificial intelligence (AI) that identifies users’ email patterns with their frequent contacts to spot potential phishing attempts.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_mailboxintelligenceprotection", + "title": "Ensure that intelligence for impersonation protection is enabled", + "desc": "\n Enables enhanced impersonation results based on each user's individual sender map and allows you to define specific actions for impersonated messages.\n
    \n
    \n This setting is available only if ‘Enable mailbox intelligence’ is selected.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_mailboxintelligenceprotectionaction", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "desc": "\n This setting specifies what to do with messages for impersonation detections from mailbox intelligence results.\n
    \n
    \n If a message is detected to be an impersonated user by mailbox intelligence, no action will be applied by default. We recommend moving the message to the recipients’ junk email folder and strongly recommend quarantining it.\n
    \n
    \n This setting is available only if the ‘Ensure that intelligence for impersonation protection is enabled’ setting is properly configured.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_enabledomainstoprotect", + "title": "Enable impersonated domain protection", + "desc": "\n Prevents specified domains from being impersonated by the message sender's domain.\n
    \n
    \n When you add domains to the ‘Enable domains to protect’ list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if it’s sent to a recipient that the policy applies to.\n
    \n
    \n If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message.\n
    \n
    \n By default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_phishthresholdlevel", + "title": "Set the phishing email level threshold at 2 or higher", + "desc": "\n The threshold controls the sensitivity with which machine learning models are applied to email messages to determine whether a phishing attempt has occurred.\n
    \n A higher value indicates greater sensitivity. The default value is 1, but 2 or 3 are the recommended values.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_similardomainssafetytips", + "title": "Apps:mdo_similardomainssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for domain impersonation detections.\n
    \n
    \n When the ‘Show domain impersonation safety tip’ is enabled, the tip “This sender might be impersonating a domain that's associated with your organization” is shown to recipients in messages where the sender's email domain is included in domain impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_similaruserssafetytips", + "title": "Apps:mdo_similaruserssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation safety tip’ is enabled, the tip “This sender appears to be similar to someone who previously sent you email but may not be that person” is shown to recipients in messages where the sender's email address is included in user impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targeteddomainprotectionaction", + "title": "Apps:mdo_targeteddomainprotectionaction", + "desc": "\n This setting specifies the action to take on detected domain impersonation messages.\n
    \n
    \n If a message is detected from an impersonated domain, no action is taken by default. We recommend quarantining the message.\n
    \n
    \n This setting is available only if ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targeteduserprotectionaction", + "title": "Apps:mdo_targeteduserprotectionaction", + "desc": "\n This setting specifies the action to take on detected user impersonation messages.\n
    \n
    \n If a message is detected from an impersonated user, no default action will be taken. We recommend quarantining the message.\n
    \n
    \n Whenever you select ‘Quarantine the message’, a ‘Select quarantine policy’ box is available.\n
    \n Quarantine policies define who is allowed to do to quarantined messages.\n
    \n
    \n This setting is available only if ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targetedusersprotection", + "title": "Apps:mdo_targetedusersprotection", + "desc": "\n Prevents specified internal or external email addresses from being impersonated as message senders in phishing attempts.\n
    \n By default, impersonated user protection is disabled, and no sender email addresses are covered by impersonation protection, whether in the default policy or in custom policies.\n
    \n
    \n We highly recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_unusualcharacterssafetytips", + "title": "Apps:mdo_unusualcharacterssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for unusual characters in domain and user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation unusual safety tip’ is enabled, the tip is shown to recipients in messages where the sender's name or email address contains characters that are not typically used together, such as a mix of mathematical symbols and plain text or a mix of uppercase and lowercase letters.\n
    \n
    \n Example tip:\n
    \n ‘The email address MARY@CoNTᴏSO.CᴏM includes unexpected letters or numbers. We recommend you do not interact with this message.’\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_spam_notifications_only_for_admins", + "title": "Apps:mdo_spam_notifications_only_for_admins", + "desc": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.

    Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as
    outlined in the highest priority policy listed.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safeattachmentpolicy", + "title": "Ensure Safe Attachments policy is enabled", + "desc": "

    The Safe Attachments policy helps protect users from malware in email attachments by
    scanning attachments for viruses, malware, and other malicious content. When an email
    attachment is received by a user, Safe Attachments will scan the attachment in a secure
    environment and provide a verdict on whether the attachment is safe or not.

    Rationale:
    Enabling Safe Attachments policy helps protect against malware threats in email
    attachments by analyzing suspicious attachments in a secure, cloud-based environment
    before they are delivered to the user's inbox. This provides an additional layer of
    security and can prevent new or unseen types of malware from infiltrating the
    organization's network.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "label": "fix" + }, + { + "data": "Delivery of email with attachments may be delayed while scanning is occurring.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safelinksforOfficeApps", + "title": "Apps:mdo_safelinksforOfficeApps", + "desc": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_antiphishingpolicies", + "title": "Ensure that an anti-phishing policy has been created", + "desc": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

    Rationale: Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "label": "fix" + }, + { + "data": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_blockmailforward", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "desc": "

    Exchange Online offers several methods of managing the flow of email messages.
    These are Remote domain, Transport Rules, and Anti-spam outbound policies. These
    methods work together to provide comprehensive coverage for potential automatic
    forwarding channels:

    • Outlook forwarding using inbox rules
    • Outlook forwarding configured using OOF rule
    • OWA forwarding setting (ForwardingSmtpAddress)
    • Forwarding set by the admin using EAC (ForwardingAddress)
    • Forwarding using Power Automate / Flow

    NOTE:

    • In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
    • Any exclusions should be implemented based on organizational policy.

    Rationale:
    Attackers often create these rules to exfiltrate data from your tenancy, this could be
    accomplished via access to an end-user account or otherwise. An insider could also use
    one of these methods as an secondary channel to exfiltrate sensitive data.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "label": "fix" + }, + { + "data": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:IntegratedApps", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "desc": "To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.", + "impact": 0.4, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 4 + ], + "rank": [ + 35 + ], + "tiers": [ + "Defense In Depth" + ], + "threats": [ + [ + "Data Exfiltration", + "Data Spillage" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "label": "fix" + }, + { + "data": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "You have no user consent policy in place.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:PWAgePolicyNew", + "title": "Identity:PWAgePolicyNew", + "desc": "Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Your current policy is set to let passwords expire.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:SelfServicePasswordReset", + "title": "Identity:SelfServicePasswordReset", + "desc": "With self-service password reset in Microsoft Entra ID, users no longer need to engage help desk to reset passwords. 
This feature works well with Microsoft Entra ID dynamically banned passwords, which prevents easily guessable passwords from being used.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 0 users who don't have self-service password reset enabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:BlockLegacyAuthentication", + "title": "Enable Conditional Access policies to block legacy authentication", + "desc": "Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 8 + ], + "rank": [ + 68 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Password Cracking", + "Account Breach" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "label": "fix" + }, + { + "data": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 1 users that don't have legacy authentication blocked.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:MFARegistrationV2", + "title": "Identity:MFARegistrationV2", + "desc": "Multifactor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 out of 1 users that aren’t registered with MFA.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:AdminMFAV2", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "desc": "

    Requiring multifactor authentication (MFA) for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed. At a minimum, protect the following roles: 

    • Global administrator 
    • Authentication administrator 
    • Billing administrator 
    • Conditional Access administrator 
    • Exchange administrator 
    • Helpdesk administrator 
    • Security administrator 
    • SharePoint administrator 
    • User administrator 
    ", + "impact": 1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 10 + ], + "rank": [ + 1 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "label": "fix" + }, + { + "data": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 out of 1 users with administrative roles that aren’t registered and protected with MFA.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:SigninRiskPolicy", + "title": "Identity:SigninRiskPolicy", + "desc": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication (MFA).", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 1 users that don't have the sign-in risky policy turned on.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:UserRiskPolicy", + "title": "Identity:UserRiskPolicy", + "desc": "With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level. 
For example, you can block access to your resources or require a password change to get a user account back into a clean state.",
+ "impact": 0.5,
+ "refs": [],
+ "tags": {
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ]
+ },
+ "source_location": {},
+ "descriptions": [
+ {
+ "data": "",
+ "label": "fix"
+ },
+ {
+ "data": "",
+ "label": "rationale"
+ }
+ ],
+ "results": [
+ {
+ "status": "passed",
+ "code_desc": "You have 0 users out of 1 that do not have user risk policy enabled.",
+ "start_time": "2024-01-01T00:00:00Z"
+ }
+ ]
+ },
+ {
+ "id": "Identity:OneAdmin",
+ "title": "Identity:OneAdmin",
+ "desc": "

    Having more than one global administrator helps if you are unable to fulfill the needs or obligations of your organization. It's important to have a delegate or an emergency account someone from your team can access if necessary. It also allows admins the ability to monitor each other for signs of a breach.

    Note:

    According to CIS O365 Benchmark 2.0.0, the suggestion is to have between two to four global admins. Currently, the condition to comply is to have more than one global administrator - This security recommendation will be updated accordingly to CIS benchmark in the future.

    Rationale:

    If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.

    ",
+ "impact": 0.5,
+ "refs": [],
+ "tags": {
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ]
+ },
+ "source_location": {},
+ "descriptions": [
+ {
+ "data": "",
+ "label": "fix"
+ },
+ {
+ "data": "",
+ "label": "rationale"
+ }
+ ],
+ "results": [
+ {
+ "status": "failed",
+ "code_desc": "You currently have 1 global admins.",
+ "start_time": "2024-01-01T00:00:00Z"
+ }
+ ]
+ },
+ {
+ "id": "Identity:RoleOverlap",
+ "title": "Identity:RoleOverlap",
+ "desc": "Ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached.",
+ "impact": 0.5,
+ "refs": [],
+ "tags": {
+ "nist": [
+ "SA-11",
+ "RA-5"
+ ]
+ },
+ "source_location": {},
+ "descriptions": [
+ {
+ "data": "",
+ "label": "fix"
+ },
+ {
+ "data": "",
+ "label": "rationale"
+ }
+ ],
+ "results": [
+ {
+ "status": "failed",
+ "code_desc": "You have 0 users with least privileged administrative roles.",
+ "start_time": "2024-01-01T00:00:00Z"
+ }
+ ]
+ }
+ ],
+ "sha256": "e34570699cb31e407b8e8444d1db0d5b0a12614b69ee9b5ba5e8b1068b556907"
+ }
+ ],
+ "passthrough": {
+ "auxiliary_data": [
+ {
+ "name": "Microsoft Secure Score",
+ "data": {
+ "reportId": "12345678-1234-1234-1234-1234567890abcd_2024-01-01",
+ "tenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "profiles": {
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles",
+ "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000",
+ "value": [
+ {
+ "id": "aad_admin_accounts_separate_unassigned_cloud_only",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": 
"https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide",
+ "controlCategory": "Apps",
+ "title": "Ensure Administrative accounts are separate and cloud-only",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ",
+ "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.",
+ "service": "AzureAD",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_admin_consent_workflow",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings",
+ "controlCategory": "Apps",
+ "title": "Ensure the admin consent workflow is enabled",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ",
+ "remediationImpact": "None.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_custom_banned_passwords",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection",
+ "controlCategory": "Apps",
+ "title": "Ensure custom banned passwords lists are used",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ",
+ "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Password Cracking",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_limited_administrative_roles",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps",
+ "controlCategory": "Apps",
+ "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ",
+ "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_linkedin_connection_disables",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration",
+ "controlCategory": "Apps",
+ "title": "Ensure 'LinkedIn account connections' is disabled",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ",
+ "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_managed_approved_public_groups_only",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups",
+ "controlCategory": "Apps",
+ "title": "Ensure that only organizationally managed/approved public groups exist",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ",
+ "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_password_protection",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations",
+ "controlCategory": "Apps",
+ "title": "Ensure password protection is enabled for on-prem Active Directory",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 6,
+ "rank": 10,
+ "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ",
+ "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Password Cracking",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_phishing_MFA_strength",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy",
+ "controlCategory": "Apps",
+ "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ",
+ "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Password Cracking",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_sign_in_freq_session_timeout",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade",
+ "controlCategory": "Apps",
+ "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ",
+ "remediationImpact": "None.",
+ "service": "AzureAD",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "aad_third_party_apps",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide",
+ "controlCategory": "Apps",
+ "title": "Ensure third party integrated applications are not allowed",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ",
+ "remediationImpact": "None.",
+ "service": "AzureAD",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc1",
+ "controlCategory": "Identity",
+ "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)",
+ "deprecated": false,
+ "implementationCost": "medium",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.",
+ "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "high",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc8IIS",
+ "controlCategory": "Identity",
+ "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)",
+ "deprecated": false,
+ "implementationCost": "low",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.",
+ "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "medium",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc7",
+ "controlCategory": "Identity",
+ "title": "Edit misconfigured Certificate Authority ACL (ESC7)",
+ "deprecated": false,
+ "implementationCost": "low",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.",
+ "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "high",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc4ACL",
+ "controlCategory": "Identity",
+ "title": "Edit misconfigured certificate templates ACL (ESC4)",
+ "deprecated": false,
+ "implementationCost": "low",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.",
+ "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "high",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredCertificateTemplateEku",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc2",
+ "controlCategory": "Identity",
+ "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)",
+ "deprecated": false,
+ "implementationCost": "medium",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 60,
+ "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ",
+ "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "medium",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc3",
+ "controlCategory": "Identity",
+ "title": "Edit misconfigured enrollment agent certificate template (ESC3)",
+ "deprecated": false,
+ "implementationCost": "medium",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.",
+ "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "high",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc4",
+ "controlCategory": "Identity",
+ "title": "Edit misconfigured certificate templates owner (ESC4)",
+ "deprecated": false,
+ "implementationCost": "low",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 65,
+ "remediation": "Edit misconfigured certificate templates owner (ESC4)",
+ "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.",
+ "service": "Azure ATP",
+ "threats": [],
+ "tier": "Core",
+ "userImpact": "high",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://aka.ms/mdiesc8",
+ "controlCategory": "Identity",
+ "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ", + "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.", + "service": "FORMS", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "IntegratedApps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526", + "controlCategory": "Identity", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 35, + "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Data Spillage" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_AV_firewall_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that devices connecting have AV and a local firewall enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_conection_from_jail_broken_rooted_devices", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that users cannot connect from devices that are jail broken or rooted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_advanced_security_configuration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are set to require advanced security configurations", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_alphanumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_complex_password_simple_password_blocked", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_encryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_device_lock_after_inactivity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_email_profiles_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_minimum_password_length", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_never_expires_password", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure that mobile devices are set to never expire passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_requirement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices require the use of a password", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_mobile_password_reused_prohibited", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure", + "controlCategory": "Apps", + "title": "Ensure that mobile device password reuse is prohibited", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "intune_wipe_on_multiple_signin_failures", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create", + "controlCategory": "Apps", + "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ", + "remediationImpact": "Unknown", + "service": "Intune", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mcas_mda_enabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started", + "controlCategory": "Apps", + "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ", + "remediationImpact": "None.", + "service": "MCAS", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCloudAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create", + "controlCategory": "Apps", + "title": "Create an app discovery policy to identify new and trending cloud apps in your org ", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 75, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasCutomActivityPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create", + "controlCategory": "Apps", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 80, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasFirewallLogUpload", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload", + "controlCategory": "Apps", + "title": "Deploy a log collector to discover shadow IT activity", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 82, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "remediationImpact": "This change has no known impact on your users.", + "service": "MCAS", + "threats": [ + "Data Exfiltration" + ], + "tier": "Advanced", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "McasOAuthAppNotification", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create", + "controlCategory": "Apps", + "title": "Create an OAuth app policy to notify you about new OAuth applications", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 57, + "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ", + "remediationImpact": "This change will have a moderate impact on your users.", + "service": "MCAS", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Defense In Depth", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ", + "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/", + "controlCategory": "Apps", + "title": "Enable Single Sing On (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ", + "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_access", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App access requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_dataprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App data protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_UsersAffected", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - Users that are affected by policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ", + "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_passwordExpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/", + "controlCategory": "Apps", + "title": "Enable Password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ", + "remediationImpact": "See learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso", + "controlCategory": "Apps", + "title": "Enable Single Sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ", + "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ", + "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailLockoutSecs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Lockout timer", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailMaxAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Number of attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ", + "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumNumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum numeric characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ", + "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumSpecialCharacters", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum special characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ", + "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_PasswordMaxAgeDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ", + "remediationImpact": "This setting disable users to fork private repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PublicRepoCreation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Members will be able to create public repositories, visible to anyone'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ", + "remediationImpact": "This setting blocks users from creating public repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoTransferOrDeletion", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories", + "controlCategory": "Apps", + "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories transferring and deletion.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoVisibility_change", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Allow members to change repository visibilities for this organization'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_SAML", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on", + "controlCategory": "Apps", + "title": "Enable single sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Google_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ", + "remediationImpact": "

    Follow the guideline.

    ", + "service": "MDA_Google", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_NetDocuments_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.netdocuments.com/s/article/205220410", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in netDocuments", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ", + "remediationImpact": "See learn more link.", + "service": "MDA_NetDocuments", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ", + "remediationImpact": "This setting enforce Session time out for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_disableProtocolSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors", + "controlCategory": "Apps", + "title": "Remote Site", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "", + "remediationImpact": "Unknown", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableAdminLoginAsAnyUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Administrators Can Log In As Any User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.", + "remediationImpact": "You users must grant access before admins can log into their users.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Elevation of Privilege", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCacheAndAutocomplete", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Caching and Autocomplete on Login Page via Session settings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.", + "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupSFDC", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for non-Setup for Salesforce pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with standard headers", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUserHeaderless", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with headers disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackSetup", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for Setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableContentSniffingProtection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Sniffing protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSPOnEmail", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Security Policy protection for email templates", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnGet", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on GET requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnPost", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on POST requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableMultipleSamlConfigs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.salesforce.com/mfa-requirement-check", + "controlCategory": "Apps", + "title": "Require identity verification during multi-factor authentication (MFA) registration", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 33, + "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.", + "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.", + "service": "MDA_SF", + "threats": [ + "Password cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableSMSIdentity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Let users verify their identity by text (SMS)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).", + "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enforceIpRangesEveryRequest", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce login IP ranges on every request", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.", + "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceLogoutOnSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force logout on session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.", + "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceRelogin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force (admin) relogin after Login-As-User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptUseSandbox", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html", + "controlCategory": "Apps", + "title": "Enable client generated scripts sandbox", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_smDefaultMode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html", + "controlCategory": "Apps", + "title": "Enable default deny with new ACL rules", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_sncUserLockoutCheck", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html", + "controlCategory": "Apps", + "title": "Enable managing failed login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ", + "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapRequireContentTypeXml", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html", + "controlCategory": "Apps", + "title": "Enable SOAP content type checking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapStrictSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html", + "controlCategory": "Apps", + "title": "Enable SOAP request strict security", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_systemSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html", + "controlCategory": "Apps", + "title": "Activate security jump start (ACL rules) plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.", + "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_uiSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html", + "controlCategory": "Apps", + "title": "Enable session activity timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces timely expiration of user account.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_useCsrfToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html", + "controlCategory": "Apps", + "title": "Enable anti-CSRF token", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_userCookieMaxLifeSpanInDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html", + "controlCategory": "Apps", + "title": "Enable absolute session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Forcing the user to relogin after specific days.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Workplace_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in Workplace by Meta", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ", + "remediationImpact": "None.", + "service": "MDA_Workplace", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_AdminPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Block admins to set passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_BlockAccountAssumption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account", + "controlCategory": "Apps", + "title": "Block account assumption", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_bypassIPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Block customers to bypass IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_EmailNotificationsforPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Send a notification on password change for admins, agents, and end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ", + "remediationImpact": "End users will get email notifications when their passwords change.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_enableapp", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app", + "controlCategory": "Apps", + "title": "Admins and agents can use the Zendesk Support mobile app", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_IPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874", + "controlCategory": "Apps", + "title": "Enable and adopt two-factor authentication (2FA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ", + "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_sessionexpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time", + "controlCategory": "Apps", + "title": "Enable session timeout for users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ", + "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable external Authentication (google or microsoft or SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_ZanAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable Zendesk authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ", + "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_BlockDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains", + "controlCategory": "Apps", + "title": "Block users in specific domains from joining meetings and webinars", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ", + "remediationImpact": "This setting block users to signin from specific domains.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MeetingE2eEncryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings", + "controlCategory": "Apps", + "title": "Enforce end to end encryption in all Zoom meetings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ", + "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] + }, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "currentScore": 128, + "maxScore": 274, + "secureScores": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores" + } + } + } + ] + } + } +] \ No newline at end of file diff --git a/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json new file mode 100644 index 0000000000..bcc3333eba --- /dev/null +++ b/libs/hdf-converters/sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json 
@@ -0,0 +1,10548 @@ +[ + { + "platform": { + "name": "Heimdall Tools", + "release": "2.10.12" + }, + "version": "2.10.12", + "statistics": {}, + "profiles": [ + { + "name": "Microsoft Secure Score Scan", + "title": "Azure Secure Score report - Tenant ID: 12345678-1234-1234-1234-1234567890abcd - Run ID: 12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "supports": [], + "attributes": [], + "groups": [], + "status": "loaded", + "controls": [ + { + "id": "Apps:spo_idle_session_timeout", + "title": "Apps:spo_idle_session_timeout", + "desc": "\n\t\t\tIdle session sign-out lets you specify a time at which users are warned and are later signed out of Microsoft 365 after a period of browser inactivity in SharePoint and OneDrive.\n
    \n\t\t\tThis policy is one of several you can use with SharePoint and OneDrive to balance security and user productivity and help keep your data safe, regardless of where users access the data from, what device they're working on, and how secure their network connection is.\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:spo_legacy_auth", + "title": "Apps:spo_legacy_auth", + "desc": "\n\t\t\tModern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers.\n\t\t\t
    \n\t\t\tStrong authentication controls, such as the use of multifactor authentication, may be circumvented if basic authentication is used by SharePoint applications. Requiring modern authentication for SharePoint applications ensures strong authentication mechanisms are used when establishing sessions between these applications, SharePoint, and connecting users.\n\t\t\t
    \n\t\t\tThis information was taken from Center for Internet Security (CIS).\n\t\t", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting is not compliant.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasFirewallLogUpload", + "title": "Deploy a log collector to discover shadow IT activity", + "desc": "Log collectors provide visibility into cloud app usage so you can identify if there are any apps that run without official approval, or if there is anomalous behavior. Log collectors automatically upload reports and parse the firewall/ proxy traffic logs to see if there is a match with your services in the Cloud App Catalog.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 82 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ", + "label": "fix" + }, + { + "data": "This change has no known impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasCutomActivityPolicy", + "title": "Create a custom activity policy to get alerts about suspicious usage patterns", + "desc": "Activity policies help you monitor specific activities carried out by users, or follow unexpectedly high rates of certain types of activities. After you set an activity detection policy, it starts to generate alerts. Alerts are only generated on activities that occur after you create the policy.", + "impact": 0.2, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 2 + ], + "rank": [ + 80 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policy in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasCloudAppNotification", + "title": "Create an app discovery policy to identify new and trending cloud apps in your org ", + "desc": "App discovery policies can notify you when new apps or abnormal usage is observed within your organization, based on traffic logs data.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 75 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policy in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:McasOAuthAppNotification", + "title": "Create an OAuth app policy to notify you about new OAuth applications", + "desc": "OAuth app policies can help you manage app permission and notify you when a user or an admin consents to a new Open Authorization (OAuth) app. With this information, you can investigate which permissions each app requested and which users authorized them.", + "impact": 0.4, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 4 + ], + "rank": [ + 57 + ], + "tiers": [ + "Defense In Depth" + ], + "threats": [ + [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ] + ], + "services": [ + "MCAS" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ", + "label": "fix" + }, + { + "data": "This change will have a moderate impact on your users.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:AATP_DefenderForIdentityIsNotInstalled", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "desc": "Installing Microsoft Defender for Identity sensors provides you with the ability to detect advanced threats in your entire identity infrastructure. Actionable security alerts are generated through the analysis of network traffic and security events.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 5 + ], + "rank": [ + 59 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "Azure ATP" + ], + "userImpacts": [ + "low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_atpprotection", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "desc": "Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:dlp_datalossprevention", + "title": "Ensure DLP policies are enabled", + "desc": "Data Loss Prevention (DLP) policies allows content in multiple locations, such as, devices, Exchange online and Teams chats to be scanned for specific types of data like social security numbers, credit card numbers, or passwords.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Data" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MIP" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_individualsharing", + "title": "Ensure 'External sharing' of calendars is not available", + "desc": "Users should not be allowed to share the full details of their calendars with external users.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safedocuments", + "title": "Turn on Safe Documents for Office Clients", + "desc": "Safe Documents uses Microsoft Defender for Endpoint to scan documents and files for malicious content. To keep you protected, Safe Documents sends files to the Defender for Endpoint cloud for analysis. Files sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_connectionfilter", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "desc": "

    If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. These options include Exchange mail flow rules (also known as transport rules), Outlook Safe Senders, the IP Allow List (connection filtering), and allowed sender lists or allowed domain lists in anti-spam policies. Collectively, you can think of these options as safe sender lists.

    The available safe sender lists are described in the following list in order from most recommended to least recommended:
    1. Mail flow rules
    2. Outlook Safe Senders
    3. IP Allow List (connection filtering)
    4. Allowed sender lists or allowed domain lists (anti-spam policies)

    Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. Since the IP Allow List doesn't prevent malware or high confidence phishing messages from being filtered, this creates a high risk of attackers successfully delivering email to an inbox that would otherwise be filtered.

    ", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "The allowed IP addresses list in the connection filter policy is empty ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_purviewlabelconsent", + "title": "Data:mip_purviewlabelconsent", + "desc": "\n To get work done, people in your organization collaborate with others both inside and outside the organization. Data doesn't always stay in your cloud, and often roams everywhere—across devices, apps, and services. When your data roams, you still want it to be secure in a way that meets your organization's business and compliance policies.\n
    \n
    \n Applying sensitivity labels to your content helps you keep your data secure by stating how sensitive certain data is in your organization. It also abstracts the data itself, letting you track the type of data without exposing sensitive data on other platforms.\n
    \n
    \n For example, applying the sensitivity label ‘highly confidential’ to a document that contains social security numbers and credit card numbers helps you identify the sensitivity of the document without knowing the actual data in the document.\n
    \n
    \n The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview data map. When you apply a label on an office document and then scan it into the Microsoft Purview data map, the label will be applied to the data asset.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "The setting was not enabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:CustomerLockBoxEnabled", + "title": "Ensure the customer lockbox feature is enabled", + "desc": "Turning on the customer lockbox feature requires that approval is obtained for datacenter operations that grants a Microsoft employee direct access to your content. Access may be needed by Microsoft support engineers if an issue arises. There's an expiration time on the request and content access is removed after the support engineer has fixed the issue.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 127 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "label": "fix" + }, + { + "data": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Feature in place: false.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_oauth2clientprofileenabled", + "title": "Ensure modern authentication for Exchange Online is enabled", + "desc": "Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. When you enable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use modern authentication to log in 'to Microsoft 365 mailboxes. When you disable modern authentication in Exchange Online, Outlook 2016 and Outlook 2013 use basic authentication to log in to Microsoft 365 mailboxes.

    When users initially configure certain email clients, like Outlook 2013 and Outlook 2016, they may be required to authenticate using enhanced authentication mechanisms, such as multifactor authentication. Other Outlook clients that are available in Microsoft 365 (for example, Outlook Mobile and Outlook for Mac 2016) always use modern uthentication to log in to Microsoft 365 mailboxes", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Account breach", + "Data Exfiltration" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "label": "fix" + }, + { + "data": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Modern authentication for Exchange Online is enabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_mailtipsenabled", + "title": "Ensure MailTips are enabled for end users", + "desc": "MailTips assist end users with identifying strange patterns to emails they send.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "label": "fix" + }, + { + "data": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "MailTips for end users are disabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_transportrulesallowlistdomains", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "desc": "You should set Spam confidence level (SCL) in your Exchange Online mail transport rules with specific domains. Allow-listing domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain. \n\t

    Note: In order to get a score for this security control, all the active transport rule that applies to specific domains must have a Spam Confidence Level (SCL) of 0 or higher.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "label": "fix" + }, + { + "data": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Spam confidence level (SCL) is not configured in mail transport rules with specific domain", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mip_search_auditlog", + "title": "Apps:mip_search_auditlog", + "desc": "When audit log search in the Microsoft Purview compliance portal is enabled, user and admin activity from your organization is recorded in the audit log and retained for 90 days. However, your organization might be using a third-party security information and event management (SIEM) application to access your auditing data. In that case, a global admin can turn off audit log search in Microsoft 365.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Microsoft 365 audit log search is enabled disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_mailboxaudit", + "title": "Ensure mailbox auditing for all users is Enabled", + "desc": "

    By turning on mailbox auditing, Microsoft 365 back office teams can track logons to a mailbox as well as what actions are taken while the user is logged on. After you turn on mailbox audit logging for a mailbox, you can search the audit log for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default.

    Rationale:

    Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations.

    This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. When mailbox auditing on by default is turned on for the organization, the AuditEnabled property for affected mailboxes won't be changed from False to True. In other words, mailbox auditing on by default ignores the AuditEnabled property on mailboxes.

    However, only certain mailbox types support default auditing setting 'On': User Mailboxes, Shared Mailboxes, and Microsoft 365 Group Mailboxes. The remaining mailbox types require auditing to be turned on at the mailbox level: Resource Mailboxes, Public Folder Mailboxes, and DiscoverySearch Mailbox.

    Whether it is for regulatory compliance or for tracking unauthorized configuration changes in Microsoft 365, enabling mailbox auditing allows for Microsoft 365 back office teams to run security operations, forensics or general investigations on mailbox activities.

    NOTE: Without advanced auditing (E5 function) the logs are limited to 90 days.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Mailbox auditing for all users is disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_storageproviderrestricted", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "desc": "

    This setting allows users to open certain external files while working in Outlook on the
    web. If allowed, keep in mind that Microsoft doesn't control the use terms or privacy
    policies of those third-party services.

    Ensure AdditionalStorageProvidersAvailable is restricted.

    Rationale:

    By default additional storage providers are allowed in Office on the Web (such as Box,
    Dropbox, Facebook, Google Drive, OneDrive Personal, etc.). This could lead to
    information leakage and additional risk of infection from organizational non-trusted
    storage providers. Restricting this will inherently reduce risk as it will narrow
    opportunities for infection and data leakage.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "label": "fix" + }, + { + "data": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Additional storage providers are restricted in Outlook on the web is not configured correctly. Please follow next steps to correctly configure the control.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:exo_outlookaddins", + "title": "Ensure users installing Outlook add-ins is not allowed", + "desc": "

    Specify the administrators and users who can install and manage add-ins for Outlook in Exchange Online By default, users can install add-ins in their Microsoft Outlook Desktop client, allowing data access within the client application.

    Rationale:
    Attackers exploit vulnerable or custom add-ins to access user data. Disabling user installed add-ins in Microsoft Outlook reduces this threat surface.

    ", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "EXO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "label": "fix" + }, + { + "data": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Installing Outlook add-ins configuration is disabled", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapspam", + "title": "Apps:mdo_zapspam", + "desc": "

    For unread messages that are identified as spam after delivery, the ZAP outcome depends on the action that's configured for the Spam filtering verdict in the applicable anti-spam policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapphish", + "title": "Apps:mdo_zapphish", + "desc": "

    For read or unread messages that are identified as phishing after delivery, the ZAP outcome depends on the action that's configured for a Phishing email filtering verdict in the applicable anti-phishing policy.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_zapmalware", + "title": "Apps:mdo_zapmalware", + "desc": "

    Zero-hour auto purge (ZAP) quarantines the message that contains malware attachment for both read, as well as unread, messages that are found to contain malware after delivery. Only admins can view and manage messages that have been quarantined.

    \n

    For additional information, see Zero-hour auto purge (ZAP) in Exchange Online.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safeattachments", + "title": "Turn on Safe Attachments in block mode", + "desc": "Safe Attachments in block mode prevents messages with detected malware attachments from being delivered. These messages are quarantined and only admins (not regular users) can review, release, or delete them. This will also automatically block future malware attachments.\n\t

    \n\tMDO Built-in protection policy provides safe attachments protection for everyone by default. You could also create additional Safe Attachment policies for customized Safe Attachment operations.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safelinksforemail", + "title": "Apps:mdo_safelinksforemail", + "desc": "MDO Built-in protection policy will provide base level safe links protection for everyone by default. You could also create additional Safe Links policies for enhanced or customized Safe Links operations.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_commonattachmentsfilter", + "title": "Ensure the Common Attachment Types Filter is enabled", + "desc": "There are certain types of files that are risker to send and receive via email due to the likelihood that they contain malware (for example, executable files). To make sure these file types don't get through, enable the common attachment filter. You can use the default list of file types or customize it. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs. Messages with the specified attachments types are treated as malware and are automatically quarantined.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "High" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_sensitivitylabelspolicies", + "title": "Data:mip_sensitivitylabelspolicies", + "desc": "Set up and use data classification policies on data stored in your users' Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups.\n
    \n
    \nThe policies will help categorize your most important data so you can effectively protect it from illicit access and will help make it easier to investigate discovered breaches.\n
    \n
    \nCreation of data classification policies will not cause a significant impact to an organization. However, ensuring long term adherence with policies can potentially be a significant training and ongoing compliance effort across an organization. Organizations should ensure that training and compliance planning is part of the classification policy creation process.\n
    \n
    \nThis information was taken from Center for Internet Security (CIS).\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Policies were published on 1 of the 1 users", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Data:mip_autosensitivitylabelspolicies", + "title": "Data:mip_autosensitivitylabelspolicies", + "desc": "\n Create auto-labeling policies to automatically apply sensitivity labels to email messages or OneDrive and SharePoint files that contain sensitive info.\n
    \n This ability to apply sensitivity labels to content automatically is important because:\n
    \n You don't need to train your users on the appropriate way to use each of your classifications.\n
    \n You don't need to rely on users to classify all content correctly.\n
    \n Users no longer need to know about your policies—they can instead focus on their work.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "Policies were published on 0 of the 1 users", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_highconfidencespamaction", + "title": "Set action to take on high confidence spam detection", + "desc": "Set the action that will be taken on high confidence spam detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_phisspamacation", + "title": "Set action to take on phishing detection", + "desc": "Set the action that will be taken on phishing detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_highconfidencephishaction", + "title": "Set action to take on high confidence phishing detection", + "desc": "Set the action that will be taken on high confidence phishing detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_bulkspamaction", + "title": "Set action to take on bulk spam detection", + "desc": "Set the action that will be taken on bulk spam detection.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_quarantineretentionperiod", + "title": "Retain spam in quarantine for 30 days", + "desc": "Specifies how long to keep the message in quarantine if you selected “Quarantine message” as the action for a spam filtering verdict. After the time period expires, the message is deleted, and is not recoverable.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_allowedsenderscombined", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "desc": "Never add your own accepted domains or common domains (for example, microsoft.com or office.com) to the allowed domains list. If these domains are allowed to bypass spam filtering, attackers can easily send messages that spoof these trusted domains to your organization. In addition, avoid adding specific senders that can bypass spam filtering.", + "impact": 0.2, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 2 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_bulkthreshold", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "desc": "Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the bulk spam filtering verdict that you configure on the next page. A higher value indicates that the message is less desirable (more likely to resemble spam). While the default value is 7, 6 or lower is the recommended value.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_spamaction", + "title": "Apps:mdo_spamaction", + "desc": "Set the action that will be taken on spam detection.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_autoforwardingmode", + "title": "Set automatic email forwarding rules to be system controlled", + "desc": "", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientexternallimitperhour", + "title": "Set maximum number of external recipients that a user can email per hour", + "desc": "Configure the maximum number of external recipients that a user can email per hour. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientinternallimitperhour", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "desc": "Configure the maximum number of recipients that a user can send to per hour for internal recipients. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_recipientlimitperday", + "title": "Set a daily message limit", + "desc": "Configure the maximum number of recipients that a user can send to within a day. After an account is compromised, attackers commonly use the account to generate spam and phish. Configuring recommended values can reduce the amount of spam and phishing emails, while also allowing you to be notified when these thresholds have been reached.", + "impact": 0.1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 1 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_thresholdreachedaction", + "title": "Apps:mdo_thresholdreachedaction", + "desc": "Configure action to take when any of the limits specified in the outbound anti-spam policy are reached. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_enablemailboxintelligence", + "title": "Ensure that mailbox intelligence is enabled", + "desc": "\n Turns on artificial intelligence (AI) that identifies users’ email patterns with their frequent contacts to spot potential phishing attempts.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_mailboxintelligenceprotection", + "title": "Ensure that intelligence for impersonation protection is enabled", + "desc": "\n Enables enhanced impersonation results based on each user's individual sender map and allows you to define specific actions for impersonated messages.\n
    \n
    \n This setting is available only if ‘Enable mailbox intelligence’ is selected.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_mailboxintelligenceprotectionaction", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "desc": "\n This setting specifies what to do with messages for impersonation detections from mailbox intelligence results.\n
    \n
    \n If a message is detected to be an impersonated user by mailbox intelligence, no action will be applied by default. We recommend moving the message to the recipients’ junk email folder and strongly recommend quarantining it.\n
    \n
    \n This setting is available only if the ‘Ensure that intelligence for impersonation protection is enabled’ setting is properly configured.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_enabledomainstoprotect", + "title": "Enable impersonated domain protection", + "desc": "\n Prevents specified domains from being impersonated by the message sender's domain.\n
    \n
    \n When you add domains to the ‘Enable domains to protect’ list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if it’s sent to a recipient that the policy applies to.\n
    \n
    \n If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message.\n
    \n
    \n By default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_phishthresholdlevel", + "title": "Set the phishing email level threshold at 2 or higher", + "desc": "\n The threshold controls the sensitivity with which machine learning models are applied to email messages to determine whether a phishing attempt has occurred.\n
    \n A higher value indicates greater sensitivity. The default value is 1, but 2 or 3 are the recommended values.\n ", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 8 + ], + "rank": [ + 128 + ], + "tiers": [ + "Core" + ], + "threats": [ + [] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "label": "fix" + }, + { + "data": "Unknown", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_similardomainssafetytips", + "title": "Apps:mdo_similardomainssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for domain impersonation detections.\n
    \n
    \n When the ‘Show domain impersonation safety tip’ is enabled, the tip “This sender might be impersonating a domain that's associated with your organization” is shown to recipients in messages where the sender's email domain is included in domain impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_similaruserssafetytips", + "title": "Apps:mdo_similaruserssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation safety tip’ is enabled, the tip “This sender appears to be similar to someone who previously sent you email but may not be that person” is shown to recipients in messages where the sender's email address is included in user impersonation protection.\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targeteddomainprotectionaction", + "title": "Apps:mdo_targeteddomainprotectionaction", + "desc": "\n This setting specifies the action to take on detected domain impersonation messages.\n
    \n
    \n If a message is detected from an impersonated domain, no action is taken by default. We recommend quarantining the message.\n
    \n
    \n This setting is available only if ‘Enable impersonated domain protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targeteduserprotectionaction", + "title": "Apps:mdo_targeteduserprotectionaction", + "desc": "\n This setting specifies the action to take on detected user impersonation messages.\n
    \n
    \n If a message is detected from an impersonated user, no default action will be taken. We recommend quarantining the message.\n
    \n
    \n Whenever you select ‘Quarantine the message’, a ‘Select quarantine policy’ box is available.\n
    \n Quarantine policies define who is allowed to do to quarantined messages.\n
    \n
    \n This setting is available only if ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_targetedusersprotection", + "title": "Apps:mdo_targetedusersprotection", + "desc": "\n Prevents specified internal or external email addresses from being impersonated as message senders in phishing attempts.\n
    \n By default, impersonated user protection is disabled, and no sender email addresses are covered by impersonation protection, whether in the default policy or in custom policies.\n
    \n
    \n We highly recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_unusualcharacterssafetytips", + "title": "Apps:mdo_unusualcharacterssafetytips", + "desc": "\n This setting specifies whether to enable the safety tip that is shown to recipients for unusual characters in domain and user impersonation detections.\n
    \n
    \n When the ‘Show user impersonation unusual safety tip’ is enabled, the tip is shown to recipients in messages where the sender's name or email address contains characters that are not typically used together, such as a mix of mathematical symbols and plain text or a mix of uppercase and lowercase letters.\n
    \n
    \n Example tip:\n
    \n ‘The email address MARY@CoNTᴏSO.CᴏM includes unexpected letters or numbers. We recommend you do not interact with this message.’\n
    \n
    \n This setting is available only if the ‘Enable impersonated user protection’ setting is configured properly.\n ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_spam_notifications_only_for_admins", + "title": "Apps:mdo_spam_notifications_only_for_admins", + "desc": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.

    Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as
    outlined in the highest priority policy listed.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safeattachmentpolicy", + "title": "Ensure Safe Attachments policy is enabled", + "desc": "

    The Safe Attachments policy helps protect users from malware in email attachments by
    scanning attachments for viruses, malware, and other malicious content. When an email
    attachment is received by a user, Safe Attachments will scan the attachment in a secure
    environment and provide a verdict on whether the attachment is safe or not.

    Rationale:
    Enabling Safe Attachments policy helps protect against malware threats in email
    attachments by analyzing suspicious attachments in a secure, cloud-based environment
    before they are delivered to the user's inbox. This provides an additional layer of
    security and can prevent new or unseen types of malware from infiltrating the
    organization's network.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "label": "fix" + }, + { + "data": "Delivery of email with attachments may be delayed while scanning is occurring.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "

    100% of users are affected by policies that are configured securely 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_safelinksforOfficeApps", + "title": "Apps:mdo_safelinksforOfficeApps", + "desc": "Enabling Safe Links policy for Office applications allows URL's that exist inside of Office documents and email applications opened by Office, Office Online and Office mobile to be processed against Defender for Office time-of-click verification and rewritten if required.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Built-In Protection Policy - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_antiphishingpolicies", + "title": "Ensure that an anti-phishing policy has been created", + "desc": "By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization, and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

    Rationale: Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.", + "impact": 0.3, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 3 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "label": "fix" + }, + { + "data": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Office365 AntiPhish Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Apps:mdo_blockmailforward", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "desc": "

    Exchange Online offers several methods of managing the flow of email messages.
    These are Remote domain, Transport Rules, and Anti-spam outbound policies. These
    methods work together to provide comprehensive coverage for potential automatic
    forwarding channels:

    • Outlook forwarding using inbox rules
    • Outlook forwarding configured using OOF rule
    • OWA forwarding setting (ForwardingSmtpAddress)
    • Forwarding set by the admin using EAC (ForwardingAddress)
    • Forwarding using Power Automate / Flow

    NOTE:

    • In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically.
    • Any exclusions should be implemented based on organizational policy.

    Rationale:
    Attackers often create these rules to exfiltrate data from your tenancy, this could be
    accomplished via access to an end-user account or otherwise. An insider could also use
    one of these methods as an secondary channel to exfiltrate sensitive data.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Apps" + ], + "maxScore": [ + 5 + ], + "rank": [ + 10 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Data Exfiltration", + "Account breach" + ] + ], + "services": [ + "MDO" + ], + "userImpacts": [ + "Unknown" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "label": "fix" + }, + { + "data": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "

    100% of users are affected by policies that are configured less securely than is recommended 

    • Default - 1 users (100%) 
    ", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:IntegratedApps", + "title": "Ensure user consent to apps accessing company data on their behalf is not allowed", + "desc": "To reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, we recommend that you allow user consent only for applications that have been published by a verified publisher.", + "impact": 0.4, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 4 + ], + "rank": [ + 35 + ], + "tiers": [ + "Defense In Depth" + ], + "threats": [ + [ + "Data Exfiltration", + "Data Spillage" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ", + "label": "fix" + }, + { + "data": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "You have no user consent policy in place.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:PWAgePolicyNew", + "title": "Identity:PWAgePolicyNew", + "desc": "Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "Your current policy is set to let passwords expire.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:SelfServicePasswordReset", + "title": "Identity:SelfServicePasswordReset", + "desc": "With self-service password reset in Microsoft Entra ID, users no longer need to engage help desk to reset passwords. 
This feature works well with Microsoft Entra ID dynamically banned passwords, which prevents easily guessable passwords from being used.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 0 users who don't have self-service password reset enabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:BlockLegacyAuthentication", + "title": "Enable Conditional Access policies to block legacy authentication", + "desc": "Today, most compromising sign-in attempts come from legacy authentication. Older office clients such as Office 2010 don’t support modern authentication and use legacy protocols such as IMAP, SMTP, and POP3. Legacy authentication does not support multifactor authentication (MFA). Even if an MFA policy is configured in your environment, bad actors can bypass these enforcements through legacy protocols.", + "impact": 0.8, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 8 + ], + "rank": [ + 68 + ], + "tiers": [ + "Advanced" + ], + "threats": [ + [ + "Password Cracking", + "Account Breach" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Moderate" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "label": "fix" + }, + { + "data": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 1 users that don't have legacy authentication blocked.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:MFARegistrationV2", + "title": "Identity:MFARegistrationV2", + "desc": "Multifactor authentication (MFA) helps protect devices and data that are accessible to these users. Adding more authentication methods, such as the Microsoft Authenticator app or a phone number, increases the level of protection if one factor is compromised.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 out of 1 users that aren’t registered with MFA.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:AdminMFAV2", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "desc": "

    Requiring multifactor authentication (MFA) for administrative roles makes it harder for attackers to access accounts. Administrative roles have higher permissions than typical users. If any of those accounts are compromised, your entire organization is exposed. At a minimum, protect the following roles: 

    • Global administrator 
    • Authentication administrator 
    • Billing administrator 
    • Conditional Access administrator 
    • Exchange administrator 
    • Helpdesk administrator 
    • Security administrator 
    • SharePoint administrator 
    • User administrator 
    ", + "impact": 1, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ], + "category": [ + "Identity" + ], + "maxScore": [ + 10 + ], + "rank": [ + 1 + ], + "tiers": [ + "Core" + ], + "threats": [ + [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ] + ], + "services": [ + "AzureAD" + ], + "userImpacts": [ + "Low" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "label": "fix" + }, + { + "data": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 out of 1 users with administrative roles that aren’t registered and protected with MFA.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:SigninRiskPolicy", + "title": "Identity:SigninRiskPolicy", + "desc": "Turning on the sign-in risk policy ensures that suspicious sign-ins are challenged for multifactor authentication (MFA).", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 of 1 users that don't have the sign-in risky policy turned on.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:UserRiskPolicy", + "title": "Identity:UserRiskPolicy", + "desc": "With the user risk policy turned on, Microsoft Entra ID detects the probability that a user account has been compromised. As an administrator, you can configure a user risk Conditional Access policy to automatically respond to a specific user risk level. 
For example, you can block access to your resources or require a password change to get a user account back into a clean state.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "passed", + "code_desc": "You have 0 users out of 1 that do not have user risk policy enabled.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:OneAdmin", + "title": "Identity:OneAdmin", + "desc": "

    Having more than one global administrator helps if you are unable to fulfill the needs or obligations of your organization. It's important to have a delegate or an emergency account someone from your team can access if necessary. It also allows admins the ability to monitor each other for signs of a breach.

    Note:

    According to CIS O365 Benchmark 2.0.0, the suggestion is to have between two to four global admins. Currently, the condition to comply is to have more than one global administrator - This security recommendation will be updated accordingly to CIS benchmark in the future.

    Rationale:

    If there is only one global tenant administrator, he or she can perform malicious activity without the possibility of being discovered by another admin. If there are numerous global tenant administrators, the more likely it is that one of their accounts will be successfully breached by an external attacker.

    ", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "You currently have 1 global admins.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + }, + { + "id": "Identity:RoleOverlap", + "title": "Identity:RoleOverlap", + "desc": "Ensure that your administrators can accomplish their work with the least amount of privilege assigned to their account. Assigning users roles like Password Administrator or Exchange Online Administrator, instead of Global Administrator, reduces the likelihood of a global administrative privileged account being breached.", + "impact": 0.5, + "refs": [], + "tags": { + "nist": [ + "SA-11", + "RA-5" + ] + }, + "source_location": {}, + "descriptions": [ + { + "data": "", + "label": "fix" + }, + { + "data": "", + "label": "rationale" + } + ], + "results": [ + { + "status": "failed", + "code_desc": "You have 0 users with least privileged administrative roles.", + "start_time": "2024-01-01T00:00:00Z" + } + ] + } + ], + "sha256": "e34570699cb31e407b8e8444d1db0d5b0a12614b69ee9b5ba5e8b1068b556907" + } + ], + "passthrough": { + "auxiliary_data": [ + { + "name": "Microsoft Secure Score", + "data": { + "reportId": "12345678-1234-1234-1234-1234567890abcd_2024-01-01", + "tenantId": "12345678-1234-1234-1234-1234567890abcd", + "profiles": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScoreControlProfiles", + "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles?$skiptoken=00000000-0000-0000-0000-00000000", + "value": [ + { + "id": "aad_admin_accounts_separate_unassigned_cloud_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": 
"https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/add-users?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure Administrative accounts are separate and cloud-only", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    1. Navigate to Microsoft 365 admin center
    2. Click to expand Users select Active users.
    3. Sort by the Licenses column.
    4. For each user account in an administrative role verify the following:
    The account is Cloud only (not synced)
    The account is assigned a license that is not associated with applications i.e. (Microsoft Entra ID P1, Microsoft Entra ID P2)

    ", + "remediationImpact": "Administrative users will have to switch accounts and utilizing login/logout functionality when performing Administrative tasks, as well as not benefiting from SSO.", + "service": "AzureAD", + "threats": [ + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_admin_consent_workflow", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings", + "controlCategory": "Apps", + "title": "Ensure the admin consent workflow is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center, Select Admin Centers, and Microsoft Entra ID.
    2. Select Enterprise applications from the Azure Navigation pane.
    3. Under Security select Consent and permissions.
    4. Under Manage select Admin consent settings and set Users can request admin consent to apps they are unable to consent to Yes.
    5. Under the Reviewers choose the Roles, Groups that you would like to review user generated app consent requests.
    6. Select Save at the top of the window.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_custom_banned_passwords", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-configure-custom-password-protection", + "controlCategory": "Apps", + "title": "Ensure custom banned passwords lists are used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Create a custom banned password list:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Protect & Secure > Authentication methods
    3. Select Password protection
    4. Set Enforce custom list to Yes
    5. In Custom banned password list create a list using suggestions outlined in this document.
    6. Click Save

    NOTE: Below is a list of examples that can be used as a starting place. Check the references section for more.

    • Brand names
    • Product names
    • Locations, such as company headquarters
    • Company-specific internal terms
    • Abbreviations that have specific company meaning
    ", + "remediationImpact": "

    If a custom banned password list includes too many common dictionary words, or short words that are part of compound words, then perfectly secure passwords may be blocked. The organization should consider a balance between security and usability when creating a list.

    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_limited_administrative_roles", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps", + "controlCategory": "Apps", + "title": "Ensure 'Microsoft Azure Management' is limited to administrative roles", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable Microsoft Azure Management restrictions:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click expand Protection > Conditional Access select Policies.
    3. Click New Policy and then name the policy.
    4. Select Users > Include > All Users
    5. Select Users > Exclude > Directory roles and select only administrative roles (See below).
    6. Select Cloud apps or actions > Select apps > Select then click the box next to Microsoft Azure Management.
    7. Click Select.
    8. Select Grant > Block access and click Select.
    9. Ensure Enable Policy is On then click Create.

    WARNING: Exclude Global Administrator at a minimum to avoid being locked out. Report-only is a good option to use when testing any Conditional Access policy for the first time.

    Below is an example list of Administrator roles that could be excluded:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    Default Value:

    No - Non-administrators can access the Microsoft Entra ID administration portal.

    ", + "remediationImpact": "

    Because the policy is applied to the Azure management portal and API, services, or clients with an Azure API service dependency, can indirectly be impacted. For example:

    • Classic deployment model APIs
    • Azure PowerShell
    • Azure CLI
    • Azure DevOps
    • Azure Data Factory portal
    • Azure Event Hubs
    • Azure Service Bus
    • Azure SQL Database
    • SQL Managed Instance
    • Azure Synapse
    • Visual Studio subscriptions administrator portal
    • Microsoft IoT Central
    ", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_linkedin_connection_disables", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration", + "controlCategory": "Apps", + "title": "Ensure 'LinkedIn account connections' is disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To disable LinkedIn account connections:

    1. Navigate to Microsoft Entra ID admin center https://entra.microsoft.com/
    2. Click to expand Microsoft Entra ID > Users select User settings.
    3. Under LinkedIn account connections select No.
    4. Click Save at the top of the page.
    ", + "remediationImpact": "Users will not be able to sync contacts or use LinkedIn integration.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_managed_approved_public_groups_only", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide#microsoft-365-groups", + "controlCategory": "Apps", + "title": "Ensure that only organizationally managed/approved public groups exist", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    In the Microsoft 365 Administration portal, go to:

    1. Teams & groups -> Active teams & groups. 
    2. For each group, under Settings, make sure Privacy is set to 'Private'.


    ", + "remediationImpact": "If the recommendation is applied, group owners could receive more access requests than usual, especially regarding groups originally meant to be public.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_password_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-operations", + "controlCategory": "Apps", + "title": "Ensure password protection is enabled for on-prem Active Directory", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To setup Microsoft Entra ID Password Protection, use the following steps: 

    1. Download and install the Microsoft Entra ID Password Proxies and DC Agents from the following location: https://www.microsoft.com/download/details.aspx?id=57071
    2. After the installation is complete, login to https://admin.microsoft.com as a Global Administrator.
    3. Go to Admin centers and click on Microsoft Entra ID.
    4. Select Microsoft Entra ID then Security on the left side navigation followed by Authentication methods.
    5. Select Password protection and toggle Enable password protection on Windows Server Active Directory to Yes and Mode to Enforced
    6. Click Save at the top of the right pane.


    ", + "remediationImpact": "The potential impact associated with implementation of this setting is dependent upon the existing password policies in place in the environment. For environments that have strong password policies in place, the impact will be minimal. For organizations that do not have strong password policies in place, implementation of Microsoft Entra ID Password Protection may require users to change passwords, and adhere to more stringent requirements than they have been accustomed to.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_phishing_MFA_strength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy", + "controlCategory": "Apps", + "title": "Ensure 'Phishing-resistant MFA strength' is required for Administrators", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To create a phishing-resistant MFA CA policy for users in administrative roles:

    1. Navigate to the Microsoft Entra ID admin center https://entra.microsoft.com.
    2. Click to expand Microsoft Entra ID > Applications select Enterprise Applications.
    3. Under Security, select Conditional Access.
    4. Click New policy.
    5. Go to Users > Users and groups > Include > Select users and groups > Directory roles
    6. Add at least the Directory roles listed after these steps.
    7. Select Cloud apps or actions > All cloud apps (and don't exclude any apps).
    8. Grant > Grant Access with Require authentication strength (Preview): Phishing-resistant MFA
    9. Click 'Select'
    10. Set Enable policy to Report-only and click Create

    At minimum these directory roles should be included for the policy:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator

    WARNING: Ensure administrators are pre-registered with strong authentication before enforcing the policy. After which the policy must be set to “On”.

    ", + "remediationImpact": "If administrators aren't pre-registered for a strong authentication method prior to a conditional access policy is created then a condition could occur where a user can't register for strong authentication because they don't meet the conditional access policy requirements, and therefore are prevented from signing in.", + "service": "AzureAD", + "threats": [ + "Data Exfiltration", + "Password Cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_sign_in_freq_session_timeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aad.portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PolicyBlade", + "controlCategory": "Apps", + "title": "Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To configure Sign-in frequency and browser sessions persistence for Administrative users:

    1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
    2. Click to Protection > Conditional Access.
    3. Click New policy
    4. Click Users and groups
    5. Under Include select Select users and groups and then select Directory roles.
    6. At a minimum, select the roles in the section below:
    7. Go to Target resources > Cloud apps > Include > select All cloud apps (and don't exclude any apps).
    8. Under Access controls > Grant > select Grant access > check Require multi-factor authentication (and nothing else).
    9. Under Session select Sign-in frequency and set to at most 4 hours for E3 tenants. E5 tenants with PIM can be set to a maximum value of 24 hours.
    10. Check Persistent browser session then select Never persistent in the drop-down menu.
    11. For Enable Policy select On and click Save


    At minimum these directory roles should be included for MFA:

    • Application administrator
    • Authentication administrator
    • Billing administrator
    • Cloud application administrator
    • Conditional Access administrator
    • Exchange administrator
    • Global administrator
    • Global reader
    • Helpdesk administrator
    • Password administrator
    • Privileged authentication administrator
    • Privileged role administrator
    • Security administrator
    • SharePoint administrator
    • User administrator
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "aad_third_party_apps", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/enterprise/integrated-apps-and-azure-ads?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure third party integrated applications are not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "
    1. In the Microsoft 365 Admin Center Select Admin Centers and Microsoft Entra ID.
    2. Select Users from the Azure navigation pane
    3. Select Users settings.
    4. Set App registrations is set to No.
    5. Click Save.
    ", + "remediationImpact": "None.", + "service": "AzureAD", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSCertificateTemplateEnrolementSuppliesSubject", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc1", + "controlCategory": "Identity", + "title": "Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1. Disable the “Supply in the request” configuration.
    2. Remove EKU’s enabling user authentication (e.g Client Authentication).
    3.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    4.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings can lead to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSInsecureCertificateEnrollmentIisEndpoints", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8IIS", + "controlCategory": "Identity", + "title": "Edit insecure certificate enrollment IIS endpoints (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "For each endpoint, follow these steps:
    1. Determine whether the endpoint is necessary and in regular use. If it is not used, it is advisable to disable it.
    2. Deactivate NTLM and Negotiate authentication providers for the IIS endpoint.
    3. If NTLM cannot be disabled, enable \"Require SSL\" and \"Require Extended Protection\" for the IIS endpoint.
    For more information, please refer to the security advisory in the \"Learn More\" section.", + "remediationImpact": "If the IIS endpoint allows NTLM authentication without enforcing protocol signing (HTTPS) or without enforcing Extended Protection for Authentication (EPA), it becomes vulnerable to NTLM relay attacks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateAuthorityAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc7", + "controlCategory": "Identity", + "title": "Edit misconfigured Certificate Authority ACL (ESC7)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the misconfigured ACL entry (for example - “Manage CA” permission granted to the “authenticated users” built-in group) and remove any unnecessary permissions granting built-in groups “Mange CA” or/and “Manage certificates” permissions.", + "remediationImpact": "The impact of a misconfigured ACL varies based on the type of ACL applied. If an unprivileged user holds the \"Manage Certificates\" right, they can approve pending certificate requests without manager approval. 
With the \"Manage CA\" right, they can modify CA settings, such as adding the \"User specifies SAN\" flag, leading to a complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateAcl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4ACL", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates ACL (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template, and remove overly permissive modifications permissions (e.g. 
WriteProperty), which allows any user to change the settings of that certificate template.", + "remediationImpact": "Badly configured modification permissions allows non-privileged user to modify the settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEku", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc2", + "controlCategory": "Identity", + "title": "Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove EKU’s enabling arbitrary usage (e.g. Any purpose).
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement. ", + "remediationImpact": "Each certificate template per AD CS servers with these settings can be enrolled by an attacker and be used for multiple abuses affecting code integrity, server integrity, AD FS and IPSec (as they are relying on certificates).", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateEnrollmentAgent", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc3", + "controlCategory": "Identity", + "title": "Edit misconfigured enrollment agent certificate template (ESC3)", + "deprecated": false, + "implementationCost": "medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Identify the vulnerable certificate template. Perform at least one of the following possible remediations:
    1.Remove enrollment agent EKU.
    2.Remove overly permissive enrollment permissions, which allows any user to enroll certificate based on that certificate template.
    3.Enable “CA certificate manager approval” requirement.", + "remediationImpact": "Each certificate template per AD CS servers with these settings may enable arbitrary certificates issuance ability by an adversary, leading to full domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredCertificateTemplateOwner", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc4", + "controlCategory": "Identity", + "title": "Edit misconfigured certificate templates owner (ESC4)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "Edit misconfigured certificate templates owner (ESC4)", + "remediationImpact": "Badly configured owner allows non-privileged users to modify the permissions and settings of the template, creating an artificial misconfiguration later used for privilege escalation.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSMisconfiguredRpcEnrollmentSigning", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc8", + "controlCategory": "Identity", + "title": "Enforce 
encryption for RPC certificate enrollment interface (ESC8)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To require packet encryption for RPC enrollment, execute the following command and then restart the certsvc service: \ncertutil -setreg CA\\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST\nnet stop certsvc & net start certsvc", + "remediationImpact": "An RPC enrollment interface that does not mandate encryption is vulnerable to NTLM relay attacks, potentially leading to unauthorized certificate enrollment and, possibly, complete domain compromise.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "medium", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ADCSSanSpecifiedByUserEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/mdiesc6", + "controlCategory": "Identity", + "title": "Edit vulnerable Certificate Authority setting (ESC6)", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "To disable “user specifying SAN” setting, execute the following command and then restart the certsvc service: \ncertutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 \nnet stop certsvc & net start certsvc", + "remediationImpact": "When this setting is activated on the Certificate Authority server and an unprivileged user can enroll a certificate template (which is available by default), such users can enroll a certificate valid for any user, including administrators, resulting in full domain compromise.", + 
"service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_AdminSDHolder", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmsdholder", + "controlCategory": "Identity", + "title": "Remove access rights on suspicious accounts with the Admin SDHolder permission", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review the list of exposed entities to discover which of your non-sensitive accounts have the Admin SDHolder permission.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Having non-sensitive accounts with Admin SDholder (security descriptor holder) permissions can have significant security implications. It can lead to unauthorized privilege escalation, where attackers can exploit these accounts to gain administrative access and compromise sensitive systems or data. Additionally, it increases the attack surface and makes it harder to track and mitigate security incidents, potentially exposing the organization to greater risks.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_ClearText", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123179", + "controlCategory": "Identity", + "title": "Stop clear text credentials exposure", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why those entities are using LDAP in clear text.
    3. Remediate the issues and stop the exposure.
    4. After confirming remediation, we recommend you configure the requirement of domain controller level LDAP signing.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of clear text authentication may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DefenderForIdentityIsNotInstalled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=sensor", + "controlCategory": "Identity", + "title": "Start your Defender for Identity deployment, installing Sensors on Domain Controllers and other eligible servers.", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 59, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DomainControllerLocalUsers", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmt0assets", + "controlCategory": "Identity", + "title": "Remove local admins on identity assets", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 65, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have local admin rights on your identity assets.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Accounts with indirect control over an Identity system, such as AD FS, Active Directory, and so on, have the rights to escalate their privileges within the environment, which can lead to obtaining Domain Admin access or equivalent. Every local admin on a Tier-0 system is an indirect Domain Admin from an attacker's point of view.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_DormantAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123908", + "controlCategory": "Identity", + "title": "Remove dormant accounts from sensitive groups", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your sensitive accounts are dormant..
    2. Take appropriate action on those entities by removing their privileged access rights or by deleting the account.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these dormant privileges may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_EntitiesWithOldPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmoldpw", + "controlCategory": "Identity", + "title": "Manage accounts with passwords more than 180 days old", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have a password more than 180 days old.
    2. Take appropriate action on those entities either by making them change their password or restricting their access to sensitive resources. To achieve the full score,remediate all exposed entities.", + "remediationImpact": "Passwords more than 180 days old increase vulnerability to password attacks, heighten the risk of credential theft, may lead to non-compliance with security standards, reduce accountability and user awareness, and impede incident response efforts in case of a security breach.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_HoneyToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=entityTags", + "controlCategory": "Identity", + "title": "Set a honeytoken account", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 61, + "remediation": "Go to the Honeytoken Settings page >, and set at least one honeytoken account.​", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_KerberosDelegations", + "azureTenantId": 
"12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123722", + "controlCategory": "Identity", + "title": "Modify unsecure Kerberos delegations to prevent impersonation", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
    2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure kerberos configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_NonAdminDCSyncAccounts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://aka.ms/ispmdcsync", + "controlCategory": "Identity", + "title": "Remove non-admin accounts with DCSync permissions ", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 66, + "remediation": "1. Review this list of exposed entities to discover which of your accounts have DCSync permissions and are also non-domain admins.
    2. Take appropriate action on those entities by removing their privileged access rights. To achieve the full score, remediate all exposed entities.", + "remediationImpact": "Listed accounts have permissions to initiate domain replication, which can potentially be exploited by attackers to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment. It is crucial to carefully manage and restrict the membership of this group to ensure the security and integrity of your domain replication process.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "high", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PathRisk", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123182", + "controlCategory": "Identity", + "title": "Reduce lateral movement path risk to sensitive entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "Review this security control list of exposed entities displaying sensitive entities with lateral movement paths risk with recommended actions on how to reduce the number of non-sensitive accounts for each path.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on removed privileges associated with risky lateral movement paths may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PrintSpooler", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123723", + "controlCategory": "Identity", + "title": "Disable Print spooler service on domain controllers", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities to discover which of your domain controllers has the Print spooler service enabled.
    2. Take appropriate action on the at-risk domain controllers and actively remove the Print spooler service either manually, through group policy or other types of remote commands. Make sure to investigate your Print spooler settings, configurations and dependencies before disabling this service and preventing active printing workflows.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "Stopping the print spooler service will prevent printing directly from domain controllers or the running of orphaned printers published to Active Directory.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_PwdLAPS", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123725", + "controlCategory": "Identity", + "title": "Protect and manage local admin passwords with Microsoft LAPS", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of domains and devices not configured for Microsoft LAPS.
    2. Deploy Microsoft LAPS to actively manage the local administrator password of your devices. This is done through Active Directory along with Group Policy client- side extensions that will be installed on each Windows operating system.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on local administrator passwords will need access to the LAPS UI to retrieve the current password for the local administrator account.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Sensor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2117505", + "controlCategory": "Identity", + "title": "Install Defender for Identity Sensor on all Domain Controllers", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 60, + "remediation": "Go to the sensor page in Settings, you can view the already installed sensors in your environment and download the install package to deploy them on your remaining domain controllers.
    You will be scored as a precentage of your deployment progress.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_SIDHistory", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123183", + "controlCategory": "Identity", + "title": "Remove unsecure SID history attributes from entities", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure SID history attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of SID history entries may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureAccount", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123364", + "controlCategory": "Identity", + "title": "Resolve unsecure account attributes", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities that has unsecure account attributes.
    2. Take appropriate action on those entities by removing their unsecure settings.
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_UnsecureDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2196300", + "controlCategory": "Identity", + "title": "Resolve unsecure domain configurations", + "deprecated": false, + "implementationCost": "high", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 60, + "remediation": "1. Review this security control list of exposed domains that have unsecure configurations.
    2. Take appropriate action on those domains by remediating their unsecure settings. To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of unsecure account configurations may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_Vpn", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/settings/identities?tabid=radius", + "controlCategory": "Identity", + "title": "Configure VPN integration", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 63, + "remediation": "Go to the Settings page >, and configure the VPN radius accounting to enable VPN based detections.", + "remediationImpact": "Unknown", + "service": "Azure ATP", + "threats": [ + "Account Breach", + "Elevation of Privilege", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AATP_WeakCipher", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2123721", + "controlCategory": "Identity", + "title": "Stop weak cipher usage", + "deprecated": false, + 
"implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 67, + "remediation": "1. Review this security control list of exposed entities.
    2. Research why the identified clients and servers are using weak ciphers.
    3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
    To achieve a full score, you must remediate all exposed entities.", + "remediationImpact": "A user or an application that relies on these types of weak ciphers may stop functioning.", + "service": "Azure ATP", + "threats": [], + "tier": "Core", + "userImpact": "low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "admincenter_owned_apps_and_services", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure 'User owned apps and services' is restricted", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Office Store add-ins and starting 365 trials:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. Click to expand Settings Select Org settings.
      3. Under Services select User owned apps and services.
      4. Uncheck Let users access the Office Store and Let users start trials on behalf of your organization.
      5. Click Save.

    Note - Due to temporary limitations, only \"Let users access the Office Store\" will be taken into account in scoring this control. It is suggested to uncheck both settings for the sake of better posture.

    ", + "remediationImpact": "Implementation of this change will impact both end users and administrators. End users will not be able to install add-ins that they may want to install.", + "service": "Admincenter", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AdminMFAV2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Ensure multifactor authentication is enabled for all users in administrative roles", + "deprecated": false, + "implementationCost": "Low", + "lastModifiedDateTime": null, + "maxScore": 10, + "rank": 1, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right MFA method for your organization in the Microsoft 365 admin center. Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    5. Keep track of your admin’s progress of registering authentication methods by going to Microsoft Entra ID > Security > Authentication methods > User registration details (requires Microsoft Entra ID Premium P1 or P2 licenses). Go to User registration details 
    ", + "remediationImpact": "First, users with administrative roles need to register for MFA. After each admin is registered, your policies then determine when they’re prompted for the additional authentication factors.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach", + "Elevation of Privilege" + ], + "tier": "Core", + "userImpact": "Low", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_regulate_access_to_sensitive_data", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate cloud app access to sensitive data", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 9, + "remediation": "\n In app governance, open the predefined policy \"Access to sensitive data\" and activate it.\n
    \n
    \n You can edit the predefined policy to specify an action and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "AppG_unusual_activity_with_priority_account", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/cloudapps/app-governance?viewid=policies&objid=true&filter=%7B%22source%22:%5B%22Predefined%22%5D%7D", + "controlCategory": "Apps", + "title": "Regulate apps with priority account consent", + "deprecated": false, + "implementationCost": "low", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "\n In app governance, open the predefined \"Unusual activity from an app with priority account consent\" policy and activate it.\n
    \n
    \n While you have the policy open, you can add an action to take on unused apps and add exceptions.\n ", + "remediationImpact": "Unknown", + "service": "AppG", + "threats": [], + "tier": "Core", + "userImpact": "moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "BlockLegacyAuthentication", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095010", + "controlCategory": "Identity", + "title": "Enable Conditional Access policies to block legacy authentication", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 68, + "remediation": "
    1. We provide step-by-step guidance to select and enable the right method to block legacy authentication for your organization in the Microsoft 365 admin center (part of the MFA wizard). Go to the Microsoft 365 MFA wizard 
    2. If you would like to perform the implementation yourself, first check what Microsoft Entra ID license you have under “Prerequisites” in Microsoft Secure Score or see your license type under \"Basic information\" in the Microsoft Entra ID Overview
    3. If you’ve invested in Microsoft Entra ID Premium P1 or P2 licenses, you can create a Conditional Access policy from scratch or by using a template. Follow these steps to create a Conditional Access policy from scratch or by using a template 
    4. If you would like to perform the implementation yourself and you’re using Microsoft Entra ID Free, turn on security defaults. Note: Security defaults and Conditional Access can’t be used side by side. Enable security defaults 
    ", + "remediationImpact": "Users accessing apps that don't support modern authentication will no longer be able to access them with this policy enabled.", + "service": "AzureAD", + "threats": [ + "Password Cracking", + "Account Breach" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "CustomerLockBoxEnabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2095515", + "controlCategory": "Apps", + "title": "Ensure the customer lockbox feature is enabled", + "deprecated": false, + "implementationCost": "Moderate", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 127, + "remediation": " Turn on customer lockbox by:
    1. Using a work or school account that has either the global administrator or the Customer Lockbox access approver role assigned, go to https://admin.microsoft.com and sign in.
    2. Choose Settings > Org Settings.
    3. Select Security & Privacy > Customer Lockbox > Edit, and then move the toggle to On or Off to turn the feature on or off.
    ", + "remediationImpact": "Until the request is approved, the Microsoft engineer will not be granted access to customer data.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Data Deletion", + "Data Spillage" + ], + "tier": "Advanced", + "userImpact": "Moderate", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "dlp_datalossprevention", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://compliance.microsoft.com/datalossprevention?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Data", + "title": "Ensure DLP policies are enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "\n Ensure that at least one Microsoft 365 DLP policy exists in the Microsoft 365 Compliance portal\n
    \n Learn more\n \n ", + "remediationImpact": "Unknown", + "service": "MIP", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_individualsharing", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/sharing", + "controlCategory": "Apps", + "title": "Ensure 'External sharing' of calendars is not available", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "
      \n
    1. In the Microsoft 365 Exchange admin center, go to Organization > Sharing.
    2. \n
    3. Under Individual Sharing, make sure all policies are unticked.
    4. \n
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailboxaudit", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-mailboxes?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure mailbox auditing for all users is Enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable mailbox auditing for all users:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:
      Set-OrganizationConfig -AuditDisabled $false
    3. For each unconfigured MailBox of type Resource Mailboxes, Public Folder Mailboxes or DiscoverySearch Mailbox run:
      Get-Mailbox -Filter \"Name -eq 'MailBox name'\" | Set-Mailbox -AuditEnabled $true
    ", + "remediationImpact": "Unknown", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_mailtipsenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips", + "controlCategory": "Apps", + "title": "Ensure MailTips are enabled for end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable MailTips, use the Exchange Online PowerShell Module:

    1. Run Microsoft Exchange Online PowerShell Module
    2. Connect using "Connect-ExchangeOnline"
    3. Run the following PowerShell command:

    Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold '25'


    ", + "remediationImpact": "Setting up MailTips gives a visual aid to users when they send emails to large groups of recipients or send emails to recipients not within the tenant.", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_oauth2clientprofileenabled", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online?redirectSourcePath=%252fen-us%252farticle%252fenable-or-disable-modern-authentication-in-exchange-online-58018196-f918-49cd-8238-56f57f38d662", + "controlCategory": "Apps", + "title": "Ensure modern authentication for Exchange Online is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To enable modern authentication, use the Exchange Online PowerShell Module:

    1. Run the Microsoft Exchange Online PowerShell Module.
    2. Connect to Exchange Online using \"Connect-ExchangeOnline.\"
    3. Run the following PowerShell command: Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    ", + "remediationImpact": "Users of older email clients, such as Outlook 2013 and Outlook 2016, will no longer be able to authenticate to Exchange using Basic Authentication, which will necessitate migration to modern authentication practices.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_outlookaddins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure users installing Outlook add-ins is not allowed", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To prohibit users installing Outlook add-ins:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Roles select User roles.
    3. Select Default Role Assignment Policy.
    4. In the properties pane on the right click on Manage permissions.
    5. Under Other roles uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps.
    6. Click Save changes.

    Note - This security control will take into account only the default policy. It is suggested to set the above for all the policies.

    ", + "remediationImpact": "Implementing this change will impact both end users and administrators. End users will be unable to integrate third-party applications they desire, and administrators may receive requests to grant permission for necessary third-party apps

    ", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_SPF_records_for_all_domains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide", + "controlCategory": "Apps", + "title": "Ensure that SPF records are published for all Exchange Domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    follow the instructions on Set up SPF to help prevent spoofing - Office 365 | Microsoft Learn 

    ", + "remediationImpact": "None.", + "service": "EXO", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": null, + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_storageproviderrestricted", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.microsoft.com/en-us/topic/3rd-party-cloud-storage-services-supported-by-office-apps-fce12782-eccc-4cf5-8f4b-d1ebec513f72", + "controlCategory": "Apps", + "title": "Ensure additional storage providers are restricted in Outlook on the web", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Restrict additional storage providers are restricted using PowerShell:

    1. Connect to Exchange Online using Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false
    3. Run the following Powershell command to verify that the value is now False:

      Get-OwaMailboxPolicy | Format-Table Name, AdditionalStorageProvidersAvailable
    ", + "remediationImpact": "Impact associated with this change is highly dependent upon current practices in the tenant. If users do not use other storage providers, then minimal impact is likely. However, if users do regularly utilize providers outside of the tenant this will affect their ability to continue to do so", + "service": "EXO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "exo_transportrulesallowlistdomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://admin.exchange.microsoft.com/#/transportrules", + "controlCategory": "Apps", + "title": "Ensure Spam confidence level (SCL) is configured in mail transport rules with specific domains", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    To modify SCL in mail transport rules so they do not allow any specific domains:

    1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.
    2. Click to expand Mail Flow and then select Rules.
    3. For each rule that allows specific domains, set the spam confident level (SCL) to 0 or greater.
      • In \"Do the following\" section, select \"Modify the message properties\" and \"set the spam confidence level (SCL)\" and set to at least 0 (specifying the action for this domain, read more in the references attached below, some options may entirely block mail from this domain).

    References:

    1. Spam confidence level | Microsoft Learn
    2. Best practices for configuring mail flow rules in Exchange Online | Microsoft Learn
    3. Mail flow rules (transport rules) in Exchange Online | Microsoft Learn
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case allow-listing. Modifying allow-listed domains could affect incoming mail flow to an organization although modern systems sending legitimate mail should have no issue with this. Note - While specifying the action for each domain, some options may entirely block mail from this domain", + "service": "EXO", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "forms_phishing_protection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-US/microsoft-forms/review-unblock-forms-users-detected-blocked-potential-phishing", + "controlCategory": "Apps", + "title": "Ensure internal phishing protection for Forms is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To enable internal phishing protection for Forms:

    1. Navigate to Microsoft 365 admin center https://admin.microsoft.com.
    2. 2. Click to expand Settings then select Org settings.
      3. Under Services select Microsoft Forms.
      4. Click the checkbox labeled Add internal phishing protection under Phishing protection.
      5. Click Save.
    ",
+ "remediationImpact": "If potential phishing was detected, the form will be temporarily blocked and cannot be distributed and response collection will not happen until it is unblocked by the administrator or keywords were removed by the creator.",
+ "service": "FORMS",
+ "threats": [
+ "Data Exfiltration",
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "IntegratedApps",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://go.microsoft.com/fwlink/?linkid=2119526",
+ "controlCategory": "Identity",
+ "title": "Ensure user consent to apps accessing company data on their behalf is not allowed",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 35,
+ "remediation": "
    1. Go to Microsoft Entra ID > Enterprise applications > Consent and permissions. Go to Consent and permissions 
    2. Select “Allow user consent for apps from verified publishers, for selected permissions (Recommended)“ to follow Microsoft’s best practice. Learn more 
    3. Configure the low-impact permissions that users are allowed to consent to. Click “Select permissions to classify as low impact”. Learn more 
    4. Optionally, you can help your users to consent to apps that require admin consent by setting up the admin consent workflow. This step is recommended but not required to get full score. Learn how to configure the admin consent workflow 
    ",
+ "remediationImpact": "When the consent policy is triggered, users cannot consent to unreliable apps. However, if the admin consent request is configured, it gives admins a secure way to review apps before granting access.",
+ "service": "AzureAD",
+ "threats": [
+ "Data Exfiltration",
+ "Data Spillage"
+ ],
+ "tier": "Defense In Depth",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_AV_firewall_enabled",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that devices connecting have AV and a local firewall enabled",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that devices connecting have AV and a local firewall enabled, use the Microsoft Intune admin center

    1. Select Endpoint Manager under Admin Centers
    2. Select Devices, then under Policy select Compliance Policies.
    3. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate machine (PC/MAC) Platform.
      2. Click on the policy name.
      3. Under Configuration settings click Edit.
      4. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    4. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. Under Device Security set the values for Firewall, Antivirus, and Antispyware all to Require (Depending on the platform chosen, some configurations may be hidden). 
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_conection_from_jail_broken_rooted_devices",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that users cannot connect from devices that are jail broken or rooted",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that users cannot connect from devices that are jail broken or rooted, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Compliance Policies.
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform.
      2. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block
    3. In case there are existing policies -
      1. Under Settings and Device Health ensure that Jailbroken devices (for iOS devices) or Rooted devices (for Android devices) are set to Block

    To comply, all relevant mobile policies should be set this way.",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_advanced_security_configuration",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile device management policies are set to require advanced security configurations",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles 
    2. Select Create profile to create a new profile.
    3. Select the appropriate Platform (iOS or Android).
      • Choose, based on your organization's needs, the desired settings from the configuration screens.
      • Note that the condition to comply is the mere existence of such profile, the specific settings should be decided according to your organization's needs.
    4. To comply, there should be at least one configuration policy for mobile devices.
    5. It is suggested to create two policies for both iOS and Android.
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_complex_password_alphanumeric",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require complex passwords (Type = Alphanumeric)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device complex password profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Required password type is set to Alphanumeric
    3. If the are existing policies, per each policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Required password type is set to Alphanumeric

    Note: The required value to comply is not the default value.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_complex_password_simple_password_blocked",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require complex passwords (Simple Passwords = Blocked)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose MacOS in the Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Simple Passwords is set to Blocked
    3. If there are existing policies, per each MacOS policy -
      1. Click on the policy name.
      2. Under Configuration settings click Edit.
      3. In the Password section, ensure that Simple Passwords is set to Blocked

    Note: this setting is only for MacOS policies.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_device_encryption",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Encryption is set to Require
    3. If the are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Encryption is set to Require

    Note: To comply, there should be at least one device configuration for Android with device password encryption.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_device_lock_after_inactivity",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure devices lock after a period of inactivity to prevent unauthorized access",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center:

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Profile.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that -
        1. For iOS/Mac devices - Maximum minutes after screen lock before password is required is set to Immediately.
        2. For all other types of devices Maximum minutes of inactivity until screen lock is set to 5
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_email_profiles_requirement",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile device management policies are required for email profiles - iOS/iPadOS only",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Compliance policies
    2. For all the policies that are applied to \"iOS/iPadOS\" complete the following
      1. Select the policy by clickin on its name.
      2. Under Manage select Properties
      3. Select Edit next to Compliance settings
      4. Under Email ensure that Unable to set up email on the device is set to Require
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_minimum_password_length",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices require a minimum password length to prevent brute force attacks",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that mobile devices require a complex password, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Minimum password length is set to 6.
    3. In case there are existing policies -
      1. Per each policy, in the Password section, ensure that Minimum password length is set to 6.

    Note: The required value to comply is not the default value.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_never_expires_password",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile devices are set to never expire passwords",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure that mobile devices are set to never expire passwords:

    1. Use the Microsoft Intune admin center
    2. Select Devices, then under Policy.
    3. select Configuration profiles Review the list of profiles.
    4. From there, go to the device policies page to remove any device security policies that expire passwords.

    Note: The default configuration is sufficient.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_password_requirement",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile devices require the use of a password",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device management profiles, use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and under Profile type select Device restrictions.
      2. Click on the new policy name.
      3. Under Configuration settings click Edit.
      4. In the Password section, ensure that Password is set to Require.  
    3. If there are existing policies, per each policy -
      1. Select the policy by clicking on it.
      2. Select Edit next to Configuration settings.
      3. In the Password section, ensure that Password is set to Require.  
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_mobile_password_reused_prohibited",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-configure",
+ "controlCategory": "Apps",
+ "title": "Ensure that mobile device password reuse is prohibited",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To set mobile device password reuse is prohibited, go to the Microsoft Intune admin center

    1. Select Devices and then under Policy select Configuration profiles.
    2. If there are no configurations -
      1. select Create profile.
      2. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      3. In the Password section, ensure that Prevent reuse of previous passwords is set to 5 or above
    3. If there is existing configuration -
      1. Select the policy by clicking on its name.
      2. Click Edit next to Configuration settings.
      3. Under Password change Prevent reuse of previous passwords and set to 5 or above
    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "intune_wipe_on_multiple_signin_failures",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create",
+ "controlCategory": "Apps",
+ "title": "Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 10,
+ "remediation": "

    To ensure mobile devices are set to wipe on multiple sign-in failures , use the Microsoft Intune admin center

    1. Select Devices, then under Policy select Configuration profiles 
    2. If there are no policies, select Create Policy.
      1. Set a Name for the policy, choose the appropriate Platform and select Device restrictions.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.
    3. In case there are existing policies -
      1. For each policy, Select by clicking on the name.
      2. In the Password section, ensure that Number of sign-in failures before wiping device is set to 10.

    Note: This option is not available for all types of devices.

    ",
+ "remediationImpact": "Unknown",
+ "service": "Intune",
+ "threats": [
+ "Account breach"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "mcas_mda_enabled",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://learn.microsoft.com/en-us/defender-cloud-apps/get-started",
+ "controlCategory": "Apps",
+ "title": "Ensure Microsoft Defender for Cloud Apps is enabled and configured",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 5,
+ "rank": 10,
+ "remediation": "

    Enable Defender for Cloud Apps by the following instructions: https://learn.microsoft.com/en-us/defender-cloud-apps/get-started

    ",
+ "remediationImpact": "None.",
+ "service": "MCAS",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration"
+ ],
+ "tier": "Core",
+ "userImpact": null,
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCloudAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/discovery/create",
+ "controlCategory": "Apps",
+ "title": "Create an app discovery policy to identify new and trending cloud apps in your org ",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 3,
+ "rank": 75,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the App discovery policy page.
    2. Select the policy severity.
    3. Select filters according to your business requirements, then select the reports this policy will apply to.
    4. (Optional) Configure alerts settings such as email and text messages notifications.
    5. (Optional) Configure governance actions to tag apps.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasCutomActivityPolicy",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/activity/create",
+ "controlCategory": "Apps",
+ "title": "Create a custom activity policy to get alerts about suspicious usage patterns",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 2,
+ "rank": 80,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Create activity policy page.
    2. Select the policy severity.
    3. Configure filters according to your business requirements.
    4. (Optional) Configure alert settings such as email and text message notifications.
    5. (Optional) Configure governance actions as required.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasFirewallLogUpload",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/settings?tabid=discovery-autoUpload",
+ "controlCategory": "Apps",
+ "title": "Deploy a log collector to discover shadow IT activity",
+ "deprecated": false,
+ "implementationCost": "Moderate",
+ "lastModifiedDateTime": null,
+ "maxScore": 1,
+ "rank": 82,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the Automatic log upload page.
    2. In the Data sources tab, select Add data source to create a data source for your appliance.
    3. In the Log collector tab, select Add log collector to add a new one.
    4. Follow the instructions provided to deploy Docker and the log collector container.
    ",
+ "remediationImpact": "This change has no known impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Data Exfiltration"
+ ],
+ "tier": "Advanced",
+ "userImpact": "Low",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "McasOAuthAppNotification",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://security.microsoft.com/cloudapps/policy/app-permission/create",
+ "controlCategory": "Apps",
+ "title": "Create an OAuth app policy to notify you about new OAuth applications",
+ "deprecated": false,
+ "implementationCost": "Low",
+ "lastModifiedDateTime": null,
+ "maxScore": 4,
+ "rank": 57,
+ "remediation": "
    1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
    2. Select the policy severity and application (if relevant).
    3. Select filters according to your business requirements.
    4. (Optional) Configure alerts settings such as email and text message notifications.
    5. (Optional) Configure governance actions to revoke the app.
    ",
+ "remediationImpact": "This change will have a moderate impact on your users.",
+ "service": "MCAS",
+ "threats": [
+ "Account Breach",
+ "Elevation of Privilege",
+ "Malicious Insider"
+ ],
+ "tier": "Defense In Depth",
+ "userImpact": "Moderate",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_EnableTwoFactorAuth",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/enforce-two-step-verification/",
+ "controlCategory": "Apps",
+ "title": "Enable multi-factor authentication (MFA)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    To require two-step verification from an authentication policy:

    1. Go to admin.atlassian.com.

    2. Select your organization if you have more than one.

    3. Select Security > Authentication policies.

    4. Select Edit for the policy you want to modify.

    5. On the Settings page, select Mandatory for \"Two-step verification\".

    • All policies must be configured this way to comply.
    ",
+ "remediationImpact": "This setting enforces multi-factor authentication for all Atlassian users.",
+ "service": "MDA_Atlassian",
+ "threats": [
+ "Account breach",
+ "Data Exfiltration",
+ "Password Cracking"
+ ],
+ "tier": "Core",
+ "userImpact": "Unknown",
+ "vendorInformation": {
+ "provider": "SecureScore",
+ "providerVersion": null,
+ "subProvider": null,
+ "vendor": "Microsoft"
+ },
+ "complianceInformation": [],
+ "controlStateUpdates": [
+ {
+ "assignedTo": null,
+ "comment": null,
+ "state": "Default",
+ "updatedBy": null,
+ "updatedDateTime": null
+ }
+ ]
+ },
+ {
+ "id": "MDA_Atlassian_ForceSSO",
+ "azureTenantId": "12345678-1234-1234-1234-1234567890abcd",
+ "actionType": "Config",
+ "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/configure-saml-single-sign-on/",
+ "controlCategory": "Apps",
+ "title": "Enable Single Sing On (SSO)",
+ "deprecated": false,
+ "implementationCost": "Unknown",
+ "lastModifiedDateTime": null,
+ "maxScore": 7,
+ "rank": 10,
+ "remediation": "

    Copy details from your identity provider to your Atlassian organization

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Identity providers.

    3. Select your identity provider Directory.

    4. Select Set up SAML single sign-on.

    5. Add SAML details.

    6. Save SAML configuration.

    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all Atlassian users.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To select an idle session duration from an authentication policy:

    1. Go to admin.atlassian.com. Select your organization if you have more than one.

    2. Select Security > Authentication policies.

    3. Select Edit for the policy you want to modify.

    4. On the Settings page, select length of time for Idle session duration.

    5. The value should be equal to or lower than 2 hours.
    ", + "remediationImpact": "When you save changes to the session duration, users don't get logged out of their accounts. The new idle session duration will apply the next time a user logs in.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_access", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App access requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Block compromised devices.
    • Require data encryption.
    • Require biometric authentication or a device passcode.
    1. Note that all the three options must be checked in order to comply.
    2. Note that the 'minimum OS version' is not mandatory for this control, but the recommendation is to set it to the latest.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_dataprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - App data protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Mark all the three options:
    • Disable sharing, saving or backing up content from the mobile app.
    • Disable screenshots and screen recording of the mobile app.
    • Disable cutting or copying content from the mobile app.
    1. Note that all the three options must be checked in order to comply.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_mobile_UsersAffected", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/security-and-access-policies/docs/mobile-policy-mam-security-controls-and-supported-apps/", + "controlCategory": "Apps", + "title": "Atlassian mobile app security - Users that are affected by policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set this policy:

    1. Go to Security and Mobile app policy in the Atlassian admin dashboard.
    2. Click on \"Create mobile app policy\" or \"edit\" (in case a policy already exists).
    3. Set the policy to apply to \"All users with access to your organization's products\"
    ", + "remediationImpact": "If your policy applies to all users - both managed and unmanaged - within your organization, including any new users that are added after the policy is created.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Atlassian_passwordExpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.atlassian.com/opsgenie/docs/enable-password-policies/", + "controlCategory": "Apps", + "title": "Enable Password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set this policy:

    In Atlassian admin dashboard Go to Security and Authentication policies for every policy select edit and go to \"Passwords expire every\", check it and set the day to 30 days or lower.

    ", + "remediationImpact": "See learn more link.", + "service": "MDA_Atlassian", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#two-step-verification", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Two-step verification" set the option on.
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_ForceSSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#single-sign-on-sso", + "controlCategory": "Apps", + "title": "Enable Single Sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Single sign-on / SAML 2.0 Configuration" set the option on.
    ", + "remediationImpact": "This setting enforce Single Sign On (SSO) for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Authentication" set "log inactive users out after" at least 1 hour.
    ", + "remediationImpact": "This setting enforce Session time out for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailLockoutSecs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Lockout timer", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least three hundred in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out time configuration for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_LoginFailMaxAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#login-and-security-policy", + "controlCategory": "Apps", + "title": "Enhance 'login maximum attempts' - Number of attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Login & Security Policy".
    3. In "Account lock-out configuration" and set at least five in "failed log in attempts".
    ", + "remediationImpact": "This setting enforce Account lock-out configuration when incorrect logging attempts occurs for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 8 in password minimum characters.
    ", + "remediationImpact": "This setting enforce minimum characters length for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumNumeric", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum numeric characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in number characters.
    ", + "remediationImpact": "This setting enforce minimum numeric characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_MinimumSpecialCharacters", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password minimum special characters", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 1 in special characters.
    ", + "remediationImpact": "This setting enforce minimum special characters for password for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_CitrixSF_PasswordMaxAgeDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.citrix.com/en-us/sharefile/configure/admin-settings/security.html#password-requirements", + "controlCategory": "Apps", + "title": "Enable password expiration policies", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Citrix | Share file dashboard-

    1. Go to "Settings>Admin Settings".
    2. Go to "Security>Password Requirements".
    3. In "Requirements" set at least 90 in "The password expires after".
    ", + "remediationImpact": "This setting enforce password expiry time in days for all Citrix Share File users.", + "service": "MDA_CitrixSF", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=yfn1583277328637.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Login Requirements" -
      1. Minimum password length of 9 characters.
      2. Password must include at least: 
        1. At least one uppercase character.
        2. At least one lowercase character.
        3. At least one digit.
        4. At least one special character (!, @, #...).
      3. Have a minimum password age of 8 days.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=lut1644434676152.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In DocuSign dashboard - 

    1. Go to Account > Security setting in the side panel.
    2. In Password Security, click on "Show Password Rules" button.
    3. In the pop-up window, set "Days until password expires" to 180 days.
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_DocuSign_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=pik1583277475390&topicId=tuw1583277327743.html&_LANG=enus", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In DocuSign dashboard -

    1. Go to Account > Security setting in the side panel.
    2. Set "Web App Session Timeout (minutes)" up to 120 minutes.
    3. Set "Mobile App Session Timeout (minutes)" up to 120 minutes.
    4. " Suppress In Session Certificate Enforcement" option must be set to false.
    ", + "remediationImpact": "This setting enforce session timeout for all DocuSign web users.", + "service": "MDA_DocuSign", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Dropbox_InactiveTimeoutMins", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.dropbox.com/help/business/web-session-control", + "controlCategory": "Apps", + "title": "Enable web session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    How to require session policies for Dropbox users

    1. Sign in to dropbox.com with your admin credentials.
    2. Click Admin Console.
    3. Click Settings.
    4. Under Additional Settings, click Web session control.
    5. Set the setting next to Fixed session length to 1 week or less.
    6. It is also suggested, but not mandatory for compliance, to set the setting next to Idle session length to 30 minutes or less.
    7. Click Save changes.
    ", + "remediationImpact": "Once configured, some users may be automatically logged out and will be asked to log back in to Dropbox.", + "service": "MDA_Dropbox", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_DependencyInsights", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/changing-the-visibility-of-your-organizations-dependency-insights", + "controlCategory": "Apps", + "title": "Disable 'Allow members to view dependency insights'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to view dependency insights" option in the "Member organization permissions" section.


    ", + "remediationImpact": "This setting blocks users from seeing dependencies insights for their repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_EmailNotificationRestrictedToVerifiedOrApprovedDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise", + "controlCategory": "Apps", + "title": "Enabled 'email notification delivery for this enterprise is restricted to verified or approved domains'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Verified & approved domains.
    3. Add a new domain and verify it.
    4. Check "Restrict email notifications to only approved or verified domains." option.


    ", + "remediationImpact": "This setting restricts email notifications only to verified or approved domains.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_IPallowListConfigurationForOrgResources", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization", + "controlCategory": "Apps", + "title": "Enforce IP allow list configuration for org resources", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Enable IP allow list configuration for installed GitHub Apps" option.


    ", + "remediationImpact": "This setting blocks users to login from specific IP addresses.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Security > Authentication security.
    3. Check "Require two-factor authentication" option.


    ", + "remediationImpact": "This setting enforce multi factor authentication for all GitHUb users.", + "service": "MDA_GitHub", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_OutsideCollabInvitation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators", + "controlCategory": "Apps", + "title": "Disable 'Allow repository administrators to invite outside collaborators to repositories for this organization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow repository administrators to delete issues for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories admins to add outside collaborators.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PrivateRepositoryForkingSetting", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/managing-the-forking-policy-for-your-organization", + "controlCategory": "Apps", + "title": "Disable private repository forking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow forking of private and internal repositories" option.


    ", + "remediationImpact": "This setting disable users to fork private repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_PublicRepoCreation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-creation-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Members will be able to create public repositories, visible to anyone'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Public" option in the "Repository creation" section.


    ", + "remediationImpact": "This setting blocks users from creating public repositories.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoTransferOrDeletion", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/setting-permissions-for-deleting-or-transferring-repositories", + "controlCategory": "Apps", + "title": "Disable 'members with admin permissions for repositories can delete or transfer repositories'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to delete or transfer repositories for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks repositories transferring and deletion.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_RepoVisibility_change", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization", + "controlCategory": "Apps", + "title": "Disable 'Allow members to change repository visibilities for this organization'", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. In top right corner of GitHub, click your profile photo, then click Your organizations > Next to the organization, click Settings.
    2. Go to Access > Member privileges.
    3. Disable "Allow members to change repository visibilities for this organization" option in the "Admin repository permissions" section.


    ", + "remediationImpact": "This setting blocks users from changing repositories visibility (public/ private access).", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_GitHub_SAML", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/about-authentication-with-saml-single-sign-on", + "controlCategory": "Apps", + "title": "Enable single sign on (SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    On GitHub Enterprise organization page-

    1. Go to Settings > Organization security
    2. Select Enable SAML authentication
    3. Fill the fields with the values found in the Admin Portal
    ", + "remediationImpact": "This setting enforce Single Sing On (SSO) for all GitHub users.", + "service": "MDA_GitHub", + "threats": [ + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Google_EnableTwoFactorAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.google.com/a/answer/175197?hl=en&fl=1&sjid=9841521343371348963-NA", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication (MFA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    Ensure password expiry policy for Google -

    1. Navigate to Google admin center - http://admin.google.com/
    2. Click Security > Password Management.
    3. Chcek Allow users to turn on 2-Step Verification.
    4. Check On under Enforcement.
    5. Click Save.

    Follow steps 3-4 for every organizational unit.

    ", + "remediationImpact": "

    Follow the guideline.

    ", + "service": "MDA_Google", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_NetDocuments_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.netdocuments.com/s/article/205220410", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in netDocuments", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "How does an organization start using federated identity with NetDocuments?

    1. In the upper-right corner, select your name > Admin > repository name. In the Navigation Pane, select Security Center Advanced Authentication.
    2. The Advanced Authentication Configuration page has a section titled Federated Identity. Choose the type of federated identity server you will use and configure it.
    3. Note: In order to comply with this control, at least 80% of the users must be using SSO.
    ", + "remediationImpact": "See learn more link.", + "service": "MDA_NetDocuments", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_EnhancedPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-policy", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional complexity requirement options.
    4. Lower case, letter Upper case, letter Number (0-9), Symbol (e.g., !@#$%^&*), Does not contain part of username, Does not contain first name and Does not contain last name.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#multifactor-mfa-enrollment-policy", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Multifactor panel.
    2. Go to \"Factor Enrollment\" and select \"Add Multifactor Policy\".
    3. Note: In order to comply, you must configure default policies as \"required\" (\"optional\" is not sufficient).
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_PasswordExpires", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#password-object", + "controlCategory": "Apps", + "title": "Password expiry requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    In Okta's dashboard - 

    1. Go to Security > Authentication panel.
    2. Under the "Password" tab. 
    3. Select "Edit" the policy and check the additional Password age options -
      1. Enforce password history for last [Minimum of 3] passwords.
      2. Minimum password age is [Minimum of one day].
      3. Password expires after [Minimum of 180 days] days.
      4. Prompt user [Minimum of five days] days before password expires.
      5. Lock out user after [Maximum of 5 attempts] unsuccessful attempts.
      6. Account is automatically unlocked after [Minimum of 15] minutes
    ", + "remediationImpact": "This settings specified password expiry requirements.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Okta_SessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://developer.okta.com/docs/reference/api/policy/#global-session-policy", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    In Okta's dashboard -

    1. Go to Security > Authentication panel.
    2. Go to "Sign On"
      1. If there isn't a policy - select "Add New Okta Sing-on Policy".
      2. If a policy exists - select "Add rule "
    3. In the window, go to "Session management" and set the properties as following -
      1. Maximum Okta session lifetime to 30 days or below.
      2. Expire session after user has been idle on Okta for 120 minutes or below.
      3. Persist session cookies across browser sessions to Disable.
    ", + "remediationImpact": "This setting enforce Session time out for all Okta users.", + "service": "MDA_Okta", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_disableProtocolSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://portal.cloudappsecurity.com/#/connected-apps?tab=appConnectors", + "controlCategory": "Apps", + "title": "Remote Site", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "", + "remediationImpact": "Unknown", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableAdminLoginAsAnyUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.controlling_login_access.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Administrators Can Log In As Any User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Login Access Policies in the Quick Findbox, then select Login Access Policies.
    2. Deselect Administrators Can Log in as Any User.", + "remediationImpact": "You users must grant access before admins can log into their users.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Elevation of Privilege", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCacheAndAutocomplete", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Disable Caching and Autocomplete on Login Page via Session settings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Uncheck Enable caching and autocomplete on login page.", + "remediationImpact": "If enabled, after initial login, usernames are automatically populated into the Username field on the login page. If the user selects Remember me on the login page, the username persists after the session expires or the user logs out. The username also displays on the Switcher.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupSFDC", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for non-Setup for Salesforce pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for non-Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUser", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with standard headers", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with standard headers.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackNonsetupUserHeaderless", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for customer VisualForce pages with headers disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable clickjack protection for customer Visualforce pages with headers disabled.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableClickjackSetup", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable clickjack protection for Setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Under Clickjack Protection, select Enable clickjack protection for Setup pages.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableContentSniffingProtection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Sniffing protection", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Content Sniffing protectio.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSPOnEmail", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable Content Security Policy protection for email templates", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable Stricter Content Security Policy.", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnGet", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on GET requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on GET requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableCSRFOnPost", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enable CSRF protection on POST requests on non-setup pages", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enable CSRF protection on POST requests on non-setup pages..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableMultipleSamlConfigs", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.salesforce.com/mfa-requirement-check", + "controlCategory": "Apps", + "title": "Require identity verification during multi-factor authentication (MFA) registration", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 33, + "remediation": "From Setup, in the Quick Find box, enter Identity, and then click Identity Verification. 
Make sure the field: \"Require identity verification during multi-factor authentication (MFA) registration\" is enabled.", + "remediationImpact": "When you register and challenge your users for MFA, they will be prompted to authenticate with a second factor when accessing an application or other resource.", + "service": "MDA_SF", + "threats": [ + "Password cracking", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enableSMSIdentity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Let users verify their identity by text (SMS)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Let users verify their identity by text (SMS).", + "remediationImpact": "Salesforce challenges users to verify with text message their identity when they log in from an unrecognized browser or device or an IP address outside of a trusted range. ", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_enforceIpRangesEveryRequest", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce login IP ranges on every request", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Enforce login IP ranges on every request.", + "remediationImpact": "You users will be logout if try to perform an activity outside the IP ranges defined in Salesforce settings.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceLogoutOnSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force logout on session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force logout on session timeout.", + "remediationImpact": "The browser refreshes and returns to the login page, and the user must log in again for access.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_forceRelogin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Force (admin) relogin after Login-As-User", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Force relogin after Login-As-Use..", + "remediationImpact": "Your users will not be impacted by this setting.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_identityConfirmationOnEmailChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.security_auth_setup_identity_verification.htm&type=5", + "controlCategory": "Apps", + "title": "Require identity verification for change of email address", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Identity, and then click Identity Verification.
    2. Select Require identity verification for email address changes.", + "remediationImpact": "User must login again before changing their email address.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_lockSessionsToDomain", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Lock sessions to the domain in which they were first used", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Lock sessions to the domain in which they were first used.", + "remediationImpact": "Your users cannot change their domain inside a session.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_maxLoginAttempts", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Maximum invalid login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Maximum invalid login attempts, select 3.", + "remediationImpact": "You users will be locked if they attemp to login with failure after 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_minimumPasswordLifetime", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Require a minimum 1 day password lifetime", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Require a minimum 1 day password lifetime.", + "remediationImpact": "Your users will not be able to change their password more than one time a day.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_complexity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password complexity requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password complexity requirement, select Must mix alpha, numeric, and special characters, or more complex.", + "remediationImpact": "Your users must have complexed passwords.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_expiration", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "User passwords expire in 90 days or less", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under User passwords expire in, select 90 days or less.", + "remediationImpact": "Your users must changed password every 90 days.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_historyRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Enforce password history", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Enforce password history, select 3 or more passwords rememebered.", + "remediationImpact": "Your users could not set new password that was already used in the last 3 times.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_lockoutInterval", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Lockout effective period", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Lockout effective period, select 30 minutes or more.", + "remediationImpact": "A locked-out user must wait until the lockout period expires. Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock a user from Setup.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_minimumPasswordLength", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Minimum password length", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Minimum password length, select 8 or more.", + "remediationImpact": "Your users must set passwword at least in this length.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_obscureSecretAnswer", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Obscure secret answer for password resets", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Select Obscure secret answer for password resets.", + "remediationImpact": "Your users will not see their answers to their security questions password reset when typing.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_questionRestriction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_password.htm&type=5", + "controlCategory": "Apps", + "title": "Password question requirement", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, enter Password Policies in the Quick Find box, then select Password Policies.
    2. Under Password question requirement, select Cannot contain password.", + "remediationImpact": "User will not be allowed to contain password in the password question.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_password_sessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Timeout Value to be 2 hours or less.", + "remediationImpact": "Users cannot have a session longer than the defined timeout value.", + "service": "MDA_SF", + "threats": [ + "Account breach", + "Data Exfiltration", + "Data Deletion", + "Malicious Insider" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SF_requireHttpOnly", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://help.salesforce.com/s/articleView?id=sf.admin_sessions.htm&type=5", + "controlCategory": "Apps", + "title": "Require HttpOnly attribute", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "1. From Setup, in the Quick Find box, enter Session Settings, then select Session Settings.
    2. Select Require HttpOnly attribut..", + "remediationImpact": "If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the AJAX Toolkit debugging window isn’t available.", + "service": "MDA_SF", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authenticateMultifactor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/multi-factor-authentication.html", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.authenticate.multifactor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Enabling this property requires from the user to have an extra layer of authentication.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredJson2", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-jsonv2-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing JSONv2 requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.jsonv2' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of JSON data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredSOAP", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/basic-auth-soap-requests.html", + "controlCategory": "Apps", + "title": "Enable enforcing SOAP requests with basic authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.soap' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "

    1. It performs authentication while retrieving data from tables/pages in the form of SOAP data on the instance.
    2. It restricts any guest users who are currently accessing this data.
    3. Create an account for a user who needs access to this content, with the necessary access control permissions.

    ", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_authRequiredUnl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/unload-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable unload request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.unl' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces a combination of authentication methods, in the form of basic authentication and system level access control. It performs this authentication while retrieving data from tables/pages in the form of unload data on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_cauthRequiredScriptedProcessor", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/script-request-authorization.html", + "controlCategory": "Apps", + "title": "Enable script request authorization", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.basicauth.required.scriptedprocessor' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the basic authentication while processing script requests on the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_concourseOnmessageEnforceSameOrigin", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enable-url-whitelist-for-cross-origin-iframe-communication.html", + "controlCategory": "Apps", + "title": "Enable URL allow list for cross-origin iframe communication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.concourse.onmessage_enforce_same_origin' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "If you do not inclusion list intended domains, the ability to embed other pages within Now Platform instances may be limited.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_enablePasswordPolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enforce-strong-passwords.html", + "controlCategory": "Apps", + "title": "Enable Password Reset Policy Checks", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.enable.password_policy' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting the property to true turns on password policy checks when a user resets their password.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_highSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/high-security-plugin.html", + "controlCategory": "Apps", + "title": "Enable high security plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.high_security' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This plugin enables several system security configurations, which may impact UI and functionality as well.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_httpCacheControl", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/cache-control-http-header-value.html", + "controlCategory": "Apps", + "title": "Set default cache-control HTTP header value to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.http.cache_control' as private.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "None.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_loginNoBlankPassword", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/disable-password-less-authentication.html", + "controlCategory": "Apps", + "title": "Disable password-less authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.login.no_blank_password' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Operations should not use blank passwords because it is viewed as a critical security risk. However, if there is a valid case for such usage, there is a possibility of an outage. Users with blank passwords wouldn't be able to log in to the instance.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_roleManagement", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/contextual-security.html", + "controlCategory": "Apps", + "title": "Enable Contextual Security: Role Management plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Navigate to System Applications > All Available Applications All.
    2. Find the 'com.glide.role_management' plugin using the filter criteria and search bar. 
    3. Click Install, and then in the Activate Plugin dialog box, click Activate. 
    ", + "remediationImpact": "This remediation enforces functional level of access controls, which would let application determine the access restrictions based on ACL table alone.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptCcsiIsPublic", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html", + "controlCategory": "Apps", + "title": "Set client-callable script includes to private", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.ccsi.ispublic' as false.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Privacy on client-callable script includes.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptSecureAjaxgliderecord", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/enabling-ajaxgliderecord-acl-checking.html", + "controlCategory": "Apps", + "title": "Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.secure.ajaxgliderecord' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces the ACL relationship with server-side records when the requests are made using the AJAXGlideRecord API calls. If the ACL configuration is not properly configured, then there is potential impact.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_scriptUseSandbox", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/client-generated-scripts-sandbox.html", + "controlCategory": "Apps", + "title": "Enable client generated scripts sandbox", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.script.use.sandbox' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "There is a potential impact if a user has customizations that include hard-coded JavaScript queries to perform CRUD operations.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_smDefaultMode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/default-deny.html", + "controlCategory": "Apps", + "title": "Enable default deny with new ACL rules", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    Set the following property 'glide.sm.default_mode' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Setting this prperty for deny value, will restrict the read, write, create, and delete operations on all tables, unless the user has the admin role or meets the requirements of another table ACL rule.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_sncUserLockoutCheck", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html", + "controlCategory": "Apps", + "title": "Enable managing failed login attempts", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Navigate to System Policy > Script Actions.
    2. Search for the name *SNC User.
    3. To enable management of failed login attempts, change the Active state of either the SNC User Lockout Check with Auto Unlock or SNC User Lockout Check scripts actions from false to true.
    4. To reset the failed login counter after a successful login, you can activate the SNC User Clear script action.
    ", + "remediationImpact": "This remediation would enable administrator of the instance to monitor and report any malicious user access.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapRequireContentTypeXml", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-content-type-checking.html", + "controlCategory": "Apps", + "title": "Enable SOAP content type checking", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.soap.require_content_type_xml' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables validation of SOAP content type for all the inbound SOAP requests. If you are using a content type other than text/xml for inbound requests, it may cause potential failure of SOAP transactions.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_soapStrictSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/soap-request-strict-security.html", + "controlCategory": "Apps", + "title": "Enable SOAP request strict security", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property ' glide.soap.strict_security' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "f there are users currently accessing this data, they are restricted/allowed to access the data based on the ACL rules.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_systemSecurity", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/security-jump-start-acl-rules.html", + "controlCategory": "Apps", + "title": "Activate security jump start (ACL rules) plugin", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "If this plugin is not activated on your instance, contact ServiceNow Support. Activating the plugin at this point might modify security access to tables already in use in a production environment. If an administrator is interested in the new ACL rules the plugin provides, you can manually create one or more of them in an existing instance if needed. This list of ACLs may be used as a guideline in that case.", + "remediationImpact": "There is significant functional impact if this plugin is installed without auditing of the existing ACLs on the instance. 
Customer is required to outreach ServiceNow before the remediation can occur.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_uiSessionTimeout", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/session-activity-timeout.html", + "controlCategory": "Apps", + "title": "Enable session activity timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.session_timeout' as 60 or below.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enforces timely expiration of user account.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_useCsrfToken", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/anti-csrf-token.html", + "controlCategory": "Apps", + "title": "Enable anti-CSRF token", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    Set the following property 'glide.security.use_csrf_token' as true.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "This remediation enables an extra validation step before the instance user submits a write request to the instance. Every write request contains a CSRF token (i.e a validation/CSRF ID tied to the user session). When the user session expires, the secure token expires with it.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_SNOW_userCookieMaxLifeSpanInDays", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://docs.servicenow.com/bundle/rome-platform-administration/page/administer/security/reference/absolute-session-timeout.html", + "controlCategory": "Apps", + "title": "Enable absolute session timeout", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "

    Set the following property 'glide.ui.user_cookie.max_life_span_in_days' below 180.

    For setting ServiceNow properties, see Add system property documentation.

    ", + "remediationImpact": "Forcing the user to relogin after specific days.", + "service": "MDA_SNOW", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Workplace_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://www.workplace.com/resources/tech/authentication/sso", + "controlCategory": "Apps", + "title": "Adopt SSO (Single sign on) in Workplace by Meta", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    In order to enable SSO authentication in Workplace you will need to:

    • Have access to your Identity Provider's configuration settings.
    • Have a System Administrator role assigned in Workplace.
    • Have a corresponding account in the Identity Provider with the same email as the Workplace user you are logged in with (i.e. which uses the same email address to authenticate both in Workplace and in the Identity Provider). This is essential to test SSO and complete Workplace configuration correctly.
    1. In the Admin Panel, select Security.
    2. Click on the Authentication tab.
    3. Check the Single Sign-On (SSO) checkbox.
    4. Click +Add New SSO Provider.
    5. Type in the values provided by your Identity Provider into the relevant fields: SAML URL, SAML Issuer URL, SAML Logout Redirect (Optional), SAML Certificate.
    6. Scroll to the bottom of the section and click the Test SSO button. This will result in a popup window appearing with your Identity Provider login page presented. Enter your credentials to authenticate.
    7. Once the test has been completed successfully, scroll to the bottom of the page and click Save button.
    8. If required, Configure SSO as the default authentication for new users by selecting SSO in the Default to new users drop-down.

    To comply with the control, the adoption rate must be above 80%.

    ", + "remediationImpact": "None.", + "service": "MDA_Workplace", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_AdminPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Block admins to set passwords", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To let administrators set passwords for users

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, verify Enable admins to set passwords is not selected.

      You must be the account owner to see this setting.

    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_BlockAccountAssumption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408824477082-Granting-Zendesk-temporary-access-to-assume-your-account", + "controlCategory": "Apps", + "title": "Block account assumption", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Account assumption tab, verify Enable account assumption is not checked.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_bypassIPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Block customers to bypass IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To Block customers to bypass IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. In IP Restrictions tab, verify Allowed IP Ranges is Enabled.
    3. Verify Allow customers to bypass IP restrictions is not checked.
    4. Click Save.
    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_EmailNotificationsforPassChange", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274-Managing-security-settings-in-Admin-Center#topic_a5b_q3v_gfb", + "controlCategory": "Apps", + "title": "Send a notification on password change for admins, agents, and end users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To send password-change notifications

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Passwords tab, select Email notifications.
    3. Click Save.
    ", + "remediationImpact": "End users will get email notifications when their passwords change.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_enableapp", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846407066-About-the-Zendesk-Support-mobile-app", + "controlCategory": "Apps", + "title": "Admins and agents can use the Zendesk Support mobile app", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Allow admins and agents can use the Zendesk Support mobile app

    1. In Admin Center, click Account in the sidebar, then select Security > More settings.
    2. On the Zendesk Support tab, Check Mobile app.
    3. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_IPrestrictions", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable IP restrictions", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    To set IP restrictions

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the IP Restrictions tab, select Enabled, then enter the Allowed IP Ranges you want to restrict.
    3. Click Save.

    For more information, see Restricting access to Zendesk Support using IP restrictions.

    ", + "remediationImpact": "Enabling IP-based access restrictions can break third-party integrations that access your account. Make sure to create an allowlist for all external IPs that access your account through the Zendesk APIs. Some integrations use variable IP addresses that can't be included in an allowlist. If you want to use these integrations, you must disable IP restrictions.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408826974874", + "controlCategory": "Apps", + "title": "Enable and adopt two-factor authentication (2FA)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To require two-factor authentication

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select Require two-factor authentication.
    3. Click Save.
    ", + "remediationImpact": "

    Team members who haven't set up 2FA will be required to do so next time they sign in to Zendesk. Password-based authentication to the Zendesk API is disabled when 2FA is required.

    Before enabling two-factor authentication, make sure you understand the following important considerations:

    • You can use two-factor authentication on the Zendesk website or with the Zendesk iOS or Android apps. However, the Zendesk REST API doesn't currently support two-factor authentication. See Using the API when 2-factor authentication is enabled in the Developers guide.
    • Requiring two-factor authentication disables password-based authentication to the Zendesk API.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_sessionexpiry", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408832533274-Understanding-your-Zendesk-session-time", + "controlCategory": "Apps", + "title": "Enable session timeout for users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "

    To set an inactivity time-out period

    1. In Admin Center, click Account in the sidebar, then select Security > Advanced.
    2. On the Authentication tab, select a session expiration period for team members and end users under Session expiration.
    3. Maximun valid value is 2 hours for both.
    4. Click Save.
    ", + "remediationImpact": "There are other technical differences and edge cases, but the main idea is that if a user is active, they will never be signed out. If they are inactive, the session will last as long as configured.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_SSO", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable external Authentication (google or microsoft or SSO)", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure External authentication is selected.
    3. follow the authentication steps.
    4. Click Save.
    ", + "remediationImpact": "See in learn more link.", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zendesk_ZanAuth", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zendesk.com/hc/en-us/articles/4408846853274", + "controlCategory": "Apps", + "title": "Enable Zendesk authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "

    To enable Zendesk authentication

    1. Open Admin Center, click Account in the sidebar, then select Security > Team member authentication.
    2. Make sure Zendesk Authentication is selected.
    3. Set the password security level High.
    4. Click Save.
    ", + "remediationImpact": "

    For Team memebers, the following conditions must be met before they can use Zendesk authentication:

    • Help center must be activated. Help center is the only publicly accessible side of Support and Chat for team members. See Getting started with Guide in the Support help center.
    • Team members must register. After registering, a team member is prompted to verify their email address and create a password, which the user can then use to sign in. See Requiring users to register in the Support help center.
    ", + "service": "MDA_Zendesk", + "threats": [ + "Account breach", + "Data Exfiltration", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_BlockDomains", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/4403624900109-Blocking-users-in-specific-domains", + "controlCategory": "Apps", + "title": "Block users in specific domains from joining meetings and webinars", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Block users in specific domains from joining meetings and webinars.
    5. Enter the domains that you want to block from joining meetings and webinars.
    6. Click the lock icon and then click Lock to confirm the setting.
    7. Click Save.
    ", + "remediationImpact": "This setting block users to signin from specific domains.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MeetingE2eEncryption", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings", + "controlCategory": "Apps", + "title": "Enforce end to end encryption in all Zoom meetings", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom web portal as an admin with the privilege to edit account settings.
    2. In the navigation panel, click Account Management then Account Settings.
    3. Click the Meeting tab.
    4. Under Security, enable Allow use of end-to-end encryption and then click Turn On to verify the change.
    5. For making this setting mandatory for all users in your account, click the lock icon, and then click Lock to confirm the setting.
    6. Under Security, choose the Default encryption type.
    7. Click Save.
    ", + "remediationImpact": "This setting enforce end to end encryption in all Zoom meetings.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_MFA", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication", + "controlCategory": "Apps", + "title": "Enable multi-factor authentication", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 7, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Make sure the Sign in with Two-Factor Authentication option is enabled.
    4. Select All users in your account. This will enable Two-Factor Authentication for all users.
    5. Click ‘Save’ to confirm your 2FA settings. 
    ", + "remediationImpact": "This setting enforce multi factor authentication for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_PasswordReq", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enhance password requirements", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 4, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Have a minimum password length with at least 10 characters.
    4. Enable Have at least 1 special character (!, @, #...).
    5. Enable
    6. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce enhanced password requirements in users' next signin.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutClient", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for client users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on Zoom client (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active client users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "MDA_Zoom_SessionTimeoutWeb", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://support.zoom.us/hc/en-us/articles/115005756143-Changing-account-security-settings", + "controlCategory": "Apps", + "title": "Enable session timeout for web users", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 6, + "rank": 10, + "remediation": "
    1. Sign in to the Zoom Dashboard 
    2. In the navigation menu, click Advanced, then Security. 
    3. Enable Set period for inactivity on the web (minutes) with maximum value of 120 minutes.
    4. Click ‘Save’ to confirm.
    ", + "remediationImpact": "This setting enforce logout for in-active web users for all Zoom users.", + "service": "MDA_Zoom", + "threats": [ + "Account breach", + "Data Exfiltration" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_allowedsenderscombined", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that no sender domains are allowed for anti-spam policies", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 2, + "rank": 128, + "remediation": "Remove all allowed domains and allowed senders from all your inbound anti-spam policies.", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_antiphishingpolicies", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that an anti-phishing policy has been created", + "deprecated": false, + 
"implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 10, + "remediation": "

    Note: Audit and Remediation guidance may focus on the Default policy however, if a
    Custom Policy exists in the organization's tenant then ensure the setting is set as
    outlined in the highest priority policy listed.


    To set the anti-phishing policy -

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand Email & collaboration select Policies & rules
    3. Select Threat policies.
    4. Under Policies select Anti-phishing.
    5. Select the Office365 AntiPhish Default (Default) policy and click Edit
      protection settings.
    6. Set the Phishing email threshold to at least 2 - Aggressive.
      1. Under Impersonation
        • Check Enable mailbox intelligence (Recommended).
        • Check Enable Intelligence for impersonation protection (Recommended).
      2. Under Spoof
        • Check Enable spoof intelligence (Recommended).
    7. Click Save.

    To create an anti-phishing policy using PowerShell:

    1. Connect to Exchange Online service using Connect-ExchangeOnline.
    2. Run the following Exchange Online PowerShell command:


    New-AntiPhishPolicy -Name \"Office365 AntiPhish Policy\"

    ", + "remediationImpact": "Turning on Anti-Phishing should not cause an impact, messages will be displayed when applicable", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach", + "Password Cracking" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_atpprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Microsoft Defender for Office 365 in SharePoint, OneDrive, and Microsoft Teams", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the following global tenant setting for ‘Safe Attachments’ is enabled:

    \n
      \n
    • Turn on the Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams
    • \n
    \n

    For detailed implementation instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams - Office 365 | Microsoft Docs.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_autoforwardingmode", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set automatic email forwarding rules to be system controlled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Automatic forwarding rules’ option set to recommended values which is “Automatic – System-controlled” or to “Off - Forwarding is disabled”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_blockmailforward", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rule-procedures?view=exchserver-2019&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure all forms of mail forwarding are blocked and/or disabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    NOTE: In this control, remediation is carried out in two stages - Step 1 is manual and will not be monitored automatically by secure score, whereas Step 2 is monitored automatically:

    STEP 1: Transport rules

    To alter the mail transport rules so they do not forward email to external domains, use the Microsoft 365 Admin Center:

    1. Select Exchange to open the Exchange admin center.
    2. Select Mail Flow then Rules.
    3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.

    To perform remediation you may also use the Exchange Online PowerShell
    Module:

    1. Connect to Exchange Online user Connect-ExchangeOnline.
    2. Run the following PowerShell command:

      Remove-TransportRule {RuleName}

    3. To verify this worked you may re-run the audit command as follows:

      Get-TransportRule | Where-Object {$_.RedirectMessageTo -ne $null} | ft
      Name,RedirectMessageTo


    STEP 2: Anti-spam outbound policy

    Configure an anti-spam outbound policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com/
    2. Expand E-mail & collaboration then select Policies & rules.
    3. Select Threat policies > Anti-spam.
    4. Select Anti-spam outbound policy (default)
    5. Click Edit protection settings
    6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save
    7. Repeat steps 4-6 for any additional higher priority, custom policies.
    ", + "remediationImpact": "Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users and in an organization. Any exclusions should be implemented based on organizational policy.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkspamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on bulk spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 3, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk complaint level (BCL) met or exceeded’ option set to “Move message to Junk Email folder”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_bulkthreshold", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the email bulk complaint level (BCL) threshold to be 6 or lower", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Bulk email spam action’ option enabled and the ‘Bulk email threshold’ option set to 6 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_commonattachmentsfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antimalwarev2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure the Common Attachment Types Filter is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Update your existing policies or create new ones to ensure that all users have an assigned anti-malware policy with the ‘Enable common attachments filter’ option turned on .

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_connectionfilter", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Don't add allowed IP addresses in the connection filter policy ", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    1. Open Anti-spam policies page in Microsoft 365 Defender portal
    2. Remove all allowed IP addresses from the default connection filter policy

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enabledomainstoprotect", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Enable impersonated domain protection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.\n
    \n
    \n We recommend adding sender domains that you frequently interact with, even if you don't own them.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_enablemailboxintelligence", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that mailbox intelligence is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ option enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencephishaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence phishing detection", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_highconfidencespamaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action to take on high confidence spam detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘High confidence spam message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotection", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure that intelligence for impersonation protection is enabled", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_mailboxintelligenceprotectionaction", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Move messages that are detected as impersonated users by mailbox intelligence", + "deprecated": false, + 
"implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled by either updating your existing policies or creating new ones.\n
    \n
    \n For those policies, ensure that the ‘If mailbox Intelligence detects an impersonated user’ option set to ‘Quarantine the message’ or ‘Move message to the recipients’ junk email folders’.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phishthresholdlevel", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antiphishing?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set the phishing email level threshold at 2 or higher", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "\n Ensure that all users have an assigned anti-phishing policy with the ‘Phishing email threshold’ option set to 2 or 3, by either updating your existing policies or creating new ones.\n ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_phisspamacation", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set action 
to take on phishing detection", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Phishing message action’ option set to “Quarantine message”, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_quarantineretentionperiod", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Retain spam in quarantine for 30 days", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned inbound anti-spam policy with the ‘Retain spam in quarantine for this many days’ option set to 30, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientexternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of external recipients that a user can email per hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy by setting the ‘Restrict sending to external recipients (per hour)’ option to a recommended values which is 500 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientinternallimitperhour", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set maximum number of internal recipients that a user can send to within an hour", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Restrict sending to internal recipients (per hour)’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_recipientlimitperday", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/antispam?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Set a daily message limit", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 1, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned outbound anti-spam policy with the ‘Maximum recipient limit per day’ option set to recommended values which is 1000 or lower, by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachmentpolicy", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide&tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Ensure Safe Attachments policy is enabled", + "deprecated": false, + "implementationCost": "Unknown", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 10, + "remediation": "

    To enable the Safe Attachments policy:

    1. Navigate to Microsoft 365 Defender https://security.microsoft.com.
    2. Click to expand E-mail & Collaboration select Policies & rules.
    3. On the Policies & rules page select Threat policies.
    4. Under Policies select Safe Attachments.
    5. Click + Create.
    6. Create a Policy Name and Description, and then click Next.
    7. Select all valid domains and click Next.
    8. Select Block.
    9. Quarantine policy is AdminOnlyAccessPolicy.
    10. Leave Enable redirect unchecked.
    11. Click Next and finally Submit.
    ", + "remediationImpact": "Delivery of email with attachments may be delayed while scanning is occurring.", + "service": "MDO", + "threats": [ + "Data Exfiltration", + "Account breach" + ], + "tier": "Core", + "userImpact": "Unknown", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safeattachments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Attachments in block mode", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 8, + "rank": 128, + "remediation": "

    Ensure that all users have an assigned ‘Safe Attachments’ policy in Block mode by either updating your existing policies or creating new ones.

    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + }, + { + "id": "mdo_safedocuments", + "azureTenantId": "12345678-1234-1234-1234-1234567890abcd", + "actionType": "Config", + "actionUrl": "https://security.microsoft.com/safeattachmentv2?tid=12345678-1234-1234-1234-1234567890abcd", + "controlCategory": "Apps", + "title": "Turn on Safe Documents for Office Clients", + "deprecated": false, + "implementationCost": "Medium", + "lastModifiedDateTime": null, + "maxScore": 5, + "rank": 128, + "remediation": "

    Ensure that the global tenant settings for ‘Safe Attachments’ are configured as follows:

    \n
      \n
    • ‘Turn on Safe Documents for Office clientsshould be Turned On
    • \n
    • ‘Allow people to click through Protected View even if Safe Documents identified the file as malicious’ should be Turned Off
    • \n
    ", + "remediationImpact": "Unknown", + "service": "MDO", + "threats": [], + "tier": "Core", + "userImpact": "High", + "vendorInformation": { + "provider": "SecureScore", + "providerVersion": null, + "subProvider": null, + "vendor": "Microsoft" + }, + "complianceInformation": [], + "controlStateUpdates": [ + { + "assignedTo": null, + "comment": null, + "state": "Default", + "updatedBy": null, + "updatedDateTime": null + } + ] + } + ] + }, + "enabledServices": [ + "HasOCAS", + "HasCLB", + "HasMDOP1", + "HasMDOP2", + "HasEXOP2", + "HasSPOP2", + "HasAADFree" + ], + "averageComparativeScores": [ + { + "basis": "AllTenants", + "averageScore": 54.65, + "appsScore": 29.65, + "appsScoreMax": 79, + "dataScore": 0.46, + "dataScoreMax": 3.27, + "deviceScore": 9.13, + "deviceScoreMax": 16.76, + "identityScore": 36.02, + "identityScoreMax": 59.42, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + }, + { + "basis": "TotalSeats", + "averageScore": 48.98, + "SeatSizeRangeLowerValue": "1", + "SeatSizeRangeUpperValue": "100", + "appsScore": 34.15, + "appsScoreMax": 94.46, + "dataScore": 0.5, + "dataScoreMax": 3.97, + "deviceScore": 6.87, + "deviceScoreMax": 12.65, + "identityScore": 34.16, + "identityScoreMax": 59.5, + "infrastructureScore": 0, + "infrastructureScoreMax": 0 + } + ], + "currentScore": 128, + "maxScore": 274, + "secureScores": { + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/secureScores" + } + } + } + ] + } + } +] \ No newline at end of file diff --git a/libs/hdf-converters/src/msft-secure-score-mapper.ts b/libs/hdf-converters/src/msft-secure-score-mapper.ts new file mode 100644 index 0000000000..f10faf3a3b --- /dev/null +++ b/libs/hdf-converters/src/msft-secure-score-mapper.ts 
@@ -0,0 +1,352 @@
+import {
+ SecureScore,
+ ControlScore,
+ SecureScoreControlProfile
+} from '@microsoft/microsoft-graph-types';
+import {ExecJSON} from 'inspecjs';
+import {version as HeimdallToolsVersion} from '../package.json';
+import {BaseConverter, ILookupPath, MappedTransform} from './base-converter';
+import * as _ from 'lodash';
+import {
+ conditionallyProvideAttribute,
+ DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
+} from './utils/global';
+
+export type ProfileResponse = {
+ '@odata.context': string;
+ '@odata.nextLink': string;
+ value: SecureScoreControlProfile[];
+};
+
+export type SecureScoreResponse = {
+ '@odata.context': string;
+ '@odata.nextLink': string;
+ value: SecureScore[];
+};
+
+export type CombinedResponse = {
+ secureScore: SecureScoreResponse;
+ profiles: ProfileResponse;
+};
+
+export class MsftSecureScoreResults {
+ data: CombinedResponse;
+ withRaw: boolean;
+
+ constructor(combinedJson: string, withRaw = false) {
+ this.data = JSON.parse(combinedJson);
+ this.withRaw = withRaw;
+ }
+
+ toHdf(): ExecJSON.Execution[] {
+ return this.data.secureScore.value.map((element) =>
+ new MsftSecureScoreMapper(
+ JSON.stringify({
+ secureScore: {
+ value: [element],
+ ..._.pick(this.data.secureScore, [
+ '@odata.context',
+ '@odata.context'
+ ])
+ },
+ profiles: this.data.profiles
+ }),
+ this.withRaw
+ ).toHdf()
+ );
+ }
+}
+
+export class MsftSecureScoreMapper extends BaseConverter {
+ withRaw: boolean;
+ rawData: CombinedResponse;
+ getProfiles: (controlName: string) => SecureScoreControlProfile[];
+
+ memoizedGetProfiles(): (controlName: string) => SecureScoreControlProfile[] {
+ const cache: Record = {};
+
+ return (controlName: string): SecureScoreControlProfile[] => {
+ if (Object.prototype.hasOwnProperty.call(cache, controlName)) {
+ return cache[controlName];
+ }
+ return (cache[controlName] = this.rawData.profiles.value.filter(
+ (profile) => profile.id === controlName
+ ));
+ };
+ }
+
+ mappings: MappedTransform<
+ ExecJSON.Execution & {passthrough: unknown},
+ ILookupPath
+ > = {
+ platform: {
+ name: 'Heimdall Tools',
+ release: HeimdallToolsVersion
+ },
+ version: HeimdallToolsVersion,
+ statistics: {},
+ profiles: [
+ {
+ name: 'Microsoft Secure Score Scan',
+ title: {
+ transformer: (data: SecureScore) =>
+ `Azure Secure Score report - Tenant ID: ${data.azureTenantId} - Run ID: ${data.id}`
+ },
+ supports: [],
+ attributes: [],
+ groups: [],
+ status: 'loaded',
+ controls: [
+ {
+ path: 'controlScores',
+ id: {
+ transformer: (data: ControlScore) =>
+ `${data.controlCategory}:${data.controlName}`
+ },
+ title: {
+ transformer: (data: ControlScore) => {
+ const titles = this.getProfiles(data.controlName || '')
+ .filter((profile) => profile.title !== undefined)
+ .map((profile) => profile.title);
+
+ if (titles.length > 0) {
+ return titles.join('\n');
+ } else {
+ return [data.controlCategory || '', data.controlName || '']
+ .filter((title) => title)
+ .join(':');
+ }
+ }
+ },
+ desc: {path: 'description'},
+ impact: {
+ transformer: (data: ControlScore) => {
+ // return controlCategory from the profile document where its id matches the controlName
+ const knownMaxScores = this.getProfiles(
+ data.controlName || ''
+ ).map((profile) => profile.maxScore || 0);
+
+ if (knownMaxScores.length === 0) {
+ return 0.5;
+ }
+
+ const highMaxScore = Math.max(...knownMaxScores);
+ return highMaxScore / 10.0;
+ }
+ },
+ refs: [],
+ tags: {
+ transformer: (data: ControlScore) => ({
+ ...conditionallyProvideAttribute(
+ 'category',
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.controlCategory
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.controlCategory)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'maxScore',
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.maxScore
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.maxScore)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'rank',
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.rank
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.rank)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'tiers',
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.tier
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.tier)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'threats',
+ _.uniq(
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.threats
+ )
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.threats)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'services',
+ _.uniq(
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.service
+ )
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.service)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ ),
+ ...conditionallyProvideAttribute(
+ 'userImpacts',
+ _.uniq(
+ this.getProfiles(data.controlName || '').map(
+ (profile) => profile.userImpact
+ )
+ ),
+ (() => {
+ const result = this.getProfiles(data.controlName || '')
+ .map((profile) => profile.userImpact)
+ .filter((v) => Boolean(v));
+ return result.length > 0;
+ })()
+ )
+ }),
+ nist: DEFAULT_STATIC_CODE_ANALYSIS_NIST_TAGS
+ },
+ source_location: {},
+ descriptions: [
+ {
+ data: {
+ transformer: (
+ data: ControlScore & {implementationStatus: string}
+ ) => {
+ const profiles = this.getProfiles(data.controlName || '');
+ const remediationSteps = profiles
+ .map((profile: SecureScoreControlProfile) =>
+ profile.remediation?.toString()
+ )
+ .filter(
+ (remediation: string | undefined) =>
+ remediation !== undefined
+ );
+
+ return remediationSteps.join('\n');
+ }
+ },
+ label: 'fix'
+ },
+ {
+ data: {
+ transformer: (
+ data: ControlScore & {implementationStatus: string}
+ ) => {
+ const profiles = this.getProfiles(data.controlName || '');
+ const impact = profiles
+ .map((profile: SecureScoreControlProfile) =>
+ profile.remediationImpact?.toString()
+ )
+ .filter(
+ (remediationImpact: string | undefined) =>
+ remediationImpact !== undefined
+ );
+
+ return impact.join('\n');
+ }
+ },
+ label: 'rationale'
+ }
+ ],
+ results: [
+ {
+ status: {
+ transformer: (
+ data: ControlScore & {scoreInPercentage: number}
+ ) => {
+ if (data.scoreInPercentage === 100) {
+ return ExecJSON.ControlResultStatus.Passed;
+ }
+
+ const knownMaxScores = this.getProfiles(
+ data.controlName || ''
+ ).map((profile) => profile.maxScore || 0);
+
+ const highMaxScore = Math.max(...knownMaxScores);
+
+ if (knownMaxScores.length === 0) {
+ // no Profile found matching the controlName
+ return ExecJSON.ControlResultStatus.Failed;
+ } else if (data.score === undefined) {
+ return ExecJSON.ControlResultStatus.Error;
+ } else if (data.score === highMaxScore) {
+ return ExecJSON.ControlResultStatus.Passed;
+ } else {
+ return ExecJSON.ControlResultStatus.Failed;
+ }
+ }
+ },
+ code_desc: {
+ transformer: (
+ data: ControlScore & {implementationStatus: string}
+ ) => data.implementationStatus
+ },
+ start_time: {transformer: () => this.data.createdDateTime}
+ }
+ ]
+ }
+ ],
+ sha256: ''
+ }
+ ],
+ passthrough: {
+ transformer: (): Record => {
+ return {
+ auxiliary_data: [
+ {
+ name: 'Microsoft Secure Score',
+ data: {
+ reportId: this.rawData.secureScore.value[0].id,
+ tenantId: this.rawData.secureScore.value[0].azureTenantId,
+ profiles: this.rawData.profiles,
+ enabledServices:
+ this.rawData.secureScore.value[0].enabledServices,
+ averageComparativeScores:
+ this.rawData.secureScore.value[0].averageComparativeScores,
+ currentScore: this.rawData.secureScore.value[0].currentScore,
+ maxScore: this.rawData.secureScore.value[0].maxScore,
+ secureScores: _.pick(this.rawData.secureScore, [
+ '@odata.context',
+ '@odata.nextLink'
+ ])
+ }
+ }
+ ],
+ ...(this.withRaw && {raw: this.rawData})
+ };
+ }
+ }
+ };
+ constructor(secureScore_and_profiles_combined: string, withRaw = false) {
+ const rawParams = JSON.parse(secureScore_and_profiles_combined);
+ super(rawParams.secureScore.value[0]);
+ this.withRaw = withRaw;
+ this.rawData = rawParams;
+ this.getProfiles = this.memoizedGetProfiles();
+ }
+}
diff --git a/libs/hdf-converters/src/utils/fingerprinting.ts b/libs/hdf-converters/src/utils/fingerprinting.ts
index 83082967b6..64dc43c9e1 100644
--- a/libs/hdf-converters/src/utils/fingerprinting.ts
+++ b/libs/hdf-converters/src/utils/fingerprinting.ts
@@ -9,6 +9,7 @@ export enum INPUT_TYPES {
 GOSEC = 'gosec',
 IONCHANNEL = 'ionchannel',
 JFROG = 'jfrog',
+ MSFT_SEC_SCORE = 'msft_secure_score',
 NIKTO = 'nikto',
 SARIF = 'sarif',
 SNYK = 'snyk',
@@ -37,6 +38,7 @@ const fileTypeFingerprints: Record = {
 'trigger_hash'
 ],
 [INPUT_TYPES.JFROG]: ['total_count', 'data'],
+ [INPUT_TYPES.MSFT_SEC_SCORE]: ['secureScore', 'profiles'],
 [INPUT_TYPES.NIKTO]: ['banner', 'host', 'ip', 'port', 'vulnerabilities'],
 [INPUT_TYPES.SARIF]: ['$schema', 'version', 'runs'],
 [INPUT_TYPES.SNYK]: [
diff --git a/libs/hdf-converters/test/mappers/forward/msft_secure_score_mapper.spec.ts b/libs/hdf-converters/test/mappers/forward/msft_secure_score_mapper.spec.ts
new file mode 100644
index 0000000000..647a3e3dbc
--- /dev/null
+++ b/libs/hdf-converters/test/mappers/forward/msft_secure_score_mapper.spec.ts
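Review bot: In `MsftSecureScoreResults.toHdf` the `_.pick` key list names `'@odata.context'` twice, so `'@odata.nextLink'` is dropped from the per-report document and the `secureScores` pick in the passthrough transformer then never sees a nextLink; the second entry should read `'@odata.nextLink'`. In the `threats` tag, `profile.threats` is itself an array (the sample profile carries `"threats": ["Data Exfiltration", "Account breach"]`), so `_.uniq` over the mapped list compares arrays by reference and emits a nested `string[][]` without deduplicating; `_.uniq(_.flatten(this.getProfiles(data.controlName || '').map((profile) => profile.threats ?? [])))` gives a flat, deduplicated list. In the `status` transformer `Math.max(...knownMaxScores)` runs before the `knownMaxScores.length === 0` guard and is `-Infinity` in that case; moving it below the guard keeps the intent clear. Both constructors pass `JSON.parse` output straight to `secureScore.value[0]`, so a file that passes fingerprinting but lacks a populated `secureScore.value` fails with an opaque TypeError; a guard such as `if (!Array.isArray(rawParams?.secureScore?.value) || rawParams.secureScore.value.length === 0) throw new Error('Expected combined document with a non-empty secureScore.value array');` would report it as a converter error. The impact transformer returns `highMaxScore / 10.0`, which leaves the 0–1 impact range for any profile whose maxScore is above 10, so clamp with `Math.min(1, highMaxScore / 10.0)` if such profiles occur.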
@@ -0,0 +1,103 @@
+import fs from 'fs';
+import {
+ MsftSecureScoreResults,
+ CombinedResponse
+} from '../../../src/msft-secure-score-mapper';
+import {omitVersions} from '../../utils';
+
+describe('msft_secure_score_mapper', () => {
+ it('Successfully converts Microsoft Secure Score reports', () => {
+ const mapper = new MsftSecureScoreResults(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json',
+ {encoding: 'utf-8'}
+ )
+ );
+
+ // fs.writeFileSync(
+ // 'sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json',
+ // JSON.stringify(mapper.toHdf(), null, 2)
+ // );
+
+ const expectedHdfReports = JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/secure_score-hdfs.json',
+ {encoding: 'utf-8'}
+ )
+ );
+
+ for (const [idx, hdfReport] of mapper.toHdf().entries()) {
+ expect(omitVersions(hdfReport)).toEqual(
+ omitVersions(expectedHdfReports[idx])
+ );
+ }
+ });
+});
+
+describe('msft_secure_score_mapper_withraw', () => {
+ it('Successfully converts withRaw flagged Microsoft Secure Score reports', () => {
+ const mapper = new MsftSecureScoreResults(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/sample_input_report/combined.json',
+ {encoding: 'utf-8'}
+ )
+ );
+
+ // fs.writeFileSync(
+ // 'sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json',
+ // JSON.stringify(mapper.toHdf(), null, 2)
+ // );
+
+ const expectedHdfReports = JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/secure_score-hdf-withraws.json',
+ {encoding: 'utf-8'}
+ )
+ );
+
+ for (const [idx, hdfReport] of mapper.toHdf().entries()) {
+ expect(omitVersions(hdfReport)).toEqual(
+ omitVersions(expectedHdfReports[idx])
+ );
+ }
+ });
+});
+
+describe('msft_secure_score_mapper_multiple_reports', () => {
+ it('Successfully converts multiple Microsoft Secure Score reports into multiple ohdf files', () => {
+ const input_data: CombinedResponse = {
+ profiles: JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/sample_input_report/profiles.json',
+ {encoding: 'utf-8'}
+ )
+ ),
+ secureScore: JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/sample_input_report/secureScore-multiple.json',
+ {encoding: 'utf-8'}
+ )
+ )
+ };
+
+ const mapper = new MsftSecureScoreResults(JSON.stringify(input_data));
+
+ // fs.writeFileSync(
+ // 'sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json',
+ // JSON.stringify(mapper.toHdf(), null, 2)
+ // );
+
+ const expectedHdfReports = JSON.parse(
+ fs.readFileSync(
+ 'sample_jsons/msft_secure_score_mapper/secure_score-hdf-multi.json',
+ {encoding: 'utf-8'}
+ )
+ );
+
+ for (const [idx, hdfReport] of mapper.toHdf().entries()) {
+ expect(omitVersions(hdfReport)).toEqual(
+ omitVersions(expectedHdfReports[idx])
+ );
+ }
+ });
+});
diff --git a/yarn.lock b/yarn.lock
index 73a8dc7190..f6de71e0f8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2770,6 +2770,11 @@
 resolved "https://registry.npmjs.org/@mdi/js/-/js-7.4.47.tgz#7d8a4edc9631bffeed80d1ec784f9beae559a76a"
 integrity sha512-KPnNOtm5i2pMabqZxpUz7iQf+mfrYZyKCZ8QNz85czgEt7cuHcGorWfdzUMWYA0SD+a6Hn4FmJ+YhzzzjkTZrQ==
+"@microsoft/microsoft-graph-types@^2.40.0":
+ version "2.40.0"
+ resolved "https://registry.yarnpkg.com/@microsoft/microsoft-graph-types/-/microsoft-graph-types-2.40.0.tgz#65f51600ab45ace97d7b1368c47f9e0f835fddca"
+ integrity sha512-1fcPVrB/NkbNcGNfCy+Cgnvwxt6/sbIEEFgZHFBJ670zYLegENYJF8qMo7x3LqBjWX2/Eneq5BVVRCLTmlJN+g==
+
 "@mitre/jsonix@^3.0.7":
 version "3.0.7"
 resolved "https://registry.npmjs.org/@mitre/jsonix/-/jsonix-3.0.7.tgz#f1e33599c1cddb9b865618a04a6a99c343c14764"
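Review bot: The `msft_secure_score_mapper_withraw` case never sets the flag it is named for — `new MsftSecureScoreResults(fs.readFileSync(...))` leaves `withRaw` at its default of `false`, so the `...(this.withRaw && {raw: this.rawData})` branch of the mapper is not exercised and `secure_score-hdf-withraws.json` was presumably generated without it; pass `true` as the second constructor argument and regenerate that fixture. Each `it` block also keeps a commented-out `fs.writeFileSync` that rewrites the golden file; either drop these or move fixture regeneration behind a single helper so the committed tests stay clean. `input_data` in the third case should be `inputData`, matching the camelCase used elsewhere in the file. None of the cases covers a control whose `controlName` matches no profile, which is the branch the mapper's status and impact transformers handle specially, so a small fixture for that path would be worth adding.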