Src/Compliance/ACSC.E8.json
{ "_meta": { "framework": "ACSC Essential Eight", "version": "2025-01", "reference": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight", "lastReviewed": "2026-03-01", "notes": "Maturity Levels (tool-local shorthand, not the ACSC ML0-ML3 definitions, which are graded by the adversary tradecraft they mitigate): ML1 = partially aligned, ML2 = mostly aligned, ML3 = fully aligned. Status tokens: [OK] [WARN] [FAIL] [INFO]. Mapped to SharePoint Online and OneDrive for Business controls; the section-to-strategy mappings are approximate, as several of these tenant settings (e.g. external sharing) have no direct Essential Eight strategy." }, "SharingPolicy": { "_section": "Restrict Microsoft Office Macros / Application Control -- External Sharing", "_reference": "Essential Eight Strategy: Restrict Administrative Privileges / Application Control", "checks": [ { "id": "E8-SP-SHARE-1", "ML": "ML1", "control": "External sharing restricted to known domains or disabled", "staticStatus": null, "statusExpression": "if ($SPExternalSharingLevel -eq 'Disabled' -or $SPExternalSharingLevel -eq 'ExistingExternalUserSharingOnly') { '[OK]' } elseif ($SPExternalSharingLevel -eq 'ExternalUserSharingOnly') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "SharePoint external sharing level: {SPExternalSharingLevel}. Unrestricted sharing (Anyone) exposes data to unauthenticated users.", "remediation": "Navigate to SharePoint Admin Center > Policies > Sharing. Set external sharing to 'Existing guests' or 'Only people in your organization' to pass this check; 'New and existing guests' is reported as [WARN]. Disable 'Anyone' links entirely.", "tags": ["sharing", "external-access", "ml1"] }, { "id": "E8-SP-SHARE-2", "ML": "ML1", "control": "OneDrive external sharing matches or is more restrictive than SharePoint", "staticStatus": null, "statusExpression": "if ($ODExternalSharingLevel -le $SPExternalSharingLevelNum) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "OneDrive sharing: {ODExternalSharingLevel}. SharePoint sharing: {SPExternalSharingLevel}. 
OneDrive must not be more permissive than SharePoint.", "remediation": "In SharePoint Admin Center > Policies > Sharing, ensure OneDrive sharing setting is equal to or more restrictive than the SharePoint setting.", "tags": ["sharing", "onedrive", "ml1"] }, { "id": "E8-SP-SHARE-3", "ML": "ML2", "control": "Anonymous 'Anyone' links disabled or link expiry enforced", "staticStatus": null, "statusExpression": "if (-not $AnyoneLinkEnabled) { '[OK]' } elseif ($AnyoneLinkEnabled -and $AnyoneLinkExpiryDays -le 7) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Anyone links: {AnyoneLinkState}. Expiry: {AnyoneLinkExpiryDays} days. Unlimited anonymous links are a significant data loss risk: anyone holding the URL can open the content without signing in, so the link itself is the credential.", "remediation": "Disable 'Anyone' links in SharePoint Admin Center > Policies > Sharing (required for [OK]). If they must remain enabled, enforce an expiry of 7 days or less (reported as [WARN]) and set 'Anyone link permissions' to View only.", "tags": ["sharing", "anonymous", "links", "ml2"] }, { "id": "E8-SP-SHARE-4", "ML": "ML2", "control": "Sharing limited to specific security groups or domains", "staticStatus": "[INFO]", "detailTemplate": "Verify that external sharing is restricted to approved domains via SharePoint Admin Center > Policies > Sharing > Limit external sharing by domain, and/or that only members of designated security groups are permitted to share externally.", "remediation": "Enable domain-based sharing restrictions and add only approved partner domains to the allow-list. Review the allow-list periodically: any account in an allowed domain, not just the intended partner contacts, can receive shares.", "tags": ["sharing", "domain-restriction", "ml2"] }, { "id": "E8-SP-SHARE-5", "ML": "ML3", "control": "Guest access requires MFA and email OTP is disabled for guests", "staticStatus": "[INFO]", "detailTemplate": "Verify Conditional Access requires MFA for all guests accessing SharePoint/OneDrive. Confirm Email OTP is not the sole authentication method available to guests.", "remediation": "Create a Conditional Access policy targeting guest users with grant control: Require MFA. 
Disable Email OTP in Entra ID Authentication Methods for a stronger posture. Caveat: email OTP is the only sign-in path for guests who have neither an Entra ID nor a Microsoft account, so disabling it will block those guests entirely; confirm the impact on existing guests before changing it. Where partner tenants enforce their own MFA, consider trusting it via cross-tenant access settings so guests are not prompted twice.", "tags": ["guest", "mfa", "authentication", "ml3"] } ] }, "ExternalAccess": { "_section": "Limit Access to External Content", "_reference": "Essential Eight Strategy: Restrict Administrative Privileges", "checks": [ { "id": "E8-SP-EXT-1", "ML": "ML1", "control": "Guest users require account authentication (not unauthenticated)", "staticStatus": null, "statusExpression": "if ($RequireAcceptingAccountMatchInvitedAccount) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Require accepting account match invited account: {RequireAcceptingAccountMatchInvitedAccount}. Without this, a forwarded or intercepted invitation can be redeemed by an account other than the one it was sent to.", "remediation": "Enable 'Guests must sign in using the same account to which sharing invitations are sent' in SharePoint Admin Center > Policies > Sharing.", "tags": ["guest", "external-access", "ml1"] }, { "id": "E8-SP-EXT-2", "ML": "ML1", "control": "External sharing notifications enabled (email alerts to owners)", "staticStatus": null, "statusExpression": "if ($NotifyOwnersWhenItemsShared) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Notify owners when items are shared externally: {NotifyOwnersWhenItemsShared}. Without notifications, owners are unaware of external sharing activity. Notifications are a detective control only; they do not prevent the share.", "remediation": "Enable 'Send an email notification to the person who shared when:' options in SharePoint Admin Center > Policies > Sharing.", "tags": ["external-access", "notifications", "ml1"] }, { "id": "E8-SP-EXT-3", "ML": "ML2", "control": "Default sharing link type set to specific people (not organisation-wide)", "staticStatus": null, "statusExpression": "if ($DefaultSharingLinkType -eq 'None' -or $DefaultSharingLinkType -eq 'Direct') { '[OK]' } elseif ($DefaultSharingLinkType -eq 'Internal') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Default sharing link type: {DefaultSharingLinkType}. 
Setting defaults to 'Specific people' minimises accidental over-sharing; it changes only the pre-selected option, users can still choose a broader link type where policy allows it.", "remediation": "Set default sharing link to 'Specific people' in SharePoint Admin Center > Policies > Sharing > Default link type.", "tags": ["sharing", "default-link", "ml2"] }, { "id": "E8-SP-EXT-4", "ML": "ML2", "control": "Legacy authentication blocked for SharePoint access", "staticStatus": "[INFO]", "detailTemplate": "Verify Conditional Access blocks legacy authentication protocols (Exchange Online, SharePoint, OneDrive) by targeting both 'Exchange ActiveSync clients' and 'Other clients' in Entra ID Conditional Access. Also confirm SharePoint Admin Center > Policies > Access Control > 'Apps that don't use modern authentication' is set to Block access, as that tenant setting applies regardless of Conditional Access. Legacy protocols cannot enforce MFA, so leaving them open bypasses every MFA policy in this file.", "remediation": "Create a CA policy: All users (exclude break-glass accounts), All cloud apps, Client apps = Exchange ActiveSync clients and Other clients, Block access. Review sign-in logs for legacy-auth usage before enforcing, then switch the policy from report-only to on.", "tags": ["legacy-auth", "conditional-access", "ml2"] }, { "id": "E8-SP-EXT-5", "ML": "ML3", "control": "Unmanaged device access restricted (no full access from personal devices)", "staticStatus": null, "statusExpression": "if ($ConditionalAccessPolicy -eq 'BlockAccess') { '[OK]' } elseif ($ConditionalAccessPolicy -eq 'AllowLimitedAccess') { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "Unmanaged device policy: {ConditionalAccessPolicy}. Full access from unmanaged devices risks data exfiltration.", "remediation": "Set unmanaged device access to 'Allow limited, web-only access' (reported as [WARN]) or 'Block access' (required for [OK]) in SharePoint Admin Center > Policies > Access Control > Unmanaged devices. This setting relies on a companion Entra ID Conditional Access policy; confirm it exists and is enabled.", "tags": ["unmanaged-devices", "conditional-access", "ml3"] } ] }, "Compliance": { "_section": "Patch Applications / Regular Backups", "_reference": "Essential Eight Strategy: Regular Backups (formerly Daily Backups) / Patch Applications", "checks": [ { "id": "E8-SP-COMP-1", "ML": "ML1", "control": "Versioning enabled on SharePoint sites (supports recovery)", "staticStatus": "[INFO]", "detailTemplate": "Verify that major versioning is enabled on all SharePoint document libraries. 
Versioning is critical for recovery from ransomware and accidental deletion, but it is not a backup: a bulk-encryption event can write enough new versions to push clean ones past the version limit, and a user with delete rights can purge version history. Pair it with retention policies (E8-SP-COMP-3) and an independent backup.", "remediation": "Enable versioning on all document libraries (minimum 500 versions recommended). Use PowerShell: Set-PnPList -Identity <Library> -EnableVersioning $true.", "tags": ["versioning", "backup", "recovery", "ml1"] }, { "id": "E8-SP-COMP-2", "ML": "ML1", "control": "Recycle Bin enabled (first and second stage recovery available)", "staticStatus": null, "statusExpression": "if ($RecycleBinEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Recycle Bin enabled: {RecycleBinEnabledStr}. Second-stage Recycle Bin provides an additional recovery window before permanent deletion. This check only confirms the Recycle Bin is enabled; the retention period itself is not configurable in SharePoint Online.", "remediation": "Ensure the Recycle Bin is enabled in SharePoint Admin Center. Educate users that the 93-day retention window is fixed and cannot be extended; it runs from the original deletion and is shared by both stages (an item moved to the second stage keeps only the remainder of the 93 days), so it is not a substitute for retention policies or backups.", "tags": ["recycle-bin", "backup", "recovery", "ml1"] }, { "id": "E8-SP-COMP-3", "ML": "ML2", "control": "Microsoft 365 retention policies applied to SharePoint and OneDrive", "staticStatus": "[INFO]", "detailTemplate": "Verify Microsoft Purview retention policies cover SharePoint and OneDrive content. Without retention policies, content may be permanently deleted before legal/compliance holds are applied.", "remediation": "Create retention policies in Microsoft Purview Compliance portal > Data lifecycle management > Retention policies targeting SharePoint and OneDrive locations.", "tags": ["retention", "compliance", "purview", "ml2"] }, { "id": "E8-SP-COMP-4", "ML": "ML2", "control": "Audit logging enabled for SharePoint and OneDrive", "staticStatus": null, "statusExpression": "if ($AuditEnabled) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "Unified audit log enabled: {AuditEnabledStr}. Audit logs are required for incident response and forensic investigation.", "remediation": "Enable unified audit logging in Microsoft Purview Compliance portal > Audit. 
Ensure audit logs are retained for at least 1 year. Audit (Standard) retains records for 180 days by default; one-year retention requires Microsoft Purview Audit (Premium), i.e. an E5 licence or the E5 Compliance / 10-year audit retention add-on, not E3 alone. Unified audit logging is normally on by default for current tenants, so a [FAIL] here usually means it was explicitly disabled and should be investigated as a possible defence-evasion step.", "tags": ["audit", "logging", "compliance", "ml2"] }, { "id": "E8-SP-COMP-5", "ML": "ML3", "control": "Sensitivity labels enforced on SharePoint sites and OneDrive", "staticStatus": "[INFO]", "detailTemplate": "Verify Microsoft Purview sensitivity labels are published and enforced on SharePoint sites. Labels enable automatic protection, encryption, and access control based on data classification.", "remediation": "Publish sensitivity labels in Microsoft Purview > Information Protection > Labels. Enable sensitivity labels for SharePoint and OneDrive in the Compliance portal.", "tags": ["sensitivity-labels", "data-classification", "ml3"] } ] }, "OneDrive": { "_section": "Restrict Administrative Privileges / Application Control", "_reference": "Essential Eight Strategy: Application Control / Restrict Administrative Privileges", "checks": [ { "id": "E8-OD-1", "ML": "ML1", "control": "OneDrive sync client restricted to domain-joined devices only", "staticStatus": null, "statusExpression": "if ($AllowedDomainGuidsForSyncApp -and $AllowedDomainGuidsForSyncApp.Count -gt 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Sync client domain restriction: {SyncDomainRestrictionEnabled}. Restricting the sync client to domain-joined devices reduces bulk exfiltration via personal machines, but it does not stop browser downloads (see E8-SP-EXT-5 and E8-OD-3). The domain-GUID allow-list targets AD domain-joined Windows devices; verify how Entra-joined and non-Windows devices are covered separately.", "remediation": "In SharePoint Admin Center > Settings > OneDrive sync, enable 'Allow syncing only on computers joined to specific domains' and add your domain GUIDs.", "tags": ["onedrive", "sync", "managed-devices", "ml1"] }, { "id": "E8-OD-2", "ML": "ML1", "control": "Storage quota limits configured for OneDrive users", "staticStatus": null, "statusExpression": "if ($OneDriveDefaultQuotaGB -le 5120) { '[OK]' } elseif ($OneDriveDefaultQuotaGB -le 25600) { '[WARN]' } else { '[INFO]' }", "detailTemplate": "Default OneDrive quota: {OneDriveDefaultQuotaGB} GB. 
Unlimited or very large quotas may exceed backup capacity planning.", "remediation": "Set appropriate OneDrive storage quotas aligned with organisational data classification policies in SharePoint Admin Center > Settings > OneDrive storage.", "tags": ["onedrive", "quota", "storage", "ml1"] }, { "id": "E8-OD-3", "ML": "ML2", "control": "Block download of files from unmanaged devices", "staticStatus": null, "statusExpression": "if ($BlockDownloadLinksFileType -eq 'BlockDownload' -or $ConditionalAccessPolicy -ne 'AllowFullAccess') { '[OK]' } else { '[WARN]' }", "detailTemplate": "Unmanaged device download policy: {BlockDownloadPolicy}. Blocking downloads from unmanaged devices reduces data exfiltration risk.", "remediation": "Enable block download for unmanaged devices in SharePoint Admin Center > Policies > Access Control > Unmanaged devices.", "tags": ["onedrive", "download", "unmanaged-devices", "ml2"] } ] } } |