SHELL/5.2.3.2.ps1
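# CIS Microsoft 365 Foundations Benchmark v6.0.1, control 5.2.3.2 (L1, Automated):
# "Ensure custom banned passwords lists are used".
#
# Reads the tenant-level "Password Rule Settings" directory setting via
# Microsoft Graph (Get-MgGroupSetting) and reports PASS only when the custom
# banned-password check is enabled AND the custom list holds at least one entry.
# The script emits exactly one [pscustomobject] with Status PASS / FAIL / ERROR.
#
# Requires an already-connected Microsoft Graph session; no Connect-MgGraph is
# performed here. (Presumably a directory-read scope such as Directory.Read.All
# is needed -- confirm against the app registration used to run the checks.)
#
# NOTE(review): the Evidence block echoes the raw banned-password list, which
# discloses organization-specific terms (product names, internal jargon).
# Treat the generated report as internal and limit its distribution.

$CheckId       = "5.2.3.2"
$Title         = "Ensure custom banned passwords lists are used"
$Level         = "L1"
$BenchmarkType = "Automated"

# TemplateId of the built-in "Password Rule Settings" directory-setting template.
$PwRuleSettings = "5cf42378-d67d-4f36-ba46-e8b86229381d"

# Returns the value of the setting called $Name from a Graph "values"
# collection, or $null when it is absent. Each element may be a hashtable or
# an object exposing Name/Value (or name/value) members; the name comparison
# is case-insensitive. $null elements are skipped.
function Get-SettingValue {
    param(
        [AllowNull()]$Values,
        [string]$Name
    )

    foreach ($Item in @($Values)) {
        if ($null -eq $Item) { continue }

        if ($Item -is [hashtable]) {
            foreach ($Key in $Item.Keys) {
                if ([string]$Key -ieq $Name) { return $Item[$Key] }
            }
            continue
        }

        # Object form: pick up Name/Value regardless of member-name casing.
        $ItemName  = $null
        $ItemValue = $null
        foreach ($Prop in $Item.PSObject.Properties) {
            if ($Prop.Name -ieq "Name") {
                $ItemName = [string]$Prop.Value
            }
            elseif ($Prop.Name -ieq "Value") {
                $ItemValue = $Prop.Value
            }
        }

        if ($ItemName -and ($ItemName -ieq $Name)) { return $ItemValue }
    }

    return $null
}

# Splits the BannedPasswordList setting string into trimmed, non-empty entries.
# Separators: tab (how Entra serialises the list according to Microsoft's
# template documentation -- confirm), plus comma, semicolon and CR/LF for
# tolerance of hand-edited values.
# The pattern uses regex escapes (\t \r \n) on purpose: PowerShell backtick
# escapes are NOT expanded inside single-quoted strings, so a pattern such as
# '[,;`r`n]+' would split on the literal letters "r" and "n" instead.
function Split-BannedPasswordList {
    param([AllowNull()][string]$ListText)

    if ([string]::IsNullOrWhiteSpace($ListText)) { return @() }

    return @($ListText -split '[,;\t\r\n]+' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ })
}

try {
    $Setting = Get-MgGroupSetting -ErrorAction Stop |
        Where-Object { $_.TemplateId -eq $PwRuleSettings } |
        Select-Object -First 1

    if (-not $Setting) {
        # No setting object for the template means the tenant runs on the
        # defaults, i.e. no custom list exists: that is a FAIL, not an ERROR.
        [pscustomobject]@{
            CheckId       = $CheckId
            Title         = $Title
            Level         = $Level
            BenchmarkType = $BenchmarkType
            Status        = "FAIL"
            Pass          = $false
            Evidence      = [pscustomobject]@{
                TemplateId                = $PwRuleSettings
                EnableBannedPasswordCheck = $null
                BannedPasswordListRaw     = $null
                BannedPasswordCount       = 0
                SourceDocument            = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
            }
            Error         = "Password protection settings for the required template were not found."
            Timestamp     = Get-Date
        }
        return
    }

    $Values    = $Setting.Values
    $EnableRaw = Get-SettingValue -Values $Values -Name "EnableBannedPasswordCheck"
    $ListRaw   = Get-SettingValue -Values $Values -Name "BannedPasswordList"

    $EnableText = if ($null -ne $EnableRaw) { [string]$EnableRaw } else { "" }
    $ListText   = if ($null -ne $ListRaw)   { [string]$ListRaw }   else { "" }

    # Graph may return the flag as a bool or as the strings "True"/"true"/"1".
    $EnableBannedPasswordCheck = ($EnableText -match '^(?i:true|1)$')

    $BannedItems   = @(Split-BannedPasswordList $ListText)
    $HasBannedList = $BannedItems.Count -gt 0

    # Both conditions are required: an enabled check with an empty list (or a
    # populated list with the check disabled) still leaves only Microsoft's
    # global list in effect.
    $Pass   = $EnableBannedPasswordCheck -and $HasBannedList
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]@{
            TemplateId                = $PwRuleSettings
            EnableBannedPasswordCheck = $EnableText
            BannedPasswordListRaw     = $ListText
            BannedPasswordCount       = $BannedItems.Count
            # Only the first 20 entries are previewed to keep the report readable.
            BannedPasswordListPreview = @($BannedItems | Select-Object -First 20)
            SourceDocument            = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = if ($Pass) { $null } else { "EnableBannedPasswordCheck must be True and BannedPasswordList must contain organization-specific entries." }
        Timestamp     = Get-Date
    }
}
catch {
    # Any failure reaching Graph (no session, missing scope, throttling, ...)
    # is reported as ERROR so it is not mistaken for a FAIL of the control.
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            TemplateId     = $PwRuleSettings
            SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    }
}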