SHELL/5.2.3.3.ps1
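<#
.SYNOPSIS
    CIS Microsoft 365 Foundations Benchmark v6.0.1, check 5.2.3.3 (L1, Automated):
    "Ensure password protection is enabled for on-prem Active Directory".

.DESCRIPTION
    Reads the Entra ID directory setting instantiated from the "Password Rule Settings"
    template (TemplateId 5cf42378-d67d-4f36-ba46-e8b86229381d) via Get-MgGroupSetting and
    reports PASS only when BOTH hold:
      - EnableBannedPasswordCheckOnPremises is True (or 1), and
      - BannedPasswordCheckOnPremisesMode is Enforce (or Enforced).
    "Audit" mode is reported as FAIL. A tenant where this template was never instantiated
    (no setting object with that TemplateId) is also FAIL, since the tenant then runs on
    the template defaults and nothing has been explicitly enforced.

    Emits exactly one [pscustomobject] with CheckId/Title/Level/BenchmarkType/Status/Pass/
    Evidence/Error/Timestamp. Status is PASS, FAIL or ERROR. ERROR means the Graph call
    itself threw; Pass is $null in that case so a transport/auth failure is never mistaken
    for a configuration FAIL (or PASS).

.NOTES
    - Assumes an already-connected Microsoft Graph session; this script never calls
      Connect-MgGraph. NOTE(review): presumably needs a directory-read scope such as
      Directory.Read.All -- confirm against the tenant's consented permissions.
    - Get-MgGroupSetting is called with -All so the check is not limited to the first
      page of results; otherwise the password-rule setting could be missed and reported
      as "not found" purely because of paging.
    - This only inspects the tenant-side setting. It does NOT verify that the
      Entra Password Protection proxy service / DC agents are actually deployed on-prem;
      a PASS here means "enforcement is configured in the cloud", not "enforcement is
      observed on the domain controllers".
#>

$CheckId        = "5.2.3.3"
$Title          = "Ensure password protection is enabled for on-prem Active Directory"
$Level          = "L1"
$BenchmarkType  = "Automated"
# TemplateId of the Entra "Password Rule Settings" directory setting template.
$PwRuleSettings = "5cf42378-d67d-4f36-ba46-e8b86229381d"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"

function Get-SettingValue {
    <#
    .SYNOPSIS
        Case-insensitively looks up a named entry in a directory setting's Values collection.
    .DESCRIPTION
        Accepts $null, a single item, or a collection. Each item may be a hashtable
        (key -> value) or an object exposing Name/Value properties (either casing, as
        returned by the Graph SDK). Returns the first matching value, or $null when
        nothing matches -- a missing setting and an explicitly-null setting are therefore
        indistinguishable to the caller, which is acceptable here because both must FAIL.
    .PARAMETER Values
        The setting's Values collection (may be $null).
    .PARAMETER Name
        The setting name to look up (compared with -ieq).
    #>
    param(
        [AllowNull()]$Values,
        [string]$Name
    )

    foreach ($Item in @($Values)) {
        if ($null -eq $Item) { continue }

        if ($Item -is [hashtable]) {
            foreach ($Key in $Item.Keys) {
                if ([string]$Key -ieq $Name) { return $Item[$Key] }
            }
            continue
        }

        # NOTE(review): PSObject.Properties.Match() is wildcard-based and case-insensitive,
        # so the lowercase branches are most likely redundant; kept for explicitness.
        $ItemName  = $null
        $ItemValue = $null
        if ($Item.PSObject.Properties.Match("Name").Count -gt 0) {
            $ItemName = [string]$Item.Name
        } elseif ($Item.PSObject.Properties.Match("name").Count -gt 0) {
            $ItemName = [string]$Item.name
        }
        if ($Item.PSObject.Properties.Match("Value").Count -gt 0) {
            $ItemValue = $Item.Value
        } elseif ($Item.PSObject.Properties.Match("value").Count -gt 0) {
            $ItemValue = $Item.value
        }

        if ($ItemName -and ($ItemName -ieq $Name)) { return $ItemValue }
    }

    return $null
}

try {
    # -All: enumerate every directory setting, not just the first page, before filtering.
    $Setting = Get-MgGroupSetting -All -ErrorAction Stop |
        Where-Object { $_.TemplateId -eq $PwRuleSettings } |
        Select-Object -First 1

    if (-not $Setting) {
        # Template never instantiated in this tenant -> nothing is enforced -> FAIL.
        [pscustomobject]@{
            CheckId       = $CheckId
            Title         = $Title
            Level         = $Level
            BenchmarkType = $BenchmarkType
            Status        = "FAIL"
            Pass          = $false
            Evidence      = [pscustomobject]@{
                TemplateId                          = $PwRuleSettings
                EnableBannedPasswordCheckOnPremises = $null
                BannedPasswordCheckOnPremisesMode   = $null
                SourceDocument                      = $SourceDocument
            }
            Error         = "Password protection settings for the required template were not found."
            Timestamp     = Get-Date
        }
        return
    }

    $Values    = $Setting.Values
    $EnableRaw = Get-SettingValue -Values $Values -Name "EnableBannedPasswordCheckOnPremises"
    $ModeRaw   = Get-SettingValue -Values $Values -Name "BannedPasswordCheckOnPremisesMode"

    # Normalise to strings so booleans, ints and strings from Graph are all compared the same way.
    $EnableText = if ($null -ne $EnableRaw) { [string]$EnableRaw } else { "" }
    $ModeText   = if ($null -ne $ModeRaw)   { [string]$ModeRaw }   else { "" }

    # Anchored regexes: an empty/missing value matches neither and yields FAIL.
    $EnableOnPrem = ($EnableText -match '^(?i:true|1)$')
    $EnforceMode  = ($ModeText   -match '^(?i:enforce|enforced)$')

    $Pass   = $EnableOnPrem -and $EnforceMode
    $Status = if ($Pass) { "PASS" } else { "FAIL" }

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]@{
            TemplateId                          = $PwRuleSettings
            EnableBannedPasswordCheckOnPremises = $EnableText
            BannedPasswordCheckOnPremisesMode   = $ModeText
            SourceDocument                      = $SourceDocument
        }
        Error         = if ($Pass) { $null } else { "EnableBannedPasswordCheckOnPremises must be True and BannedPasswordCheckOnPremisesMode must be Enforce." }
        Timestamp     = Get-Date
    }
}
catch {
    # Graph call failed (auth, permission, transport, module missing). Pass is $null on
    # purpose: do not let an evaluation error masquerade as a configuration result.
    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = "ERROR"
        Pass          = $null
        Evidence      = [pscustomobject]@{
            TemplateId     = $PwRuleSettings
            SourceDocument = $SourceDocument
        }
        Error         = $_.Exception.Message
        Timestamp     = Get-Date
    }
}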