ReachRolloutModules.psm1
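# Reach basis rollout script
#
# Use in conjunction with connector script to deploy default features of Reach
# Ensure you are connected to all services correctly for the below features to work.
#
# Deployed:
#  - 7 year retention policy
#  - Password Policy
#  - Data loss prevention (Australian Credit Card & Privacy Act)
#  - Full audit logging enabled (mailbox and tenant)
#  - Auto 12 Monthly Archiving Policy (This will only affect those with Archiving enabled)
#  - Archiving turned on for all mailboxes
#  - Litigation Hold
#  - ATP anti-phishing
#  - ATP safe attachments
#  - ATP safe links
#  - Anti-Malware
#  - Anti-spam
#  - Alert Policy
#  - Enable custom scripting for SharePoint (required for LiveTiles)
#  - DKIM Powershell Component (Records for DMARC AND DKIM need to still be created)
#
# ---------Under Construction----------
#
#  - Azure Information Protection rollout
#  - Intune Policy Import
#
# Conventions used by every enable* function below:
#  - Best-effort: each step reports success or failure on the console, appends the
#    error record to $script:ReachLogPath and returns; nothing is thrown to the caller.
#  - $domainList is accepted either as an array of domain names or as one
#    comma-separated string (enableDkim already split on ','); ConvertTo-DomainArray
#    normalises both shapes so every rule gets a real array of domains.

# Path of the failure log. The original value appended "\Documents\reachLog.txt" to
# $profile, which is the path of the profile *script*, not of a directory.
# NOTE(review): kept unchanged for compatibility with the connector script; a directory
# such as (Split-Path -Parent $profile) was probably intended - confirm before changing.
$script:ReachLogPath = "$profile\Documents\reachLog.txt"

#######################################
# Normalises $domainList into an array of trimmed, non-empty domain names.
# Arguments: $DomainList - array of strings, or a single comma-separated string, or $null
# Outputs:   the domain names (possibly none)
#######################################
function ConvertTo-DomainArray {
    param($DomainList)
    if ($null -eq $DomainList) {
        return @()
    }
    # -split on an array splits every element, so both input shapes end up flat.
    $domains = @($DomainList) -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
    return @($domains)
}

#######################################
# Appends an error record to $script:ReachLogPath.
# Arguments: $Context     - name of the step that failed (used as a log prefix)
#            $ErrorRecord - the $_ of the calling catch block
# Outputs:   warnings on the warning stream when the log file cannot be written
#######################################
function Write-ReachLog {
    param(
        [string]$Context,
        $ErrorRecord
    )
    $entry = '[{0}] {1}: {2}' -f (Get-Date -Format 'o'), $Context, (($ErrorRecord | Out-String).Trim())
    try {
        Add-Content -Path $script:ReachLogPath -Value $entry -ErrorAction Stop
    }
    catch {
        # The original error must not be lost just because the log file is unwritable
        # (see the note on $script:ReachLogPath above).
        Write-Warning ('Could not write to {0}: {1}' -f $script:ReachLogPath, $_.Exception.Message)
        Write-Warning $entry
    }
}

#######################################
# Reports a failed step on the console (red) and records it in the log.
# Arguments: $Context     - name of the step that failed
#            $Message     - human readable description of what failed
#            $ErrorRecord - the $_ of the calling catch block
#######################################
function Write-ReachFailure {
    param(
        [string]$Context,
        [string]$Message,
        $ErrorRecord
    )
    Write-Host -ForegroundColor Red ('{0} Please check the logs ({1}) for more information.' -f $Message, $script:ReachLogPath)
    Write-ReachLog -Context $Context -ErrorRecord $ErrorRecord
}

#######################################
# Creates a 7 year retention policy covering every workload, plus its rule.
# Outputs:   progress on the console; errors to the log
#######################################
Function enableRetention {
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable 7 year retention..."
        New-RetentionCompliancePolicy -Name "7 Year Retention, All Locations" -ExchangeLocation All `
            -SharePointLocation All -ModernGroupLocation All -OneDriveLocation All -PublicFolderLocation All -Enabled $true
        # 2555 days = 7 x 365; the display hint makes the portal show it in years.
        New-RetentionComplianceRule -Name "7YearRetentionRule" -Policy "7 Year Retention, All Locations" `
            -RetentionDuration 2555 -RetentionDurationDisplayHint Years
        Write-Host -ForegroundColor Green "Successfully enabled 7 Year Retention Policy!"
    }
    catch {
        Write-ReachFailure -Context 'enableRetention' -ErrorRecord $_ `
            -Message "Error enabling retention policy. Possibly it already exists or a different error has occured."
    }
}

#######################################
# Sets a 60 day password expiry with 14 days notice on every supplied domain.
# Arguments: $domainList - domains to configure (array or comma-separated string)
# Outputs:   progress on the console; errors to the log
#######################################
# Requires $domainList defined
Function enablePasswordPolicy {
    param($domainList)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable password policy..."
        $domains = @(ConvertTo-DomainArray $domainList)
        if ($domains.Count -eq 0) {
            # Set-MsolPasswordPolicy requires -DomainName; the original call never used
            # $domainList and so could not have targeted a domain.
            throw "No domains supplied in `$domainList; Set-MsolPasswordPolicy needs -DomainName."
        }
        # Sets a 60 day password policy with a 14 day notification time, per domain.
        # NOTE(review): periodic expiry is no longer part of Microsoft's recommended
        # baseline - confirm the 60 day value is still the intended client standard.
        foreach ($domain in $domains) {
            Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 60 -NotificationDays 14
        }
        Write-Host -ForegroundColor Green "Successfully enabled Password Policy!"
    }
    catch {
        Write-ReachFailure -Context 'enablePasswordPolicy' -ErrorRecord $_ `
            -Message "Error enabling password policy. Possibly it already exists or a different error has occured."
    }
}

#######################################
# Creates two blocking DLP policies: Australian Privacy Act identifiers and credit cards.
# Outputs:   progress on the console; errors to the log
#######################################
Function enableDLP {
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable DLP Policy for Australian Credit Cards and Australian Privacy Act..."
        New-DlpCompliancePolicy -Name "Australian Privacy Act" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
            -Comment "DLP Policy for Australian Privacy Act" -Mode Enable
        New-DlpComplianceRule -Name "Driver's License and Passport Number" -Policy "Australian Privacy Act" `
            -ContentContainsSensitiveInformation @(@{Name = "Australia Driver's License Number"}, @{Name = "Australia Passport Number"}) `
            -BlockAccess $true
        # The original carried the Privacy Act comment over to this policy by copy-paste.
        New-DlpCompliancePolicy -Name "Credit Card Data" -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
            -Comment "DLP Policy for Credit Card Data" -Mode Enable
        New-DlpComplianceRule -Name "Credit Card Rule" -Policy "Credit Card Data" `
            -ContentContainsSensitiveInformation @{Name = "Credit Card Number"} -BlockAccess $true
        Write-Host -ForegroundColor Green "Successfully enabled DLP Policies!"
    }
    catch {
        Write-ReachFailure -Context 'enableDLP' -ErrorRecord $_ `
            -Message "Error enabling DLP. Possibly it already exists or a different error has occured."
    }
}

#######################################
# Enables the unified audit log and owner/delegate/admin mailbox auditing tenant-wide.
# Outputs:   progress on the console; errors to the log
#######################################
Function enableAuditLogging {
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enabled audit logging across the tenant..."
        # Enable-OrganizationCustomization errors when it has already been run, which would
        # abort the remaining steps; only call it while the tenant is still dehydrated.
        if ((Get-OrganizationConfig).IsDehydrated) {
            Enable-OrganizationCustomization
        }
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        Set-OrganizationConfig -AuditDisabled $false
        # -ResultSize Unlimited: Get-Mailbox otherwise stops at its default page of results.
        Get-Mailbox -ResultSize Unlimited -Filter {
            RecipientTypeDetails -eq "UserMailbox" -or RecipientTypeDetails -eq "SharedMailbox" -or
            RecipientTypeDetails -eq "RoomMailbox" -or RecipientTypeDetails -eq "DiscoveryMailbox"
        } | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 `
            -AuditAdmin Copy, Create, FolderBind, HardDelete, MessageBind, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules `
            -AuditDelegate Create, FolderBind, HardDelete, Move, MoveToDeletedItems, SendAs, SendOnBehalf, SoftDelete, Update, UpdateFolderPermissions, UpdateInboxRules `
            -AuditOwner Create, HardDelete, MailboxLogin, Move, MoveToDeletedItems, SoftDelete, Update, UpdateCalendarDelegation, UpdateFolderPermissions, UpdateInboxRules
        Write-Host -ForegroundColor Green "Successfully enabled audit logging on all mailboxes on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableAuditLogging' -ErrorRecord $_ `
            -Message "Error enabling auditing. Maybe it's already enabled or a different error has occured."
    }
}

#######################################
# Creates a 12 month move-to-archive tag/policy, applies it to every mailbox and
# enables the online archive on user mailboxes that do not have one yet.
# Outputs:   progress on the console; errors to the log
#######################################
Function enableArchive {
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enabled mailbox archiving across the tenant..."
        New-RetentionPolicyTag -Name "ONGC-12-Month-Archive" -RetentionAction movetoarchive -AgeLimitForRetention 365 -Type all `
            -Comment "All mails are archived after 365 days. Users without archives are not affected."
        New-RetentionPolicy -Name "ONGC Archive" -RetentionPolicytagLinks "ONGC-12-Month-Archive"
        # -ResultSize Unlimited on both queries: the original plain Get-Mailbox calls would
        # silently skip mailboxes beyond the default result page on larger tenants.
        Get-Mailbox -ResultSize Unlimited | Set-Mailbox -RetentionPolicy "ONGC Archive"
        Get-Mailbox -ResultSize Unlimited -Filter {ArchiveStatus -eq "None" -and RecipientTypeDetails -eq "UserMailbox"} |
            Enable-Mailbox -Archive
        Write-Host -ForegroundColor Green "Successfully enabled archiving on all mailboxes!"
    }
    catch {
        Write-ReachFailure -Context 'enableArchive' -ErrorRecord $_ `
            -Message "There was an error enabling archiving. Possibly it's already enabled or there was a different error."
    }
}

#######################################
# Creates the anti-phishing, Safe Attachments and Safe Links policies and their rules.
# Arguments: $domainList - recipient domains the rules apply to (array or comma-separated string)
# Outputs:   progress on the console; errors to the log
#######################################
# Requires $domainList defined
Function enableATP {
    param($domainList)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable ATP Policies (anti-phishing, safe attachments, safe links)..."
        $domains = @(ConvertTo-DomainArray $domainList)

        # Anti-Phishing
        # NOTE(review): similar-user/domain safety tips are deliberately off here and no
        # impersonation (targeted user/domain) protection is configured - confirm that is
        # the intended baseline for the client.
        New-AntiPhishPolicy -Name "ONGC Default Anti-Phish Policy" -Enabled $true -EnableOrganizationDomainsProtection $true `
            -EnableMailboxIntelligence $true -EnableSimilarUsersSafetyTips $false -EnableSimilarDomainsSafetyTips $false
        New-AntiPhishRule -Name "ONGC Default Anti-Phish Rule" -AntiPhishPolicy "ONGC Default Anti-Phish Policy" -Enabled $true `
            -RecipientDomainIs $domains

        # Safe Attachments: detected attachments are replaced and the original is redirected
        # to the alerts mailbox for triage.
        New-SafeAttachmentPolicy -Name 'ONGC Safe Attachments Policy' -AdminDisplayName $null -Action 'Replace' `
            -Redirect $true -RedirectAddress 'alerts@ongc.com.au' -Enable $true
        New-SafeAttachmentRule -Name 'ONGC Safe Attachments' -SafeAttachmentPolicy 'ONGC Safe Attachments Policy' `
            -RecipientDomainIs $domains
        Set-AtpPolicyForO365 -EnableSafeLinksForClients $true -TrackClicks $true -EnableATPForSPOTeamsODB $true

        # Safe Links: click-through on blocked URLs is disabled; clicks are tracked for IR.
        New-SafeLinksPolicy -Name 'ONGC Safe Links Policy' -AdminDisplayName $null -IsEnabled $true `
            -AllowClickThrough $false -TrackClicks $true
        # The rule refers to the policy by its exact name (the original used a different case).
        New-SafeLinksRule -Name 'ONGC Safe Links' -SafeLinksPolicy 'ONGC Safe Links Policy' -RecipientDomainIs $domains
        Write-Host -ForegroundColor Green "Successfully enabled ATP Policies on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableATP' -ErrorRecord $_ `
            -Message "Error enabling ATP Policies on the tenant."
    }
}

#######################################
# Places every mailbox on litigation hold.
# Outputs:   progress on the console; errors to the log
#######################################
function enableLitigationHold {
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable Litigation Hold..."
        # The original used an en-dash ("–litigationholdenabled"), which PowerShell does not
        # parse as a parameter, so the hold was never applied. -ResultSize Unlimited so
        # mailboxes beyond the default result page are included.
        # NOTE(review): litigation hold needs an appropriate Exchange Online / archiving
        # licence per mailbox; unlicensed mailboxes will error - verify the licence state first.
        Get-Mailbox -ResultSize Unlimited | Set-Mailbox -LitigationHoldEnabled $true
        Write-Host -ForegroundColor Green "Successfully enabled Litigation Hold on the tenant!"
    }
    catch {
        # The original catch reported "Error enabling ATP Policies" here (copy-paste).
        Write-ReachFailure -Context 'enableLitigationHold' -ErrorRecord $_ `
            -Message "Error enabling Litigation Hold on the tenant."
    }
}

#######################################
# Creates the malware filter policy (attachment deletion + common file-type filter) and
# binds it to the supplied recipient domains.
# Arguments: $domainList - recipient domains the rule applies to (array or comma-separated string)
# Outputs:   progress on the console; errors to the log
#######################################
# Requires $domainList defined
Function enableAntiMalware {
    param($domainList)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable anti-malware on the tenant..."
        $domains = @(ConvertTo-DomainArray $domainList)
        # Passed as a real array: the original passed one ".ace, .ani, ..." string, whose
        # interpretation by the multi-valued -FileTypes parameter is ambiguous.
        # Note that .zip and .rar block all archives, not only malicious ones.
        $blockedFileTypes = @('.ace', '.ani', '.app', '.docm', '.exe', '.jar', '.reg', '.scr', '.vbe', '.vbs', '.zip', '.rar')
        New-MalwareFilterPolicy -Name "ONGC Default Malware Policy" -Action DeleteAttachmentAndUseDefaultAlertText `
            -EnableExternalSenderNotifications $true `
            -EnableInternalSenderNotifications $true `
            -EnableFileFilter $true `
            -FileTypes $blockedFileTypes
        New-MalwareFilterRule -Priority 0 -Name "ONGC Anti-Malware" -MalwareFilterPolicy "ONGC Default Malware Policy" `
            -RecipientDomainIs $domains
        Write-Host -ForegroundColor Green "Successfully enabled anti-malware on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableAntiMalware' -ErrorRecord $_ `
            -Message "Error enabling anti-malware on the tenant."
    }
}

#######################################
# Creates the hosted content (anti-spam) filter policy and rule.
# Arguments: $domainList - recipient domains the rule applies to (array or comma-separated string)
# Outputs:   progress on the console; errors to the log
#######################################
# Requires $domainList defined
Function enableAntiSpam {
    param($domainList)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable anti-spam on the tenant..."
        $domains = @(ConvertTo-DomainArray $domainList)
        # One entry per line: the original mixed typographic quotes and dropped the ';'
        # between several entries, which breaks the hashtable when written on one line.
        $policyparams = @{
            'name'                               = 'ONGC Anti-Spam Policy'
            'Bulkspamaction'                     = 'movetojmf'
            'bulkthreshold'                      = '7'
            'highconfidencespamaction'           = 'movetojmf'
            'inlinesafetytipsenabled'            = $true
            'markasspambulkmail'                 = 'on'
            'increasescorewithimagelinks'        = 'off'
            'increasescorewithnumericips'        = 'on'
            'increasescorewithredirecttootherport' = 'on'
            'increasescorewithbizorinfourls'     = 'on'
            'markasspamemptymessages'            = 'on'
            'markasspamjavascriptinhtml'         = 'on'
            'markasspamframesinhtml'             = 'on'
            'markasspamobjecttagsinhtml'         = 'on'
            'markasspamembedtagsinhtml'          = 'on'
            'markasspamformtagsinhtml'           = 'on'
            'markasspamwebbugsinhtml'            = 'on'
            'markasspamsensitivewordlist'        = 'on'
            'markasspamspfrecordhardfail'        = 'on'
            'markasspamfromaddressauthfail'      = 'on'
            'markasspamndrbackscatter'           = 'on'
            'phishspamaction'                    = 'movetojmf'
            'spamaction'                         = 'movetojmf'
            'zapenabled'                         = $true
        }
        New-HostedContentFilterPolicy @policyparams
        $ruleparams = @{
            'name'                     = 'ONGC Anti-Spam Rule'
            'hostedcontentfilterpolicy' = 'ONGC Anti-Spam Policy'
            'recipientdomainis'        = $domains
            'Enabled'                  = $true
        }
        New-HostedContentFilterRule @ruleparams
        Write-Host -ForegroundColor Green "Successfully enabled anti-spam on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableAntiSpam' -ErrorRecord $_ `
            -Message "There was an issue enabling anti-spam."
    }
}

#######################################
# Enables DKIM signing for every supplied domain.
# Arguments: $domainList - domains to sign for (array or comma-separated string)
# Outputs:   progress on the console; errors to the log
# Preconditions: the two selector CNAME records must already exist in public DNS,
#                otherwise enabling the config fails for that domain.
#######################################
# Requires $domainList defined - CNAME RECORD HAS TO BE CREATED PRIOR TO THIS
function enableDkim {
    param($domainList)
    #DKIM
    #https://docs.microsoft.com/en-us/office365/SecurityCompliance/use-dkim-to-validate-outbound-email
    #DMARC
    #https://docs.microsoft.com/en-us/office365/SecurityCompliance/use-dmarc-to-validate-email
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable DKIM on the tenant..."
        $domains = @(ConvertTo-DomainArray $domainList)
        foreach ($domain in $domains) {
            # Re-runs are common (the original noted "may have already been set"): update
            # an existing signing config instead of failing on New-.
            $existing = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
            if ($null -ne $existing) {
                Set-DkimSigningConfig -Identity $domain -Enabled $true
            }
            else {
                New-DkimSigningConfig -DomainName $domain -Enabled $true
            }
        }
        Write-Host -ForegroundColor Green "Successfully enabled DKIM on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableDkim' -ErrorRecord $_ `
            -Message "Error DKIM on the tenant (may have already been set)."
    }
}

#######################################
# Allows custom script on the tenant's root SharePoint site collection.
# Arguments: $tenantName - the tenant prefix of https://<tenant>.sharepoint.com
# Outputs:   progress on the console; errors to the log
# Security:  -DenyAddAndCustomizePages $false lets site owners add arbitrary script to
#            pages on that site, which then runs in every visitor's browser with their
#            SharePoint permissions. It is required for LiveTiles; keep it scoped to the
#            site that needs it rather than enabling it more widely.
#######################################
# Requires $tenantName defined
Function enableCustomScripting {
    param($tenantName)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable custom scripting on SharePoint..."
        $siteUrl = "https://$tenantName.sharepoint.com/"
        Set-SPOSite -Identity $siteUrl -DenyAddAndCustomizePages $false
        Write-Host -ForegroundColor Green "Successfully enabled custom scripting on the tenant!"
    }
    catch {
        Write-ReachFailure -Context 'enableCustomScripting' -ErrorRecord $_ `
            -Message "Error enabling custom scripting on the tenant (may have already been set)."
    }
}

#######################################
# Creates the default activity alert for a few high-risk operations.
# Arguments: $alertEmail - address that receives the alert notifications
# Outputs:   progress on the console; errors to the log
#######################################
# Pulls global administrator's username for this.
function alertPolicy {
    param($alertEmail)
    try {
        Write-Host -ForegroundColor DarkCyan "Attempting to enable Alert Policy on tenant..."
        # NOTE(review): New-ActivityAlert is the legacy activity-alert cmdlet; the newer
        # protection-alert cmdlets may be preferable on current tenants - confirm before
        # relying on these alerts for detection coverage.
        $fileandpagepolicyparams = @{
            'Name'        = 'ONGC Alert Policy'
            'operation'   = @("filedeleted", "folderdeleted", "new-inboxrule", "add member to role.", "exportjob")
            'notifyuser'  = $alertEmail
            'userid'      = $null
            'Description' = 'Default ONGC Alert Policy to check default security risks.'
        }
        New-ActivityAlert @fileandpagepolicyparams
        Write-Host -ForegroundColor Green "Successfully enabled Alert Policy on tenant!"
    }
    catch {
        Write-ReachFailure -Context 'alertPolicy' -ErrorRecord $_ `
            -Message "Error enabling Alert Policy on the tenant (may have already been set)."
    }
}

# ---------Under Construction----------
# Placeholders kept so the connector script can already reference them.
Function enableAIP {}
Function importIntunePolicies {}

# Only the rollout steps are part of the module's public surface; the Write-Reach* and
# ConvertTo-DomainArray helpers stay internal.
Export-ModuleMember -Function enableRetention, enablePasswordPolicy, enableDLP, enableAuditLogging, `
    enableArchive, enableATP, enableLitigationHold, enableAntiMalware, enableAntiSpam, enableDkim, `
    enableCustomScripting, alertPolicy, enableAIP, importIntunePolicies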