OfficeDev / O365-InvestigationTooling

MIT License

Clarify purpose in comments, fix removal of 'UpdateFolderPermissions' default action #23

Open cc-bb opened 6 years ago

cc-bb commented 6 years ago

Comment in line 1 is true but misleading:

```powershell
#This script will enable non-owner mailbox access auditing on every mailbox in your tenancy
```

It does, in fact, enable auditing of some (but not all) non-owner (i.e., administrator or delegate) mailbox actions, but it also enables auditing for some (but not all) owner actions as well.

So if the purpose is to only enable non-owner mailbox auditing (and its associated default logging actions), then this snippet should be removed:

```powershell
-AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update
```

But if the purpose is to enable both non-owner and owner mailbox auditing, the description of the script should be adjusted to clarify its purpose and the code should be revised so that it doesn't overwrite/remove a default logging action ('UpdateFolderPermissions') that is otherwise turned on for mailbox owners when mailbox auditing is enabled.

This article has a handy table showing available mailbox auditing options for the three user logon types: https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918#ID0EABAAA=Mailbox_auditing_actions

To keep the default logging action ('UpdateFolderPermissions') and add the other actions contemplated by the existing script, replace the snippet above with: -AuditOwner @{Add="Create","HardDelete","MailboxLogin","MoveToDeletedItems","SoftDelete","Update"}

But perhaps a more comprehensive approach is desirable to enable logging of every auditable action across all user logon types (as listed in the MS Support article)? (I also noticed that the existing code inexplicably leaves out the 'Move' action for owner auditing.) So maybe something like:

```powershell
-AuditOwner @{Add="Create","HardDelete","MailboxLogin","Move","MoveToDeletedItems","SoftDelete","Update"} -AuditAdmin @{Add="Copy","MessageBind"} -AuditDelegate @{Add="Move","MoveToDeletedItems","SendOnBehalf"}
```

In any case, the comment should clarify that this script is only enabling logging for certain actions and is not comprehensively doing so for all auditable mailbox actions across all user login types. Users should be cautioned that they may need to add or remove options to fit their auditing objectives.

(Thanks for all the effort thus far! I stumbled across this script from the Secure Score dashboard in O365 which was a pleasant surprise but also somewhat concerning as being officially-sanctioned guidance...)

wmmyers commented 6 years ago

+1 above. I'm assuming this is meant as a baseline auditing rule set. It'd be much clearer if you used splatting to define the options you are setting:

```powershell
$mbxauditpolicies = @{
    'AuditEnabled'     = $true;
    'AuditLogAgeLimit' = 180;
    'AuditAdmin'       = @('Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions');
    'AuditDelegate'    = @('Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete', 'SendAs', 'SendOnBehalf', 'Create', 'UpdateFolderPermissions');
    'AuditOwner'       = @('MailboxLogin', 'MoveToDeletedItems', 'HardDelete', 'SoftDelete', 'Create', 'Update', 'UpdateFolderPermissions');
}
Set-Mailbox -identity <> @mbxauditpolicies;
```

There is also a typo if you don't want to splat -- the AuditAdmin and AuditOwner should have UpdateFolderPermissions (it's singular in the code)
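An added example that combines the two suggestions in this thread (it is not code from the repository or from either commenter): the settings are splatted as wmmyers proposes, but each logon type uses the `@{Add=...}` form from cc-bb's comment so that default actions such as `UpdateFolderPermissions` are appended to rather than overwritten, and a small check function reports mailboxes whose configuration still lacks an expected action. It assumes an already-connected Exchange Online PowerShell session; `Test-MailboxAuditCoverage` and `$mbxAuditPolicies` are names chosen here.

```powershell
# Added example, not code from the repository or either commenter. Assumes an
# existing Exchange Online remote PowerShell session (Get-Mailbox/Set-Mailbox).

# Splatted settings. The @{Add=...} hashtables append to whatever each mailbox
# already has, so defaults like UpdateFolderPermissions are not removed.
$mbxAuditPolicies = @{
    AuditEnabled     = $true
    AuditLogAgeLimit = 180
    # Every auditable action per logon type, as listed in the linked support article.
    AuditOwner    = @{ Add = 'Create', 'HardDelete', 'MailboxLogin', 'Move',
                             'MoveToDeletedItems', 'SoftDelete', 'Update',
                             'UpdateFolderPermissions' }
    AuditDelegate = @{ Add = 'Create', 'HardDelete', 'Move', 'MoveToDeletedItems',
                             'SendAs', 'SendOnBehalf', 'SoftDelete', 'Update',
                             'UpdateFolderPermissions' }
    AuditAdmin    = @{ Add = 'Copy', 'Create', 'HardDelete', 'MessageBind', 'Move',
                             'MoveToDeletedItems', 'SendAs', 'SendOnBehalf',
                             'SoftDelete', 'Update', 'UpdateFolderPermissions' }
}

# Emits one object per mailbox whose audit settings still miss an expected action
# (or auditing itself), so the outcome is verified rather than assumed.
function Test-MailboxAuditCoverage {
    param(
        [Parameter(ValueFromPipeline)] $Mailbox,
        [hashtable] $Policy = $mbxAuditPolicies
    )
    process {
        $missing = foreach ($type in 'AuditOwner', 'AuditDelegate', 'AuditAdmin') {
            $Policy[$type].Add | Where-Object { $_ -notin $Mailbox.$type } |
                ForEach-Object { "${type}:$_" }
        }
        if (-not $Mailbox.AuditEnabled) { $missing = @('AuditEnabled') + $missing }
        if ($missing) {
            [pscustomobject]@{ Mailbox = $Mailbox.PrimarySmtpAddress; Missing = ($missing -join ',') }
        }
    }
}

$userMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $userMailboxes) {
    Set-Mailbox -Identity $mbx.Identity @mbxAuditPolicies
}
# Re-read the mailboxes: the objects above still hold the pre-change state.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Test-MailboxAuditCoverage | Format-Table -AutoSize
```

An empty table from the final pipeline means every user mailbox is audit-enabled and carries all the listed actions; any row names the mailbox and the actions still missing.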