cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Agency 2 Pilot: OneDrive; 2.2 and 2.3 error if anyone links are disabled (Policy 2.1) #31

Closed schrolla closed 1 year ago

schrolla commented 1 year ago

OneDrive for Business policy 2.1 is "Anyone Links SHOULD Be Turned Off". If this is turned off the current rego will mark 2.2 and 2.3 as "FAIL" (Expiration Date SHOULD Be Set for Anyone Links & Link Permissions SHOULD Be Set to Enabled Anyone Links to View) since the admin cannot set an expiration date or permissions to "view".

Suggest adding to the rego a "PASS" scenario: if anyone links are disabled, 2.2 and 2.3 will also show up as "PASS".

schrolla commented 1 year ago

As part of testing for #112 this appears to be addressed with that PR for item 2.3. Quick testing showed it is likely also addressed for 2.2 but recommend @ahuynhMITRE review after that PR is merged to main to validate it has been fully addressed with reporter prior to closing this issue.

Dylan-MITRE commented 1 year ago

Per discussion with @schrolla, we realized that #112 only fixed policy 2.3 but not 2.2. Changing the expiration date was not reflected on the report.

Currently 2.2 is inspecting RequiredExpirationDatePolicy and ExpirationDatePolicy;

after a quick check we found out that the actual fields associated with policy 2.2 are RequireAnonymousLinksExpireInDays and OneDriveRequestFilesLinkExpirationInDays (might still need further investigation/testing to verify since only a quick test was run).

Dylan-MITRE commented 1 year ago

Just did a detailed test. Current 2.2 is checking RequiredExpirationDatePolicy (doesn't exist in the json at all) and ExternalUserExpireInDays (it is relevant to the option about "Guest access to a site or OneDrive will expire automatically after this many days", but it is currently not included in the baseline document); looks like those two options should be added to the baseline doc under 2.2 but will leave it to you for potential future adjustment to the baseline @ahuynhMITRE

For this issue: I will fix based on the current baseline about the expire days for Anyone links. Shouldn't have separate checks for the two settings: RequireAnonymousLinksExpireInDays 30, OneDriveRequestFilesLinkExpirationInDays 30

tkol2022 commented 1 year ago

Via testing and research I confirm that policy 2.2 is looking at the wrong field, so that needs to be fixed as well. I believe the correct field that should be inspected is RequireAnonymousLinksExpireInDays. According to Microsoft, this field is defined as "Specifies all anonymous links that have been created (or will be created) will expire after the set number of days."

It looks like this single field can indicate both that Anyone links expire and that there is an expiration date set to a specific value. Here are the technical requirements:

tkol2022 commented 1 year ago

Even though we found that 2.2 was not implemented correctly, the core problem that this GitHub issue was created for still exists and must be corrected as part of this work. Here is a summary.

If policy 2.1 passes, which indicates that Anyone links are not enabled, then policies 2.2 and 2.3 should also Pass no matter what. This is because if Anyone links are disabled, it is not possible to configure 2.2 and 2.3 and their configurations are not relevant.
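The dependency described above (2.1 passing makes 2.2 not applicable, so it reports PASS), written as an added Rego example for this thread and not ScubaGear's own policy code. The `tenant` object is a constructed sample, `AnyoneLinksEnabled` is a hypothetical placeholder for whatever field 2.1 actually reads, and the 30-day limit is taken from the comments above as an assumed threshold:

```rego
package onedrive_issue31_example

import future.keywords.if

# Constructed sample of the tenant settings the checks inspect (not real
# ScubaGear output). The 2.2 field names are those named in this thread;
# "AnyoneLinksEnabled" is a hypothetical stand-in for the 2.1 setting.
tenant := {
    "AnyoneLinksEnabled": false,
    "RequireAnonymousLinksExpireInDays": 0,
    "OneDriveRequestFilesLinkExpirationInDays": 0,
}

# Assumed maximum expiration, in days, for Anyone links.
max_anyone_link_days := 30

# Policy 2.1: Anyone links SHOULD be turned off.
policy_2_1_pass if {
    not tenant.AnyoneLinksEnabled
}

# Policy 2.2, first branch: if Anyone links are disabled the expiration
# cannot be configured at all, so 2.1 passing satisfies 2.2 as well.
policy_2_2_pass if {
    policy_2_1_pass
}

# Policy 2.2, second branch: Anyone links are enabled, so both expiration
# settings must be set (non-zero) and within the assumed limit.
policy_2_2_pass if {
    tenant.RequireAnonymousLinksExpireInDays > 0
    tenant.RequireAnonymousLinksExpireInDays <= max_anyone_link_days
    tenant.OneDriveRequestFilesLinkExpirationInDays > 0
    tenant.OneDriveRequestFilesLinkExpirationInDays <= max_anyone_link_days
}

# Report text, so the reader sees why 2.2 passed instead of a bare "PASS".
policy_2_2_report := "PASS: Anyone links are disabled, so expiration is not applicable" if {
    policy_2_1_pass
} else := "PASS" if {
    policy_2_2_pass
} else := "FAIL"
```

With the sample as constructed, `policy_2_1_pass` is true and `policy_2_2_report` evaluates to the "not applicable" PASS string; flipping `AnyoneLinksEnabled` to `true` with both day counts still at 0 yields "FAIL".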

Dylan-MITRE commented 1 year ago

@tkol2022 so I have fixed the issue with 2.3 with #112, but yeah, I can try to explore a way to add in the logic where if 2.1 passes then 2.3 should indicate that anyone links are disabled.

And I am still investigating 2.2. It seems like there are things that might need to be changed in the baseline document, because when users follow the steps, once they have completed the configuration of 2.1 they would not be able to follow along with 2.2 and 2.3 as the option for Anyone Links disappears.