From 744db5ac04090354d6c8d651c0f6f6053136db21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20Kj=C3=A6rg=C3=A5rd?=
Date: Tue, 6 Feb 2024 19:27:24 +0100
Subject: [PATCH] Add tags to all standards

---
 src/data/standards.json | 124 ++++++++++++++++++++++++++++++----------
 1 file changed, 95 insertions(+), 29 deletions(-)

diff --git a/src/data/standards.json b/src/data/standards.json
index 8c49f0deb337..762bdc713054 100644
--- a/src/data/standards.json
+++ b/src/data/standards.json
@@ -2,6 +2,7 @@
 {
 "name": "standards.MailContacts",
 "cat": "Global Standards",
+ "tag": ["lowimpact"],
 "helpText": "Defines the email address to receive general updates and information related to M365 subscriptions. Leave a contact field blank if you do not want to update the contact information.",
 "disabledFeatures": {
 "report": false,
@@ -37,6 +38,7 @@
 {
 "name": "standards.AuditLog",
 "cat": "Global Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables the Unified Audit Log for tracking and auditing activities. Also runs Enable-OrganizationCustomization if necessary.",
 "addedComponent": [],
 "label": "Enable the Unified Audit Log",
@@ -46,6 +48,7 @@
 {
 "name": "standards.PhishProtection",
 "cat": "Global Standards",
+ "tag": ["lowimpact"],
 "helpText": "Adds branding to the logon page that only appears if the url is not login.microsoftonline.com. This potentially prevents AITM attacks via EvilNginx. This will also automatically generate alerts if a clone of your login page has been found when set to Remediate.",
 "addedComponent": [],
 "label": "Enable Phishing Protection system via branding CSS",
@@ -60,6 +63,7 @@
 {
 "name": "standards.EnableCustomerLockbox",
 "cat": "Global Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables Customer Lockbox that offers an approval process for Microsoft support to access organization data",
 "addedComponent": [],
 "label": "Enable Customer Lockbox",
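Review bot: The new `"tag"` key holds an array but is named in the singular, and its values mix two casings (`"lowimpact"`, `"mediumimpact"`, `"highimpact"` next to `"CIS"`), so the field reads as an ad-hoc list rather than a closed enum; this applies to every hunk in the patch, not only the `standards.MailContacts` entry here. The impact token also restates what each entry's `"impact"` and `"impactColour"` already say, so the two can drift apart on a later edit with nothing to catch it. If the consumer code can still be adjusted, `"tags"` with one casing convention (for example `["lowimpact", "cis"]`) would be clearer; either way, a small test asserting that each entry's impact tag agrees with its `"impact"` value would pin the data. The enclosing JSON array begins before and ends after this hunk.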
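Review bot: The `"CIS"` tag added to `standards.AuditLog` (and to the other entries carrying it in this patch) names a benchmark but not which benchmark version or control the standard is meant to satisfy, so the mapping cannot be checked from the diff and cannot be traced by an auditor later. Consider recording the control reference next to the tag — e.g. a `"cisControl"` string on each tagged entry — or at least documenting the mapping wherever the tag vocabulary is defined. Only the first seven lines of the `standards.AuditLog` object are in the hunk; the rest of the object is outside the diff.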
@@ -69,6 +73,7 @@
 {
 "name": "standards.AnonReportDisable",
 "cat": "Global Standards",
+ "tag": ["lowimpact"],
 "helpText": "Shows usernames instead of pseudo anonymised names in reports. This standard is required for reporting to work correctly.",
 "addedComponent": [],
 "label": "Enable Usernames instead of pseudo anonymised names in reports",
@@ -78,6 +83,7 @@
 {
 "name": "standards.DisableGuestDirectory",
 "cat": "Global Standards",
+ "tag": ["lowimpact"],
 "helpText": "Disables Guest access to enumerate directory objects. This prevents guest users from seeing other users or guests in the directory.",
 "addedComponent": [],
 "label": "Restrict guest user access to directory objects",
@@ -87,6 +93,7 @@
 {
 "name": "standards.DisableBasicAuthSMTP",
 "cat": "Global Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Disables SMTP AUTH for the organization and all users. This is the default for new tenants. ",
 "addedComponent": [],
 "label": "Disable SMTP Basic Authentication",
@@ -96,6 +103,7 @@
 {
 "name": "standards.ActivityBasedTimeout",
 "cat": "Global Standards",
+ "tag": ["mediumimpact", "CIS"],
 "helpText": "Enables and sets Idle session timeout for Microsoft 365 to 1 hour. This policy affects most M365 web apps",
 "addedComponent": [],
 "label": "Enable 1 hour Activity based Timeout",
@@ -105,6 +113,7 @@
 {
 "name": "standards.laps",
 "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables the tenant to use LAPS. You must still create a policy for LAPS to be active on all devices. Use the template standards to deploy this by default.",
 "addedComponent": [],
 "label": "Enable LAPS on the tenant",
@@ -112,8 +121,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.PWdisplayAppInformationRequiredState",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables the MS authenticator app to display information about the app that is requesting authentication. This displays the application name.",
 "addedComponent": [],
 "label": "Enable Passwordless with Location information and Number Matching",
@@ -121,8 +131,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.allowOTPTokens",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Allows you to use MS authenticator OTP token generator",
 "addedComponent": [],
 "label": "Enable OTP via Authenticator",
@@ -130,8 +141,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.PWcompanionAppAllowedState",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Sets the state of Authenticator Lite, Authenticator lite is a companion app for passwordless authentication.",
 "addedComponent": [
 {
@@ -155,8 +167,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.EnableFIDO2",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables the FIDO2 authenticationMethod for the tenant",
 "addedComponent": [],
 "label": "Enable FIDO2 capabilities",
@@ -164,8 +177,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.EnableHardwareOAuth",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables the HardwareOath authenticationMethod for the tenant. This allows you to use hardware tokens for generating 6 digit MFA codes.",
 "addedComponent": [],
 "label": "Enable Hardware OAuth tokens",
@@ -173,8 +187,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.allowOAuthTokens",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Allows you to use any software OAuth token generator",
 "addedComponent": [],
 "label": "Enable OTP Software OAuth tokens",
@@ -182,8 +197,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.TAP",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables TAP and sets the default TAP lifetime to 1 hour. This configuration also allows you to select is a TAP is single use or multi-logon.",
 "addedComponent": [
 {
@@ -207,8 +223,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.PasswordExpireDisabled",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Disables the expiration of passwords for the tenant by setting the password expiration policy to never expire for any user.",
 "addedComponent": [],
 "label": "Do not expire passwords",
@@ -216,8 +233,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableTenantCreation",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Restricts creation of M365 tenants to the Global Administrator or Tenant Creator roles. ",
 "addedComponent": [],
 "label": "Disable M365 Tenant creation by users",
@@ -225,8 +243,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.EnableAppConsentRequests",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables App consent admin requests for the tenant via the GA role. Does not overwrite existing reviewer settings",
 "addedComponent": [
 {
@@ -240,8 +259,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.NudgeMFA.enable",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables registration campaign for the tenant",
 "addedComponent": [],
 "label": "Request to setup Authenticator if not setup yet",
@@ -249,8 +269,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.NudgeMFA.disable",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Disables registration campaign for the tenant",
 "addedComponent": [],
 "label": "Disables the request to setup Authenticator if setup",
@@ -258,8 +279,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableM365GroupUsers",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["lowimpact"],
 "helpText": "Restricts M365 group creation to certain admin roles. This disables the ability to create Teams, Sharepoint sites, Planner, etc",
 "addedComponent": [],
 "label": "Disable M365 Group creation by users",
@@ -267,8 +289,9 @@
 "impactColour": "info"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableSecurityGroupUsers",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Completely disables the creation of security groups by users. This also breaks the ability to manage groups themselves, or create Teams",
 "addedComponent": [],
 "label": "Disable Security Group creation by users",
@@ -276,8 +299,9 @@
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.LegacyMFACleanup",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Removes legacy Per-User MFA if the tenant has Security Defaults or an All Users Conditional Access rule enabled.",
 "addedComponent": [],
 "label": "Remove Legacy MFA if SD or CA is active",
@@ -285,8 +309,9 @@
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableSelfServiceLicenses",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact"],
 "helpText": "This standard currently does not function and can be safely disabled",
 "addedComponent": [],
 "label": "Disable Self Service Licensing",
@@ -294,8 +319,9 @@
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableGuests",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Blocks login for guest users that have not logged in for 90 days",
 "addedComponent": [],
 "label": "Disable Guest accounts that have not logged on for 90 days",
@@ -303,8 +329,9 @@
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.OauthConsent",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact", "CIS"],
 "helpText": "Disables users from being able to consent to applications, except for those specified in the field below",
 "addedComponent": [
 {
@@ -318,30 +345,33 @@
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.OauthConsentLowSec",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Sets the default oauth consent level so users can consent to applications that have low risks.",
 "label": "Allow users to consent to applications with low security risk (Prevent OAuth phishing. Lower impact, less secure)",
 "impact": "Medium Impact",
 "impactColour": "warning"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.UndoOauth",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
+ "helpText": "Disables App consent and set to Allow user consent for apps",
+ "addedComponent": [],
 "disabledFeatures": {
 "report": true,
 "warn": true,
 "remediate": false
 },
- "helpText": "Disables App consent and set to Allow user consent for apps",
- "addedComponent": [],
 "label": "Undo App Consent Standard",
 "impact": "High Impact",
 "impactColour": "danger"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.SecurityDefaults",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
 "helpText": "Enables security defaults for the tenant, for newer tenants this is enabled by default. Do not enable this feature if you use Conditional Access.",
 "addedComponent": [],
 "label": "Enable Security Defaults",
@@ -349,8 +379,9 @@
 "impactColour": "danger"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableSMS",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
 "helpText": "This blocks users from using SMS as an MFA method. If a user only has SMS as a MFA method, they will be unable to login.",
 "addedComponent": [],
 "label": "Disables SMS as an MFA method",
@@ -358,8 +389,9 @@
 "impactColour": "danger"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableVoice",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
 "helpText": "This blocks users from using Voice call as an MFA method. If a user only has Voice as a MFA method, they will be unable to login.",
 "addedComponent": [],
 "label": "Disables Voice call as an MFA method",
@@ -367,8 +399,9 @@
 "impactColour": "danger"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.DisableEmail",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
 "helpText": "This blocks users from using email as an MFA method. This disables the email OTP option for guest users, and instead promts them to create a Microsoft account.",
 "addedComponent": [],
 "label": "Disables Email as an MFA method",
@@ -376,8 +409,9 @@
 "impactColour": "danger"
 },
 {
- "cat": "Entra (AAD) Standards",
 "name": "standards.Disablex509Certificate",
+ "cat": "Entra (AAD) Standards",
+ "tag": ["highimpact"],
 "helpText": "This blocks users from using Certificates as an MFA method.",
 "addedComponent": [],
 "label": "Disables Certificates as an MFA method",
@@ -387,6 +421,7 @@
 {
 "name": "standards.OutBoundSpamAlert",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Set the Outbound Spam Alert e-mail address",
 "addedComponent": [
 {
@@ -402,6 +437,7 @@
 {
 "name": "standards.AutoExpandArchive",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables auto-expanding archives for the tenant",
 "addedComponent": [],
 "label": "Enable Auto-expanding archives",
@@ -411,6 +447,7 @@
 {
 "name": "standards.EnableOnlineArchiving",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact"],
 "helpText": "Enables the In-Place Online Archive for all UserMailboxes with a valid license.",
 "addedComponent": [],
 "label": "Enable Online Archive for all users",
@@ -420,6 +457,7 @@
 {
 "name": "standards.SpoofWarn",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Adds or removes indicators to e-mail messages received from external senders in Outlook. Works on all Outlook clients/OWA",
 "addedComponent": [
 {
@@ -445,6 +483,7 @@
 {
 "name": "standards.EnableMailTips",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables all MailTips in Outlook. MailTips are the notifications Outlook and Outlook on the web shows when an email you create, meets some requirements",
 "addedComponent": [
 {
@@ -461,6 +500,7 @@
 {
 "name": "standards.DisableViva",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact"],
 "helpText": "Disables the daily viva reports for all users.",
 "addedComponent": [],
 "label": "Disable daily Insight/Viva reports",
@@ -470,6 +510,7 @@
 {
 "name": "standards.RotateDKIM",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Rotate DKIM keys that are 1024 bit to 2048 bit",
 "addedComponent": [],
 "label": "Rotate DKIM keys that are 1024 bit to 2048 bit",
@@ -479,6 +520,7 @@
 {
 "name": "standards.AddDKIM",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables DKIM for all domains that currently support it",
 "addedComponent": [],
 "label": "Enables DKIM for all domains that currently support it",
@@ -488,6 +530,7 @@
 {
 "name": "standards.EnableMailboxAuditing",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Enables Mailbox auditing for all mailboxes and on tenant level. By default Microsoft does not enable mailbox auditing for Resource Mailboxes, Public Folder Mailboxes and DiscoverySearch Mailboxes. Unified Audit Log needs to be enabled for this standard to function.",
 "addedComponent": [],
 "label": "Enable Mailbox auditing",
@@ -497,6 +540,7 @@
 {
 "name": "standards.SendReceiveLimitTenant",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact"],
 "helpText": "Sets the Send and Receive limits for new users. Valid values are 1MB to 150MB",
 "addedComponent": [
 {
@@ -517,6 +561,7 @@
 {
 "name": "standards.calDefault",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact"],
 "helpText": "Sets the default sharing level for the default calendar, for all users",
 "disabledFeatures": {
 "report": true,
@@ -567,6 +612,7 @@
 {
 "name": "standards.DisableExternalCalendarSharing",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Disables the ability for users to share their calendar with external users. Only for the default policy, so exclusions can be made if needed.",
 "addedComponent": [],
 "label": "Disable external calendar sharing",
@@ -576,6 +622,7 @@
 {
 "name": "standards.DisableAdditionalStorageProviders",
 "cat": "Exchange Standards",
+ "tag": ["lowimpact", "CIS"],
 "helpText": "Disables the ability for users to open files in Outlook on the Web, from other providers such as Box, Dropbox, Facebook, Google Drive, OneDrive Personal, etc.",
 "addedComponent": [],
 "label": "Disable additional storage providers in OWA",
@@ -585,6 +632,7 @@
 {
 "name": "standards.DisableOutlookAddins",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact", "CIS"],
 "helpText": "Disables the ability for users to install add-ins in Outlook. This is to prevent users from installing malicious add-ins.",
 "addedComponent": [],
 "label": "Disable users from installing add-ins in Outlook",
@@ -594,13 +642,14 @@
 {
 "name": "standards.SafeSendersDisable",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact"],
+ "helpText": "Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF.",
+ "addedComponent": [],
 "disabledFeatures": {
 "report": true,
 "warn": true,
 "remediate": false
 },
- "helpText": "Loops through all users and removes the Safe Senders list. This is to prevent SPF bypass attacks, as the Safe Senders list is not checked by SPF.",
- "addedComponent": [],
 "label": "Remove Safe Senders to prevent SPF bypass",
 "impact": "Medium Impact",
 "impactColour": "warning"
@@ -608,6 +657,7 @@
 {
 "name": "standards.DelegateSentItems",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Sets emails sent as and on behalf of shared mailboxes to also be stored in the shared mailbox sent items folder",
 "addedComponent": [],
 "label": "Set mailbox Sent Items delegation (Sent items for shared mailboxes)",
@@ -617,6 +667,7 @@
 {
 "name": "standards.SendFromAlias",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Enables the ability for users to send from their alias addresses.",
 "addedComponent": [],
 "label": "Allow users to send from their alias addresses",
@@ -626,6 +677,7 @@
 {
 "name": "standards.UserSubmissions.enable",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Enables the spam submission button in Outlook",
 "addedComponent": [],
 "label": "Enable the built-in Report button in Outlook",
@@ -635,6 +687,7 @@
 {
 "name": "standards.UserSubmissions.disable",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Disables the spam submission button in Outlook",
 "addedComponent": [],
 "label": "Disable the built-in Report button in Outlook",
@@ -644,6 +697,7 @@
 {
 "name": "standards.DisableSharedMailbox",
 "cat": "Exchange Standards",
+ "tag": ["mediumimpact", "CIS"],
 "helpText": "Blocks login for all accounts that are marked as a shared mailbox. This is Microsoft best practice to prevent direct logons to shared mailboxes.",
 "addedComponent": [],
 "label": "Disable Shared Mailbox AAD accounts",
@@ -653,6 +707,7 @@
 {
 "name": "standards.intuneDeviceRetirementDays",
 "cat": "Intune Standards",
+ "tag": ["lowimpact"],
 "helpText": "A value between 0 and 270 is supported. A value of 0 disables retirement, retired devices are removed from Intune after the specified number of days.",
 "addedComponent": [
 {
@@ -668,6 +723,7 @@
 {
 "name": "standards.intuneDeviceReg",
 "cat": "Intune Standards",
+ "tag": ["mediumimpact"],
 "helpText": "sets the maximum number of devices that can be registered by a user. A value of 0 disables device registration by users",
 "addedComponent": [
 {
@@ -683,6 +739,7 @@
 {
 "name": "standards.intuneRequireMFA",
 "cat": "Intune Standards",
+ "tag": ["mediumimpact"],
 "helpText": "Requires MFA for all users to register devices with Intune. This is useful when not using Conditional Access.",
 "label": "Require Multifactor Authentication to register or join devices with Microsoft Entra",
 "impact": "Medium Impact",
@@ -691,6 +748,7 @@
 {
 "name": "standards.DeletedUserRentention",
 "cat": "SharePoint Standards",
+ "tag": ["lowimpact"],
 "helpText": "Sets the retention period for deleted users OneDrive to 1 year/365 days",
 "addedComponent": [],
 "label": "Retain a deleted user OneDrive for 1 year",
@@ -700,6 +758,7 @@
 {
 "name": "standards.DisableAddShortcutsToOneDrive",
 "cat": "SharePoint Standards",
+ "tag": ["mediumimpact"],
 "helpText": "When the feature is disabled the option Add shortcut to OneDrive will be removed. Any folders that have already been added will remain on the user's computer.",
 "disabledFeatures": {
 "report": true,
@@ -714,6 +773,7 @@
 {
 "name": "standards.DisableSharePointLegacyAuth",
 "cat": "SharePoint Standards",
+ "tag": ["mediumimpact", "CIS"],
 "helpText": "Disables the ability to authenticate with SharePoint using legacy authentication methods. Any applications that use legacy authentication will need to be updated to use modern authentication.",
 "addedComponent": [],
 "label": "Disable legacy basic authentication for SharePoint",
@@ -723,6 +783,7 @@
 {
 "name": "standards.sharingCapability",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact", "CIS"],
 "helpText": "Sets the default sharing level for OneDrive and Sharepoint. This is a tenant wide setting and overrules any settings set on the site level",
 "addedComponent": [
 {
@@ -756,6 +817,7 @@
 {
 "name": "standards.DisableReshare",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact", "CIS"],
 "helpText": "Disables the ability for external users to share files they don't own. Sharing links can only be made for People with existing access",
 "addedComponent": [],
 "label": "Disable Resharing by External Users",
@@ -765,6 +827,7 @@
 {
 "name": "standards.DisableUserSiteCreate",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact"],
 "helpText": "Disables users from creating new SharePoint sites",
 "addedComponent": [],
 "label": "Disable site creation by standard users",
@@ -774,6 +837,7 @@
 {
 "name": "standards.ExcludedfileExt",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact"],
 "helpText": "Sets the file extensions that are excluded from syncing with OneDrive. These files will be blocked from upload.",
 "addedComponent": [
 {
@@ -789,6 +853,7 @@
 {
 "name": "standards.disableMacSync",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact"],
 "helpText": "Disables the ability for Mac devices to sync with OneDrive.",
 "addedComponent": [],
 "label": "Do not allow Mac devices to sync using OneDrive",
@@ -798,6 +863,7 @@
 {
 "name": "standards.unmanagedSync",
 "cat": "SharePoint Standards",
+ "tag": ["highimpact"],
 "helpText": "This standard will only allow devices that are AD joined, or AAD joined to sync with OneDrive",
 "addedComponent": [],
 "label": "Only allow users to sync OneDrive from AAD joined devices",