Releases: silverhack/monkey365

Monkey365 v0.96

04 Feb 17:31

What's Added

  • Support for serving static HTML-related assets (CSS, JS, images, fonts, etc.) through a dedicated local web server endpoint. More information about this can be seen here. #162
  • Full support for the CIS Microsoft 365 Foundations Benchmark v5.0.0. All controls included.

What's Fixed

  • Automated Monkey365 Runs May Introduce A Confirmation Prompt In PowerShell 5.1 after installing KB5074204 #163
  • Added new exceptions
  • Better classification for findings #159. Since the CIS Benchmarks do not assign risk severity levels, the risk ratings for all rulesets are based on my own interpretation.

As always, you can override any rule at different levels, such as severity, enabled/disabled and so on. More details are available in the Overrides section.

The following rules were automated:

  • 1.1.4 Ensure administrative accounts use licenses with a reduced application footprint
  • 1.2.1 Ensure that only organizationally managed/approved public groups exist
  • 1.2.2 Ensure sign-in to shared mailboxes is blocked
  • 1.3.4 Ensure 'User owned apps and services' is restricted
  • 2.1.1 Ensure Safe Links for Office Applications is Enabled
  • 2.1.2 Ensure the Common Attachment Types Filter is enabled
  • 2.1.4 Ensure Safe Attachments policy is enabled
  • 2.1.5 Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is Enabled
  • 2.1.6 Ensure Exchange Online Spam Policies are set to notify administrators
  • 2.1.7 Ensure that an anti-phishing policy has been created
  • 2.1.11 Ensure comprehensive attachment filtering is applied
  • 2.1.12 Ensure the connection filter IP allow list is not used
  • 2.1.13 Ensure the connection filter safe list is off
  • 2.1.14 Ensure inbound anti-spam policies do not contain allowed domains
  • 2.4.1 Ensure Priority account protection is enabled and configured
  • 2.4.2 Ensure Priority accounts have 'Strict protection' presets applied
  • 2.4.4 Ensure Zero-hour auto purge for Microsoft Teams is on
  • 3.2.1 Ensure DLP policies are enabled
  • 3.2.2 Ensure DLP policies are enabled for Microsoft Teams
  • 3.3.1 Ensure Information Protection sensitivity label policies are published
  • 5.1.3.1 Ensure a dynamic group for guest users is created
  • 5.2.2.1 Ensure multifactor authentication is enabled for all users in administrative roles
  • 5.2.2.2 Ensure multifactor authentication is enabled for all users
  • 5.2.2.4 Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users
  • 5.2.2.5 Ensure 'Phishing-resistant MFA strength' is required for Administrators
  • 5.2.2.8 Ensure 'sign-in risk' is blocked for medium and high risk
  • 5.2.2.9 Ensure a managed device is required for authentication
  • 5.2.2.10 Ensure a managed device is required to register security information
  • 5.2.2.11 Ensure sign-in frequency for Intune Enrollment is set to 'Every time'
  • 5.2.2.12 Ensure the device code sign-in flow is blocked
  • 5.2.3.1 Ensure Microsoft Authenticator is configured to protect against MFA fatigue
  • 5.2.3.5 Ensure weak authentication methods are disabled
  • 5.3.2 Ensure 'Access reviews' for Guest Users are configured
  • 5.3.4 Ensure approval is required for Global Administrator role activation
  • 5.3.5 Ensure approval is required for Privileged Role Administrator activation
  • 6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False'
  • 6.1.2 Ensure mailbox audit actions are configured
  • 6.1.3 Ensure 'AuditBypassEnabled' is not enabled on mailboxes
  • 6.2.2 Ensure mail transport rules do not whitelist specific domains
  • 6.5.1 Ensure modern authentication for Exchange Online is enabled
  • 6.5.4 Ensure SMTP AUTH is disabled
  • 7.2.1 Ensure modern authentication for SharePoint applications is required
  • 7.2.3 Ensure external content sharing is restricted
  • 7.2.4 Ensure OneDrive content sharing is restricted
  • 7.2.8 Ensure external sharing is restricted by security group
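As an added example (not code from Monkey365 or its rulesets), the following PowerShell shows the shape of an automated check for three of the Exchange Online rules listed above (6.1.1, 6.1.3 and 6.5.4). The Test-* functions are this example's own; they take the objects the corresponding Exchange Online cmdlets return, so the logic runs offline on the constructed sample input, and the live cmdlet calls appear in the trailing comments. The severity labels are an assumption of this example, not CIS ratings.

```powershell
# Added example, not Monkey365 code. Severities below are this example's assumption.
function New-Finding {
    param([string]$Id, [string]$Title, [string]$Severity, [bool]$Pass, [object[]]$Evidence)
    [pscustomobject]@{
        RuleId   = $Id
        Title    = $Title
        Severity = $Severity
        Status   = if ($Pass) { 'Pass' } else { 'Fail' }
        Evidence = $Evidence
    }
}

# 6.1.1 Ensure 'AuditDisabled' organizationally is set to 'False' (live input: Get-OrganizationConfig)
function Test-MailboxAuditingEnabled {
    param([Parameter(Mandatory)] $OrganizationConfig)
    $pass = -not [bool]$OrganizationConfig.AuditDisabled
    New-Finding -Id '6.1.1' -Title "Ensure 'AuditDisabled' organizationally is set to 'False'" `
        -Severity 'High' -Pass $pass `
        -Evidence @([pscustomobject]@{ AuditDisabled = $OrganizationConfig.AuditDisabled })
}

# 6.1.3 Ensure 'AuditBypassEnabled' is not enabled on mailboxes
# (live input: Get-MailboxAuditBypassAssociation -ResultSize Unlimited)
function Test-NoAuditBypass {
    param([object[]]$BypassAssociations)
    $bypassed = @($BypassAssociations | Where-Object { $_.AuditBypassEnabled -eq $true })
    New-Finding -Id '6.1.3' -Title "Ensure 'AuditBypassEnabled' is not enabled on mailboxes" `
        -Severity 'Medium' -Pass ($bypassed.Count -eq 0) -Evidence $bypassed
}

# 6.5.4 Ensure SMTP AUTH is disabled
# (live input: Get-TransportConfig for the org default, Get-CASMailbox -ResultSize Unlimited for overrides)
function Test-SmtpAuthDisabled {
    param([Parameter(Mandatory)] $TransportConfig, [object[]]$CasMailboxes)
    $orgDisabled = [bool]$TransportConfig.SmtpClientAuthenticationDisabled
    # A per-mailbox value of $false re-enables SMTP AUTH even when the org default disables it;
    # $null means the mailbox inherits the org setting.
    $overrides = @($CasMailboxes | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false })
    $pass = $orgDisabled -and ($overrides.Count -eq 0)
    $evidence = @([pscustomobject]@{ Scope = 'Organization'; SmtpClientAuthenticationDisabled = $orgDisabled }) + $overrides
    New-Finding -Id '6.5.4' -Title 'Ensure SMTP AUTH is disabled' -Severity 'High' -Pass $pass -Evidence $evidence
}

# Constructed sample input standing in for the cmdlet output (no tenant needed).
$orgConfig = [pscustomobject]@{ AuditDisabled = $false }
$bypass    = @(
    [pscustomobject]@{ Identity = 'svc-backup'; AuditBypassEnabled = $true },
    [pscustomobject]@{ Identity = 'alice';      AuditBypassEnabled = $false }
)
$transport = [pscustomobject]@{ SmtpClientAuthenticationDisabled = $true }
$casMbx    = @(
    [pscustomobject]@{ Identity = 'alice';   SmtpClientAuthenticationDisabled = $null },
    [pscustomobject]@{ Identity = 'scanner'; SmtpClientAuthenticationDisabled = $false }
)

$findings = @(
    Test-MailboxAuditingEnabled -OrganizationConfig $orgConfig                  # Pass
    Test-NoAuditBypass -BypassAssociations $bypass                              # Fail: svc-backup
    Test-SmtpAuthDisabled -TransportConfig $transport -CasMailboxes $casMbx     # Fail: scanner
)
$findings | Select-Object RuleId, Severity, Status | Format-Table -AutoSize

# Against a real tenant (ExchangeOnlineManagement module, after Connect-ExchangeOnline):
# $findings = @(
#     Test-MailboxAuditingEnabled -OrganizationConfig (Get-OrganizationConfig)
#     Test-NoAuditBypass -BypassAssociations (Get-MailboxAuditBypassAssociation -ResultSize Unlimited)
#     Test-SmtpAuthDisabled -TransportConfig (Get-TransportConfig) -CasMailboxes (Get-CASMailbox -ResultSize Unlimited)
# )
```

The per-mailbox override in the SMTP AUTH check is the part an org-level-only check misses: one mailbox with SmtpClientAuthenticationDisabled set to $false keeps basic-auth SMTP reachable for that account regardless of the tenant default.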

Upcoming deprecation

The following benchmarks will be deprecated, and will be retired soon:

Upcoming breaking changes

  • List of all ongoing deprecations and breaking changes #132

Full Changelog: v0.95.7...v0.96

Monkey365 v0.95.8

05 Sep 18:10

What's Changed

What's Added

  • Client credentials support for Microsoft Fabric. You can now run Monkey365 using the following command as an example:
$param = @{
    ClientId = '00000000-0000-0000-0000-000000000000';
    certificate = 'C:\monkey365\testapp.pfx';
    CertFilePassword = ("MySuperCertSecret" | ConvertTo-SecureString -AsPlainText -Force);
    Instance = 'Microsoft365';
    Collect = 'SharePointOnline','MicrosoftFabric';
    TenantID = '00000000-0000-0000-0000-000000000000';
    PowerBIClientId = '00000000-0000-0000-0000-000000000000';
    PowerBICertificateFile = 'C:\monkey365\powerBi.pfx';
    PowerBICertificatePassword = ("MySuperPassword" | ConvertTo-SecureString -AsPlainText -Force);
    ExportTo = @("HTML");
}
Invoke-Monkey365 @param

Please note that, unlike other services, Microsoft Fabric requires that the application must not have any delegated or application permissions assigned. See the docs here and the official documentation from Microsoft here.

New features

Listing rules

The -ListRule flag is used to display a list of available rules within the Monkey365 framework. Try it now with the following examples:

  • The following example will list all rules available for the Azure instance.
$p = @{
    Instance = "Azure";
    ListRule = $true
}
Invoke-Monkey365 @p

  • The following example will list all rules available for the Microsoft 365 instance.

$p = @{
    Instance = "Microsoft365";
    ListRule = $true
}
Invoke-Monkey365 @p

Automatic application setup with Monkey365

Monkey365 now includes a built-in utility that streamlines the creation and configuration of Entra ID applications for the following Microsoft services:

  • Microsoft Graph
  • Microsoft Teams
  • Exchange Online
  • SharePoint Online

The utility automates the creation of an Entra ID application, configures permissions based on the selected services, and generates a certificate for authentication, which it then uploads to the application.

To run the utility with default settings from the Monkey365 installation directory, use the following:

$p = @{
    TenantId = '00000000-0000-0000-0000-000000000000';
    Services = 'ExchangeOnline','MicrosoftGraph','MicrosoftTeams','SharePointOnline';
}
Register-Monkey365Application @p

If you want to specify a custom certificate, use the following:

$p = @{
    TenantId = '00000000-0000-0000-0000-000000000000';
    Services = 'ExchangeOnline','MicrosoftGraph','MicrosoftTeams','SharePointOnline';
    Certificate = 'C:\Monkey365.cer'
}
Register-Monkey365Application @p

More information and examples can be seen here.
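As an added example (not Monkey365's own code), the following PowerShell reviews an app registration after Register-Monkey365Application has created it; the same review applies to the application used for Microsoft Fabric in the v0.95.8 notes above, which must carry no permissions at all. Get-AppPermissionReview is a name introduced here. It works on objects shaped like Microsoft.Graph PowerShell output (Get-MgApplication and Get-MgServicePrincipal), so it runs offline on the constructed sample, and the live calls are shown in the trailing comments. The Microsoft Graph app id in the sample is the real well-known value; the application id and the permission ids are constructed.

```powershell
# Added example, not Monkey365 code. Object shapes follow the Microsoft.Graph PowerShell SDK.
function Get-AppPermissionReview {
    param(
        [Parameter(Mandatory)] $Application,                              # Get-MgApplication output
        [Parameter(Mandatory)] [hashtable]$ResourceServicePrincipals,     # resource appId -> Get-MgServicePrincipal output
        [int]$MinCertDaysLeft = 30
    )
    $now = (Get-Date).ToUniversalTime()

    # Resolve each requested permission GUID to its name via the resource's service principal.
    $perms = foreach ($rra in @($Application.RequiredResourceAccess)) {
        $sp = $ResourceServicePrincipals[$rra.ResourceAppId]
        foreach ($access in @($rra.ResourceAccess)) {
            # 'Role' = application permission (the app acts on its own); 'Scope' = delegated permission.
            $name = if ($access.Type -eq 'Role') {
                ($sp.AppRoles | Where-Object Id -eq $access.Id).Value
            } else {
                ($sp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            }
            [pscustomobject]@{
                Resource   = $sp.DisplayName
                Type       = $access.Type
                Permission = if ($name) { $name } else { "<unknown $($access.Id)>" }
            }
        }
    }
    $perms = @($perms)

    $certs = foreach ($kc in @($Application.KeyCredentials)) {
        [pscustomobject]@{
            Name     = $kc.DisplayName
            Expires  = $kc.EndDateTime
            DaysLeft = [int](([datetime]$kc.EndDateTime) - $now).TotalDays
        }
    }
    $certs = @($certs)

    [pscustomobject]@{
        AppId           = $Application.AppId
        Permissions     = $perms
        HasWritePerms   = @($perms | Where-Object { $_.Permission -match '\.(ReadWrite|Write)' }).Count -gt 0  # a read-only assessment should not need these
        HasNoPerms      = $perms.Count -eq 0                                   # required for the Microsoft Fabric application
        PasswordSecrets = @($Application.PasswordCredentials).Count            # prefer certificates; expect 0
        ExpiringCerts   = @($certs | Where-Object DaysLeft -lt $MinCertDaysLeft)
    }
}

# Constructed sample. The Microsoft Graph appId is the real well-known value; everything else is made up.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp = [pscustomobject]@{
    DisplayName            = 'Microsoft Graph'
    AppRoles               = @([pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Value = 'Directory.Read.All' })
    Oauth2PermissionScopes = @([pscustomobject]@{ Id = 'bbbbbbbb-0000-0000-0000-000000000002'; Value = 'Mail.ReadWrite' })
}
$app = [pscustomobject]@{
    AppId                  = '11111111-1111-1111-1111-111111111111'
    RequiredResourceAccess = @([pscustomobject]@{
        ResourceAppId  = $graphAppId
        ResourceAccess = @(
            [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Type = 'Role' },
            [pscustomobject]@{ Id = 'bbbbbbbb-0000-0000-0000-000000000002'; Type = 'Scope' }
        )
    })
    KeyCredentials      = @([pscustomobject]@{ DisplayName = 'monkey365'; EndDateTime = (Get-Date).ToUniversalTime().AddDays(10) })
    PasswordCredentials = @()
}

$review = Get-AppPermissionReview -Application $app -ResourceServicePrincipals @{ $graphAppId = $graphSp }
$review.Permissions | Format-Table -AutoSize          # Directory.Read.All (Role), Mail.ReadWrite (Scope)
$review | Select-Object AppId, HasWritePerms, HasNoPerms, PasswordSecrets | Format-List   # HasWritePerms True
$review.ExpiringCerts                                  # the 10-day certificate

# Live (Microsoft.Graph.Applications module, after Connect-MgGraph -Scopes 'Application.Read.All'):
# $app = Get-MgApplication -Filter "appId eq '<appId>'"
# $sps = @{}
# foreach ($rra in $app.RequiredResourceAccess) {
#     $sps[$rra.ResourceAppId] = Get-MgServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
# }
# Get-AppPermissionReview -Application $app -ResourceServicePrincipals $sps
```

Run this once after the utility finishes and again before each certificate renewal: a write permission or a client secret on an assessment app widens the blast radius of the certificate file far beyond read-only collection.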

New Contributors

Full Changelog: v0.95.6...v0.95.8

Monkey365 v0.95.7

08 Aug 16:59

What's Changed

What's Fixed

  • Fix authentication logic when external user is used to authenticate #156
  • Added new exceptions

The following rules were automated:

  • CIS 5.0 9.1.1 Ensure guest user access is restricted
  • CIS 5.0 9.1.2 Ensure external user invitations are restricted
  • CIS 5.0 9.1.3 Ensure guest access to content is restricted
  • CIS 5.0 9.1.4 Ensure 'Publish to web' is restricted
  • CIS 5.0 9.1.5 Ensure 'Interact with and share R and Python' visuals is 'Disabled'
  • CIS 5.0 9.1.6 Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'
  • CIS 5.0 9.1.7 Ensure shareable links are restricted
  • CIS 5.0 9.1.8 Ensure enabling of external data sharing is restricted
  • CIS 5.0 9.1.9 Ensure 'Block ResourceKey Authentication' is 'Enabled'
  • CIS 5.0 9.1.10 Ensure access to APIs by Service Principals is restricted
  • CIS 5.0 9.1.11 Ensure Service Principals cannot create and use profiles

New Contributors

Full Changelog: v0.95.6...v0.95.7

Monkey365 v0.95.6

11 Jul 17:42

What's Fixed

  • Fix profilephoto render with MSGraph API #155
  • Fix Tenant logic. Using Select-Object instead of direct access to tenant name property #156

Enjoy!

Full Changelog: v0.95.5...v0.95.6

Monkey365 v0.95.5

30 Jun 17:43

What's Added

The following benchmark was added:

  • CIS Microsoft 365 Foundations Benchmark v5.0.0

What's Fixed

  • Fix authentication logic when authenticating against a tenant without a P1 or P2 license #151
  • Fix Azure and Microsoft 365 import logic when running in custom docker container #150
  • Added a new exception when monkey365 is unable to establish connection to desired tenant #146

What's Changed

What's Removed

  • Collectors and internal functions used to fetch data using the legacy MS Graph API were removed #152

New Contributors

Full Changelog: 0.95.2...v0.95.5

Monkey365 v0.95.2

29 May 16:55

What's Fixed

  • VerbosePreference was not propagated through different tasks #145

Full Changelog: 0.95.1...0.95.2

Monkey365 v0.95.1

22 May 17:42

What's Changed

What's New

  • I have significantly enhanced the HTML option to make the report more intuitive:
  • You can see additional information in docs

  • Now you can install Monkey365 using the built-in Install-Module command. The examples below install Monkey365 into the default scope for your PowerShell version; you can control this with the -Scope <AllUsers/CurrentUser> parameter.

Install-Module -Name monkey365 -Scope CurrentUser

To install a beta version, you can use the following command:

Install-Module -Name monkey365 -Scope CurrentUser -AllowPrerelease

To update monkey365:

Update-Module -Name monkey365 -Scope CurrentUser
  • More information is available here

Full Changelog: v0.94.6-beta...0.95.1

Monkey365 v0.94.6-beta

07 Mar 18:56

What's Changed

The following benchmark was added:

  • CIS Microsoft 365 Foundations Benchmark v4.0.0

What's Changed

The following rules were updated:

  • CIS 3.0 2.6 Ensure that account 'Lockout Threshold' is less than or equal to '10'
  • CIS 3.0 2.7 Ensure that account 'Lockout duration in seconds' is greater than or equal to '60'
  • CIS 3.0 9.12 Ensure that 'Remote debugging' is set to 'Off'

Upcoming breaking changes

  • Redesign HTML output #114
  • Move all rules and rulesets to its own repo #133
  • List of all ongoing deprecations and breaking changes #132

Full Changelog: v0.94.5-beta...v0.94.6-beta

Monkey365 v0.94.5-beta

04 Feb 18:42

What's Changed

  • Some strongly typed objects were created to store internal data
  • A number of collectors for Azure were completely rewritten to add runspace support

The following rules from Microsoft 365 were automated:

SharePoint Online

7.2.1 Ensure modern authentication for SharePoint applications is required
7.2.2 Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled
7.2.3 Ensure external content sharing is restricted
7.2.4 Ensure OneDrive content sharing is restricted
7.2.5 Ensure that SharePoint guest users cannot share items they don't own
7.2.6 Ensure SharePoint external sharing is managed through domain whitelist/blacklists
7.2.7 Ensure link sharing is restricted in SharePoint and OneDrive
7.2.8 Ensure external sharing is restricted by security group
7.2.9 Ensure guest access to a site or OneDrive will expire automatically
7.2.10 Ensure reauthentication with verification code is restricted
7.3.1 Ensure Office 365 SharePoint infected files are disallowed for download
7.3.2 Ensure OneDrive sync is restricted for unmanaged devices
7.3.4 Ensure custom script execution is restricted on site collections

Microsoft Teams

8.1.1 Ensure external file sharing in Teams is enabled for only approved cloud storage services
8.1.2 Ensure users can't send emails to a channel email address
8.2.1 Ensure 'external access' is restricted in the Teams admin center
8.4.1 Ensure app permission policies are configured
8.5.1 Ensure anonymous users can't join a meeting
8.5.2 Ensure anonymous users and dial-in callers can't start a meeting
8.5.3 Ensure only people in my org can bypass the lobby
8.5.4 Ensure users dialing in can't bypass the lobby
8.5.5 Ensure meeting chat does not allow anonymous users
8.5.6 Ensure only organizers and co-organizers can present
8.5.7 Ensure external participants can't give or request control

The following rules from Azure were automated:

Azure Key Vault

3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
3.3.5 Ensure the Key Vault is Recoverable
3.3.6 Enable Role Based Access Control for Azure Key Vault
3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Storage Accounts

4.1 Ensure that 'Secure transfer required' is set to 'Enabled'
4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
4.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated
4.6 Ensure that 'Public Network Access' is 'Disabled' for storage accounts
4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
4.9 Ensure Private Endpoints are used to access Storage Accounts
4.10 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK)
4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
4.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
4.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
4.16 Ensure 'Cross Tenant Replication' is not enabled
4.17 Ensure that 'Allow Blob Anonymous Access' is set to 'Disabled'

Azure SQL Database

5.1.1 Ensure that 'Auditing' is set to 'On' (Automated)
5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) (Automated)
5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
5.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
5.1.7 Ensure Public Network Access is Disabled

Azure Database for PostgreSQL

5.2.1 Ensure server parameter 'require_secure_transport' is set to 'ON' for PostgreSQL flexible server
5.2.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL flexible server
5.2.3 Ensure server parameter 'connection_throttle.enable' is set to 'ON' for PostgreSQL flexible server
5.2.4 Ensure server parameter 'logfiles.retention_days' is greater than 3 days for PostgreSQL flexible server
5.2.5 Ensure 'Allow public access from any Azure service within Azure to this server' for PostgreSQL flexible server is disabled
5.2.6 [LEGACY] Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single server
5.2.7 [LEGACY] Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single server
5.2.8 [LEGACY] Ensure 'Infrastructure double encryption' for PostgreSQL single server is 'Enabled'

Monitoring

6.1.4 Ensure that logging for Azure Key Vault is 'Enabled'

Virtual Machines

8.2 Ensure Virtual Machines are utilizing Managed Disks
8.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
8.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
8.5 Ensure that 'Disk Network Access' is NOT set to 'Enable public access from all networks'
8.6 Ensure that 'Enable Data Access Authentication Mode' is 'Checked'
8.8 Ensure that Endpoint Protection for all Virtual Machines is installed
8.9 [Legacy] Ensure that VHDs are Encrypted
8.11 Ensure Trusted Launch is enabled on Virtual Machines

App Service

9.1 Ensure 'HTTPS Only' is set to On
9.2 Ensure App Service Authentication is set up for apps in Azure App Service
9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
9.4 Ensure Web App is using the latest version of TLS encryption
9.5 Ensure that Register with Entra ID is enabled on App Service
9.6 Ensure that 'Basic Authentication' is 'Disabled'
9.7 Ensure that 'PHP version' is currently supported (if in use)
9.8 Ensure that 'Python version' is currently supported (if in use)
9.9 Ensure that 'Java version' is currently supported (if in use)
9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)
9.12 Ensure that 'Remote debugging' is set to 'Off'

Upcoming breaking changes

  • Update to latest CIS Benchmarks #122
  • Redesign HTML output #114
  • Move all rules and rulesets to its own repo #133

Full Changelog: v0.93-beta...v0.94.5-beta

Monkey365 v0.94-beta

08 Jan 21:21

What's Changed

  • The following rulesets were removed from codebase:
    • CIS for Microsoft 365 1.4
    • CIS for Microsoft 365 1.5
    • CIS for Azure 1.4
    • CIS for Azure 1.5
    • CIS for Azure 2.0
  • Improved documentation and examples (https://silverhack.github.io/monkey365/)

What's New

  • All CIS recommendations/controls were included:
    • 151 rules were added for Azure
    • 97 rules were added for Entra ID
    • 126 rules were added for Microsoft 365 services
  • Support for both Azure and Microsoft 365 CIS benchmark v3.0

Fixes

  • Purview Scan Error #130
  • Get-MonkeyCompliance is not recognized as a name of a cmdlet, function, script file #128
  • CIS benchmark output has missing checks #131

Upcoming breaking changes

  • Update to latest CIS Benchmarks #122
  • Redesign HTML output #114
  • Move all rules and rulesets to its own repo #133

Full Changelog: v0.91.3-beta...v0.94-beta