├── License.txt ├── O365-Lockdown.ps1 └── README.md /License.txt: -------------------------------------------------------------------------------- 1 | Copyright 2018, LMG Security 2 | 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 4 | 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 6 | 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | 9 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 10 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 11 | HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 12 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON 13 | ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 14 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE -------------------------------------------------------------------------------- /O365-Lockdown.ps1: -------------------------------------------------------------------------------- 1 | <# Create the Exchange PS Session #> 2 | $UserCredential = Get-Credential 3 | $Session = New-PSSession –ConfigurationName Microsoft.Exchange –ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential –Authentication Basic -AllowRedirection 4 | Import-PSSession $Session 5 | 6 | <# Enable logging for all accounts, enable all owner log actions, and retain for 365 days #> 7 | Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 8 | Set-AdminAuditLogConfig -AdminAuditLogAgeLimit 365.00:00:00 9 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 10 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update 11 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditDelegate Create,FolderBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,MoveToDeletedItems,UpdateFolderPermissions 12 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditAdmin Create, FolderBind,MessageBind,SendAs,SendOnBehalf,SoftDelete,HardDelete,Update,Move,Copy,MoveToDeletedItems,UpdateFolderPermissions 13 | 14 | Write-Host "Audit logging activation results" 15 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Select Name,Audit* 16 | <# 17 | The following lines will disable various mailbox access methods. Each line will prompt for input prior to shutting down access. 18 | #> 19 | 20 | <# Disable Outlook Web Access. This can be enabled on a per user basis if there is a need for it #> 21 | Write-Host "Would you like to disable Outlook Web Access? y/n" 22 | $ReadHost = Read-Host " ( y / n ) " 23 | Switch($ReadHost) 24 | { 25 | y {Write-Host "Outlook Web Access Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -OWAEnabled $False} 26 | Default {Write-Host "Outlook Web Access still active"} 27 | } 28 | 29 | <# Disable ActiveSync. This can be enabled on a per user basis if there is a need for it #> 30 | Write-Host "Would you like to disable ActiveSync? y/n" 31 | $ReadHost = Read-Host " ( y / n ) " 32 | Switch($ReadHost) 33 | { 34 | y {Write-Host "ActiveSync Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -ActiveSyncEnalbed $False} 35 | Default {Write-Host "ActiveSync still active"} 36 | } 37 | 38 | <# Disable MAPI Access. This can be enabled on a per user basis if there is a need for it #> 39 | Write-Host "Would you like to disable MAPI access? y/n" 40 | $ReadHost = Read-Host " ( y / n ) " 41 | Switch($ReadHost) 42 | { 43 | y {Write-Host "MAPI Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -MAPIEnabled $False} 44 | Default {Write-Host "MAPI still active"} 45 | } 46 | 47 | <# Disable EWS Access. This can be enabled on a per user basis if there is a need for it #> 48 | Write-Host "Would you like to disable EWS access? y/n" 49 | $ReadHost = Read-Host " ( y / n ) " 50 | Switch($ReadHost) 51 | { 52 | y {Write-Host "EWS Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -EWSEnabled $False} 53 | Default {Write-Host "EWS still active"} 54 | } 55 | 56 | <# Disable POP3 Access. This can be enabled on a per user basis if there is a need for it #> 57 | Write-Host "Would you like to disable POP3 access? y/n" 58 | $ReadHost = Read-Host " ( y / n ) " 59 | Switch($ReadHost) 60 | { 61 | y {Write-Host "POP3 Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -PopEnabled $False} 62 | Default {Write-Host "POP3 still active"} 63 | } 64 | 65 | <# Disable IMAP Access. This can be enabled on a per user basis if there is a need for it #> 66 | Write-Host "Would you like to disable IMAP access? y/n" 67 | $ReadHost = Read-Host " ( y / n ) " 68 | Switch($ReadHost) 69 | { 70 | y {Write-Host "IMAP Disabled"; Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-CASMailbox -ImapEnabled $False} 71 | Default {Write-Host "IMAP still active"} 72 | } 73 | 74 | <# 75 | The following lines will restrict the ability to auto-forward to an external domain. Manual forwarding is still possible. 76 | #> 77 | 78 | <# Remove any existing forwarding rules at the users discretion #> 79 | $Forwards = Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Select Identity,ForwardingSmtpAddress,ForwardingAddress 80 | 81 | foreach($Forward in $Forwards) 82 | { 83 | Write-Host "Forwarding address found. " $Forward.Identity " forwards to " $Forward.ForwardingAddress " " $Forward.ForwardingSmtpAddress ". Would you like to remove it? y/n" 84 | $ReadHost = Read-Host " ( y / n ) " 85 | Switch($ReadHost) 86 | { 87 | y {Write-Host "Deleting"; Set-Mailbox -Identity $Forward.Identity -ForwardingSmtpAddress $null -ForwardingAddress $null} 88 | n {Write-Host "Skipping"} 89 | Default {Write-Host "Skipping"} 90 | } 91 | } 92 | 93 | <# Remove auto forwarding #> 94 | Write-Host "Would you like to disable automatic forwarding completely? y/n" 95 | $ReadHost = Read-Host " ( y / n ) " 96 | Switch($ReadHost) 97 | { 98 | y {Write-Host "Forwarding Disabled"; Set-RemoteDomain Default -AutoForwardEnabled $false} 99 | Default {Write-Host "Forwards still active"; Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Select Identity,ForwardingSmtpAddress,ForwardingAddress} 100 | } 101 | 102 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Description 2 | This is a simple Powershell script that can be used to better secure an Office 365 environment and 3 | enable audit logging. It is offered under the BSD license. 4 | 5 | Operations have been tested and verified in LMG Security's Office 365 testing lab. Use at your own 6 | risk. Please report any issues or suggestions you might have in the "Issues" section. 7 | 8 | ## Operations performed 9 | This script takes the following actions: 10 | 11 | 1.) Enables audit logging for all accounts in your organization 12 | 2.) Enables all owner actions as logged events 13 | 3.) Sets log retention to 365 days 14 | 4.) Allows the user to disable several mailbox access methods 15 | 5.) Removes external forwarding inbox rules 16 | 6.) Disables external forwarding at a domain level 17 | 18 | ## Why are these things important? 19 | 20 | > 1.) Enables audit logging for all accounts in your organization 21 | Audit logging is not enabled by default, and it's not retroactive. If you need to investigate suspicious 22 | activity, you must have already enabled audit logging to have easy access to log data. 23 | 24 | > 2.) Enables all owner actions as logged events 25 | Not all audit logging capabilities are enabled when you enable audit logging (really). It's a pain in the 26 | neck, and this fixes it. 27 | 28 | > 3.) Sets log retention to 365 days 29 | Normal retention time is 90 days. This makes it longer. Feel free to set the retention time even longer (or shorter) 30 | based on your organization's needs. 31 | 32 | > 4.) Disables POP3, IMAP, MAPI, EWS, ActiveSync, and OWA as needed. 33 | Access methods like IMAP and POP3 are just other ways that attackers can potentially access your account. If you 34 | don't need them, turn them off. The script will prompt and ask you if you want to disable each access method before 35 | taking action. 36 | 37 | > 5.) Removes external forwarding inbox rules 38 | External forwarding rules are often installed by attackers seeking to retain copies of user mail. Other times, users 39 | themselves set up these rules to easily access work email from home, in violation of policy. The script will prompt and 40 | ask you if you want to remove a particular rule before deleting it. 41 | 42 | > 6.) Disables external fowarding at a domain level 43 | This makes it so that if you delete a user's forwarding rules, they cannot go back and re-enter the rule. Furthermore, 44 | unauthorized users cannot add forwarding rules without first changing this global setting. 45 | 46 | ## WARNING 47 | Carefully review the script before running it. There are parts of this that you might not want to run on your 48 | particular system, or you may want to add additional items if your organization might benefit from them. Pay 49 | particular attention to the section that disables access features like POP3. These features can be enabled again 50 | on a per user basis if the need is there, but if a large number of users in your organization utilize this protocol 51 | then you probably dont want to disable it. 52 | 53 | ## Usage 54 | The script is designed to be run by an Office 365 administrator. To run the script, open an administrator level 55 | powershell window, navigate to the containing folder, they execute the following command: 56 | PS *Path to file*>.\O365-Lockdown.ps1 57 | 58 | You will be prompted for your Office 365 administrative credentials in a popup window. Once these are entered, the script will 59 | execute and return to the command prompt. 60 | 61 | ## Verification 62 | After the initial script runs, the following commands can be used to verify successful execution: 63 | 64 | Check that audit logging has been enabled correctly: 65 | Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit* 66 | 67 | Check that forwarding rules are gone: 68 | Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Select Identity,ForwardingSmtpAddress,ForwardingAddress 69 | 70 | ## Advice from the LMG Security team 71 | One important thing this script does not address is multi-factor authentication. At LMG, we STRONGLY urge you to enable 72 | multi-factor authentication! This is the single most effective method of preventing unauthorized access to your organization's email 73 | system. We did not build this into the script because it will require some planning 74 | before deployment, but it should be done as soon as possible. Here is a nice writeup on how to enable this feature: 75 | https://blogs.technet.microsoft.com/office365/2015/08/25/powershell-enableenforce-multifactor-authentication-for-all-bulk-users-in-office-365/ 76 | --------------------------------------------------------------------------------