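Deze maatregel configureert de toegestane domeinen voor anti-spam (allowed domains) via Microsoft Intune-apparaatconfiguratiebeleid of compliance policies om Windows-endpoints te beveiligen volgens security best practices. Let op: het PowerShell-script op deze pagina controleert de allow lists in de anti-spambeleidsregels van Exchange Online (Get-HostedContentFilterPolicy) en vereist daarvoor de module ExchangeOnlineManagement.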
Vereisten
m365
Implementatie
Gebruik PowerShell-script anti-spam-allowed-domains.ps1 (functie Invoke-Monitoring) → Monitoren.
monitoring
Gebruik PowerShell-script anti-spam-allowed-domains.ps1 (functie Invoke-Monitoring) → Controleren.
Remediatie
Gebruik PowerShell-script anti-spam-allowed-domains.ps1 (functie Invoke-Remediation) → Herstellen. Deze functie toont alleen de handmatige stappen; het script verwijdert zelf geen allow lists.
Compliance en Auditing
Beleid documentatie
Compliance & Frameworks
CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark aanbevelingen
BIO: 16.01 - BIO Baseline Informatiebeveiliging Overheid - 16.01 - Gebeurtenissen logging en audittrails
ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Gebeurtenissen logging en audittrails
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
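<#
.SYNOPSIS
    Anti-Spam Allowed Domains Review
.DESCRIPTION
    Reviews and monitors anti-spam allowed sender domains.
    Allow lists can be exploited by attackers and should be minimal.
.NOTES
    Filename: anti-spam-allowed-domains.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\anti-spam-allowed-domains.ps1 -Monitoring
    Check if allow lists are configured
#>

# A #Requires statement must be the first item on its line; when it is fused
# onto the end of the help block it is not treated as a requirement.
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    # Report which anti-spam policies carry an allow list.
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,

    # Print the manual clean-up guidance.
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,

    # Revert switch; the revert routine in this script is a placeholder.
    [switch]$Revert,

    # Plain switch read by the script itself. CmdletBinding() is declared
    # without SupportsShouldProcess, so this is not PowerShell's built-in -WhatIf.
    [switch]$WhatIf
)

# Turn non-terminating errors into terminating ones so try/catch sees them.
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Anti-Spam Allowed Domains Review" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan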
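function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Reports which anti-spam policies in Exchange Online carry an allow list.
    .DESCRIPTION
        Connects to Exchange Online and reads every policy returned by
        Get-HostedContentFilterPolicy. Only the AllowedSenderDomains and
        AllowedSenders properties are inspected; other ways of bypassing
        filtering are outside the scope of this check.

        The function ends the script with an exit code:
          0 - no policy has an allow list
          1 - at least one policy has an allow list
          2 - an error occurred (connection or query failure)
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Checking anti-spam policies for allow lists..." -ForegroundColor Gray
        # @() keeps .Count reliable when exactly one policy is returned.
        $policies = @(Get-HostedContentFilterPolicy -ErrorAction Stop)

        $result = @{
            isCompliant   = $true
            total         = $policies.Count
            hasAllowList  = 0
            # Per-policy counts; collected here but not printed by this function.
            policyDetails = @()
        }

        # Number of individual sender addresses listed per policy.
        $maxSendersShown = 10

        foreach ($policy in $policies) {
            $allowedDomains = $policy.AllowedSenderDomains
            $allowedSenders = $policy.AllowedSenders

            if ($allowedDomains.Count -gt 0 -or $allowedSenders.Count -gt 0) {
                $result.hasAllowList++
                $result.isCompliant = $false
                Write-Host " [WARN] ALLOW LIST FOUND: $($policy.Name)" -ForegroundColor Yellow

                if ($allowedDomains.Count -gt 0) {
                    Write-Host " Allowed Domains ($($allowedDomains.Count)):" -ForegroundColor Gray
                    $allowedDomains | ForEach-Object {
                        Write-Host " - $_" -ForegroundColor Gray
                    }
                }

                if ($allowedSenders.Count -gt 0) {
                    Write-Host " Allowed Senders ($($allowedSenders.Count)):" -ForegroundColor Gray
                    $allowedSenders | Select-Object -First $maxSendersShown | ForEach-Object {
                        Write-Host " - $_" -ForegroundColor Gray
                    }
                    # Say so when the listing is truncated, so a reviewer does not
                    # take the printed entries for the complete allow list.
                    if ($allowedSenders.Count -gt $maxSendersShown) {
                        Write-Host " ... $($allowedSenders.Count - $maxSendersShown) more not shown" -ForegroundColor Gray
                    }
                }

                $result.policyDetails += @{
                    PolicyName     = $policy.Name
                    AllowedDomains = $allowedDomains.Count
                    AllowedSenders = $allowedSenders.Count
                }
            }
            else {
                Write-Host " [OK] NO ALLOW LIST: $($policy.Name)" -ForegroundColor Green
            }
        }

        Write-Host "`n Total Policies: $($result.total)" -ForegroundColor Cyan
        Write-Host " Policies with Allow Lists: $($result.hasAllowList)" -ForegroundColor $(
            if ($result.hasAllowList -gt 0) { "Yellow" } else { "Green" }
        )

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - No allow lists configured" -ForegroundColor Green
            exit 0
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Allow lists create security risk!" -ForegroundColor Red
            Write-Host "Attackers can spoof allowed domains" -ForegroundColor Yellow
            exit 1
        }
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}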
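function Invoke-Remediation {
    <#
    .SYNOPSIS
        Prints the manual procedure for removing anti-spam allow lists.
    .DESCRIPTION
        This function changes no policy. It only writes guidance to the host,
        because each allow-list entry has to be reviewed with its business
        owner before removal. Ends the script with exit code 0, or 2 on error.
    #>
    try {
        Write-Host "[WARN] Removing allow lists requires manual review" -ForegroundColor Yellow
        Write-Host "`nAllow lists should only exist for legitimate business needs" -ForegroundColor Cyan
        Write-Host "Before removal, verify each entry with business owners" -ForegroundColor Gray

        # NOTE(review): the portal path in steps 2-3 looks like the older
        # Security & Compliance navigation - confirm against the current portal.
        Write-Host "`nTo remove allow lists manually:" -ForegroundColor Cyan
        Write-Host " 1. Review each allowed domain/sender for business need" -ForegroundColor Gray
        Write-Host " 2. Security & Compliance Portal > Threat management" -ForegroundColor Gray
        Write-Host " 3. Policy > Anti-spam > Edit policy" -ForegroundColor Gray
        Write-Host " 4. Remove unnecessary entries" -ForegroundColor Gray
        Write-Host " 5. Consider using mail flow rules for specific scenarios" -ForegroundColor Gray

        Write-Host "`n[INFO] Best practice: NO allow lists (use exceptions via mail flow rules)" -ForegroundColor Cyan
        exit 0
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}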
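function Invoke-Revert {
    <#
    .SYNOPSIS
        Placeholder revert routine; performs no configuration change.
    .DESCRIPTION
        No automated revert exists for this control. With -WhatIf set the
        function reports what it would do and returns; otherwise it states
        that nothing was changed rather than reporting a completed revert.
    #>
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }

        # Revert implementation - requires manual implementation per control.
        # Until that exists, do not claim success: a no-op that prints
        # "reverted" would give operators a false assurance.
        Write-Host " No automated revert is implemented for this control; nothing was changed" -ForegroundColor Yellow
    }
    catch {
        # $_ is the current error record; interpolate it, nothing else.
        Write-Error "Error during revert: $_"
        throw
    }
}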
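# Entry point: run the one action selected on the command line.
# -Revert is a declared parameter, so it is dispatched here as well.
try {
    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        Invoke-Remediation
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        Write-Host "Use: -Monitoring, -Remediation or -Revert" -ForegroundColor Yellow
    }
}
finally {
    # Closing banner; errors from the selected action propagate unchanged.
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}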