Mailbox Audit Bypass Disabled

💼 Management Summary

Mailbox audit bypass allows accounts to skip audit logging; it must be disabled to preserve accountability.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 7/10
Implementation: 2h (tech: 1h)
Applies to: ✓ M365, ✓ Exchange

Audit bypass means there is no audit trail for the bypassed accounts, so attackers can hide their activities. Service accounts should NOT bypass auditing.

PowerShell Modules Required
Primary API: Exchange Online PowerShell
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

Verify that no accounts have audit bypass enabled. Remove the bypass for all accounts.

Requirements

Exchange Online

Implementation

  1. Check: Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object {$_.AuditBypassEnabled -eq $true}
  2. This should return 0 results.
  3. If a bypass is found: Set-MailboxAuditBypassAssociation -Identity <user> -AuditBypassEnabled $false
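The check in step 1 only shows the current state. The function below is an added example, not part of the baseline's own script: it uses Search-UnifiedAuditLog (assumed to be available in the same Exchange Online session, with unified audit logging enabled, and assumed to log the cmdlet name as the Operation for ExchangeAdmin records) to show who changed an audit bypass association and when, so an unexpected bypass can be traced back to the admin action that created it.

```powershell
# Added example: trace changes to mailbox audit bypass associations via the
# unified audit log. Assumes Connect-ExchangeOnline has already been run and
# that ExchangeAdmin records carry the cmdlet name as their Operation.
function Get-AuditBypassChange {
    [CmdletBinding()]
    param(
        [int]$Days = 30,
        [switch]$OnlyEnabled   # report only changes that turned bypass ON
    )

    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # ExchangeAdmin records log every cmdlet run by an admin, including its parameters
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin `
        -Operations 'Set-MailboxAuditBypassAssociation' `
        -ResultSize 5000

    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json

        # Parameters is an array of {Name, Value} pairs passed to the cmdlet
        $params = @{}
        foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

        $enabled = $params['AuditBypassEnabled'] -eq 'True'
        if ($OnlyEnabled -and -not $enabled) { continue }

        [pscustomobject]@{
            When          = $data.CreationTime
            Actor         = $data.UserId
            Mailbox       = $params['Identity']
            BypassEnabled = $enabled
        }
    }
}

# Usage: any BypassEnabled = True row that is not a known, approved change is a finding
Get-AuditBypassChange -Days 30 -OnlyEnabled | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a larger window, split the date range or use -SessionCommand ReturnLargeSet.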

Compliance and Auditing

  1. CIS M365 - control 2.1.3
  2. BIO 12.04
  3. ISO 27001 A.12.4.1

Monitoring

Use the PowerShell script audit-bypass-disabled.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script audit-bypass-disabled.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Mailbox Audit Bypass Disabled
.DESCRIPTION
    Ensures no mailboxes have audit bypass enabled. All mailbox activities
    should be audited for security and compliance.
.NOTES
    Filename: audit-bypass-disabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
.EXAMPLE
    .\audit-bypass-disabled.ps1 -Monitoring
    Check for mailboxes with audit bypass
.EXAMPLE
    .\audit-bypass-disabled.ps1 -Remediation
    Disable audit bypass on all mailboxes
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement

[CmdletBinding()]
param(
    [Parameter(Mandatory = $false)]
    [switch]$Monitoring,
    [Parameter(Mandatory = $false)]
    [switch]$Remediation,
    [Parameter(Mandatory = $false)]
    [switch]$Revert,
    [switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Mailbox Audit Bypass Disabled" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks for mailboxes with audit bypass enabled
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Scanning all mailboxes for audit bypass..." -ForegroundColor Gray
        Write-Host "(This may take a while for large tenants)" -ForegroundColor Yellow

        # Audit bypass is a separate association object (AuditBypassEnabled),
        # not the mailbox's own AuditEnabled flag, so query it directly.
        $associations = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited -ErrorAction Stop)

        $result = @{
            isCompliant   = $true
            total         = $associations.Count
            bypassEnabled = 0
            bypassList    = @()
        }

        foreach ($assoc in $associations) {
            if ($assoc.AuditBypassEnabled -eq $true) {
                $result.bypassEnabled++
                $result.bypassList += $assoc.Identity
                $result.isCompliant = $false
            }
        }

        Write-Host "`n  Total accounts scanned: $($result.total)" -ForegroundColor Cyan
        Write-Host "  Accounts with audit bypass ENABLED: $($result.bypassEnabled)" -ForegroundColor $(
            if ($result.bypassEnabled -eq 0) { "Green" } else { "Red" }
        )

        if ($result.bypassEnabled -gt 0) {
            Write-Host "`n  [FAIL] Accounts bypassing audit:" -ForegroundColor Red
            $result.bypassList | Select-Object -First 20 | ForEach-Object {
                Write-Host "    - $_" -ForegroundColor Gray
            }
            if ($result.bypassEnabled -gt 20) {
                Write-Host "    ... and $($result.bypassEnabled - 20) more" -ForegroundColor Gray
            }
        }

        if ($result.isCompliant) {
            Write-Host "`n[OK] COMPLIANT - No account has audit bypass enabled" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - $($result.bypassEnabled) accounts bypass audit!" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Disables audit bypass on every account that has it enabled
    #>
    try {
        Write-Host "Connecting to Exchange Online..." -ForegroundColor Gray
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop

        Write-Host "Finding accounts with audit bypass enabled..." -ForegroundColor Gray
        $bypassed = @(Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
            Where-Object { $_.AuditBypassEnabled -eq $true })

        if ($bypassed.Count -eq 0) {
            Write-Host "  [OK] No account has audit bypass enabled" -ForegroundColor Green
            exit 0
        }

        Write-Host "Disabling audit bypass for $($bypassed.Count) accounts..." -ForegroundColor Cyan
        Write-Host "(This will process in batches for performance)`n" -ForegroundColor Yellow

        $count = 0
        $batchSize = 50
        foreach ($assoc in $bypassed) {
            try {
                if ($WhatIf) {
                    # Dry run: report the change without applying it
                    Write-Host "  WhatIf: would disable bypass for $($assoc.Identity)" -ForegroundColor Gray
                } else {
                    Set-MailboxAuditBypassAssociation -Identity $assoc.Identity -AuditBypassEnabled $false -ErrorAction Stop
                }
                $count++
                if ($count % $batchSize -eq 0) {
                    Write-Host "  Processed $count / $($bypassed.Count) accounts..." -ForegroundColor Gray
                }
            } catch {
                Write-Host "  ⚠️ Failed for $($assoc.Identity): $_" -ForegroundColor Yellow
            }
        }

        Write-Host "`n[OK] Disabled audit bypass for $count accounts" -ForegroundColor Green
        Write-Host "All mailbox activities will now be audited" -ForegroundColor Cyan
        exit 0
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    # Deliberately a no-op: re-enabling audit bypass is never the desired state
    try {
        Write-Host "⚠️ WARNING: Enabling mailbox audit bypass is NOT recommended!" -ForegroundColor Red
        Write-Host "This action should not be performed" -ForegroundColor Yellow
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

try {
    if ($Revert) {
        Invoke-Revert
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk Without Implementation

High: audit bypass leads to hidden activities, no accountability, and compliance violations.

Management Summary

Disable audit bypass for all accounts to keep a complete audit trail. Complies with CIS 2.1.3 L1. Verification: 1h.