OWA Third-Party Storage Providers Restricted

💼 Management Summary

Restrict the use of third-party storage providers (Dropbox, Google Drive, Box) in Outlook Web Access to prevent data exfiltration.

Recommendation: IMPLEMENT
Risk without: Medium
Risk Score: 6/10
Implementation: 1.5 h (technical: 0.5 h)
Applies to:
✓ Outlook Web Access
✓ OWA

OWA allows integration with third-party cloud storage (attach files FROM Dropbox, save attachments TO Google Drive). Data leakage risks: corporate e-mail attachments can end up in personal cloud storage (Dropbox, Google Drive), which places data outside governance, and third-party storage sits outside corporate DLP and compliance controls. For data governance: BLOCK third-party storage and allow only OneDrive for Business.

PowerShell Modules Required
Primary API: Exchange Online
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

OWA mailbox policy: AdditionalStorageProvidersAvailable is False. Users can ONLY use OneDrive for Business in OWA, NOT Dropbox, Google Drive or Box.

Configure via OWA mailbox policies: disable third-party storage providers and allow only OneDrive for Business.

Monitoring

Use the PowerShell script owa-storage-providers-restricted.ps1 (function Invoke-Monitoring) to check.

Verify that third-party storage is disabled in all OWA mailbox policies.

Compliance and Auditing

  1. Data governance - corporate storage only
  2. BIO 11.05 - data leakage prevention

Remediation

Use the PowerShell script owa-storage-providers-restricted.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    OWA Storage Providers Restricted
.DESCRIPTION
    Blocks third-party storage providers in Outlook Web App
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding()]
param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "OWA Storage Providers Restricted" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $policies = Get-OwaMailboxPolicy
        $result = @{ total = $policies.Count; restricted = 0; allowed = 0 }
        foreach ($policy in $policies) {
            # AdditionalStorageProvidersAvailable is a Boolean on the OWA mailbox policy:
            # $false blocks Dropbox/Google Drive/Box for every user assigned to the policy.
            if (-not $policy.AdditionalStorageProvidersAvailable) {
                $result.restricted++
                Write-Host "  [OK] RESTRICTED: $($policy.Name)" -ForegroundColor Green
            } else {
                $result.allowed++
                Write-Host "  ⚠️ ALLOWED PROVIDERS: $($policy.Name)" -ForegroundColor Red
            }
        }
        Write-Host "`n  Summary: $($result.restricted)/$($result.total) policies restricted" -ForegroundColor Cyan
        Write-Host "`n  Security Risk:" -ForegroundColor Cyan
        Write-Host "    Third-party storage = data leakage risk" -ForegroundColor Gray
        Write-Host "    Use OneDrive/SharePoint only" -ForegroundColor Gray
        if ($result.allowed -eq 0) {
            Write-Host "`n[OK] COMPLIANT - All policies restricted" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Third-party storage allowed!" -ForegroundColor Red
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        $policies = Get-OwaMailboxPolicy
        foreach ($policy in $policies) {
            if ($WhatIf) {
                Write-Host "  [WhatIf] Would restrict: $($policy.Name)" -ForegroundColor Yellow
                continue
            }
            # Set the Boolean to $false; an empty array is not a valid value for this parameter.
            Set-OwaMailboxPolicy -Identity $policy.Identity -AdditionalStorageProvidersAvailable $false -ErrorAction Stop
            Write-Host "  [OK] Restricted: $($policy.Name)" -ForegroundColor Green
        }
        Write-Host "`n[OK] All third-party storage providers blocked" -ForegroundColor Green
        Write-Host "Users can only use OneDrive/SharePoint" -ForegroundColor Cyan
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Revert {
    Write-Host "`nReverting configuration..." -ForegroundColor Cyan
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would revert configuration" -ForegroundColor Yellow
            return
        }
        # Revert implementation - requires manual implementation per control
        Write-Host "  Configuration reverted" -ForegroundColor Green
        Write-Host "`nRevert completed" -ForegroundColor Green
    } catch {
        Write-Error "Error during revert: $_"
        throw
    }
}

try {
    if ($Monitoring) { Invoke-Monitoring }
    elseif ($Remediation) { Invoke-Remediation }
    elseif ($Revert) { Invoke-Revert }
    else { Write-Host "Use: -Monitoring | -Remediation | -Revert" -ForegroundColor Yellow }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
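The baseline script's Invoke-Revert is only a stub. The following is an added example (not part of the baseline's own script) of a revert-capable variant: before setting AdditionalStorageProvidersAvailable to $false it saves each policy's current value to a JSON snapshot, reports how many mailboxes are assigned to each policy that still allows third-party providers (so the change's blast radius is visible before it is made), and can replay the snapshot to undo the change. It assumes Connect-ExchangeOnline has already been run; the snapshot path is a constructed default.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: snapshot, restrict, and revert OWA third-party storage providers.
# Assumes an existing Exchange Online session. $SnapshotPath is a constructed default.
param(
    [string]$SnapshotPath = "$env:TEMP\owa-storage-providers-snapshot.json",
    [switch]$Revert
)
$ErrorActionPreference = 'Stop'

function Get-OwaStorageProviderState {
    # One record per OWA mailbox policy, including how many mailboxes are assigned to it.
    # Get-CASMailbox -ResultSize Unlimited enumerates every mailbox; slow on large tenants.
    $policies = Get-OwaMailboxPolicy
    $assigned = Get-CASMailbox -ResultSize Unlimited |
        Group-Object -Property OwaMailboxPolicy -AsHashTable -AsString
    foreach ($p in $policies) {
        $count = if ($assigned -and $assigned.ContainsKey($p.Name)) { $assigned[$p.Name].Count } else { 0 }
        [pscustomobject]@{
            Identity  = $p.Identity.ToString()
            Name      = $p.Name
            Allowed   = [bool]$p.AdditionalStorageProvidersAvailable   # $true = third-party providers usable
            Mailboxes = $count
        }
    }
}

function Disable-OwaStorageProviders {
    $state = @(Get-OwaStorageProviderState)
    # Persist the pre-change state first so the change can be undone exactly, policy by policy.
    ConvertTo-Json -InputObject $state | Set-Content -Path $SnapshotPath -Encoding UTF8
    foreach ($s in $state | Where-Object Allowed) {
        Write-Host "Restricting '$($s.Name)' ($($s.Mailboxes) mailboxes affected)"
        Set-OwaMailboxPolicy -Identity $s.Identity -AdditionalStorageProvidersAvailable $false
    }
    Write-Host "Snapshot written to $SnapshotPath"
}

function Restore-OwaStorageProviders {
    # Replay the saved Boolean per policy; policies that were already $false stay $false.
    if (-not (Test-Path $SnapshotPath)) { throw "No snapshot at $SnapshotPath; nothing to revert." }
    foreach ($s in (Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json)) {
        Set-OwaMailboxPolicy -Identity $s.Identity -AdditionalStorageProvidersAvailable ([bool]$s.Allowed)
        Write-Host "Restored '$($s.Name)' to AdditionalStorageProvidersAvailable=$($s.Allowed)"
    }
}

if ($Revert) { Restore-OwaStorageProviders } else { Disable-OwaStorageProviders }
```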

Risk without implementation

Medium: medium data governance risk - e-mail attachments to personal cloud storage.

Management Summary

Block third-party storage in OWA. OneDrive for Business only. Data leakage prevention. Implementation: 30 min - 1 hour.