Microsoft Active Directory Indicators
51 Health Checks
190 Security Checks
49 Configuration Checks
SmartProfiler for Active Directory can look for both Security Indicators; Indicator Of Exposure (IOE) and Indicator Of Compromise (IOC).
Evidence that someone may have accessed a network or endpoint within an organization is known as an indicator of compromise, or IOC. This forensic data not only points to a possible danger, but also indicates that an attack—such as one involving malware, credential theft, or data exfiltration—has already taken place. Event logs, extended detection and response (XDR) systems, and security information and event management (SIEM) systems are the places where security experts look for IOCs. The team use IOCs to neutralize threats and minimize damage during an attack. IOCs aid an organization’s security team in strengthening security and lowering the likelihood of a recurrence of a similar incident by providing a deeper understanding of what transpired after recovery.
“Indicators of Exposure” describes various attack vectors that could be easily exploited by hackers to get access to a company. These attack vectors could include misconfigured or Active Directory components.
SmartProfiler for Active Directory supports Security Indicators recommended by ANSSI, MITRE and Microsoft.
SECURITY INDICATORS - RISKY ITEMS CHECKS
RISKY ITEMS
AD SECURITY RISKS-USERS
AD SECURITY RISKS-COMPUTERS
AD SECURITY RISKS-ADMINS
AD SECURITY RISKS-OBJECTS
SENSITIVE CHANGES
CRITICAL ACCOUNTS STATUS
RISKY ITEMS
| Orphaned Admins on AdminSDHolder | IOC |
| Dangerous Permissions on AdminSDHolder | IOC |
| AdminSDHolder was Modified in last 30 days | IOC |
| Constrained delegation to domain controller service | IOC |
| Resource-based constrained delegation on domain controllers | IOC |
| Anonymous Access to Active Directory | IOE |
| Anonymous or EVERYONE in Pre-Windows 2000 Group | IOE IOC |
| Potentially Sensitive Information Found in User Description Field | IOE IOC |
| Found Hidden Domain Controllers | IOE |
| Successful Exploit Machine Accounts Found | IOE |
| Possible User-based Service Accounts found | IOC |
| Objects Modified in Last 10 Days | IOE IOC |
| Objects Created in Last 10 Days | IOE IOC |
| Domain Trusts Found | IOE IOC |
| Anyone can Join Computers to Domain | IOE |
| Replication Errors DCs | IOE |
| Normal Users Full Control Permissions on OUs | IOE |
| EVERYONE Full Control Permissions on OUs | IOE |
| Allowed RODC Password Replication Group is not empty | IOE |
| Found Privileged Groups in msDS-RevealOnDemandGroup of RODC | IOE |
| Managed service accounts with passwords unchanged for more than 90 days | IOE |
| Denied RODC Password Replication Group missing Privileged Accounts | IOE |
| msDS-NeverRevealGroupattribute RODC missing Privileged Accounts | IOE |
| Schema Admin Group members | IOE |
| Unsecure Updates Zones | IOE IOC |
| Missing Domain Zones Scavenging | IOC |
| AD Partitions Backup Status |
AD SECURITY RISKS-USERS
| Users with Blank Password | IOE IOC |
| Users with LastPasswordSet was never Set | IOE |
| Users with PWDLastSet to ZERO | IOE |
| Users with SPNs Configured | IOE |
| Password Expiration is misssing for smart card users | IOE |
| Accounts vulnerable to Kerberoasting Found | IOE |
| Users With DES encryption | IOE |
| Users With Reversible Encryption | IOE |
| Users With Kerberos Pre-Authentication | IOE |
| Users Modified with PrimaryGroupID | IOC |
| Users Sending Bad Logons | IOC |
| Users Disabled | IOC |
| Stale User Accounts | IOC |
| Users Expired | IOC |
| User Accounts Pass Never Expires | IOC |
| User Accounts Pass Not Required | IOC |
AD SECURITY RISKS-COMPUTERS
| Computers with SPNs Configured | IOE |
| Computers With Unconstrained Delegation | IOE |
| Computers Modified with PrimaryGroupID | IOC |
| Computers Sending Bad Logons | IOC |
| Computers Disabled | IOC |
| Stale Computer Accounts | IOC |
| Unsupported Operating Systems | IOE |
AD SECURITY RISKS-ADMINS
| Admins with SPNs Configured | IOE |
| Admins Sending Bad Logons | IOC |
AD SECURITY RISKS-OBJECTS
| Domain Controllers not owned by Admins | IOC |
| Computer Objects not managed by Admins | IOC |
| Organizational Units not managed by Admins | IOC |
SENSITIVE CHANGES
| Sensitive GPOs Modified | IOC |
| Recently Created Privileged Admins | IOC |
| Changes to Privileged Groups in Last 15 days | IOC |
| Users Identified with Privileged SIDs in sIDHistory | IOC |
| Computers Identified with Privileged SIDs in sIDHistory | IOC |
| Found Excluded Groups by AdminSDHolder and SDProp | IOC |
| krbtgt Account with Resource-Based Constrained Delegation | IOC |
CRITICAL ACCOUNTS STATUS
| Built-In Admin Account Not protected | IOE IOC |
| Built-In Admin Account Not Disabled | IOE IOC |
| Built-In Admin Account Not Renamed | IOE |
| Built-In Admin Account Password Not Changed in 90 days | IOE |
| Built-In Admin Account was used in last 10 days | IOC |
| KRBTGT Account Password Not Changed | IOE |
| Guest Account is enabled | IOE |
| Administrator Account ServicePrincipalNames Found | IOE |
PRIVILEGED ACCOUNTS CHECKS
Privileged Accounts
Sensitive Modification-Creation
Account policies
AD Permissions
Servers Placement and Time Sync
Privileged Accounts
| Misconfigured Administrative Accounts Found | IOE IOC |
| Missing Privileged Groups in Protected Users Group | IOE IOC |
| Privileged Accounts Pass Never Expires | IOE IOC |
| Too Many Privileged Accounts | IOC |
| Inactive Admins | IOE |
| Privileged Groups Contain more than 20 members | IOE |
| Kerberos Pre-authentication Disabled | IOE IOC |
| Disabled Admins part of Privileged Groups | IOE |
| Passwords Not Changed within 90 days | IOE |
| DNSAdmins Group has members | IOE IOC |
| Privileged Groups Contained Computer Accounts | IOE IOC |
| Privileged Admins missing AdminCount=1 Flag | IOC |
| ForeignSecurityPrincipals In Privileged Groups | IOE IOC |
| Operators Groups are not empty | IOE IOC |
| Weak Password Policies Affected Admins | IOE IOC |
| Password Do Not Expire | IOE |
| AdminsCount Flag set users not acting as Admins | IOC |
Sensitive Modification-Creation
| Sensitive GPOs Modified | IOC |
| Recently Created Privileged Admins | IOC |
| Changes to Privileged Groups in Last 15 days | IOC |
| Users Identified with Privileged SIDs in sIDHistory | IOC |
| Computers Identified with Privileged SIDs in sIDHistory | IOC |
| Found Excluded Groups by AdminSDHolder and SDProp | IOC |
| krbtgt Account with Resource-Based Constrained Delegation | IOC |
Account policies
| Default Domain Policy-Minimum Password Length | IOE |
| FGPP Policies-Minimum Password Length | IOE |
| FGPP Policies Not Applying | IOE |
| Account Lockout Policies Missing | IOE |
AD Permissions
| High Value Targets Found | IOE IOC |
| Accounts with Extended Rights to Read LAPS Passwords Found | IOE IOC |
| Access Control Lists on Computers Found | IOE IOC |
| Access Control Lists on Security Groups Found | IOE IOC |
| Access Control Lists on Users Found | IOE IOC |
| Group Policy Objects with Improper Permissions Found | IOE IOC |
| Group Policy Object Assignments with Improper Permissions Found | IOE IOC |
| Dangerous Permissions Found on MicrosoftDNS Container | IOE IOC |
| Dangerous Permissions Found on Naming Contexts | IOE IOC |
| Outbound forest trust relationships with sID History enabled | IOE IOC |
| Trust account passwords unchanged for more than a year | IOE IOC |
| Pre-Windows 2000 Compatible Access Group is not empty | IOE IOC |
| Found Groups with SID history Set | IOE IOC |
Servers Placement and Time Sync
| PDC Emulator Time Source | |
| Domain Controllers Time Source | |
| Domain FSMO Placement | |
| Domain Naming Master and Schema Master Placement |
DOMAIN CONTROLLER CHECKS
Domain Controllers security
Domain Controllers - Configuration
Domain controllers - Roles/Services
Domain Controllers security
| Domain Controllers Modified with PrimaryGroupID | IOC |
| SMB 1 Protocol Enabled DCs | IOE |
| AllowNT4Crypto DCs | IOE |
| LAN Manager password hashes Enabled DCs | IOE |
| SMB Signing Disabled DCs | IOE |
| LDAP Signing Disabled DCs | IOE |
| TLS 1.1 Enabled DCs | IOE |
| NTLM Authentication Enabled DCs | IOE |
| Inconsistent DCs | IOE |
| RC4 Encryption Enabled DCs | IOE |
| Unauthenticated DCs since last 45 Days | IOE |
| Secrets not renewed DCs | IOE |
| Managed Service Accounts Not Linked | IOE |
| Missing Updates DCs | IOE |
| Missed Reboot Cycles DCs | IOE |
| No Contacts with Domain Controllers in Last Three Months | IOE |
Domain Controllers - Configuration
| Orphaned DCs | IOE |
| Missing DNS Scavenging DCs | IOE |
| Missing DNS Forwarders DCs | IOE |
| Missing Root Hints DCs | IOE |
| Missing Host Records DCs | IOE |
| Not Enough Free Space DCs | IOE |
| Errors and Warnings in Log DCs | IOE |
| Loopback Address Missing DCs | IOE |
| Multihomed DCs | IOE |
| Missing SSL Authentication DCs | IOE |
| NTFS Replication DCs | IOE |
| Strict Replication Disabled DCs | IOE IOC |
| DCDiag Failure DCs | |
| Out Of Default OUs DCs | |
| Unsupported OS DCs | IOE |
| Missing Enough DNS Servers in NIC DCs | |
| Not Enough Local Disks DCs | |
| Missing DNS Dynmaic Registration on NIC DCs | |
| Missing _msdcs Zone DCs | |
| Event Log Config Not Correct DCs | |
| Event Log Size Not Optimized DCs | |
| Scheduled Tasks found on Domain Controllers | IOC |
Domain controllers - Roles/Services
| Fax Server role installed DCs | IOE |
| Microsoft FTP service installed DCs | IOE |
| Peer Name Resolution Protocol installed DCs | IOE |
| Simple TCP-IP Services installed DCs | IOE |
| Telnet Client installed DCs | IOE |
| TFTP Client installed DCs | IOE |
| Server Message Block (SMB) v1 protocol Installed DCs | IOE |
| Windows PowerShell 2.0 installed DCs | IOE |
| Print Spooler Service Running DCs | IOE |
| ADWS Service Set to Manual DCs | IOE |
| DHCP Service Running DCs | IOE |
| Additional Roles and Features DCs | IOE |
| AD Services not running DCs | IOE |
| Software Installed on Domain Controllers | IOE |
Microsoft 365 Indicators
115 CIS Checks
119 SmartProfiler Checks
CIS V3.0 Tests
Here is the list of tests included with SmartProfiler for M365. SmartProfiler offers additional tests which are not included in CIS V3.0 list.
CIS v3.0 Tests
SmartProfiler Tests
CIS v3.0 Tests
| Category | CISProfile | Test |
| M365 Admin Center-Users | E3 Level 1 | Ensure Administrative accounts are separate and cloud-only |
| M365 Admin Center-Users | E3 Level 1 | Ensure two emergency access accounts have been defined |
| M365 Admin Center-Users | E3 Level 1 | Ensure that between two and four global admins are designated |
| M365 Admin Center-Users | E3 Level 1 | Ensure Guest Users are reviewed at least biweekly |
| M365 Admin Center-Teams and Groups | E3 Level 2 | Ensure that only organizationally managed-approved public groups exist |
| M365 Admin Center-Teams and Groups | E3 Level 1 | Ensure sign-in to shared mailboxes is blocked |
| M365 Admin Center-Settings | E3 Level 1 | Ensure the Password expiration policy is set to Set passwords to never expire (recommended) |
| M365 Admin Center-Settings | E3 Level 1 | Ensure Idle session timeout is set to 3 hours (or less) for unmanaged devices |
| M365 Admin Center-Settings | E3 Level 2 | Ensure calendar details sharing with external users is disabled |
| M365 Admin Center-Settings | E3 Level 1 | Ensure User owned apps and services is restricted |
| M365 Admin Center-Settings | E3 Level 1 | Ensure internal phishing protection for Forms is enabled |
| M365 Admin Center-Settings | E5 Level 2 | Ensure the customer lockbox feature is enabled |
| M365 Admin Center-Settings | E3 Level 2 | Ensure third-party storage services are restricted in Microsoft 365 on the web |
| M365 Admin Center-Settings | E3 Level 2 | Ensure that Sways cannot be shared with people outside of your organization |
| Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Links for Office Applications is Enabled |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure the Common Attachment Types Filter is enabled |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure notifications for internal users sending malware is Enabled |
| Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Attachments policy is enabled |
| Microsoft 365 Defender-Email and Collaboration | E5 Level 2 | Ensure Safe Attachments for SharePoint-OneDrive-Microsoft Teams is Enabled |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure Exchange Online Spam Policies are set correctly |
| Microsoft 365 Defender-Email and Collaboration | E5 Level 1 | Ensure that an anti-phishing policy has been created |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure that SPF records are published for all Exchange Domains |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure that DKIM is enabled for all Exchange Online Domains |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure DMARC Records for all Exchange Online domains are published |
| Microsoft 365 Defender-Email and Collaboration | E5 Level 1 | Ensure the spoofed domains report is review weekly |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure the Restricted entities report is reviewed weekly |
| Microsoft 365 Defender-Email and Collaboration | E3 Level 1 | Ensure all security threats in the Threat protection status report are reviewed at least weekly |
| Microsoft 365 Defender-Audit | E3 Level 1 | Ensure the Account Provisioning Activity report is reviewed at least weekly |
| Microsoft 365 Defender-Audit | E3 Level 1 | Ensure non-global administrator role group assignments are reviewed at least weekly |
| Microsoft 365 Defender-Settings | E5 Level 1 | Ensure Priority account protection is enabled and configured |
| Microsoft 365 Defender-Settings | E5 Level 1 | Ensure Priority accounts have Strict protection presets applied |
| Microsoft 365 Defender-Settings | E5 Level 2 | Ensure Microsoft Defender for Cloud Apps is Enabled |
| Microsoft Purview-Audit | E3 Level 1 | Ensure Microsoft 365 audit log search is Enabled |
| Microsoft Purview-Audit | E3 Level 1 | Ensure user role group changes are reviewed at least weekly |
| Microsoft Purview-Data Loss Protection | E3 Level 1 | Ensure DLP policies are enabled |
| Microsoft Purview-Data Loss Protection | E5 Level 1 | Ensure DLP policies are enabled for Microsoft Teams |
| Microsoft Purview-Information Protection | E3 Level 1 | Ensure SharePoint Online Information Protection policies are set up and used |
| Microsoft Entra admin center-Identity-Overview | E3 Level 1 | Ensure Security Defaults is disabled on Azure Active Directory |
| Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Per-user MFA is disabled |
| Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure third party integrated applications are not allowed |
| Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Restrict non-admin users from creating tenants is set to Yes |
| Microsoft Entra admin center-Identity-Users | E3 Level 1 | Ensure Restrict access to the Azure AD administration portal is set to Yes |
| Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure the option to remain signed in is hidden |
| Microsoft Entra admin center-Identity-Users | E3 Level 2 | Ensure LinkedIn account connections is disabled |
| Microsoft Entra admin center-Identity-Groups | E3 Level 1 | Ensure a dynamic group for guest users is created |
| Microsoft Entra admin center-Identity-Applications | E3 Level 1 | Ensure the Application Usage report is reviewed at least weekly |
| Microsoft Entra admin center-Identity-Applications | E3 Level 2 | Ensure user consent to apps accessing company data on their behalf is not allowed |
| Microsoft Entra admin center-Identity-Applications | E3 Level 1 | Ensure the admin consent workflow is enabled |
| Microsoft Entra admin center-Identity-External Identities | E3 Level 2 | Ensure that collaboration invitations are sent to allowed domains only |
| Microsoft Entra admin center-Identity-Hybrid Management | E3 Level 1 | Ensure that password hash sync is enabled for hybrid deployments |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure multifactor authentication is enabled for all users in administrative roles |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure multifactor authentication is enabled for all users |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Enable Conditional Access policies to block legacy authentication |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure Sign-in frequency is enabled and browser sessions are not persistent for Administrative users |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 2 | Ensure Phishing-resistant MFA strength is required for Administrators |
| Microsoft Entra admin center-Protection-Conditional Access | E5 Level 2 | Enable Azure AD Identity Protection user risk policies |
| Microsoft Entra admin center-Protection-Conditional Access | E5 Level 2 | Enable Azure AD Identity Protection sign-in risk policies |
| Microsoft Entra admin center-Protection-Conditional Access | E3 Level 1 | Ensure Microsoft Azure Management is limited to administrative roles |
| Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
| Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure custom banned passwords lists are used |
| Microsoft Entra admin center-Protection-Authentication Methods | E3 Level 1 | Ensure that password protection is enabled for Active Directory |
| Microsoft Entra admin center-Protection-Password Reset | E3 Level 1 | Ensure Self service password reset enabled is set to All |
| Microsoft Entra admin center-Protection-Password Reset | E3 Level 1 | Ensure the self-service password reset activity report is reviewed at least weekly |
| Microsoft Entra admin center-Protection-Risk Activities | E3 Level 1 | Ensure the Azure AD Risky sign-ins report is reviewed at least weekly |
| Microsoft Entra admin center-Identity Governance | E5 Level 2 | Ensure Privileged Identity Management is used to manage roles |
| Microsoft Entra admin center-Identity Governance | E5 Level 2 | Ensure Access reviews for Guest Users are configured |
| Microsoft Entra admin center-Identity Governance | E5 Level 1 | Ensure Access reviews for high privileged Azure AD roles are configured |
| Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure AuditDisabled organizationally is set to False |
| Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure mailbox auditing for E3 users is Enabled |
| Microsoft Exchange admin center-Audit | E5 Level 1 | Ensure mailbox auditing for E5 users is Enabled |
| Microsoft Exchange admin center-Audit | E3 Level 1 | Ensure AuditBypassEnabled is not enabled on mailboxes |
| Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure all forms of mail forwarding are blocked and-or disabled |
| Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure mail transport rules do not whitelist specific domains |
| Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure Tagging is enabled for External Emails |
| Microsoft Exchange admin center-Mailflow | E3 Level 1 | Ensure Tagging does not allow specific domains |
| Microsoft Exchange admin center-Roles | E3 Level 2 | Ensure users installing Outlook add-ins is not allowed |
| Microsoft Exchange admin center-Reports | E3 Level 1 | Ensure mail forwarding rules are reviewed at least weekly |
| Microsoft Exchange admin center-Settings | E3 Level 1 | Ensure modern authentication for Exchange Online is enabled |
| Microsoft Exchange admin center-Settings | E3 Level 2 | Ensure MailTips are enabled for end users |
| Microsoft Exchange admin center-Settings | E3 Level 2 | Ensure external storage providers available in Outlook on the Web are restricted |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure modern authentication for SharePoint applications is required |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure SharePoint and OneDrive integration with Azure AD B2B is enabled |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure external content sharing is restricted |
| Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure OneDrive content sharing is restricted |
| Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure that SharePoint guest users cannot share items they dont own |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure link sharing is restricted in SharePoint and OneDrive |
| Microsoft SharePoint Admin Center-Policies | E3 Level 2 | Ensure external sharing is restricted by security group |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure expiration time for external sharing links is set |
| Microsoft SharePoint Admin Center-Policies | E3 Level 1 | Ensure reauthentication with verification code is restricted |
| Microsoft SharePoint Admin Center-Settings | E5 Level 2 | Ensure Microsoft 365 SharePoint infected files are disallowed for download |
| Microsoft SharePoint Admin Center-Settings | E3 Level 2 | Block OneDrive for Business sync from unmanaged devices |
| Microsoft SharePoint Admin Center-Settings | E3 Level 1 | Ensure custom script execution is restricted on personal sites |
| Microsoft SharePoint Admin Center-Settings | E3 Level 1 | Ensure custom script execution is restricted on site collections |
| Microsoft Teams Admin Center-Teams | E3 Level 2 | Ensure external file sharing in Teams is enabled for only approved cloud storage services |
| Microsoft Teams Admin Center-Teams | E3 Level 1 | Ensure users cant send emails to a channel email address |
| Microsoft Teams Admin Center-Users | E3 Level 2 | Ensure external access is restricted in the Teams admin center |
| Microsoft Teams Admin Center-Teams Apps | E3 Level 1 | Ensure app permission policies are configured |
| Microsoft Teams Admin Center-Meetings | E3 Level 2 | Ensure anonymous users cant join a meeting |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure anonymous users and dial-in callers cant start a meeting |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure only people in my org can bypass the lobby |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure users dialing in cant bypass the lobby |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure meeting chat does not allow anonymous users |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure only organizers and co-organizers can present |
| Microsoft Teams Admin Center-Meetings | E3 Level 1 | Ensure external participants cant give or request control |
| Microsoft Teams Admin Center-Messaging | E3 Level 1 | Ensure users can report security concerns in Teams |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure guest user access is restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure external user invitations are restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure guest access to content is restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Publish to web is restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 2 | Ensure Interact with and share R and Python visuals is Disabled |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Allow users to apply sensitivity labels for content is Enabled |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure shareable links are restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure enabling of external data sharing is restricted |
| Microsoft Fabric-Tenant Settings | E3 Level 1 | Ensure Block ResourceKey Authentication is Enabled |
SmartProfiler Tests
| Category | Test |
| M365 Admin Center-Accounts and Authentication | Ensure Azure Information Protection-AIP is enabled at Global Level |
| M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 User Roles have less than 10 Admins |
| M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Users Have Strong Password Requirements Configured |
| M365 Admin Center-Accounts and Authentication | Ensure self-service password reset is enabled |
| M365 Admin Center-Accounts and Authentication | Ensure that Microsoft 365 Passwords Are Not Set to Expire |
| M365 Admin Center-Accounts and Authentication | Ensure modern authentication for Teams Online is enabled |
| M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Exchange Online Modern Authentication is Used |
| M365 Admin Center-Accounts and Authentication | Ensure Microsoft 365 Exchange Online Privileged Access Management is Used |
| M365 Admin Center-Auditing | Ensure Enterprise Applications Role Assignments are reviewed weekly |
| Microsoft 365 Defender-Email and Collaboration | Ensure No Domains with SPF Soft Fail are Configured |
| Microsoft Purview-Data Loss Protection | Ensure DLP Policy is enabled for OneDrive |
| Microsoft Purview-Data Loss Protection | Ensure DLP Policy is configured for SharePoint |
| Microsoft Purview-Data Loss Protection | Ensure Custom Anti-Malware Policy is Present |
| Microsoft Purview-Data Loss Protection | Ensure Custom Anti-Phishing Policy is Present |
| Microsoft Purview-Data Loss Protection | Ensure Custom DLP Policies are Present |
| Microsoft Purview-Data Loss Protection | Ensure Custom DLP Sensitive Information Types are Defined |
| Microsoft Entra admin center-Identity Governance | Use Just In Time privileged access to Microsoft 365 roles |
| Microsoft Exchange admin center-Audit | Ensure Microsoft 365 Exchange Online Admin Auditing Is Enabled |
| Microsoft Exchange admin center-Audit | Ensure Microsoft 365 Exchange Online Unified Auditing Is Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Exchange Auto-Forwarding is configured |
| Microsoft Exchange admin center-Mailflow | Ensure Do Not Bypass the Safe Attachments Filter is not configured |
| Microsoft Exchange admin center-Mailflow | Ensure Do Not Bypass the Safe Links Feature is not configured |
| Microsoft Exchange admin center-Mailflow | Ensure Exchange Modern Authentication is Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Executable Attachments are configured |
| Microsoft Exchange admin center-Mailflow | Ensure Dangerous Attachment Extensions are Filtered is configured |
| Microsoft Exchange admin center-Mailflow | Ensure Malware Filter Policies Alert for Internal Users Sending Malware is configured |
| Microsoft Exchange admin center-Mailflow | Ensure Transport Rules to Block Large Attachments are configured |
| Microsoft Exchange admin center-Mailflow | Ensure Mailbox Auditing is Enabled at Tenant Level |
| Microsoft Exchange admin center-Mailflow | Ensure Mailboxes without Mailbox Auditing are not present |
| Microsoft Exchange admin center-Mailflow | Ensure Exchange Mailboxes with IMAP is not Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Exchange Mailboxes with POP is not Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Exchange Online Mailboxes with SMTP Authentication is not Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Common Malicious Attachment Extensions are Filtered |
| Microsoft Exchange admin center-Mailflow | Ensure Safe Attachments is Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Safe Links is Enabled |
| Microsoft Exchange admin center-Mailflow | Ensure Safe Links Click-Through is Not Allowed |
| Microsoft Exchange admin center-Mailflow | Ensure Safe Links Flags Links in Real Time |
| Microsoft Exchange admin center-Mailflow | Ensure SMTP Authentication is disabled Globally |
| Microsoft Exchange admin center-Mailflow | Ensure mail transport rules do not forward email to external domains |
| Microsoft Exchange admin center-Mailflow | Ensure automatic forwarding options are disabled |
| Microsoft Exchange admin center-Mailflow | Ensure the Client Rules Forwarding Block is enabled |
| Microsoft Exchange admin center-Mailflow | Ensure the Advanced Threat Protection Safe Links policy is enabled |
| Microsoft Exchange admin center-Mailflow | Ensure the Advanced Threat Protection SafeAttachments policy is enabled |
| Microsoft Exchange admin center-Mailflow | Ensure that an anti-phishing policy has been created |
| Microsoft Exchange admin center-Mailflow | Ensure mailbox auditing for all users is Enabled |
| Microsoft Exchange admin center-Reports | Ensure the Mailbox Access by Non-Owners Report is reviewed at least biweekly |
| Microsoft Exchange admin center-Reports | Ensure the Malware Detections report is reviewed at least weekly |
| Microsoft Exchange admin center-Reports | Ensure the report of users who have had their email privileges restricted due to spamming is reviewed |
| Microsoft Exchange admin center-Reports | Ensure Microsoft 365 Deleted Mailboxes are identified and Verified |
| Microsoft Exchange admin center-Reports | Ensure Microsoft 365 Hidden Mailboxes are Identified |
| Microsoft Exchange admin center-Reports | Ensure Mailboxes External Address Forwarding is not configured |
| Microsoft Exchange admin center-Reports | Ensure Exchange Online Mailboxes on Litigation Hold |
| Microsoft Exchange admin center-Reports | Ensure Exchange Online SPAM Domains are identified |
| Microsoft Exchange admin center-Reports | Ensure Exchange Online Mailbox Auditing is enabled |
| Microsoft Exchange admin center-Reports | Microsoft 365 Exchange Online Admin Success and Failure Attempts |
| Microsoft Exchange admin center-Reports | Microsoft 365 Exchange Online External Access Admin Success and Failure Attempts |
| Microsoft Exchange admin center-Settings | Ensure Email Security Checks are Bypassed Based on Sender Domain are not configured |
| Microsoft Exchange admin center-Settings | Ensure Email Security Checks are Bypassed Based on Sender IP are not configured |
| Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with FullAccess Delegates are present |
| Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with SendAs Delegates are present |
| Microsoft Exchange admin center-Settings | Ensure No Exchange Mailboxes with SendOnBehalfOf Delegates are present |
| Microsoft SharePoint Admin Center-Policies | Ensure document sharing is being controlled by domains with whitelist or blacklist |
| Microsoft SharePoint Admin Center-Settings | Ensure SharePoint sites are not enabled for both External and User Sharing |
| Microsoft SharePoint Admin Center-Settings | External user sharing-share by email-and guest link sharing are both disabled |
| Microsoft SharePoint Admin Center-Settings | Ensure that external users cannot share files folders and sites they do not own |
| Microsoft SharePoint Admin Center-Settings | SharePoint External Sharing is not Enabled at Global Level |
| Microsoft SharePoint Admin Center-Settings | SharePoint External User Resharing is not Permitted |
| Microsoft SharePoint Admin Center-Settings | SharePoint Legacy Authentication is not Enabled |
| Microsoft SharePoint Admin Center-Settings | SharePoint Anyone Shared Links Never Expire is not configured |
| Microsoft SharePoint Admin Center-Settings | SharePoint Online Modern Authentication is Enabled |
| Microsoft SharePoint Admin Center-Settings | Ensure Sign out inactive users in SharePoint Online is Configured |
| Microsoft Teams Admin Center-Teams | Ensure End-to-end encryption for Microsoft Teams is enabled |
| Microsoft Teams Admin Center-Teams | Ensure external domains are not allowed in Teams |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams External Domain Communication Policies are configured |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Users Allowed to Invite Anonymous Users is disabled |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Policies Allow Anonymous Members is disabled |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Consumer Communication Policies are configured |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams External Access Policies are configured |
| Microsoft Teams Admin Center-Policies | Ensure Microsoft Teams Users Allowed to Preview Links in Messages is disabled |
| Microsoft Teams Admin Center-Policies | Ensure Safe Links for Teams is Enabled |
| Microsoft M365 Users-Users | Ensure All Microsoft 365 Users are licensed |
| Microsoft M365 Users-Users | Ensure Deleted Microsoft 365 Users are Identified |
| Microsoft M365 Users-Users | Ensure Disabled Microsoft 365 Users are Identified |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Users have no Reconciliation Errors |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Users Password Expires |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Users are Syncing and No Sync Errors |
| Microsoft M365 Users-Users | Ensure no Provisioning Errors for Microsoft 365 Users |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Blocked Users are Identified |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Users Have Changed Passwords |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Company Administrators have less than 5 Admins |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Deleted and Licensed Users are Identified |
| Microsoft M365 Users-Users | Ensure Microsoft 365 Groups Without Members are Identified |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are set to require advanced security configurations for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are set to require advanced security configurations for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device password reuse is prohibited for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device password reuse is prohibited for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices are set to never expire passwords for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices are set to never expire passwords for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that users cannot connect from devices that are jail broken or rooted |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require a minimum password length to prevent brute force attacks for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require a minimum password length to prevent brute force attacks for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure devices lock after a period of inactivity to prevent unauthorized access for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure devices lock after a period of inactivity to prevent unauthorized access for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Type = Alphanumeric) for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Type = Alphanumeric) for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that mobile devices require complex passwords (Simple Passwords = Blocked) for iOS Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure that devices connecting have AV and a local firewall enabled |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile device management policies are required for email profiles |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices require the use of a password for Android Devices |
| Microsoft Mobile Device Management-MDM Policies | Ensure mobile devices require the use of a password for iOS Devices |
| Microsoft M365 Dangerous Defaults | Ensure Users can read all attributes in Azure AD is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Users can create security groups is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Users are allowed to create and register applications is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Users with a verified mail domain can join the tenant is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Guests can invite other guests into the tenant is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Users are allowed to create new Azure Active Directory Tenants is disabled |
| Microsoft M365 Dangerous Defaults | Ensure Policy exists to restrict non-administrator access to Azure Active Directory or Entra |
| Microsoft M365 Configuration | Ensure Microsoft 365 Licenses are consumed in SKUs |
| Microsoft M365 Configuration | Ensure All Microsoft 365 Domains Have been verified |
| Microsoft M365 Configuration | Ensure Microsoft 365 Domain Services Have Services Assigned |
| Microsoft M365 Configuration | Ensure Microsoft 365 Notification Email is configured |
| Microsoft M365 Configuration | Ensure Microsoft 365 Organization Level Mailbox Auditing is configured |
| Microsoft M365 Configuration | Ensure Microsoft 365 Dir Sync Feature is Configured |
| Microsoft M365 Configuration | Ensure Microsoft 365 Dir Sync Features Are Used |
| Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflicts |
| Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflict with User Principal Name |
| Microsoft M365 Configuration | Ensure No Microsoft 365 Dir Sync Property Conflict with ProxyAddress |