Transport Rules Without Sender Whitelisting

💼 Management Summary

Prevent transport rules that implement sender whitelisting; such rules bypass the anti-spam and anti-phishing protections.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 8/10
Implementation: 4h (tech: 2h)
Applies to: Exchange Online

Transport rules that whitelist senders (skip the spam filter, always allow from domain X) create a CRITICAL security gap: spoofed emails bypass protections, phishing emails from whitelisted domains are delivered, and attackers target whitelisted senders (compromise the CEO's mailbox and all of its emails bypass the filters). Whitelisting is an ANTI-PATTERN: modern email security uses conditional trust, not blanket whitelisting. Never whitelist entire domains.

PowerShell Modules Required
Primary API: Exchange Online
Connection: Connect-ExchangeOnline
Required Modules: ExchangeOnlineManagement

Implementation

Audit transport rules: identify rules with sender whitelisting, then remove them or scope them tightly (a specific sender plus additional conditions; NO domain-wide whitelists).

Implementation

Review transport rules: Get-TransportRule | Where-Object { $_.SenderDomainIs -ne $null }. Remove problematic whitelists.
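As an added example (not part of the NL Baseline script on this page or of Microsoft's own tooling), the following PowerShell goes one step beyond the SenderDomainIs filter above: it takes rules that bypass spam filtering (SetSCL -1) and classifies them by how broadly they are scoped, so that the forbidden domain-wide whitelist can be separated from the permitted form (specific sender plus an extra condition such as a source IP range). The Get-TransportRule property names and the Disable-TransportRule cmdlet are real; the function names Get-WhitelistRuleFinding and Disable-WhitelistRule, the severity thresholds and the sample rules are constructed for this example.

```powershell
# Added example, not part of the NL Baseline script or of Microsoft's tooling.
# Classifies transport rules that bypass spam filtering (SetSCL = -1) by how
# broadly they are scoped. Property names are the real Get-TransportRule
# properties; the sample rules at the bottom are constructed.

function Get-WhitelistRuleFinding {
    [CmdletBinding()]
    param(
        # Accepts Get-TransportRule output or any object with the same property names
        [Parameter(Mandatory, ValueFromPipeline)] $Rule
    )
    process {
        # Only rules that set SCL -1 skip spam filtering; anything else is not a whitelist
        if ($Rule.SetSCL -ne -1) { return }

        # Sender scoping: a whole domain versus specific addresses
        $domains   = @($Rule.SenderDomainIs | Where-Object { $_ })
        $addresses = @($Rule.From | Where-Object { $_ })

        # Conditions that narrow the bypass beyond "who sent it"
        $narrowingProps = 'SenderIpRanges', 'SubjectContainsWords', 'HeaderContainsWords',
                          'RecipientAddressContainsWords', 'AttachmentExtensionMatchesWords'
        $narrowing = @()
        foreach ($p in $narrowingProps) {
            if (@($Rule.$p | Where-Object { $_ }).Count -gt 0) { $narrowing += $p }
        }

        # Severity thresholds are an assumption of this example, not a product setting
        $severity = if ($domains.Count -gt 0 -and $narrowing.Count -eq 0) {
            'Critical'   # domain-wide and unconditional: the forbidden pattern
        } elseif ($domains.Count -eq 0 -and $addresses.Count -eq 0) {
            'Critical'   # bypass with no sender scope at all
        } elseif ($narrowing.Count -eq 0) {
            'High'       # specific sender, but no further condition required
        } else {
            'Medium'     # specific sender plus an extra condition: the scoped form
        }

        [PSCustomObject]@{
            Name        = $Rule.Name
            Severity    = $severity
            Domains     = $domains -join ','
            Senders     = $addresses -join ','
            Narrowing   = $narrowing -join ','
            Recommended = $(if ($severity -eq 'Medium') { 'Review and document' } else { 'Remove or re-scope' })
        }
    }
}

function Disable-WhitelistRule {
    # Disables (does not delete) Critical/High findings so the change stays reversible;
    # -WhatIf shows what would happen without touching the tenant.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        if ($Finding.Severity -in 'Critical', 'High') {
            if ($PSCmdlet.ShouldProcess($Finding.Name, 'Disable-TransportRule')) {
                Disable-TransportRule -Identity $Finding.Name -Confirm:$false
            }
        }
    }
}

# Constructed sample rules (shape mirrors Get-TransportRule output; no tenant needed)
$sampleRules = @(
    [PSCustomObject]@{ Name = 'Allow partner domain';   SetSCL = -1;    SenderDomainIs = @('partner.example'); From = $null; SenderIpRanges = $null }
    [PSCustomObject]@{ Name = 'Allow ticketing system'; SetSCL = -1;    SenderDomainIs = $null; From = @('noreply@tickets.example'); SenderIpRanges = @('203.0.113.10/32') }
    [PSCustomObject]@{ Name = 'Allow CEO address';      SetSCL = -1;    SenderDomainIs = $null; From = @('ceo@corp.example'); SenderIpRanges = $null }
    [PSCustomObject]@{ Name = 'Block executables';      SetSCL = $null; SenderDomainIs = $null; From = $null; AttachmentExtensionMatchesWords = @('exe') }
)

$findings = $sampleRules | Get-WhitelistRuleFinding
$findings | Format-Table Name, Severity, Domains, Senders, Narrowing, Recommended -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), first as a dry run:
#   Get-TransportRule | Get-WhitelistRuleFinding | Disable-WhitelistRule -WhatIf
```

The four constructed rules cover the three cases the text distinguishes (a domain-wide whitelist, a specific sender with no further condition, and a specific sender narrowed by a source IP range) plus a blocking rule that is correctly not reported. Disabling rather than removing a rule keeps the quarterly audit reversible while the owner justifies or re-scopes it.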

Monitoring

Use the PowerShell script transport-rules-no-whitelist.ps1 (function Invoke-Monitoring) to check.

  1. Quarterly transport rule audit
  2. No sender domain whitelists

Compliance and Auditing

  1. CIS M365 - Email security
  2. Anti-phishing best practices

Remediation

Use the PowerShell script transport-rules-no-whitelist.ps1 (function Invoke-Remediation) to remediate.


Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Transport Rules No Whitelist
.DESCRIPTION
    Checks for transport rules that bypass spam filters (security risk)
.NOTES
    NL Baseline v2.0
#>
#Requires -Version 5.1
#Requires -Modules ExchangeOnlineManagement
[CmdletBinding()]
param(
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Transport Rules No Whitelist" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Connect-ExchangeOnline -ShowBanner:$false -ErrorAction Stop
        # Wrap in @() so a tenant with a single rule still yields a countable array
        $rules = @(Get-TransportRule)
        $result = @{ total = $rules.Count; whitelistRules = 0; flaggedRules = @() }

        foreach ($rule in $rules) {
            $hasWhitelist = $false
            # Check for SCL bypass (-1 = bypass spam filtering)
            if ($rule.SetSCL -eq -1) { $hasWhitelist = $true }
            # Check for sender-based rules that neither delete nor quarantine (allow through unfiltered)
            if ($rule.DeleteMessage -eq $false -and $rule.Quarantine -eq $false -and
                ($rule.FromAddressContainsWords -or $rule.FromAddressMatchesPatterns)) {
                $hasWhitelist = $true
            }
            if ($hasWhitelist) {
                $result.whitelistRules++
                $result.flaggedRules += $rule.Name
                Write-Host "  ⚠️ WHITELIST RULE: $($rule.Name)" -ForegroundColor Red
                Write-Host "     Priority: $($rule.Priority) | SCL: $($rule.SetSCL)" -ForegroundColor Gray
            }
        }

        Write-Host "`n  Summary:" -ForegroundColor Cyan
        Write-Host "    Total Rules: $($result.total)" -ForegroundColor White
        Write-Host "    Whitelist Rules: $($result.whitelistRules)" -ForegroundColor $(if ($result.whitelistRules -eq 0) { 'Green' } else { 'Red' })
        Write-Host "`n  Security Risk:" -ForegroundColor Cyan
        Write-Host "    Whitelist rules bypass spam/malware filters" -ForegroundColor Gray
        Write-Host "    Attackers can exploit these rules" -ForegroundColor Gray
        Write-Host "    Recommendation: Remove or review carefully" -ForegroundColor Gray

        if ($result.whitelistRules -eq 0) {
            Write-Host "`n[OK] COMPLIANT - No whitelist rules" -ForegroundColor Green
            exit 0
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT - Whitelist rules found!" -ForegroundColor Red
            Write-Host "Manual review required - remove or justify each rule" -ForegroundColor Yellow
            exit 1
        }
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

# Dispatch after both functions are defined, so -Remediation can resolve Invoke-Remediation
try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Use: -Monitoring or -Remediation (Manual review required)" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}

Risk Without Implementation

High: HIGH phishing risk; whitelisted senders bypass protections and CEO fraud emails are delivered.

Management Summary

Audit transport rules. Remove sender whitelists. NO domain-wide exemptions. Implementation: 2-4 hours.