Impact Analysis - Microsoft change to Sharepoint custom scripting options could impact MS.SHAREPOINT.4.1v1 and 4.2

[tkol2022]

💡 Summary

Microsoft is making updates to the custom scripting configuration options for Sharepoint and OneDrive in March 2024. The purpose of this issue is to determine if we need to remove or revise policies MS.SHAREPOINT.4.1v1 and 4.2 based on the changes.

https://techcommunity.microsoft.com/t5/sharepoint/removing-custom-scripting-on-sharepoint-sites/m-p/4055563

Implementation notes

• Examine the Microsoft documentation which states that the scripting configuration is going to change.
• Perform a hands-on analysis of the Sharepoint admin center for the two affected settings and document the impacts.
• Document a recommendation on whether the baseline and ScubaGear need to change.
• If changes are needed, create new issues.

[ahuynhMITRE]

Notes:

In March 2024:

• The Custom Script setting, which determines if users can execute custom scripts on personal sites and self-service created sites will be removed.
• A new PowerShell command, "DelayDenyAddAndCustomizePagesEnforcement", has been introduced. This command is available in the SharePoint Online Management Shell version 16.0.24524.12000, or above which allows delay of the change to custom script set on the Tenant until mid-November 2024 (previously May).

New PowerShell Command "DelayDenyAddAndCustomizePagesEnforcement":

• False (default) - for site collections where administrators enabled the ability to add custom script, SharePoint will revoke that ability within 24 hours from the last time this setting was changed.

• True - All changes performed by administrators to custom script settings are preserved. When the value is set to true, a banner shows in the active sites list of the SharePoint admin center informing that changes to custom scripts are permanent.

Need to test:

• New PowerShell Command "DelayDenyAddAndCustomizePagesEnforcement once live
• Current comandlets in ScubaGear (will probably need to change)

[ahuynhMITRE]

Additional Notes:

Post November:
Post November, on SharePoint sites if administrators wish to continue using features that are only available when unmanaged custom scripts are permitted to run, they will need to re-enable the running of custom scripts every 24 hours. This option does not impact existing custom scripts.

The NoScriptSite setting will be configured to True for all existing SharePoint sites and OneDrive sites except for below mentioned sites templates.

BLANKINTERNETCONTAINER#0 = Classic Publishing Portal site

CMSPUBLISHING#0 = Publishing Site

BLANKINTERNET#0 = Publishing Site

GROUP#0 = Team site

APPCATALOG#0 = App Catalog

CSPCONTAINER#0 = CSP Container

The execution of existing scripts in OneDrive and SharePoint sites will remain unaffected.
There will not be an option to enable custom script on OneDrive sites once the delay set using DelayDenyAddAndCustomizePagesEnforcement ends in mid-November 2024 (previously May).
Customers will retain the ability to permit the execution of custom scripts on specific SharePoint sites using the Set-SPOSite -DenyAddAndCustomizePages PowerShell command or from the Active sites page in the SharePoint Admin Center.

Any modifications made to a site will be automatically reverted to False status within 24 hours, unless the new PowerShell command “DelayDenyAddAndCustomizePagesEnforcement” is used prior to mid-November 2024 (previously May). After mid-November 2024, the 24-hour reversion will occur regardless of this setting.

[schrolla]

@ahuynhMITRE Can you get a definitive answer from Microsoft support team on the impact of the change and whether custom scripting will still be available in SharePoint or not?

[ahuynhMITRE]

Met with @tkol2022 and @mitchelbaker-cisa on 04/15 to discuss and level set. Below are the actions and decisions made:

• Open new issue to further investigate and define the risk of custom scripting through prototyping.
• admin center message center mentioned in this issue has been pushed from Mar 2024 -> May 2024, close current issue and create new one once additional prototyping above is finished.

[tkol2022]

Met with @tkol2022 and @mitchelbaker-cisa on 04/15 to discuss and level set. Below are the actions and decisions made:

• Open new issue to further investigate and define the risk of custom scripting through prototyping.
• admin center message center mentioned in this issue has been pushed from Mar 2024 -> May 2024, close current issue and create new one once additional prototyping above is finished.

For the new issue related to bullet 1, name the issue "Develop and test custom scripting exploit to perform impact analysis of Sharepoint section 4 policies" and label the issue as handsonprototyping. The general scope would be to write a custom script that simulates a malicious action like downloading a set of files. Using test accounts we can simulate a phishing attack to lure a target user to click on a Sharepoint link that will execute the script within the context of the target user's identity.