7.3.3 Ensure custom script execution is restricted on personal sites

Information

This setting controls custom script execution on OneDrive or user-created sites.

Custom scripts can allow users to change the look, feel and behavior of sites and pages. Every script that runs in a SharePoint page (whether it's an HTML page in a document library or a JavaScript in a Script Editor Web Part) always runs in the context of the user visiting the page and the SharePoint application. This means:

Scripts have access to everything the user has access to.

Scripts can access content across several Microsoft 365 services and even beyond with Microsoft Graph integration.

The recommended state is Prevent users from running custom script on personal sites and Prevent users from running custom script on self-service created sites

Rationale:

Custom scripts could contain malicious instructions unknown to the user or administrator. When users are allowed to run custom script, the organization can no longer enforce governance, scope the capabilities of inserted code, block specific parts of code, or block all custom code that has been deployed. If scripting is allowed the following things can't be audited:

What code has been inserted

Where the code has been inserted

Who inserted the code

Note: Microsoft recommends using the SharePoint Framework instead of custom scripts.

Impact:

None - this is the default behavior.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to SharePoint admin center https://admin.microsoft.com/sharepoint

Select Settings.

At the bottom of the page click the classic settings page hyperlink.

Scroll to locate the Custom Script section. On the right set the following:

Select Prevent users from running custom script on personal sites.

Select Prevent users from running custom script on self-service created sites.

Default Value:

Selected Prevent users from running custom script on personal sites

Selected Prevent users from running custom script on self-service created sites

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: microsoft_azure

Control ID: c9846f84ae9585028408354a73042d7ea712570231943a42794dd791682d93c2