6.3 Ensure expiration time for external sharing links is set

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

You should restrict the length of time that anonymous access links are valid.

Rationale:

An attacker can compromise a user account for a short period of time, send anonymous sharing links to an external account, then take their time accessing the data. They can also compromise external accounts and steal the anonymous sharing links sent to those external entities well after the data has been shared. Restricting how long the links are valid can reduce the window of opportunity for attackers.

Impact:

Enabling this feature will ensure that links expire within the defined number of days. This will have an effect on links that were previously not set with an expiration.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set expiration for anonymous access links, use the Microsoft 365 Admin Center:

Select Admin Centers and SharePoint.

Expand Policies, then click Sharing.

Under Choose expiration and permissions options for Anyone links, check These links must expire within this many days.

Set to the desired number of days, such as 30.

Click Save.

To set expiration for anonymous access links, you can also use SharePoint Online PowerShell:

Connect to SharePoint Online using Connect-SPOService.

Run the following PowerShell command:

Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
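The PowerShell steps above, extended into an audit-then-remediate script. This is an added example, not part of the benchmark or the audit file. The admin URL is a placeholder, 30 days is the example value from the steps above, and treating a value of 0 or -1 as "no expiration" is an assumption about how the tenant reports the setting when it is off.

```powershell
# Added example: check the tenant's Anyone-link expiration and fix it if needed.
# Requires the SharePoint Online Management Shell module.
$AdminUrl = 'https://contoso-admin.sharepoint.com'  # placeholder tenant admin URL
$MaxDays  = 30                                      # example value from the steps above

Connect-SPOService -Url $AdminUrl

$tenant  = Get-SPOTenant
$current = $tenant.RequireAnonymousLinksExpireInDays

# Anyone (anonymous) links can only be created when tenant sharing is
# set to ExternalUserAndGuestSharing.
$anyoneLinksOn = $tenant.SharingCapability -eq 'ExternalUserAndGuestSharing'

# Assumption: 0 or -1 means no expiration is enforced.
$compliant = ($current -ge 1) -and ($current -le $MaxDays)

# Record the state before changing anything.
[pscustomobject]@{
    SharingCapability  = $tenant.SharingCapability
    AnyoneLinksEnabled = $anyoneLinksOn
    ExpireInDays       = $current
    Compliant          = $compliant
}

if (-not $compliant) {
    Set-SPOTenant -RequireAnonymousLinksExpireInDays $MaxDays

    # Read the value back rather than trusting the absence of an error.
    $after = (Get-SPOTenant).RequireAnonymousLinksExpireInDays
    if ($after -ne $MaxDays) {
        throw "Expected $MaxDays days, tenant reports $after"
    }
    Write-Output "Anyone links now expire within $after days."
}
```

The first object printed is the pre-change state, which is worth keeping as audit evidence for the manual review that the NOTE above calls for.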

Default Value:

Anonymous Sharing - On

Sharing Links Expiration - Off

See Also

https://workbench.cisecurity.org/files/3729