CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL

Audit Details

Name: CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL

Updated: 8/3/2022

Authority: CIS

Plugin: Windows

Revision: 1.0

Estimated Item Count: 241

File Details

Filename: CIS_MS_InTune_for_Windows_10_2004_Level_1_Bitlocker_v1.0.1.audit

Size: 843 kB

MD5: d3222b85851370f74f8b4339b92bea63
SHA256: ea0f7bcf06ed81e5276fe4314e89f131007ac6173c4c4037f7bdc6f6c8fdfbc8

Audit Items

DescriptionCategories
Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'

CONFIGURATION MANAGEMENT

1.1.1 Ensure 'Enforce password history' is set to '24 or more passwords'

ACCESS CONTROL

1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'

ACCESS CONTROL

1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)'

ACCESS CONTROL

1.1.4 Ensure 'Minimum password length' is set to '14 or more characters'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Numbers, lowercase, uppercase and special characters required'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.2.1 Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.2 Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.3 Ensure 'Act as part of the operating system' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.4 Ensure 'Allow log on locally' is set to 'Administrators, Users'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.5 Ensure 'Back up files and directories' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.6 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.7 Ensure 'Create a pagefile' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.8 Ensure 'Create a token object' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.9 Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.10 Ensure 'Create permanent shared objects' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.11 Configure 'Create symbolic links' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.12 Ensure 'Debug programs' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.13 Ensure 'Deny access to this computer from the network' to include 'Guests, Local account'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.14 Ensure 'Deny log on locally' to include 'Guests'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.15 Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.16 Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.17 Ensure 'Force shutdown from a remote system' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.18 Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.19 Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.20 Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.21 Ensure 'Load and unload device drivers' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.22 Ensure 'Lock pages in memory' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.23 Ensure 'Manage auditing and security log' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.24 Ensure 'Modify an object label' is set to 'No One'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.25 Ensure 'Modify firmware environment values' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.26 Ensure 'Perform volume maintenance tasks' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.27 Ensure 'Profile single process' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.28 Ensure 'Restore files and directories' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.2.29 Ensure 'Take ownership of files or other objects' is set to 'Administrators'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION

2.3.1.1 Ensure 'Accounts: Administrator account status' is set to 'Disabled'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.3.1.2 Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'

ACCESS CONTROL

2.3.1.3 Ensure 'Accounts: Guest account status' is set to 'Disabled'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.3.1.4 Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'

IDENTIFICATION AND AUTHENTICATION

2.3.1.5 Configure 'Accounts: Rename administrator account'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION

2.3.1.6 Configure 'Accounts: Rename guest account'

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION

2.3.4.1 Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

2.3.7.1 Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.7.2 Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.7.3 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'

ACCESS CONTROL

2.3.7.4 Configure 'Interactive logon: Message text for users attempting to log on'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.7.5 Configure 'Interactive logon: Message title for users attempting to log on'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.8.1 Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.8.2 Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.3.8.3 Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION