Skip to content

Latest commit

 

History

History
157 lines (121 loc) · 15.6 KB

File metadata and controls

157 lines (121 loc) · 15.6 KB

Intune ACSC Windows Hardening Guidelines

These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.

Additional Intune policies have been provided for organisations who are also required to comply with the ACSC's Office Hardening Guidance and the ACSC's Office Macro Security publication.

While the intent of these policies is to assist in an organisations compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.

What's included?

Windows

There are three Windows hardening policies and a collection of scripts contained within this repository.

  1. ACSC Windows Hardening Guidelines
    • This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Windows.

Important: some settings are not be available for configuration via Settings Catalog. Ensure that you verify this representation of the hardening guidance meets your requirements.

  1. Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
    • Microsoft provides a Windows Security Baseline (currently version 23H2), which is comprised of groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams within Microsoft. The Microsoft Security Baseline can be deployed with Intune.
    • This Microsoft Security Baseline has been modified so that its settings do not conflict with those of the ACSC Windows Hardening Guidelines. All non-conflicting settings have been left as-is.
  2. ACSC Windows Hardening Guidelines-Attack Surface Reduction
    • This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
  3. UserApplicationHardening-RemoveFeatures
    • This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).
  4. A collection of PowerShell scripts that configures registry keys for settings that are currently unavailable to be configured via Settings Catalog.

Supplementary documentation has been provided for the ACSC Windows Hardening Guidelines policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.

Microsoft 365 Apps for Enterprise

Organisations that are required to harden Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus) with the ACSC recommended hardening policies, including limiting the execution of macros to Trusted Publishers can use the supplied policies. See the Microsoft 365 Apps for Enterprise README for additional information and steps to import the policies.

Microsoft Edge

Organisations that are looking to harden only Microsoft Edge, without applying all additional Windows hardening recommended by the ACSC can use the supplied policy. See Microsoft Edge README for additional information and steps to import the policy.

What's not included?

Although the below settings are configured as a part of the ACSC Windows Hardening Guidelines, they have not been included in this version of the guidelines. It is still recommended to configure each of the settings below as a part of an end to end security strategy.

Requirements

These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.

Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.

How to import the policies

To import the policies, use Graph Explorer. After running through the import instructions below, the following policies and profiles will be imported into the organisations Intune tenant.

Note: After importing the policies, the policies will need to be assigned to a group.

  1. A Settings Catalog policy, named: ACSC Windows Hardening Guidelines
    • This Settings Catalog policy will be found in the Microsoft Intune console, under: Devices > Windows > Configuration profiles
  2. A Security Baseline, named: Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
    • This Security Baseline will be found in the Microsoft Intune console, under: Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later
  3. An Attack surface reduction policy, named: ACSC Windows Hardening Guidelines-Attack Surface Reduction
    • This Attack surface reduction policy will be found in the Microsoft Intune console, under: Endpoint Security > Attack surface reduction
  4. A PowerShell script, named: UserApplicationHardening-RemoveFeatures
  5. Multiple PowerShell scripts, each corresponding to the name of the registry key they configure

Note: When using Graph Explorer, you may need to consent to permissions if you have not done so before. For more information, please see Working with Graph Explorer.

ACSC Windows Hardening Guidelines (Settings Catalog)

  1. Save the ACSC Windows Hardening Guidelines policy to your local device
  2. Navigate to the Microsoft Intune console
  3. Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
  4. Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1
  5. Click Save

Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) (Windows Security Baseline)

  1. Navigate to Graph Explorer and authenticate
  2. Create a POST request, using the beta schema to the Windows Security Baseline policy endpoint: https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
  3. Copy the JSON in the Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) policy and paste it in the request body
  4. (Optional) modify the name value if required

ACSC Windows Hardening Guidelines - Attack Surface Reduction Rules (Endpoint Security)

  1. Navigate to Graph Explorer and authenticate
  2. Create a POST request, using the beta schema to the Attack Surface Reduction policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance
  3. Copy the JSON in the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it in the request body
  4. (Optional) modify the name value if required

UserApplicationHardening-RemoveFeatures (PowerShell script)

  1. Navigate to the Microsoft Intune console
  2. Add a new PowerShell script, under Devices > Windows > Powershell scripts
    • Name: UserApplicationHardening-RemoveFeatures
  3. Upload UserApplicationHardening-RemoveFeatures.ps1
    • Run this script using the logged on credentials: No
    • Enforce script signature check: No
    • Run script in 64 bit PowerShell Host: No

Multiple PowerShell Scripts

For each PowerShell script in scripts:

  1. Navigate to the Microsoft Intune console
  2. Add a new PowerShell script, under Devices > Windows > Powershell scripts
    • Name: < name of the corresponding PowerShell script >
  3. Upload the corresponding PowerShell script
    • Run this script using the logged on credentials: No
    • Enforce script signature check: No
    • Run script in 64 bit PowerShell Host: No

Additional Considerations

  • The setting 'Allow Telemetry' has been configured to: 'Security'. Keep in mind that other services require different telemetry settings, such as Update Compliance, which requires Basic telemetry.
  • The setting 'Disable One Drive File Sync' has been configured to: 'disable sync'. This disables OneDrive. Modify this setting to 'sync enabled' to enable OneDrive.

Windows 365 and Azure Virtual Desktop Considerations

As both Windows 365 and Azure Virtual Desktop rely on remote desktop connectivity to the endpoint, you will need to modify the following settings from the ACSC Windows Hardening Guidelines policy to enable remote connectivity.

  • Modify Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services from Disabled to Enabled
  • Remove the setting "Deny Access From Network"
  • Remove the setting "Deny Remote Desktop Services Log On"

Remote Help Considerations

Remote Help requires the following modifications in the ACSC Windows Hardening Guidelines policy:

  • Modify User Account Control Behavior Of The Elevation Prompt for Standard Users from Automatically deny elevation requests to Prompt for credentials on the secure desktop
  • Modify Require trusted path for credential entry from Enabled to Disabled

Support

For help and questions about using this project, please reach out to [email protected]. If you notice any discrepancies in the policies provided, please raise an issue as described in SUPPORT.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.