Intune Security Policies – E2
After my first episode I was busy with other projects, so today I am picking the security journey and recommendations back up. After "Administrative Templates Personalization," I realized I should discuss another security aspect: Auditing. Intune has 59 settings related to "Auditing"; in this post I selected some of the most important ones, which are also widely recommended by cyber security practitioners and the CIS Benchmark.
1. Audit Process Creation (Enable): This policy setting determines what information is logged in security audit events when a new process is created. It only takes effect if the Audit Process Creation policy is enabled. When enabled, the command line of every process is logged in plain text in the Security event log as part of the Audit Process Creation event 4688, "A new process has been created," on the workstations and servers where the policy applies. If this policy setting is disabled or not configured, command line information is not included in Audit Process Creation events. Default: Not configured. Note: when enabled, any user with access to read security events can view the command line arguments of any successfully created process, and command line arguments may contain sensitive or private information such as passwords or user data.
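To verify that item 1 is actually in effect on a device and to see what it produces, here is an added PowerShell example (my own code, not from the original post or from Microsoft). It assumes an elevated session on a Windows 10 or later machine; the registry value name and the 4688 event field names are the standard ones, and the event log may be empty on a fresh test box.

```powershell
# Added example: check command-line logging for process creation, then read recent
# 4688 events and extract the command line from the event XML. Run elevated.

# 1. The "Include command line in process creation events" setting is stored here.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled `
            -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
if ($cmdLine -eq 1) {
    'Command line logging: enabled'
} else {
    'Command line logging: NOT enabled (4688 events will have an empty CommandLine field)'
}

# 2. The command-line setting does nothing unless the subcategory itself is audited.
auditpol /get /subcategory:"Process Creation"

# 3. Pull the last 50 "A new process has been created" events. The interesting
#    fields live under EventData in the XML, so parse that rather than the Message text.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Parent      = $data.ParentProcessName   # populated on Windows 10 / Server 2016 and later
            NewProcess  = $data.NewProcessName
            CommandLine = $data.CommandLine         # empty unless the setting in step 1 is enabled
        }
    } | Format-Table -AutoSize
```

Because the command lines land in the Security log in plain text, the note in item 1 matters operationally: whoever holds the "Manage auditing and security log" right or is in Event Log Readers sees them, so keep that membership as tight as the forwarding or SIEM collector account allows.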

2. Account Logon Audit Credential Validation (Success + Failure): This setting allows you to monitor events generated by validation tests on user account logon credentials. These events occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.

3. Account Logon Logoff Audit Account Lockout (Failure): This policy setting enables you to track events caused by failed login attempts to a locked-out account. When you configure this policy, an audit event is created if an account cannot log in because it is locked out. Success audits log successful attempts, while failure audits record unsuccessful ones. Logon events are vital for monitoring user activity and identifying potential security threats.

4. Account Logon Logoff Audit Group Membership (Success): This policy allows you to audit the group membership information in the user's logon token. Events in this category are generated on the computer where the logon session is established. For an interactive logon, the security audit event is created on the computer the user logs into. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is enabled, one or more security audit events are produced for each successful logon. You also need to enable the Audit Logon setting under Advanced Audit Policy Configuration, System Audit Policies, Logon/Logoff. Multiple events are generated if the group membership information does not fit into a single security audit event.

5. Account Management Audit Application Group Management (Success + Failure): This policy setting allows you to audit events related to changes in application groups, such as creating, modifying, or deleting an application group. It also tracks when members are added to or removed from an application group. If you enable this policy setting, an audit event is generated whenever there is an attempt to change an application group. Successful attempts are recorded as success audits, while unsuccessful attempts are recorded as failure audits. If you do not enable this policy setting, no audit events are generated when an application group is modified.

6. Audit Authentication Policy Change (Success): This policy setting enables you to audit events caused by changes to the authentication policy, such as the creation, modification, or removal of forest and domain trusts. It also includes changes to the Kerberos policy under Computer Configuration, and cases such as a new trust having the same name as an existing namespace. If you configure this policy setting, an audit event is generated when there is an attempt to change the authentication policy. Success audits record successful attempts, and failure audits record unsuccessful ones. If you do not configure this policy setting, no audit event is created when the authentication policy changes. Note: the security audit event is logged when the group policy is applied, not at the time the settings are modified.

7. Audit File Share Access (Success + Failure): This policy setting enables you to audit attempts to access a shared folder. When you configure this setting, an audit event is created whenever there is an attempt to access a shared folder. If enabled, the administrator can choose to audit only successful attempts, only failed attempts, or both. Note: shared folders do not have system access control lists (SACLs). When this setting is enabled, access to all shared folders on the system is audited.

8. Audit Special Logon (Success): This policy setting allows you to audit events generated by special logons. A special logon is a logon that has administrator-like privileges and can be used to elevate a process to a higher level. It also includes a logon by a member of a Special Group. Special Groups let you audit events when a member of a specific group logs on to your network. You can set up a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
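The post mentions that the Special Groups list lives in the registry but does not show how to set it. The following is an added PowerShell example (my own, not from the original post or from Microsoft) that populates the list and checks that the subcategory is on. It assumes an elevated session on a domain-joined device (for example as a PowerShell script deployed through Intune); the SID translation needs the domain to be reachable, and the extra SIDs are placeholders you would replace with your own groups.

```powershell
# Added example: configure the Special Groups list used by Audit Special Logon.
# When a logon token contains any listed SID, the Security log receives event 4964
# ("Special groups have been assigned to a new logon"). Run elevated.

$lsaAudit = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'

# Resolve the domain's Domain Admins SID without needing the AD module.
# Assumption: the device is domain-joined and a DC is reachable.
$domainAdmins = (New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")).
                    Translate([System.Security.Principal.SecurityIdentifier]).Value

$specialGroups = @(
    'S-1-5-32-544'        # BUILTIN\Administrators (well-known SID)
    $domainAdmins         # Domain Admins, resolved above
    'S-1-5-21-<DOMAIN-SID>-519'  # placeholder: Enterprise Admins; replace <DOMAIN-SID> or remove
)

if (-not (Test-Path $lsaAudit)) { New-Item -Path $lsaAudit -Force | Out-Null }
# The value is a single REG_SZ with SIDs separated by semicolons.
Set-ItemProperty -Path $lsaAudit -Name SpecialGroups -Value ($specialGroups -join ';') -Type String

# Without the subcategory enabled, the list has no effect.
auditpol /set /subcategory:"Special Logon" /success:enable

# Verify: read the value back and list recent 4964 events (none until someone
# in a listed group logs on).
(Get-ItemProperty -Path $lsaAudit -Name SpecialGroups).SpecialGroups
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

In practice the 4964 event is what you forward to a SIEM as a "privileged account logon" signal; the 4672 special-privileges event fires for every logon that carries admin rights, while 4964 fires only for the groups you chose to name.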

9. Object Access Audit Removable Storage (Success + Failure): This policy setting enables you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested. When you configure this policy setting, an audit event occurs each time an account accesses a file system object on a removable storage device. Success audits record successful attempts, while failure audits record unsuccessful ones. If you do not configure this policy setting, no audit events are generated when an account accesses a file system object on a removable storage device.

10. System Audit Other System Events (Success + Failure): This policy setting allows you to audit any of these events: startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall service, and cryptography key file and migration operations.
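Once Intune has pushed these ten settings, it helps to confirm on a device that the effective audit policy matches. Here is an added PowerShell example (my own, not from the original post) that compares `auditpol` output against the values recommended above. The mapping of list items to `auditpol` subcategory names is mine, and for item 1 I treat "Enable" as a Success setting on the Process Creation subcategory, which is an assumption; it also assumes an elevated session and English subcategory names.

```powershell
# Added example: compare the effective audit policy with the settings recommended
# in this post. Run elevated. Usable as an Intune detection script: exits non-zero
# on drift.

$expected = @{
    'Process Creation'             = 'Success'               # item 1 (assumption: "Enable" = Success)
    'Credential Validation'        = 'Success and Failure'   # item 2
    'Account Lockout'              = 'Failure'               # item 3
    'Group Membership'             = 'Success'               # item 4
    'Application Group Management' = 'Success and Failure'   # item 5
    'Authentication Policy Change' = 'Success'               # item 6
    'File Share'                   = 'Success and Failure'   # item 7
    'Special Logon'                = 'Success'               # item 8
    'Removable Storage'            = 'Success and Failure'   # item 9
    'Other System Events'          = 'Success and Failure'   # item 10
}

# /r emits CSV with a "Subcategory" column and an "Inclusion Setting" column whose
# values are "Success", "Failure", "Success and Failure" or "No Auditing".
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$report = foreach ($name in $expected.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $expected[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $expected[$name])
    }
}

$report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Output "Non-compliant subcategories: $($drift.Subcategory -join ', ')"
    exit 1
}
exit 0
```

Two caveats when you rely on this: `auditpol` reports the policy as applied by the Local Security Authority, so a conflicting legacy "Audit policy" GPO can override what Intune set unless "Force audit policy subcategory settings" is in place; and the subcategory names in the CSV follow the OS display language, so non-English builds need the names adjusted or the GUID column used instead.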

Thanks for reading.
