Microsoft Intune - Hardening with Secedit
- Mr B SOE way
- Apr 19, 2024
- 4 min read
When hardening end-user devices to the ACSC or CIS benchmarks, some Active Directory Group Policy settings do not translate well to Microsoft Intune. In particular, the following controls from the CIS Microsoft Windows 11 Benchmark v3.0.0 either only have a CSP in Insider builds or otherwise have to be set manually:
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
1.2.4 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests'
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests'
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users'
These can be enforced with secedit instead. Prepare the following either as a Win32 app (Install.ps1 as the install command, Detect.ps1 as the custom detection script) or as an Intune Remediation (Detect.ps1 as the detection script, Install.ps1 as the remediation script):
Prepare the Install.ps1. It exports the current local security policy with secedit, rewrites the wanted values in the exported .inf and imports the result. Two details matter here: secedit only exports user rights that currently have at least one holder, so rights such as 'Deny log on as a batch job' are normally absent from the export and a plain string replace would leave them unset; and the exported template declares Unicode=yes, so it has to be written back as UTF-16 LE rather than relying on the Out-File default (which differs between Windows PowerShell and PowerShell 7).
# Install.ps1 - runs as SYSTEM; work in %TEMP% rather than whatever the current directory happens to be
$cfg = Join-Path $env:TEMP 'secedit.cfg'; $newCfg = Join-Path $env:TEMP 'seceditnew.cfg'; $db = Join-Path $env:TEMP 'seceditnew.sdb'
net accounts /lockoutduration:30                                   # Account lockout duration: 30 minutes
secedit /export /cfg $cfg /areas securitypolicy user_rights
# Desired values, keyed by the names secedit uses in the exported .inf
$desired = [ordered]@{
    LockoutBadCount               = '5'   # Account lockout threshold
    AllowAdministratorLockout     = '1'   # Allow Administrator account lockout: Enabled
    ResetLockoutCount             = '15'  # Reset account lockout counter after: 15 minutes
    LSAAnonymousNameLookup        = '0'   # Network access: Allow anonymous SID/Name translation: Disabled
    ForceLogoffWhenHourExpire     = '1'   # Network security: Force logoff when logon hours expire: Enabled
    SeIncreaseQuotaPrivilege      = '*S-1-5-32-544,*S-1-5-19,*S-1-5-20'      # Adjust memory quotas for a process: Administrators, LOCAL SERVICE, NETWORK SERVICE
    SeRemoteInteractiveLogonRight = '*S-1-5-32-544,*S-1-5-32-555'            # Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users
    SeTimeZonePrivilege           = '*S-1-5-32-544,*S-1-5-19,*S-1-5-32-545'  # Change the time zone: Administrators, LOCAL SERVICE, Users
    SeDenyBatchLogonRight         = '*S-1-5-32-546'                          # Deny log on as a batch job: Guests
    SeDenyServiceLogonRight       = '*S-1-5-32-546'                          # Deny log on as a service: Guests
    SeSystemProfilePrivilege      = '*S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420' # Profile system performance: Administrators, NT SERVICE\WdiServiceHost
    SeAssignPrimaryTokenPrivilege = '*S-1-5-20,*S-1-5-19'                    # Replace a process level token: LOCAL SERVICE, NETWORK SERVICE
    SeShutdownPrivilege           = '*S-1-5-32-544,*S-1-5-32-545'            # Shut down the system: Administrators, Users
}
$secedit = Get-Content $cfg
foreach ($name in $desired.Keys) {
    $line = "$name = $($desired[$name])"
    if ($secedit -match "^$name\s*=") {
        $secedit = $secedit -replace "^$name\s*=.*", $line
    } else {
        # Keys that are not in the export (rights with no holders, or lockout values while the threshold is 0)
        # would be skipped by -replace, so insert the line directly under the right section instead
        $section = if ($name -like 'Se*') { '[Privilege Rights]' } else { '[System Access]' }
        $secedit = $secedit | ForEach-Object { $_; if ($_ -eq $section) { $line } }
    }
}
$secedit | Out-File $newCfg -Encoding Unicode   # the template declares Unicode=yes, so write UTF-16 LE
Remove-Item $db -ErrorAction SilentlyContinue   # start from a fresh database rather than merging into an old one
secedit /configure /db $db /cfg $newCfg /areas securitypolicy user_rights
gpupdate /force
Prepare the Detect.ps1. The same script serves as the Win32 app's custom detection script and as a Remediation's detection script: Intune treats a Win32 app as installed only when the detection script exits 0 and writes something to STDOUT, and treats a Remediation as compliant when the detection script exits 0 (exit 1 triggers the remediation script). The comparison below is whole-line, so each expected value must match what secedit exports on the device exactly, SID order included; copy the values from an export rather than typing them by hand.
# Detect.ps1 - exit 0 plus STDOUT output = detected/compliant; exit 1 with no output = not detected/non-compliant
$cfg = Join-Path $env:TEMP 'secedit-detect.cfg'
secedit /export /cfg $cfg | Out-Null
$secedit = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue
$settings = @(
    "LockoutDuration = 30",          # Account lockout duration: 30 minutes
    "LockoutBadCount = 5",           # Account lockout threshold: 5
    "AllowAdministratorLockout = 1", # Allow Administrator account lockout: Enabled
    "ResetLockoutCount = 15",        # Reset account lockout counter after: 15 minutes
    "LSAAnonymousNameLookup = 0",    # Network access: Allow anonymous SID/Name translation: Disabled
    "ForceLogoffWhenHourExpire = 1", # Network security: Force logoff when logon hours expire: Enabled
    "SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20",     # Adjust memory quotas for a process: Administrators, LOCAL SERVICE, NETWORK SERVICE
    "SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555",      # Allow log on through Remote Desktop Services: Administrators, Remote Desktop Users
    "SeTimeZonePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-32-545",      # Change the time zone: Administrators, LOCAL SERVICE, Users
    "SeDenyBatchLogonRight = *S-1-5-32-546",                            # Deny log on as a batch job: Guests
    "SeDenyServiceLogonRight = *S-1-5-32-546",                          # Deny log on as a service: Guests
    "SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420", # Profile system performance: Administrators, NT SERVICE\WdiServiceHost
    "SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19",              # Replace a process level token: LOCAL SERVICE, NETWORK SERVICE
    "SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545"                 # Shut down the system: Administrators, Users
)
$missing = $settings | Where-Object { $_ -notin $secedit }
if ($missing) {
    # Write nothing to STDOUT here: no output plus exit 1 is what tells Intune the app is not installed
    exit 1
}
Write-Output "Equal"
exit 0
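The whole-line comparison in Detect.ps1 is brittle in two ways that both scripts above have to live with: secedit may export the SIDs of a right in a different order than the one you wrote, and a right with no holders is simply absent from the export. The following is an added example, not code from the original post: it parses a secedit .inf into sections, compares user-rights values as sets of SIDs, and reports absent keys as findings. The function names (ConvertFrom-SeceditInf, Test-RightHolders, Compare-SeceditBaseline) and the sample export are this example's own constructions; the baseline values are a subset of the ones used on this page.

```powershell
# Added example (not part of the original post). Parses a secedit .inf export into sections and
# compares it against a baseline, treating user-rights values as SETS of SIDs so that the order
# secedit happens to export them in does not matter, and reporting rights that are absent from
# the export (no current holders) as findings rather than silently skipping them.
# Function names and the sample export below are this example's own constructions.

function ConvertFrom-SeceditInf {
    # Turns the lines of a secedit .inf into @{ 'Section' = @{ Key = 'Value' } }
    param([string[]]$Lines)
    $result = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }           # blank lines and comments
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

function Test-RightHolders {
    # $true when both comma-separated SID lists contain the same members, in any order
    param([string]$Actual, [string]$Expected)
    $normalise = { param($v) (($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object) -join ',') }
    return ((& $normalise $Actual) -eq (& $normalise $Expected))
}

function Compare-SeceditBaseline {
    # Returns one line per baseline key whose exported value is missing or different
    param([hashtable]$Export, [hashtable]$Baseline)
    $findings = @()
    foreach ($section in $Baseline.Keys) {
        foreach ($key in $Baseline[$section].Keys) {
            $expected = $Baseline[$section][$key]
            $actual   = if ($Export.ContainsKey($section)) { $Export[$section][$key] } else { $null }
            $ok = $false
            if ($null -ne $actual) {
                $ok = if ($section -eq 'Privilege Rights') { Test-RightHolders $actual $expected } else { $actual -eq $expected }
            }
            if (-not $ok) { $findings += "[$section] $key : expected '$expected', got '$actual'" }
        }
    }
    return $findings
}

# Baseline: a subset of the post's values, with the SIDs written exactly as secedit writes them
$baseline = @{
    'System Access'    = @{ LockoutBadCount = '5'; LockoutDuration = '30'; ResetLockoutCount = '15'; LSAAnonymousNameLookup = '0' }
    'Privilege Rights' = @{
        SeIncreaseQuotaPrivilege      = '*S-1-5-32-544,*S-1-5-19,*S-1-5-20'
        SeAssignPrimaryTokenPrivilege = '*S-1-5-20,*S-1-5-19'
        SeDenyBatchLogonRight         = '*S-1-5-32-546'
    }
}

# Constructed sample of a `secedit /export` from a device that has not been hardened yet:
# default lockout values, SIDs in a different order than the baseline, and no SeDenyBatchLogonRight
# line at all (secedit omits rights that nobody holds)
$sampleExport = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 10
LockoutDuration = 10
ResetLockoutCount = 10
LSAAnonymousNameLookup = 0
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$findings = Compare-SeceditBaseline (ConvertFrom-SeceditInf $sampleExport) $baseline
$findings
# Reports the three lockout values and the missing SeDenyBatchLogonRight; the two reordered
# user-rights lines are accepted because their SID sets match.

# On a device, replace the constructed sample with a real export and turn the result into the
# detection verdict (no STDOUT + exit 1 = not detected for a Win32 app / non-compliant for a Remediation):
#   secedit /export /cfg "$env:TEMP\sec.cfg" | Out-Null
#   $findings = Compare-SeceditBaseline (ConvertFrom-SeceditInf (Get-Content "$env:TEMP\sec.cfg")) $baseline
#   if ($findings) { exit 1 } else { Write-Output 'Compliant'; exit 0 }
```

The same parser is what an install script needs in order to know whether a key has to be replaced or inserted under its section: a key that is missing from the export is exactly the case a string replace cannot handle.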
Then package the scripts as a Win32 app: put Install.ps1, Detect.ps1 and an Uninstall.ps1 (Intune requires an uninstall command; a script that only exits 0 is enough if you never intend to roll the settings back) in one folder and wrap it into an .intunewin file with the Microsoft Win32 Content Prep Tool.
Navigate to https://intune.microsoft.com/ > Apps > Windows > Add > App type: Windows app (Win32) and upload the .intunewin file.
Under Program:
Install command: powershell.exe -ExecutionPolicy Bypass -File Install.ps1
Uninstall command: powershell.exe -ExecutionPolicy Bypass -File Uninstall.ps1
Installation time required (mins): leave the default
Allow available uninstall: Yes
Install behavior: System (secedit and net accounts need local administrator rights)
Device restart behavior: No specific action
Under Requirements:
Operating system architecture: 64-bit
Minimum operating system: Windows 10 1903
Under Detection rules:
Rules format: Use a custom detection script
Script file: upload Detect.ps1
Run script as 32-bit process on 64-bit clients: No
Enforce script signature check and run script silently: No
Once created and assigned, sync the device from the Company Portal app (or Settings > Accounts > Access work or school > Info > Sync) and the install should begin. Intune runs Detect.ps1 again after the install and reports the app as failed if the script does not exit 0 with output on STDOUT, so a detection mismatch shows up as an install failure rather than a silent drift.