💼 Management Samenvatting
Ensure Guest account status is disabled - verify Guest account cannot be enabled (duplicate of 'guest-account-disabled' maar explicit verification).
Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
2u (tech: 1u)
Van toepassing op:
✓ Windows 10
✓ Windows 11
✓ Windows 11
Guest account verification: Default: Guest disabled (Windows 10+), BUT: Can be manually enabled (local admin OR malware), This policy: ENFORCES disabled (prevents enabling), Defense in depth: 'guest-account-disabled' + this policy = double check (Guest CANNOT be enabled). Compliance: CIS requires explicit verification (not just recommendation).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Ensure Guest disabled: Policy: Accounts: Guest account status: Disabled (enforced), Effect: Guest account CANNOT be enabled (policy blocks attempts), Verification: Intune compliance report (Guest status = disabled on all devices).
Vereisten
- Intune subscription
- Windows 10/11
Implementatie
Intune Settings Catalog: Local Policies Security Options → Accounts: Guest account status: Disabled (enforced). Compliance: Verify Guest disabled on all devices.
Compliance
CIS Windows Benchmark L1 (enforced), BIO 09.02, ISO 27001 A.9.2.1.
Monitoring
Gebruik PowerShell-script accounts-enable-guest-account-status-is-set-to-disabled.ps1 (functie Invoke-Monitoring) – Controleren.
Remediatie
Gebruik PowerShell-script accounts-enable-guest-account-status-is-set-to-disabled.ps1 (functie Invoke-Remediation) – Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Guest account (L1) -
- BIO: 09.02.01 -
- ISO 27001:2022: A.9.2.1 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Security Options: Guest Account Disabled
.DESCRIPTION
CIS - Guest account moet disabled zijn.
.NOTES
Filename: guest-account-disabled.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Account: Guest|Expected: Disabled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "guest-disabled.ps1"; PolicyName = "Guest Account"; IsCompliant = $false; CurrentValue = $null; Details = @() }; function Invoke-Revert { Enable-LocalUser -Name "Guest" }
try { $guest = Get-LocalUser -Name "Guest" -ErrorAction SilentlyContinue; if ($guest) { if (-not $guest.Enabled) { $r.IsCompliant = $true; $r.Details += "Guest disabled" }else { $r.Details += "Guest enabled - RISK" } }else { $r.IsCompliant = $true; $r.Details += "Guest niet gevonden" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { Disable-LocalUser -Name "Guest" -ErrorAction SilentlyContinue; Write-Host "Guest account disabled" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Enable-LocalUser -Name "Guest" }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Medium: Medium: Guest account enabled = passwordless access risk.
Management Samenvatting
Ensure Guest account disabled (enforced). Verification policy. Defense in depth. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE