πΌ Management Samenvatting
Digitally sign secure channel data = cryptographic signing of domain communication - prevents MITM attacks on workstation-DC traffic.
Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
6/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
Secure channel = workstation β domain controller: Authentication traffic, Group Policy updates, Password changes. MITM attack: Attacker intercepts secure channel β injects fake GPO β malicious policy applied. Digital signing: Cryptographic signature on all traffic, MITM: Cannot forge signature β tampered traffic detected β rejected. Defense in depth: Combined with encryption (already default).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Digital signing: Policy: Domain member: Digitally sign secure channel data (Wanneer possible): Enabled, Effect: All DC communication signed (integrity protection), Performance: Minimal overhead (modern CPUs).
Vereisten
- Domain-joined devices
- Active Directory
- Intune subscription
Implementatie
Intune Settings Catalog: Local Policies Security Options β Domain member: Digitally sign secure channel data (Wanneer possible): Enabled.
Compliance
CIS Windows Benchmark L1, BIO 13.02, ISO 27001 A.13.2.1.
Monitoring
Gebruik PowerShell-script domain-member-digitally-sign.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script domain-member-digitally-sign.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - Secure channel signing (L1) -
- BIO: 13.02.01 -
- ISO 27001:2022: A.13.2.1 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Security Options: Domain Member Digitally Sign
.DESCRIPTION
CIS - Domain member: digitally sign secure channel data.
.NOTES
Filename: domain-sign.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Feature: Domain Security|Expected: Enabled
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "domain-sign.ps1"; PolicyName = "Domain Sign"; IsCompliant = $true; Details = @("Domain policy") }; return $r }
function Invoke-Remediation { Write-Host "Domain member signing via domain policy" -ForegroundColor Yellow }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): COMPLIANT" -ForegroundColor Green; return $r }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit 0 }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Write-Host "Domain policy" }else { $r = Test-Compliance; exit 0 } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
Medium: Medium: No signing = MITM kan fake GPO inject (malicious policies).
Management Samenvatting
Schakel in secure channel signing. MITM defense voor DC traffic. Implementatie: 1-2 uur.
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE