Intune: Disable Guest Account

💼 Management Summary

Disable the Windows Guest account. This prevents unauthorized local access: the Guest account has no password and only limited permissions, but it is still a security risk.

Recommendation: IMPLEMENT
Risk without implementation: Medium
Risk score: 5/10
Implementation effort: 2h (technical: 1h)
Applies to:
✓ Windows 10
✓ Windows 11

Why the Guest account is an attack vector: it is disabled by default on Windows 10 and later, but it can be re-enabled. It has no password, so anyone with physical access can sign in as Guest immediately. Its permissions are limited (it cannot install software), but it can still browse local files and network shares that grant access to Everyone or Guests. From there, a local vulnerability can be exploited to escalate from Guest to SYSTEM. Typical attack chain: physical access → sign in as Guest → run malware from a USB device → privilege escalation.

Required PowerShell Modules
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required modules: Microsoft.Graph.DeviceManagement

Implementation

Disable Guest: Policy: Guest account status = Disabled. Effect: the Guest account can no longer sign in. Exception: NONE (there is no legitimate business use for the Guest account in an enterprise environment).

Prerequisites

  1. Intune subscription
  2. Windows 10/11

Implementation

Intune Settings Catalog: Local Policies Security Options → Accounts: Guest account status: Disabled.

Compliance

CIS Windows Benchmark L1, BIO 09.02, ISO 27001 A.9.2.1.

Monitoring

Use the PowerShell script guest-account-disabled.ps1 (function Invoke-Monitoring) to check the control.
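The check above reports the configured state of the account. Because the page notes that the Guest account is disabled by default but can be re-enabled, a practitioner will also want to detect when that actually happens. The following script is an added example, not part of the baseline's own guest-account-disabled.ps1: it searches the local Security log for event 4722 (a user account was enabled) and event 4624 (successful logon) where the target is the built-in Guest account, identified by its well-known RID 501 so that a renamed Guest account is still caught. The event IDs, field names and RID are standard Windows values; the script assumes it runs elevated on the device (reading the Security log requires administrator rights) and that the "User Account Management" and "Logon" audit subcategories are enabled, otherwise the events are never written. The exit code follows the Intune remediation detection convention (0 = compliant, 1 = finding).

```powershell
<#
  Added example (not part of the baseline script): detect Guest account abuse on a device.
  Looks for:
    4722  A user account was enabled             (field TargetSid)     -> Guest re-enabled
    4624  An account was successfully logged on  (field TargetUserSid) -> Guest signed in
  The built-in Guest account always has RID 501, so the match survives a rename.
  Assumptions: runs elevated; audit subcategories "User Account Management" and "Logon" are on.
#>
#Requires -Version 5.1

function Get-EventDataValue {
    # Pulls a named <Data> field out of the event's XML payload.
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [Parameter(Mandatory)][string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-GuestAccountActivity {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4722, 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events" rather than an error.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The SID field is named differently in the two events.
        $sidField = if ($e.Id -eq 4722) { 'TargetSid' } else { 'TargetUserSid' }
        $sid = Get-EventDataValue -Event $e -Name $sidField
        if ($sid -notlike 'S-1-5-21-*-501') { continue }

        if ($e.Id -eq 4722) {
            $action  = 'Guest account enabled'
            # SubjectUserName is the account that performed the enable.
            $context = 'by ' + (Get-EventDataValue -Event $e -Name 'SubjectUserName')
        } else {
            $action  = 'Guest sign-in'
            # LogonType 2 = interactive (console), 10 = RemoteInteractive (RDP), 3 = network.
            $context = 'logon type ' + (Get-EventDataValue -Event $e -Name 'LogonType')
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Action  = $action
            Account = Get-EventDataValue -Event $e -Name 'TargetUserName'
            Sid     = $sid
            Context = $context
        }
    }
}

# Usage: report findings and also the current state of the account, then exit non-zero
# when anything was found so an Intune remediation detection script flags the device.
$hits  = @(Find-GuestAccountActivity -Hours 24)
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) { Write-Output "Guest account '$($guest.Name)' is currently ENABLED" }
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize | Out-String | Write-Output }
if ($hits.Count -gt 0 -or ($guest -and $guest.Enabled)) { exit 1 } else { exit 0 }
```

On a busy machine the 4624 volume can be large (service and network logons), so the client-side SID filter is what keeps the result useful; the time window is the only server-side narrowing that Get-WinEvent's hashtable filter offers for this case.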

Remediation

Use the PowerShell script guest-account-disabled.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Guest Account Disabled
.DESCRIPTION
    The built-in Guest account must be disabled (prevents unauthorized access via a default account).
    The check and the remediation run on the device itself (for example as an Intune remediation
    script). The Guest account is located by its well-known RID 501 so a renamed account is still found.
.NOTES
    Filename: guest-account-disabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert,
    [Parameter()][switch]$WhatIf
)
$ErrorActionPreference = 'Stop'

function Get-GuestAccount {
    # The built-in Guest account always has RID 501, even after it has been renamed.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
}

function Test-Compliance {
    $guest = Get-GuestAccount
    if (-not $guest) {
        return @{ isCompliant = $true; message = 'No built-in Guest account (RID 501) found' }
    }
    @{
        isCompliant = (-not $guest.Enabled)
        account     = $guest.Name
        message     = "Guest account '$($guest.Name)' is $(if ($guest.Enabled) { 'ENABLED' } else { 'disabled' })"
    }
}

function Invoke-Monitoring { Test-Compliance }

function Invoke-Remediation {
    $guest = Get-GuestAccount
    if ($guest -and $guest.Enabled) {
        Disable-LocalUser -Name $guest.Name
        Write-Host "Guest account '$($guest.Name)' disabled" -ForegroundColor Green
    } else {
        Write-Host 'Guest account already disabled' -ForegroundColor Gray
    }
}

try {
    if ($Revert) {
        if ($WhatIf) { Write-Host 'WhatIf: Would revert configuration' -ForegroundColor Yellow }
        else { Write-Host 'Manual revert required - see JSON documentation' -ForegroundColor Gray }
    } elseif ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) { Write-Host 'WhatIf: Would apply remediation' -ForegroundColor Yellow }
        else { Invoke-Remediation }
    } else {
        Write-Host 'Use: -Monitoring | -Remediation | -Revert | -WhatIf' -ForegroundColor Yellow
    }
} catch {
    Write-Error $_
    throw
}

Risk without implementation

Medium: Guest account = passwordless access (physical access attacks).

Management Summary

Disable the Guest account. No password = security risk. Zero business impact. Implementation: 1-2 hours.