This control configures the machine account lockout threshold to 10 or fewer invalid logon attempts, but not 0, through a Microsoft Intune device configuration policy or compliance policies, to secure Windows endpoints in line with security best practices.
Requirements
Microsoft Intune via device configuration policies
Implementation
Use PowerShell script machine-account-lockout-threshold-is-set-to-10-or-fewer-invalid-logon-attempt-s-but-not-0.ps1 (function Invoke-Implementation) – Implement.
Use PowerShell script machine-account-lockout-threshold-is-set-to-10-or-fewer-invalid-logon-attempt-s-but-not-0.ps1 (function Invoke-Monitoring) – Monitor.
Monitoring
Use PowerShell script machine-account-lockout-threshold-is-set-to-10-or-fewer-invalid-logon-attempt-s-but-not-0.ps1 (function Invoke-Monitoring) – Check.
Remediation
Use PowerShell script machine-account-lockout-threshold-is-set-to-10-or-fewer-invalid-logon-attempt-s-but-not-0.ps1 (function Invoke-Remediation) – Remediate.
Compliance and Auditing
Policy documentation
Compliance & Frameworks
CIS M365: Control 18.9.19.2 (L1) - CIS Security Benchmark recommendations
BIO: 16.01 - BIO Baseline Informatiebeveiliging Overheid - 16.01 - Event logging and audit trails
ISO 27001:2022: A.12.4.1 - ISO 27001:2022 - Event logging and audit trails
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
PowerShell
<#
================================================================================
POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    Machine Account Lockout Threshold Is Set To 10 or Fewer Invalid Logon Attempt(s) but Not 0
.DESCRIPTION
    Implements, monitors and remediates: Machine Account Lockout Threshold Is Set To 10 or Fewer Invalid Logon Attempt(s) but Not 0
.NOTES
    Filename: machine-account-lockout-threshold-is-set-to-10-or-fewer-invalid-logon-attempt-s-but-not-0.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Workload: intune
    Category: security-options
#>
#Requires -Version 5.1
[CmdletBinding()]
param()
$ErrorActionPreference = 'Stop'
function Invoke-Implementation {
    <#
    .SYNOPSIS
        Implements the configuration
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Invoke-Implementation - Machine Account Lockout Threshold Is Set To 10 of Fewer Invalid Logon Attempt S maar Not 0" -ForegroundColor Cyan
    # Implementation applies the same settings as remediation
    Invoke-Remediation
}
function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks the current configuration status
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "Machine Account Lockout Threshold Is Set To 10 of Fewer Invalid Logon Attempt S maar Not 0 - Monitoring" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        # TODO: Implement monitoring logic for Machine Account Lockout Threshold Is Set To 10 or Fewer Invalid Logon Attempt(s) but Not 0
        Write-Host "[INFO] Monitoring check voor Machine Account Lockout Threshold Is Set To 10 of Fewer Invalid Logon Attempt S maar Not 0" -ForegroundColor Yellow
        Write-Host "[OK] Monitoring check completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Monitoring failed: $_"
        throw
    }
}
function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "Machine Account Lockout Threshold Is Set To 10 of Fewer Invalid Logon Attempt S maar Not 0 - Remediation" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        # TODO: Implement remediation logic for Machine Account Lockout Threshold Is Set To 10 or Fewer Invalid Logon Attempt(s) but Not 0
        Write-Host "[INFO] Remediation voor Machine Account Lockout Threshold Is Set To 10 of Fewer Invalid Logon Attempt S maar Not 0" -ForegroundColor Yellow
        Write-Host "[OK] Remediation completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Remediation failed: $_"
        throw
    }
}
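The script above leaves its monitoring and remediation logic as TODO. One way to implement the check on a Windows endpoint, as an added example that is not part of the baseline's own script: the function names are hypothetical, and the registry value used (MaxDevicePasswordFailedAttempts under Policies\System) is an assumption about where the "Interactive logon: Machine account lockout threshold" policy is stored, since the page does not name it.

```powershell
#Requires -Version 5.1
# Added example. Assumption: the policy "Interactive logon: Machine account
# lockout threshold" is stored as DWORD MaxDevicePasswordFailedAttempts here.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'MaxDevicePasswordFailedAttempts'

function Test-LockoutThreshold {
    # Pure check: compliant only for 1..10. $null (not configured) and 0 both
    # mean the machine never locks out, so both fail the control.
    param([AllowNull()][object]$Value)
    if ($null -eq $Value) { return 'NotConfigured' }
    $n = 0
    if (-not [int]::TryParse([string]$Value, [ref]$n)) { return 'Invalid' }
    if ($n -lt 0)  { return 'Invalid' }
    if ($n -eq 0)  { return 'Disabled' }
    if ($n -le 10) { return 'Compliant' }
    return 'TooHigh'
}

function Get-LockoutThreshold {
    # Returns the configured value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyName
}

function Set-LockoutThreshold {
    # Writes the value locally; ValidateRange rejects 0 and anything above 10.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(1, 10)][int]$Threshold = 10)
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$PolicyName", "Set to $Threshold")) {
        if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
        New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value $Threshold `
            -PropertyType DWord -Force | Out-Null
    }
}

# Constructed sample values exercise the check without touching the registry.
foreach ($sample in @($null, 0, 5, 10, 11, 'abc')) {
    '{0,-6} -> {1}' -f "[$sample]", (Test-LockoutThreshold $sample)
}
# Live check; -WhatIf only reports what remediation would change.
$state = Test-LockoutThreshold (Get-LockoutThreshold)
"Current state: $state"
if ($state -ne 'Compliant') { Set-LockoutThreshold -Threshold 10 -WhatIf }
```

On Intune-managed devices a local registry write can be overwritten at the next policy sync, so treat the set function as a stopgap and configure the value in the device configuration policy.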