Comparing the DISA STIG to Intune Security Baselines
My last two posts have covered the DISA STIG in-depth. In reality they were mostly mimicking work I’ve done before – leveraging LGPO and MMAT to apply GPOs. When I first set out to do those tasks years ago I had to learn how to do them via trial and error, which is why I turned them into blog posts. All of that work has led up to this point, where we’ll be doing something completely new. Today we will implement the DISA STIG into modern Intune profiles by using Security Baselines. If the Security Baselines fall short, we’ll see if we can supplement them with other Intune profiles.
Our first step is just like before: open up the DISA STIG and review the settings. I’m using the same DoD Windows 10 v1r18 copy as before:
We have a few options here, but the easiest (for me at least) would be to look at the Reports folder and inspect the GPO exports.
The User STIG has only 2 settings, so we’ll start here. In Intune, create a new Security Baseline by clicking Device Security > Security Baselines > MDM Security Baseline > Profiles > + Create Profile.
I’ll name mine DoD Windows 10 STIG v1r18 (matching the STIG itself).
On the Configuration settings pane, we can search for each of our settings. If we search for Toast, we’ll find the setting we’re looking for:
If we try to hunt down the “Prevent users from synchronizing personal OneDrive accounts” setting we’ll notice it doesn’t exist. So we’ll have to fall back to Administrative Templates. Let’s save the Security Baseline and create an Administrative Template Device Configuration profile.
Administrative Templates profiles have to be created before you can edit them. Once you create the profile, click Settings, select Office from the drop-down, and type “prevent users from s”…
and voilà! There’s the setting we needed. Select it and click Enabled (matching the GPResult for the User STIG) to add it to our Administrative Template.
So now we have two profiles for our 2 User STIG settings. You can either create new profiles for the Computer settings or reuse the same profiles (I’ll be reusing them for simplicity). Just like before, open up the GPResult from the Reports folder, and expand the settings:
We have a ton of settings here so let’s get to it! Starting with the Password Policy, let’s head back to the Security Baseline:
We can easily find the “Enforce password history”, “Maximum password age”, “Minimum password length”, and “Minimum password age” settings. The only one we need to change is password length, set to 14 instead of 8. Since I wasn’t 100% sure about “Password must meet complexity requirements”, let’s take a quick look at the GPO description and see if it can be met with the available settings. A quick search gets us to the docs page:
The GPO description starts with checks of the password against the account name and display name, which are not options in our Security Baseline. I would consider the alphanumeric option as meeting the second half of the complexity requirement (the character-class rules). But since we’re trying to be as accurate as possible, I’ll have a list of the differences between the STIG and our MDM settings at the end of this article.
If we look for “Store passwords using reversible encryption” we’ll also notice that it’s missing and add that to our tally. While we’re here, let’s search for the Device Lock security baseline settings that we haven’t enabled to see if they are STIG requirements.
If we search for Camera, we’ll notice that Prevent enabling lock screen camera is set to enabled – just like our baseline. Just below it, Prevent enabling lock screen slide show is also enabled.
Now, the one setting that we can’t find in the STIG is Number of sign-in failures before wiping device. We can set this to 0 to disable the setting. I’m sure most companies would prefer to leave this at 10, but we’re trying to match everything here.
Onto the next group of security settings! For Account Lockout Policy, we can easily find the lockout duration:
But unfortunately, the threshold and lockout counter settings are missing. If we try to hunt them down in the Administrative Templates or Device Restrictions, they are also unavailable.
Like before, I went through the rest of the Local Policies Security Options. From my understanding, the Security Baseline setting “Block remote logon with blank password” matches “Accounts: Limit local account use of blank passwords to console logon only”. Other than that, the rest of our Security Baseline settings are there! No changes required.
For User Rights Assignment, “Access Credential Manager as a trusted caller” is set to none in the STIG. Fortunately, by default it is set to none – so we could in theory consider this complete. But going further down – none of the User Rights Assignment settings are available. So where can we find them?
We’ll need to create an Endpoint protection Intune profile. Once you create the profile, go down to User Rights – where we’ll find the settings we need to enable.
“Access this computer from the network” matches up with “Allow access from network”, so we’ll click Allow in the dropdown, then Other local users or groups. On this pane, I just used the predefined values to set BUILTIN\Remote Desktop Users, BUILTIN\Administrators and then click Add.
And now we’ll need to do this 28 more times. Quick note – there will be a few items where the STIG uses the placeholder names ADD YOUR ENTERPRISE ADMINS and ADD YOUR DOMAIN ADMINS rather than real accounts. Be sure to look up the SIDs of those groups in your own domain and use them for these settings.
In the end you’ll have most of the settings configured:
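To cut down on the manual transcription (and to catch the placeholder accounts before they bite), here is an added PowerShell example that is not part of the original post. It reads the gpreport.xml inside each GPO backup of the DISA package, lists every User Rights Assignment with its members and SIDs, and flags members that carry no SID, which is how the ADD YOUR ENTERPRISE/DOMAIN ADMINS placeholders show up. The $StigRoot path, the CONTOSO domain and the group names at the end are assumptions; the gpreport.xml layout is the standard Group Policy backup report, so the same script works on any GPO backup.

```powershell
# Added example, not from the original post. Enumerates User Rights Assignments
# from the gpreport.xml files in a DISA GPO package so the Intune entries can be
# filled from the STIG's own data. Assumed path; adjust to your extract location.
$StigRoot = 'C:\STIG\DoD Windows 10 v1r18'

$rights = foreach ($report in (Get-ChildItem -Path $StigRoot -Recurse -Filter 'gpreport.xml')) {
    # gpreport.xml is UTF-16 with a BOM; -Raw keeps it as one string for the [xml] cast.
    [xml]$gpo = Get-Content -Path $report.FullName -Raw

    # User rights live in the Security Settings client-side extension of the Computer half.
    $secExt = @($gpo.GPO.Computer.ExtensionData.Extension) |
        Where-Object { $_.type -like '*SecuritySettings' }

    foreach ($ura in @($secExt.UserRightsAssignment)) {
        if (-not $ura) { continue }
        # A right set to "none" (e.g. Access Credential Manager as a trusted caller) has no Member.
        $members = @($ura.Member) | Where-Object { $_ }
        [pscustomobject]@{
            GPO          = $gpo.GPO.Name
            Privilege    = $ura.Name                                           # e.g. SeNetworkLogonRight
            Accounts     = ($members | ForEach-Object { $_.Name }) -join ';'  # e.g. BUILTIN\Administrators
            SIDs         = ($members | ForEach-Object { $_.SID }) -join ';'   # e.g. S-1-5-32-544
            # A member with no SID is an unresolved name, i.e. one of the STIG placeholders.
            Placeholders = ($members | Where-Object { -not $_.SID } | ForEach-Object { $_.Name }) -join ';'
        }
    }
}

$rights | Sort-Object Privilege | Format-Table GPO, Privilege, Accounts, SIDs, Placeholders -AutoSize

# Rights that still carry placeholders must be completed with your own groups.
$rights | Where-Object { $_.Placeholders } |
    ForEach-Object { "TODO {0}: replace '{1}'" -f $_.Privilege, $_.Placeholders }

# Resolve your real groups to SIDs for those entries (run on a domain-joined machine).
# 'CONTOSO' and the group names are assumptions; use your own domain.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    try {
        $account = New-Object System.Security.Principal.NTAccount('CONTOSO', $group)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "CONTOSO\{0} = {1}" -f $group, $sid
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        "CONTOSO\{0} could not be resolved from this machine" -f $group
    }
}
```

The Placeholders column is the part worth keeping: any right that lists one is a setting you cannot copy verbatim from the STIG, because the real group SID differs per domain.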
Moving on – for Local Policies/Security Options things actually start off in the Endpoint protection settings again. If we click on Local device security options, we’ll find most of the settings we’ll need to configure:
The Accounts settings are easy enough:
For Interactive Logon, we run into one issue… the message text is too long for the Intune input box. In the screenshot below, the highlighted text on the left had to be excluded to fit.
With all the available settings, we should have 47 configured:
And that completes our Security Options! There were a considerable amount that were not available, but we did cover an overwhelming majority.
Okay – time for some bad news. None of the Advanced Audit Configuration settings are available. I suppose there’s something to be said about using modern security detection products such as Cloud App Security or Advanced Threat Analytics for cloud-only devices, but, still unfortunate to see it missing.
That does mean that we’ve completed all the “Windows Settings” though, so now we can move on to Administrative Templates.
The first category, Control Panel/Personalization, has already been covered by the Device Lock Security baseline settings we looked at before:
The next category, MS Security Guide, has a matching group in the Security Baseline. All of the Security Baseline settings match but…
we are missing the “Run As Different User” setting (from all other profiles, too).
For the rest of the settings, I’ll focus on enumerating the differences (with explanations), rather than taking screenshots of every category. We’ll be using the Security Baseline, Device Restrictions, Administrative Templates, and Endpoint Protection profiles.
According to the Policy CSP, “Block Internet Sharing” is the same as “Prohibit the use of Internet Connection Sharing on your DNS domain network”.
Under Device Guard, Secure Launch Configuration is set to Not Configured. In the Security Baseline it was set to enabled (and the name was changed to system guard), so we’ll have to change that:
For Power Settings, the standby states are not configured in the STIG. In the Security Baseline they were disabled:
Interestingly, the STIG has “Turn off Microsoft consumer experiences” but not “Block Windows spotlight”, so 3rd party suggestions (like start menu, lockscreen) are still allowed. So we’ll change that in the Security Baseline:
We’ll need to bump up the Security log size in our Baseline: the STIG requires a Security event log of at least 1024000 KB, roughly five times the Baseline default…
Two of the Edge Security settings are not configured in the STIG:
The Exploit Protection Security Baseline has an embedded XML that we can use, instead of pointing to a folder share that the STIG suggests:
There is no BitLocker policy requiring encryption of removable drives in the STIG, so we can change this to Not Configured as well:
Block direct memory access is undefined in the STIG:
Device installation is undefined in the STIG:
DMA Guard is undefined in the STIG:
The File Explorer settings in the Security Baseline are not configured in the STIG:
Windows Defender and Internet Explorer each have their own STIG, so I won’t be incorporating them into our Security Baseline. Let me know if you’d be interested in seeing two more baselines created that match these settings!
System boot driver initialization is not configured in the STIG:
and our final difference, the Windows Ink Workspace. In the Security Baseline it is set to enabled, but the STIG does not mention it at all, so we’ll change it to not configured:
That completes our comparison. Of all the settings, only 4 needed to be added as Administrative Templates:
8 settings were added as Device Restrictions:
53 Endpoint Protection settings:
And 1 setting for the Delivery Optimization profile:
Summary
In the end, of the 205 STIG GPO settings, Intune profiles (Security Baseline, Administrative Template, Device Restrictions, Endpoint Protection) were able to cover almost 160 (with a bulk of the missing settings being Audit policies). Additionally, the STIG itself misses 15 great settings that the Security Baseline recommends!
Thanks for making it to the end! I hope this has been useful. If you’re not deploying the STIG GPOs then maybe you’ll use this as an encyclopedia of current missing Intune settings. Throughout this process I’ve searched all of the missing settings, and it’s hard to stumble on a definitive page that tells you “no, it’s not available.” I know I’ll be back on this page for that very reason.
And for those looking to implement this in their own environment, here is an export of the Device Restrictions, Endpoint Protection, and Delivery Optimization settings not covered by the Security Baseline: windows10_stig.zip. There’s another post on Device Advice that explains how to import these settings: https://deviceadvice.io/2019/07/12/export-import-your-intune-tenant-settings/. I initially thought the Administrative Templates profile would be exported as well, but it looks like that’s not covered by the Intune PowerShell Samples – so I’ll have to write my own for another post.
Without further ado, here’s the exact list of differences:
STIG GPOs that are missing from Intune profiles
Account Policies/Password Policy
Password must meet complexity requirements*
*a complexity policy (forcing alphanumeric) is available, but this doesn’t meet 100% of the GPO requirements
Store passwords using reversible encryption
Account Policies/Account Lockout Policy
Account lockout threshold
Reset account lockout counter after
Local Policies/User Rights Assignment
Deny log on as a batch job
Deny log on locally
Local Policies/Security Options
All of the Domain Member settings (Digitally encrypt or sign secure channel data (always), Digitally encrypt secure channel data (when possible), Digitally sign secure channel data (when possible), Disable machine account password changes, Maximum machine account password age, Require strong (Windows 2000 or later) session key)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Allow anonymous SID/Name translation
Network access: Let Everyone permissions apply to anonymous users
Network security: LDAP client signing requirements
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Configure encryption types allowed for Kerberos
System Services
Secondary Logon: Disabled
Advanced Audit Configuration
No settings are configurable
MS Security Guide
Remove “Run as Different User” from context menus
Network/SSL Configuration Settings
ECC Curve order
System/Internet Communication Management/Internet Communication settings
Turn off printing over HTTP
System/Group Policy
Configure registry policy processing
System/Audit Process Creation
Include command line in process creation events
System/Logon
Do not display network selection UI
Windows Components/Application Compatibility
Turn off Inventory Collector
Windows Components/Windows Hello for Business
Use a hardware security device: Do not use the following security devices: TPM 1.2*
*If you use the Intune compliance policy, “Require TPM”, this sort of works, because TPM 1.2 devices won’t report as compliant.
Intune Security Baseline settings missing from the STIG
BitLocker
Removable drive policy
Browser
Block malicious site access
Block unverified file download
Device Lock
Number of sign-in failures before wiping device
Data Protection
Block direct memory access
Device Installation
Block hardware device installation by device identifiers, and block hardware device installation by setup classes
DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection
Experience
Block third-party suggestions in Windows Spotlight
File Explorer
Block data execution prevention
Block heap termination on corruption
Power
Standby states when sleeping while on battery
Standby states when sleeping while plugged in
System
System boot start driver initialization
Windows Ink Workspace
Ink Workspace
Just wanted to drop a line and thank you for this post – it has been extremely helpful for a deployment I am currently working on! If you do get around to the Defender and IE posts I know I would definitely read them 😀
Cheers!
I feel like I just stumbled on a gold mine. Thanks for diving deep on this subject. I haven’t fully read the article but as someone just getting started with Intune and configuring a lot of these unconfigured baseline policies or configuration settings, this content is incredibly appreciated. I’m in the Finance industry so our security controls might be a little different but this should get me started in the right direction to at least have a more hardened security policy.
Thanks again. Hope you had a great holiday and here’s to an even better new year.
It looks like the “User Rights” section is no longer under Endpoint Protection as shown in this guide. I’ve looked everywhere for it to access its sub-options, but can’t find it. Do you know where the User Rights section got moved to?
Looking for the “User Rights” also. Any idea where it’s now?
Unfortunately “User Rights” is no longer available as a Configuration Profile in the Intune console. They will need to be configured manually by creating custom profiles. Here is the docs link for the UserRights Policy CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights
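Since the User Rights pane is gone from Endpoint Protection, here is an added PowerShell example (not from the post or the commenters) that turns a table of rights into the rows a custom OMA-URI profile needs for the UserRights CSP linked above. It assumes the node names and the ./Device/Vendor/MSFT/Policy/Config/UserRights/ prefix from that CSP reference, the U+F000 (`&#xF000;`) separator the CSP uses between accounts, and the `*S-1-5-…` form for SIDs (verify both against the current CSP page). The two rights and their SIDs are illustrative values in the spirit of the post’s “Access this computer from the network” entry; the real lists come from your own STIG GPO export.

```powershell
# Added example, not from the post or its comments. Builds the OMA-URI settings
# for a custom Intune profile targeting the UserRights Policy CSP.
# Assumptions: node names and URI prefix per the UserRights CSP reference, accounts
# separated by U+F000, SIDs written as *S-1-5-... (secedit style). The rights and
# SIDs below are illustrative; take the real lists from your STIG GPO export.

$UserRightsUriPrefix = './Device/Vendor/MSFT/Policy/Config/UserRights/'
$Delimiter = [string][char]0xF000     # the &#xF000; separator the CSP expects

function ConvertTo-UserRightsValue {
    # Normalises a list of accounts into one CSP string: trims, drops blanks,
    # prefixes bare SIDs with '*', de-duplicates, and joins with the delimiter.
    param([string[]]$Accounts)
    $items = foreach ($a in $Accounts) {
        $a = $a.Trim()
        if (-not $a) { continue }
        if ($a -match '^S-1-\d+(-\d+)+$') { "*$a" } else { $a }
    }
    return (@($items) | Select-Object -Unique) -join $Delimiter
}

function New-UserRightsSetting {
    # One row per right, in the shape the custom profile asks for.
    param([string]$Right, [string[]]$Accounts)
    [pscustomobject]@{
        Name     = "STIG - User Rights - $Right"
        OmaUri   = $UserRightsUriPrefix + $Right
        DataType = 'String'
        Value    = ConvertTo-UserRightsValue -Accounts $Accounts
    }
}

# Illustrative assignments using well-known SIDs: Administrators (S-1-5-32-544),
# Remote Desktop Users (S-1-5-32-555), Guests (S-1-5-32-546), Local account (S-1-5-113).
$settings = @(
    New-UserRightsSetting -Right 'AccessFromNetwork'     -Accounts 'S-1-5-32-544', 'S-1-5-32-555'
    New-UserRightsSetting -Right 'DenyAccessFromNetwork' -Accounts 'S-1-5-32-546', 'S-1-5-113'
)

# The delimiter is invisible in the console, so also print it in its entity form.
$settings | ForEach-Object {
    "{0}`n  {1}" -f $_.OmaUri, ($_.Value -replace [regex]::Escape($Delimiter), '&#xF000;')
}

# A CSV to work from when pasting rows into the custom profile (assumed output path).
$settings | Export-Csv -Path '.\UserRights-OmaUri.csv' -NoTypeInformation -Encoding UTF8
```

The Value column holds the actual U+F000 character rather than the entity text, so copying it from the CSV into the portal preserves the separator; the entity form is only echoed so you can see where the boundaries are.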