Comparing the DISA STIG to Intune Security Baselines

My last two posts have covered the DISA STIG in-depth. In reality they were mostly mimicking work I’ve done before – leveraging LGPO and MMAT to apply GPOs. When I first set out to do those tasks years ago I had to learn how to do them via trial and error, which is why I turned them into blog posts. All of that work has led up to this point, where we’ll be doing something completely new. Today we will implement the DISA STIG into modern Intune profiles by using Security Baselines. If the Security Baselines fall short, we’ll see if we can supplement them with other Intune profiles.

Our first step is just like before: open up the DISA STIG and review the settings. I’m using the same DoD Windows 10 v1r18 copy as before:

DISA STIG directory

We have a few options here, but the easiest (for me at least) would be to look at the Reports folder and inspect the GPO exports.

Reports folder
GPResult for User

The User STIG has only 2 settings, so we’ll start here. In Intune, create a new Security Baseline by clicking Device Security > Security Baselines > MDM Security Baseline > Profiles > + Create Profile.

MDM Security Baselines
MDM Security Baseline Profiles

I’ll name mine DoD Windows 10 STIG v1r18 (matching the STIG itself).

Create profile pane

On the Configuration settings pane, we can search for each of our settings. If we search for Toast, we’ll find the setting we’re looking for:

Block display of toast notifications set to Yes

If we try to hunt down the “Prevent users from synchronizing personal OneDrive accounts” setting we’ll notice it doesn’t exist. So we’ll have to fall back to Administrative Templates. Let’s save the Security Baseline and create an Administrative Template Device Configuration profile.

Administrative Templates profile

Administrative templates have to be created before you can edit them. Once you create the profile, select click Settings, select Office from the drop down, and type “prevent users from s”

Prevent users from syncing personal OneDrive accounts

and viola! There’s the setting we needed. Select the setting and click Enabled (like the GPResult User STIG shows) to add the setting to our Administrative Template.

Enabling the prevent personal OneDrive setting

So now we have two profiles for our 2 User STIG settings. You can either create new profiles for the Computer settings or reuse the same profiles (I’ll be reusing them for simplicity). Just like before, open up the GPResult from the Reports folder, and expand the settings:

Computer STIG Settings

We have a ton of settings here so let’s get to it! Starting with the Password Policy, let’s head back to the Security Baseline:

Security Baseline and STIG GPResult side by side

We can easily find the “Enforce password history”, “Maximum password age”, “Minimum password length”, and “Minimum password age” settings. The only one we need to change is password length, set to 14 instead of 8. Since I wasn’t 100% sure about “Password must meet complexity requirements”, take a quick look at the GPO and see if it can be met with the available settings. A quick search gets us to the docs page:

Password GPO

The beginning of the GPO talks about validating Account and Display names against the password – which are not options in our Security Baseline. I would consider the alphanumeric option as meeting the second half of the complexity requirements. But since we’re trying to be as accurate as possible, I’ll have a list of the differences between the STIG and our MDM settings at the end of this article.

If we look for “Store passwords using reversible encryption” we’ll also notice that it’s missing and add that to our tally. While we’re here, let’s search for the Device Lock security baseline settings that we haven’t enabled to see if they are STIG requirements.

If we search for Camera, we’ll notice that Prevent enabling lock screen camera is set to enabled – just like our baseline. Just below it, Prevent enabling lock screen slide show is also enabled.

Prevent lock screen camera

Now, the one setting that we can’t find in the STIG is Number of sign-in failures before wiping device. We can set this to 0 to disable the setting. I’m sure most companies would prefer to leave this at 10, but we’re trying to match everything here.

MDM Security Baseline setting that isn’t in STIG

Onto the next group of security settings! For Account Lockout Policy, we can easily find the lockout duration:

Account lockout duration

But unfortunately, the threshold and lockout counter settings are missing. If we try to hunt them down in the Administrative Templates or Device Restrictions, they are also unavailable.

Like before, I went through the rest of the the Local Policies Security Options. From my understanding, the Security Baseline setting “Block remote logon with blank password” matches “Accounts: Limit local account use of blank passwords to console logon only”. Other than that, the rest of our Secure Baseline settings are there! No changes required.

Local Policies Security Options settings

For User Rights Assignment, “Access Credential Manager as a trusted caller” is set to none in the STIG. Fortunately, by default it is set to none – so we could in theory consider this complete. But going further down – none of the User Rights Assignment settings are available. So where can we find them?

We’ll need to create an Endpoint protection Intune profile. Once you create the profile, go down to User Rights – where we’ll find the settings we need to enable.

Endpoint protection user rights

“Access this computer from the network” matches up with “Allow access from network”, so we’ll click Allow in the dropdown, then Other local users or groups. On this pane, I just used the predefined values to set BUILTIN\Remote Desktop Users, BUILTIN\Administrators and then click Add.

Configuring User Rights Assignment settings

And now we’ll need to do this 28 more times. Quick note – there will be a few items where the STIG references says, ADD YOUR ENTERPRISE/DOMAIN ADMINS. Be sure to grab the relevant SIDs for these settings.

ADD YOUR ADMINS

In the end you’ll have most of the settings configured:

Moving on – for Local Policies/Security Options things actually start off in the Endpoint protection settings again. If we click on Local device security options, we’ll find most of the settings we’ll need to configure:

Endpoint protection Intune profile

The Accounts settings are easy enough:

For Interactive Logon, we run into one issue… the message text is too long. In the screenshot below, the highlighted text on the left must be excluded to fit the input box.

With all the available settings, we should have 47 configured:

And that completes our Security Options! There were a considerable amount that were not available, but we did cover an overwhelming majority.

Okay – time for some bad news. None of the Advanced Audit Configuration settings are available. I suppose there’s something to be said about using modern security detection products such as Cloud App Security or Advanced Threat Analytics for cloud-only devices, but, still unfortunate to see it missing.

Advanced Audit Configuration Settings

That does mean that we’ve completed all the “Windows Settings” though, so now we can move on to Administrative Templates.

Windows Settings portion of the STIG GPResult

The first category, Control Panel/Personalization, has already been covered by the Device Lock Security baseline settings we looked at before:

Control Panel/Personalization settings

The next category, MS Security Guide, has a matching group in the Security Baseline. All of the Security Baseline settings match but…

MS Security Guide settings

we are missing the “Run As Different User” setting (from all other profiles, too).

For the rest of the settings, I’ll focus on enumerating the differences (with explanations), rather then taking screenshots of every category. We’ll be using the Security Baseline, Device Restrictions, Administrative Templates, and Endpoint Protection profiles.

According to the Policy CSP, “Block Internet Sharing” is the same as “Prohibit the use of Internet Connection Sharing on your DNS domain network”.

Wi-Fi settings
Policy CSP page

Under Device Guard, Secure Launch Configuration is set to Not Configured. In the Security Baseline it was set to enabled (and the name was changed to system guard), so we’ll have to change that:

Launch system guard set to Not Configured

For Power Settings, the standby states are not configured in the STIG. In the Security Baseline they were disabled:

Standby states

Interestingly, the STIG has “Turn off Microsoft consumer experiences” but not “Block Windows spotlight”, so 3rd party suggestions (like start menu, lockscreen) are still allowed. So we’ll change that in the Security Baseline:

Un-blocking third party suggestions in Windows Spotlight

We’ll need to bump up the size of the Security log size in our Baseline by a magnitude of 5…

Event log size going from 190000 to 1024000 KBs

Two of the Edge Security settings are not configured in the STIG:

The Exploit Protection Security Baseline has an embedded XML that we can use, instead of pointing to a folder share that the STIG suggests:

Exploit Guide XML

There is not BitLocker policy set to require encryption for removable drives in the STIG, so we can change this to Not Configured as well:

Removable drive policy

Block direct memory access is undefined in the STIG:

Direct Memory Access setting

Device installation is undefined in the STIG:

Changing device installation to Allow

DMA Guard is undefined in the STIG:

Changing DMA Guard to Device default

The File Explorer settings in the Security Baseline are not configured in the STIG:

Changing both File Explorer settings to Not Configured

Windows Defender and Internet Explorer each have their own STIG, so I won’t be incorporating them into our Security Baseline. Let me know if you’d be interested in seeing two more baselines created that match these settings!

System boot driver initialization is not configured in the STIG:

Changing boot start driver initialization to not configured

and our final difference, the Windows Ink Workspace. In the Security Baseline it is set to enabled, but the STIG does not mention it at all, so we’ll change it to not configured:

Windows Ink Workspace changed to not configured

That completes our comparison. Off all the settings, only 4 needed to be added as Administrative Templates:

Administrative Template settings

8 settings were added as Device Restrictions:

“Allow InPrivate browsing” and “Clear browsing data on exit” configured
Password set to required, and FIPs policy allowed
Telemetry set to Enchanced

53 Endpoint Protection settings:

4 BitLocker OS drive settings
28 Local device security options settings
21 User Rights settings configured

And 1 setting for the Delivery Optimization profile:

Setting Download mode for Delivery Optimization

Summary

In the end, of the 205 STIG GPO settings, Intune profiles (Security Baseline, Administrative Template, Device Restrictions, Endpoint Protection) were able to cover almost 160 (with a bulk of the missing settings being Audit policies). Additionally, the STIG itself misses 15 great settings that the Security Baseline recommends!

Thanks for making it to the end! I hope this has been useful. If you’re not deploying the STIG GPOs then maybe you’ll use this as an encyclopedia of current missing Intune settings. Throughout this process I’ve searched all of the missing settings, and it’s hard to stumble on a definitive page that tells you “no, it’s not available.” I know I’ll be back on this page for that very reason.

And for those looking to implement this in their own environment, here is an export of the Device Restrictions, Endpoint Protection, and Delivery Optimization settings not covered by the Security Baseline: windows10_stig.zip. There’s another post on Device Advice that explains how to import these settings: https://deviceadvice.io/2019/07/12/export-import-your-intune-tenant-settings/. I initially thought the Administrative Templates profile would be exported as well, but it looks like that’s not covered by the Intune PowerShell Samples – so I’ll have to write my own for another post.

Without further adieu, here’s the exact list of differences:

STIG GPOs that are missing from Intune profiles

Account Policies/Password Policy
Password must meet complexity requirements*
*a complexity policy (forcing alphanumeric) is available, but this doesn’t meet 100% of the GPO requirements
Store password using reversible encryption

Account Policies/Account Lockout Policy
Account lockout threshold
Reset account lockout counter after

Local Policies/User Rights Assignment
Deny log on as a batch job
Deny log on locally

Local Policies/Security Options
All of the Domain Member settings (Digitally encrypt or sign secure channel data (always), Digitally encrypt secure channel data (when possible), Digitally sign secure channel data (when possible), Disable machine account password changes, Maximum machine account password age, Require strong (Windows 2000 or later) session key)
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Allow anonymous SID/Name translation
Network access: Let Everyone permissions apply to anonymous users
Network security: LDAP client signing requirements
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Configure encryption types allowed for Kerberos

System Services
Secondary Logon: Disabled

Advanced Audit Configuration
No settings are configurable

MS Security Guide
Remove “Run as Different User” from context menus

Network/SSL Configuration Settings
ECC Curve order

System/Internet Communication Management/Internet Communication settings
Turn off printing over HTTP

System/Group Policy
Configure registry policy processing

System/Audit Process Creation
Include command line in process creation events

System/Logon
Do not display network selection UI

Windows Components/Application Compatibility
Turn off Inventory Collector

Windows Components/Windows Hello for Business
Use a hardware security device: Do not use the following security devices: TPM 1.2*
*If you use the Intune compliance policy, “Require TPM”, this sort of works, because TPM 1.2 devices won’t report as compliant.

Intune Security Baseline settings missing from the STIG

BitLocker
Removable drive policy

Browser
Block malicious site access
Block unverified file download

Device Lock
Number of sign-in failures before wiping device

Data Protection
Block direct memory access

Device Installation
Blocking Hardware device installation by device identifiers and Hardware device installation by setup classes

DMA Guard
Enumeration of external devices incompatible with Kernel DMA Protection

Experience
Block third-party suggestions in Windows Spotlight

File Explorer
Block data execution prevention
Block heap termination on corruption

Power
Standby states when sleeping while on battery
Standby states when sleeping while plugged in

System
System boot start driver initialization

Windows Ink Workspace
Ink Workspace

You may also like...

2 Responses

  1. Brendan says:

    Just wanted to drop a line and thank you for this post – it has been extremely helpful for a deployment I am currently working on! If you do get around to the Defender and IE posts I know I would definitely read them 😀

    Cheers!

  2. Adrian says:

    I feel like I just stumbled on a gold mine. Thanks for diving deep on this subject. I haven’t fully read the article but as someone just getting started with Intune and configuring a lot of these unconfigured baseline policies or configuration settings, this content is incredibly appreciated. I’m in the Finance industry so our security controls might be a little different but this should get me started in the right direction to at least have a more hardened security policy.

    Thanks again. Hope you had a great holiday and here’s to an even better new year.

Leave a Reply

Your email address will not be published. Required fields are marked *