Microsoft Intune Service Desktop Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the tempora...Rule Medium Severity -
Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.
Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices. Protection of log data includes ensuring log data is not acciden...Rule Medium Severity -
Microsoft Intune service must enforce a 60-day maximum password lifetime restriction.
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and p...Rule Medium Severity -
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are modified.
When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notificat...Rule Medium Severity -
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account removal actions.
When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of accou...Rule Medium Severity -
SRG-APP-000003-UEM-000003
Group -
SRG-APP-000025-UEM-000014
Group -
Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity.
Attackers that can exploit an inactive account and identifiers can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized a...Rule Medium Severity -
SRG-APP-000065-UEM-000036
Group -
Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.