Skip to content

II - Mission Support Sensitive

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000003-UEM-000003

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity.

    &lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinit...
    Rule Medium Severity
  • SRG-APP-000025-UEM-000014

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity.

    &lt;VulnDiscussion&gt;Attackers that can exploit an inactive account and identifiers can potentially obtain and maintain undetected access to an ap...
    Rule Medium Severity
  • SRG-APP-000065-UEM-000036

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

    &lt;VulnDiscussion&gt;By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise...
    Rule Medium Severity
  • SRG-APP-000068-UEM-000037

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must display the Standard Mandatory DOD Notice and Consent Banner and have the user acknowledge acceptance of the access conditions before granting access to the application.

    &lt;VulnDiscussion&gt;Display of the DOD-approved use notification before granting access to the application ensures privacy and security notificat...
    Rule Medium Severity
  • SRG-APP-000125-UEM-000074

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.

    &lt;VulnDiscussion&gt;Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed de...
    Rule Medium Severity
  • SRG-APP-000149-UEM-000083

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts.

    &lt;VulnDiscussion&gt;A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring atte...
    Rule Medium Severity
  • SRG-APP-000174-UEM-000104

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must enforce a 60-day maximum password lifetime restriction.

    &lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals...
    Rule Medium Severity
  • SRG-APP-000291-UEM-000165

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are created.

    &lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestabli...
    Rule Medium Severity
  • SRG-APP-000292-UEM-000166

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are modified.

    &lt;VulnDiscussion&gt;When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or...
    Rule Medium Severity
  • SRG-APP-000293-UEM-000167

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account disabling actions.

    &lt;VulnDiscussion&gt;When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or...
    Rule Medium Severity
  • SRG-APP-000294-UEM-000168

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account removal actions.

    &lt;VulnDiscussion&gt;When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identif...
    Rule Medium Severity
  • SRG-APP-000320-UEM-000193

    <GroupDescription></GroupDescription>
    Group
  • Microsoft Intune service must notify system administrator and information system security officer (ISSO) of account enabling actions.

    &lt;VulnDiscussion&gt;Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestabli...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules