| Finding ID |
Severity |
Title |
Description |
|
V-267379
|
Medium |
Microsoft Intune service must notify system administrator and information system security officer (ISSO) of account enabling actions. |
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Sending notification of account enabling events to the system administrator and ISSO is... |
|
V-267375
|
Medium |
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account removal actions. |
When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of account removal events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application... |
|
V-267374
|
Medium |
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account disabling actions. |
When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account disabling events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that... |
|
V-267373
|
Medium |
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are modified. |
When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that... |
|
V-267372
|
Medium |
Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are created. |
Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Sending notification of account creation events to the system administrator and ISSO is one method... |
|
V-267355
|
Medium |
Microsoft Intune service must enforce a 60-day maximum password lifetime restriction. |
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals.
One method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their... |
|
V-267341
|
Medium |
Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts. |
A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire MDM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts... |
|
V-267334
|
Medium |
Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days. |
Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices.
Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the... |
|
V-267315
|
Medium |
Microsoft Intune service must display the Standard Mandatory DOD Notice and Consent Banner and have the user acknowledge acceptance of the access conditions before granting access to the application. |
|
|
V-267314
|
Medium |
Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. |
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Satisfies: FMT_SMF.1(2)b.
Reference: PP-MDM-431028
Satisfies: SRG-APP-000065-UEM-000036, SRG-APP-000345-UEM-000218 |
|
V-267309
|
Medium |
Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity. |
Attackers that can exploit an inactive account and identifiers can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Applications need to track periods of user inactivity and disable accounts after 35 days... |
|
V-267303
|
Medium |
Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity. |
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application... |
