Intune Endpoint Hardening
  • Intune Endpoint Hardening
    • 2. Local Policies
      • 2.2 User Rights Assignment
        • 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated)
        • 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop
        • 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Automated)
        • *2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, N
        • 2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' (Automated)
        • *2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote
        • 2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Automated)
        • 2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Automated)
        • 2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' (Automate
        • 2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Automated)
        • 2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' (Automated)
        • 2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVIC
        • 2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Automated)
        • *2.2.14 (L1) Configure 'Create symbolic links' (Automated)
        • 2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' (Automated)
        • 2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local accoun
        • 2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Automated)
        • *2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Automated)
        • 2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' (Automated)
        • 2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
        • 2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No O
        • 2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Automated)
        • 2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated
        • 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SER
        • 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window
        • 2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Automated)
        • 2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Automated)
        • 2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (Automated)
        • *2.2.29 (L2) Configure 'Log on as a service' (Automated)
        • 2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (Automated)
        • 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' (Automated)
        • 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Automated)
        • 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Automated)
        • 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' (Automated)
        • 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHos
        • 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Auto
        • 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Automated)
        • 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' (Automated)
        • 2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Automated
      • 2.3 Security Options
        • 2.3.1 Accounts
          • 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with
          • 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (Automated)
          • 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is
          • 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account' (Automated)
          • 2.3.1.5 (L1) Configure 'Accounts: Rename guest account' (Automated)
        • 2.3.2 Audit
          • *2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to ov
          • *2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set
        • 2.3.3 DCOM
        • 2.3.4 Devices
          • 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrator
          • 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (A
        • 2.3.5 Domain controller
        • 2.3.6 Domain member
          • *2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set
          • *2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set
          • *2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to
          • *2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
          • *2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer d
          • *2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to
        • 2.3.7 Interactive logon
          • 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Automate
          • 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Automate
          • 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer i
          • 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s)
          • 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Automated)
          • 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Automated
          • *2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain control
          • *2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set t
          • 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' o
        • 2.3.8 Microsoft network client
          • 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'E
          • 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is
          • 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers
        • 2.3.9 Microsoft network server
          • *2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending sess
          • 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'E
          • 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is
          • 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set t
          • *2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to
    • Account Protection
      • Enforce password history
      • Ensure Maximum password age
      • Ensure Minimum password age
      • Ensure Minimum password length
      • Ensure Password must meet complexity requirements
      • *Ensure Relax minimum password length limits
      • *Store passwords using reversible encryption
      • Allow Simple Device Password
      • Alphanumeric Device Password Required
      • Number of sign-in failures before wiping device
      • Device Lock Enabled
      • *Account lockout duration
      • *Account lockout threshold
      • *Allow Administrator account lockout
      • *Reset account lockout counter after
    • Auditing and Logs
      • AccountLogon_AuditOtherAccountLogonEvents
      • PolicyChange_AuditPolicyChange
      • PolicyChange_AuditAuthenticationPolicyChange
      • PolicyChange_AuditAuthorizationPolicyChange
      • AccountLogon_AuditCredentialValidation
      • AccountLogonLogoff_AuditGroupMembership
      • AccountLogonLogoff_AuditLogoff
      • AccountLogonLogoff_AuditLogon
      • PolicyChange_AuditMPSSVCRuleLevelPolicyChange
      • AccountLogonLogoff_AuditOtherLogonLogoffEvents
      • PolicyChange_AuditOtherPolicyChangeEvents
      • DetailedTracking_AuditPNPActivity
      • DetailedTracking_AuditProcessCreation
      • AccountManagement_AuditSecurityGroupManagement
      • PrivilegeUse_AuditSensitivePrivilegeUse
      • AccountLogonLogoff_AuditSpecialLogon
      • AccountManagement_AuditUserAccountManagement
      • SpecifyMaximumFileSizeApplicationLog
      • SpecifyMaximumFileSizeSecurityLog
    • Identification and Authentication
      • Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • AllowBasicAuthentication_Client
      • AllowBasicAuthentication_Service
      • DisallowDigestAuthentication
      • DisallowStoringOfRunAsCredentials
      • DoNotAllowPasswordSaving
    • 17. Advanced Audit Policy Configuration
      • 17.9 System
        • 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Automated)
        • 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' (Automated)
        • 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' (Automated)
        • 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' (Automated)
        • 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Automated)
      • 17.6 Object Access
        • 17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' (Automated)
        • 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' (Automated)
        • 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (Automated)
        • 17.6.4 L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Automated)
    • 18. Administrative Templates (Computer)
      • 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its max
      • 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,76
      • 18.10.43.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enab
      • 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' (Automated)
Powered by GitBook
On this page
  1. Intune Endpoint Hardening
  2. Auditing and Logs

AccountLogonLogoff_AuditLogon

AccountLogonLogoff_AuditLogon

PreviousAccountLogonLogoff_AuditLogoffNextPolicyChange_AuditMPSSVCRuleLevelPolicyChange

Last updated 1 year ago

This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged-on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on.

./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogoff

Format: int Value: 3

Audit event on success and failure.

YES

Audit Logon

LogoAudit Policy CSP - Windows Client ManagementMicrosoftLearn