Intune Endpoint Hardening
  • Intune Endpoint Hardening
    • 2. Local Policies
      • 2.2 User Rights Assignment
        • 2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Automated)
        • 2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop
        • 2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Automated)
        • *2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, N
        • 2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' (Automated)
        • *2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote
        • 2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Automated)
        • 2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Automated)
        • 2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' (Automate
        • 2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Automated)
        • 2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' (Automated)
        • 2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVIC
        • 2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Automated)
        • *2.2.14 (L1) Configure 'Create symbolic links' (Automated)
        • 2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' (Automated)
        • 2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local accoun
        • 2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Automated)
        • *2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Automated)
        • 2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' (Automated)
        • 2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'
        • 2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No O
        • 2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Automated)
        • 2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Automated
        • 2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SER
        • 2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window
        • 2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Automated)
        • 2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Automated)
        • 2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (Automated)
        • *2.2.29 (L2) Configure 'Log on as a service' (Automated)
        • 2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (Automated)
        • 2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' (Automated)
        • 2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Automated)
        • 2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Automated)
        • 2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' (Automated)
        • 2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHos
        • 2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Auto
        • 2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Automated)
        • 2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' (Automated)
        • 2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Automated
      • 2.3 Security Options
        • 2.3.1 Accounts
          • 2.3.1.1 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with
          • 2.3.1.2 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (Automated)
          • 2.3.1.3 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is
          • 2.3.1.4 (L1) Configure 'Accounts: Rename administrator account' (Automated)
          • 2.3.1.5 (L1) Configure 'Accounts: Rename guest account' (Automated)
        • 2.3.2 Audit
          • *2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to ov
          • *2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set
        • 2.3.3 DCOM
        • 2.3.4 Devices
          • 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrator
          • 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (A
        • 2.3.5 Domain controller
        • 2.3.6 Domain member
          • *2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set
          • *2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set
          • *2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to
          • *2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
          • *2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer d
          • *2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to
        • 2.3.7 Interactive logon
          • 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Automate
          • 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Automate
          • 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer i
          • 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s)
          • 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Automated)
          • 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Automated
          • *2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain control
          • *2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set t
          • 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' o
        • 2.3.8 Microsoft network client
          • 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'E
          • 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is
          • 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers
        • 2.3.9 Microsoft network server
          • *2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending sess
          • 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'E
          • 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is
          • 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set t
          • *2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to
    • Account Protection
      • Enforce password history
      • Ensure Maximum password age
      • Ensure Minimum password age
      • Ensure Minimum password length
      • Ensure Password must meet complexity requirements
      • *Ensure Relax minimum password length limits
      • *Store passwords using reversible encryption
      • Allow Simple Device Password
      • Alphanumeric Device Password Required
      • Number of sign-in failures before wiping device
      • Device Lock Enabled
      • *Account lockout duration
      • *Account lockout threshold
      • *Allow Administrator account lockout
      • *Reset account lockout counter after
    • Auditing and Logs
      • AccountLogon_AuditOtherAccountLogonEvents
      • PolicyChange_AuditPolicyChange
      • PolicyChange_AuditAuthenticationPolicyChange
      • PolicyChange_AuditAuthorizationPolicyChange
      • AccountLogon_AuditCredentialValidation
      • AccountLogonLogoff_AuditGroupMembership
      • AccountLogonLogoff_AuditLogoff
      • AccountLogonLogoff_AuditLogon
      • PolicyChange_AuditMPSSVCRuleLevelPolicyChange
      • AccountLogonLogoff_AuditOtherLogonLogoffEvents
      • PolicyChange_AuditOtherPolicyChangeEvents
      • DetailedTracking_AuditPNPActivity
      • DetailedTracking_AuditProcessCreation
      • AccountManagement_AuditSecurityGroupManagement
      • PrivilegeUse_AuditSensitivePrivilegeUse
      • AccountLogonLogoff_AuditSpecialLogon
      • AccountManagement_AuditUserAccountManagement
      • SpecifyMaximumFileSizeApplicationLog
      • SpecifyMaximumFileSizeSecurityLog
    • Identification and Authentication
      • Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
      • AllowBasicAuthentication_Client
      • AllowBasicAuthentication_Service
      • DisallowDigestAuthentication
      • DisallowStoringOfRunAsCredentials
      • DoNotAllowPasswordSaving
    • 17. Advanced Audit Policy Configuration
      • 17.9 System
        • 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Automated)
        • 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' (Automated)
        • 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' (Automated)
        • 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' (Automated)
        • 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Automated)
      • 17.6 Object Access
        • 17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' (Automated)
        • 17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' (Automated)
        • 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (Automated)
        • 17.6.4 L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Automated)
    • 18. Administrative Templates (Computer)
      • 18.10.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its max
      • 18.10.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,76
      • 18.10.43.16 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enab
      • 18.10.43.17 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' (Automated)
Powered by GitBook
On this page
  1. Intune Endpoint Hardening
  2. Auditing and Logs

AccountLogonLogoff_AuditSpecialLogon

AccountLogonLogoff_AuditSpecialLogon

PreviousPrivilegeUse_AuditSensitivePrivilegeUseNextAccountManagement_AuditUserAccountManagement

Last updated 1 year ago

This policy setting allows you to audit events generated by special logons such as the following: The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged-on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.

./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon

Format: int Value: 1

Audit event on success.

YES

Audit Special Logon

LogoAudit Policy CSP - Windows Client ManagementMicrosoftLearn