Essential 8 Items

Essential 8 | M365 Maps Microsoft Chart

E5? Compliance Chart Microsoft Purview Compliance Manager – Microsoft Purview (compliance) | Microsoft Learn

TMP-0001 The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Poor man's approach (turn on audit mode first)

This approach to application control does not meet the requirements for the Essential Eight maturity model due to the use of Microsoft Intelligent Security Graph. If you are aiming to meet Essential Eight requirements, please consider using the WDAC Wizard or a third-party application control solution.

ISM-1688 Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

One option is to deny login on the Workstations OU for all your DomAdmin and ServerAdmin user groups. Then have a separate AD group for WorkstationAdmins that’s not denied, but has no rights on servers. Define “privileged account” in that context as a server or domain admin account.

Another option would be to not have workstation admin accounts, just use LAPS for all workstation config.
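
One way to check the first option above on a workstation, as an added example that is not part of the original page: the script parses the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and reports privileged groups that are missing from the deny-logon rights. The domain SID, the RIDs and the choice of the two interactive deny rights are assumptions; the group names follow the text above.

```python
# Added example: offline audit of a workstation's user-rights export.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
# Group names follow the text; the RIDs are constructed.
PRIVILEGED = {"DomAdmin": f"{DOMAIN_SID}-512", "ServerAdmin": f"{DOMAIN_SID}-1105"}
ALLOWED = {"WorkstationAdmins": f"{DOMAIN_SID}-1106"}
# Assumption: "deny login" means these two rights (deny log on locally / via RDS).
DENY_RIGHTS = ("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")

# Constructed sample of exported text; ServerAdmin is missing from the RDS deny right.
SAMPLE_EXPORT = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *{DOMAIN_SID}-512,*{DOMAIN_SID}-1105
SeDenyRemoteInteractiveLogonRight = *{DOMAIN_SID}-512
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; drop the marker and normalise case.
            rights[name.strip()] = {
                v.strip().lstrip("*").upper() for v in value.split(",") if v.strip()
            }
    return rights


def audit(text, privileged=PRIVILEGED, allowed=ALLOWED):
    """Return sorted findings; an empty list means the export matches the design."""
    rights = parse_privilege_rights(text)
    findings = []
    for right in DENY_RIGHTS:
        denied = rights.get(right, set())  # right absent from export: nobody denied
        for group, sid in privileged.items():
            if sid.upper() not in denied:
                findings.append(f"{group} is not denied {right}")
        for group, sid in allowed.items():
            if sid.upper() in denied:
                findings.append(f"{group} is denied {right} and cannot log on")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "no findings")
```

secedit normally writes the export as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit()`.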

ISM-1387 Administrative activities are conducted through jump servers.

Azure Bastion

ISM-1175 Privileged user accounts are prevented from accessing the internet, email and web services.

We do 3 levels of accounts. Normal user with email and web. Local workstation admin with web access and only able to log into workstation or remote desktop server as local admin. Domain/server admin – no mail or web access and deny log on locally to workstation or RDS.

ISM-1681 Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-tutorial-require-mfa
