Closed eneerge closed 8 months ago
Opposing removal of 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' Ticket# 17565
Built-in admin accounts do not run in admin approval mode (unless set to). The built-in admin also has a well-known security identifier. Remote access to this account SHOULD be disabled, but I prefer the entire account being disabled. There shouldn't be any reason to have it available. CIS discussion here: https://workbench.cisecurity.org/community/2/tickets/16339
In my environment, we create a new admin account and it's managed by LAPS. Per previous guidelines (disable unused accounts), I will leave this built-in account disabled.
Opposing removal of 18.10 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Ticket #20134
Per the CIS ticket (https://workbench.cisecurity.org/tickets/20134), they removed it because they claim it's no longer available in Intune. The setting may have been removed from a built-in configuration profile, but it still shows up in the CSP documentation (https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode). I prefer to always pull from HTTP and have kept this setting in place.
Other notes:
For 18.10.43.4.1.1 and 18.10.43.4.1.2 (Attack Surface Reduction):
9.3.5 has a duplicate entry because in the CSP policy documentation, there exist 2 separate settings:
Policy here: https://workbench.cisecurity.org/benchmarks/14355
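
An audit sketch for the two retained settings discussed above (2.3.1 and the Delivery Optimization download mode), added here as an example and not part of the original issue or the project's own scripts. The function names are hypothetical, and the two registry locations (Group Policy and MDM PolicyManager) are assumptions about where the policy value lands on the endpoint.

```powershell
# Added example: audit the two settings this issue keeps in place.
# Function names are hypothetical. Registry paths are assumed locations
# for the GPO-delivered and MDM/CSP-delivered policy value.

function Test-BuiltinAdminDisabled {
    # The built-in Administrator keeps RID 500 even when renamed,
    # so match on the SID rather than on the account name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    if (-not $admin) { return $null }
    [pscustomobject]@{
        Setting   = '2.3.1 Administrator account status'
        Account   = $admin.Name
        Enabled   = $admin.Enabled
        Compliant = -not $admin.Enabled
    }
}

function Get-DODownloadModeStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization',               # GPO (assumed)
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'    # MDM (assumed)
    )
    foreach ($path in $paths) {
        $prop = Get-ItemProperty -Path $path -Name DODownloadMode -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $mode = [int]$prop.DODownloadMode
            return [pscustomobject]@{
                Setting   = "18.10 Download Mode"
                Source    = $path
                Value     = $mode
                HttpOnly  = ($mode -eq 0)   # 0 = HTTP only, the preference stated above
                Compliant = ($mode -ne 3)   # 3 = Internet peering, the value to avoid
            }
        }
    }
    # No policy value found: report it as unknown rather than assume a default.
    [pscustomobject]@{
        Setting = "18.10 Download Mode"; Source = '(not configured)'
        Value = $null; HttpOnly = $false; Compliant = $null
    }
}

Test-BuiltinAdminDisabled
Get-DODownloadModeStatus
```

Run it in an elevated session on the endpoint; a `Compliant` value of `$null` means no policy value was found, so the effective mode is whatever the OS default is.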