Intune: Limit Blank Password Accounts To Console Logon Only
Tags: L1 | BIO 09.02.01 | ISO A.9.4.3 | CIS Windows - Blank passwords
2025-10-30 | 3 minute read | Must-Have
Management Summary
Limit blank password accounts to console logon only: accounts WITHOUT a password can ONLY log on locally (physical access), NOT from the network.
Implementation
2h (technical: 1h)
Applies to:
- Windows 10
- Windows 11
Blank passwords = security disaster:
- Blank password accounts: local accounts with an EMPTY password (no password set).
- Attack: blank password + network logon = instant remote access (no credentials needed; SMB/RDP with a blank password succeeds).
- Lateral movement: attacker scans the network → finds a blank password account → instant access.
This policy:
- Blank password accounts CAN log on locally (console; physical access required).
- They CANNOT log on from the network (SMB/RDP/WinRM blocked).
- Defense: prevents remote exploitation (the attacker must have physical access).
BEST PRACTICE: ELIMINATE blank passwords entirely (password complexity policy); this policy is defense in depth on top of that.
PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement
Implementation
Console-only blank passwords:
- Policy: Accounts: Limit local account use of blank passwords to console logon only: Enabled.
- Effect: blank password account → local console logon: ALLOWED (physical keyboard); network logon (SMB/RDP): BLOCKED.
- Best practice: eliminate blank passwords (password minimum length policy = 14).
Requirements
Intune subscription
Windows 10/11
Password policy: Minimum length 14 (eliminates blank passwords)
Implementation
Intune Settings Catalog: Local Policies Security Options → Accounts: Limit local account use of blank passwords to console logon only: Enabled. Best practice: password minimum length 14 (no blank passwords possible).
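The setting only closes the network path; the blank-password accounts themselves remain. The following added example (not the baseline project's own script) audits both sides of that on one device: it reads the effective LimitBlankPasswordUse value that the Settings Catalog policy writes, and lists enabled local accounts that are allowed to have an empty password. It assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalUser); the function name Get-BlankPasswordExposure and the risk wording are this example's own.

```powershell
# Added example, not the baseline project's own script: report the residual risk behind
# "Accounts: Limit local account use of blank passwords to console logon only" on one device.
# Assumes Windows 10/11 with the built-in Microsoft.PowerShell.LocalAccounts module (Get-LocalUser).
function Get-BlankPasswordExposure {
    [CmdletBinding()]
    param ()

    # 1. Effective LSA setting. 1 = blank-password accounts may log on at the console only
    #    (the expected value); 0 = they may also log on over the network (SMB/RDP/WinRM).
    #    An absent value is reported as $null and treated as not enforced, like the page's script does.
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
    $limitValue = if ($lsa) { [int]$lsa.LimitBlankPasswordUse } else { $null }
    $consoleOnly = ($limitValue -eq 1)

    # 2. Local accounts that can carry a blank password. PasswordRequired = $false means the
    #    account has the "password not required" flag set, so an empty password is accepted;
    #    PasswordLastSet = $null means no password was ever set. Disabled accounts are skipped.
    $exposed = @(
        Get-LocalUser |
            Where-Object { $_.Enabled -and (-not $_.PasswordRequired) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Name             = $_.Name
                    PasswordLastSet  = $_.PasswordLastSet
                    NeverHadPassword = ($null -eq $_.PasswordLastSet)
                }
            }
    )

    # 3. Combine both observations into one verdict. The policy removes the network path only;
    #    the accounts are the root cause and should be given a real password (minimum length 14).
    $risk = if ($exposed.Count -eq 0) {
        'Low: no enabled local account allows a blank password'
    } elseif ($consoleOnly) {
        'Medium: blank-password accounts exist but are limited to console (physical) logon'
    } else {
        'High: blank-password accounts exist and network logon with a blank password is not restricted'
    }

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        LimitBlankPasswordUse = $limitValue
        ConsoleOnlyEnforced   = $consoleOnly
        ExposedAccounts       = $exposed
        Risk                  = $risk
    }
}

# Usage: run on a Windows 10/11 device; the report object can be exported (e.g. to CSV/JSON)
# and collected centrally, while ExposedAccounts is the list to act on.
$report = Get-BlankPasswordExposure
$report | Format-List ComputerName, LimitBlankPasswordUse, ConsoleOnlyEnforced, Risk
$report.ExposedAccounts | Format-Table -AutoSize
```

A device that reports ConsoleOnlyEnforced = True with a non-empty ExposedAccounts list is compliant with this control but still carries accounts that log on with an empty password at the keyboard; that is the case the "Medium" verdict is meant to surface so the password policy can finish the job.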
Compliance
CIS Windows Benchmark L1, Microsoft Security Baseline, BIO 09.02, ISO 27001 A.9.4.3.
Monitoring
Use the PowerShell script accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is-set-to-enabled.ps1 (function Invoke-Monitoring) → Check.
Use the PowerShell script accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only-is-set-to-enabled.ps1 (function Invoke-Remediation) → Remediate.
Compliance & Frameworks
- CIS M365: Control Windows - Blank passwords (L1)
- BIO: 09.02.01
- ISO 27001:2022: A.9.4.3
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).
<#
.SYNOPSIS
Intune Security Options: Limit Blank Passwords Console Only
.DESCRIPTION
CIS - Blank passwords console logon only.
.NOTES
Filename: blank-passwords-console.ps1 | Author: Nederlandse Baseline voor Veilige Cloud | Registry: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | Expected: 1
#>
[CmdletBinding()]
param ([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"; $RegName = "LimitBlankPasswordUse"; $ExpectedValue = 1
# Writing under HKLM\SYSTEM needs elevation: returns $true only when running as Administrator.
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
# Reads LimitBlankPasswordUse: 1 = blank-password accounts limited to console logon (compliant), anything else = network logon allowed.
function Test-Compliance {
    $r = [PSCustomObject]@{ ScriptName = "blank-pw.ps1"; PolicyName = "Blank Password Limit"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Console only"; Details = @() }
    try {
        $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
        if ($v) { $r.CurrentValue = $v.$RegName }
        if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Blank pw: console only" }
        else { $r.Details += "Blank pw: network allowed" }
    } catch { $r.Details += "Error: $($_.Exception.Message)" }
    return $r
}
function Invoke-Remediation { Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Blank passwords limited to console" -ForegroundColor Green }
function Invoke-Monitoring {
    $r = Test-Compliance
    Write-Host "`n$($r.PolicyName): $(if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })" -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}
# Revert sets the value to 0, which lets blank-password accounts log on over the network again.
function Invoke-Revert { Set-ItemProperty -Path $RegPath -Name $RegName -Value 0 -Type DWord }
try {
    if (-not (Connect-RequiredServices)) { Write-Error "Run this script as Administrator"; exit 1 }
    if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 } else { 1 }) }
    elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }
    elseif ($Revert) { Invoke-Revert }
    else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 } else { 1 }) }
} catch { Write-Error $_; exit 1 }
Risk without implementation
High: blank passwords + network logon = instant remote access (no credentials).
Management Summary
Limit blank password accounts: console only (no network logon). Prevents remote exploitation. BEST: eliminate blank passwords (password policy). Implementation: 1-2 hours.
Implementation time: 2 hours
FTE required: 0.01 FTE