Shared User App Data Blocked

Management Summary

Shared user app data must be blocked to prevent different users on the same device from accessing each other's app data.

Recommendation
IMPLEMENT
Risk without
Medium
Risk Score
4/10
Implementation
1h (tech: 0.5h)
Applies to:
✓ Windows 10
✓ Windows 11

SHARED APP DATA RISKS: On shared devices (multi-user workstations), apps can share data between users. PRIVACY: User A's app data is accessible to User B, with potential disclosure of sensitive information. SECURITY: Malware in one user profile can access other users' data. ENTERPRISE: Shared workstations should have proper user profile isolation.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Block shared app data: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager\AllowSharedLocalAppData is 0. EFFECT: Apps cannot share data between user profiles; each user has isolated app storage.

Requirements

  1. Windows 10/11
  2. Shared device scenarios

Implementation

Use PowerShell script allow-shared-user-app-data-is-set-to-block.ps1 (function Invoke-Remediation) – Block shared app data.

Intune: App Model → AllowSharedLocalAppData is Block (0)

Monitoring

Use PowerShell script allow-shared-user-app-data-is-set-to-block.ps1 (function Invoke-Monitoring) – Verify AllowSharedLocalAppData is 0.
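As an added example (not part of the baseline script above), a fleet-wide variant of the monitoring check that classifies each host as Blocked, Allowed or NotConfigured instead of reporting a single machine. The host names WS-001 and WS-002 are placeholders, and remote hosts are assumed to accept WinRM connections for Invoke-Command.

```powershell
# Added example: audit AllowSharedLocalAppData on one or more hosts.
# Assumes WinRM is enabled on remote targets; host names below are placeholders.
function Get-SharedAppDataState {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on each target: read the policy value and classify it.
    $probe = {
        $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
        $name = 'AllowSharedLocalAppData'
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item)         { $state = 'NotConfigured'; $value = $null }
        elseif ($item.$name -eq 0)   { $state = 'Blocked';       $value = 0 }
        else                         { $state = 'Allowed';       $value = $item.$name }
        [PSCustomObject]@{ Host = $env:COMPUTERNAME; Value = $value; State = $state }
    }

    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME -or $c -eq 'localhost') {
                $r = & $probe
            } else {
                $r = Invoke-Command -ComputerName $c -ScriptBlock $probe -ErrorAction Stop
            }
            # Only an explicit 'Allowed' value is non-compliant; an absent key is the
            # not-configured default, which the baseline script also treats as compliant.
            [PSCustomObject]@{
                Host      = $c
                Value     = $r.Value
                State     = $r.State
                Compliant = ($r.State -ne 'Allowed')
            }
        } catch {
            # Unreachable hosts are reported explicitly rather than silently skipped.
            [PSCustomObject]@{ Host = $c; Value = $null; State = 'Unreachable'; Compliant = $false }
        }
    }
}

# Placeholder host names; replace with real workstation names.
Get-SharedAppDataState -ComputerName 'WS-001', 'WS-002' | Format-Table -AutoSize
```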

Compliance and Auditing

  1. BIO 09.02 - User isolation
  2. ISO 27001 A.9.2.3

Remediation

Use PowerShell script allow-shared-user-app-data-is-set-to-block.ps1 (function Invoke-Remediation) – Restore.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Intune Security Options: Shared User App Data Blocked
.DESCRIPTION
    CIS - Shared user app data blocked.
.NOTES
    Filename: shared-user-data.ps1 | Author: Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager\AllowSharedLocalAppData
    Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath       = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager"
$RegName       = "AllowSharedLocalAppData"
$ExpectedValue = 0

# Confirms the script runs elevated; HKLM policy keys are not writable otherwise.
function Connect-RequiredServices {
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Reads the policy value and reports whether shared app data is blocked.
function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "shared-data.ps1"
        PolicyName    = "Shared User Data"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Blocked"
        Details       = @()
    }
    try {
        $v = $null
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
        }
        if (-not $v) {
            # Key or value absent: policy not configured, treated as the compliant default.
            $r.IsCompliant = $true
            $r.Details += "Default"
        } else {
            $r.CurrentValue = $v.$RegName
            if ($v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Shared data blocked"
            } else {
                $r.Details += "Shared data enabled"
            }
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

# Creates the policy key if needed and sets the value to 0 (blocked).
function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Shared user app data blocked" -ForegroundColor Green
}

# Prints the compliance state and returns the result object.
function Invoke-Monitoring {
    $r = Test-Compliance
    Write-Host "`n$($r.PolicyName): $(if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })" `
        -ForegroundColor $(if ($r.IsCompliant) { 'Green' } else { 'Red' })
    return $r
}

# Removes the policy value, returning the setting to not configured.
function Invoke-Revert {
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) {
        Write-Error "This script must be run as Administrator"
        exit 1
    }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: would set $RegPath\$RegName to $ExpectedValue"
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}

Risk without implementation

Medium: Medium privacy risk on shared devices: users can gain access to each other's app data.

Management Summary

Block shared user app data (AllowSharedLocalAppData=0). User isolation on shared devices. Implementation: 30-60 min.