Password Protection On-Premises

💼 Management Summary

This security control ensures the correct configuration of security settings on Windows endpoints.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk Score: 7/10
Implementation: 2h (tech: 1h)
Applies to: Windows

This setting is part of the Windows security baseline and protects against known attack vectors by enforcing secure configurations.

PowerShell Modules Required
Primary API: Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

This control configures on-premises password protection via Microsoft Intune device configuration policies or compliance policies to secure Windows endpoints according to security best practices.

Requirements

m365

Implementation

Use the PowerShell script password-bescherming-onprem.ps1 (function Invoke-Monitoring) – Monitor.

Monitoring

Use the PowerShell script password-protection-onprem.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script password-bescherming-onprem.ps1 (function Invoke-Remediation) – Remediate.

Compliance and Auditing

Policy documentation

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

```powershell
<#
.SYNOPSIS
    Password Protection On-Premises
.DESCRIPTION
    Verifies Azure AD Password Protection is deployed on domain controllers
.NOTES
    NL Baseline v2.0
    For hybrid environments only
#>
#Requires -Version 5.1
[CmdletBinding()]
# -Remediation switch added: the text above documents it but the script did not declare it
param([switch]$Monitoring, [switch]$Remediation)

$ErrorActionPreference = 'Stop'

Write-Host "`n========================================" -ForegroundColor Cyan
Write-Host "Password Protection On-Premises" -ForegroundColor Cyan
Write-Host "========================================`n" -ForegroundColor Cyan

function Invoke-Monitoring {
    try {
        Write-Host " ⚠️ For hybrid environments only" -ForegroundColor Yellow
        Write-Host "`n Required components:" -ForegroundColor Cyan
        Write-Host " 1. Azure AD Password Protection DC Agent" -ForegroundColor Gray
        Write-Host "    Installed on all domain controllers" -ForegroundColor Gray
        Write-Host " 2. Azure AD Password Protection Proxy" -ForegroundColor Gray
        Write-Host "    Configured and running" -ForegroundColor Gray
        Write-Host " 3. Mode set to 'Enforced' (not Audit)" -ForegroundColor Gray
        Write-Host "`n PowerShell verification on DC:" -ForegroundColor Cyan
        Write-Host "    Get-Service AzureADPasswordProtectionDCAgent" -ForegroundColor Gray
        Write-Host "    Get-Service AzureADPasswordProtectionProxy" -ForegroundColor Gray
        Write-Host "    Get-AzureADPasswordProtectionDCAgent" -ForegroundColor Gray
        Write-Host "`n Benefits:" -ForegroundColor Cyan
        Write-Host "    • Extends cloud protection to on-prem" -ForegroundColor Gray
        Write-Host "    • Consistent password policies" -ForegroundColor Gray
        Write-Host "    • Blocks weak passwords everywhere" -ForegroundColor Gray
        Write-Host "`n ⚠️ Note: Not applicable for cloud-only tenants" -ForegroundColor Yellow
        Write-Host "    Run verification commands on domain controllers" -ForegroundColor Gray
        exit 0
    } catch {
        Write-Host "ERROR: $_" -ForegroundColor Red
        exit 2
    }
}

# Defined before the dispatch below: PowerShell only knows a function once its
# definition has been executed, so the original placement (after the dispatch)
# made Invoke-Remediation unreachable from within the script.
function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    .DESCRIPTION
        This is a monitoring-only control; remediation delegates to monitoring
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Dit is een monitoring-only control" -ForegroundColor Yellow
    Write-Host "[INFO] Running monitoring check..." -ForegroundColor Cyan
    Invoke-Monitoring
}

try {
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        Invoke-Remediation
    } else {
        Write-Host "Use: -Monitoring or -Remediation" -ForegroundColor Yellow
    }
} catch {
    throw
} finally {
    Write-Host "`n========================================`n" -ForegroundColor Cyan
}
```
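As an added example (not the baseline's own script), a monitoring function that actually tests the components the script above only lists, so the check can fail instead of always exiting 0. It assumes it runs on a domain controller with the AzureADPasswordProtection and ActiveDirectory modules installed, that Get-AzureADPasswordProtectionDCAgent and Get-AzureADPasswordProtectionProxy return ServerFQDN and HeartbeatUTC properties, and the 24-hour heartbeat threshold and the DC names are constructed values.

```powershell
#Requires -Version 5.1
# Added example; cmdlet property names and the threshold are assumptions (see lead-in).
function Test-PasswordProtectionDeployment {
    [CmdletBinding()]
    param(
        [int]$MaxHeartbeatAgeHours = 24,          # constructed threshold for a "live" agent
        [string[]]$ExpectedDCs = @()              # defaults to every DC in the domain
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The DC Agent service must be installed and running on this domain controller
    $agent = Get-Service -Name 'AzureADPasswordProtectionDCAgent' -ErrorAction SilentlyContinue
    if (-not $agent) { $findings.Add('DC Agent service not installed on this DC') }
    elseif ($agent.Status -ne 'Running') { $findings.Add("DC Agent service is $($agent.Status)") }

    # 2. At least one Proxy must be registered in the forest (assumed cmdlet)
    $proxies = @(Get-AzureADPasswordProtectionProxy -ErrorAction SilentlyContinue)
    if ($proxies.Count -eq 0) { $findings.Add('No Password Protection Proxy registered in the forest') }

    # 3. Every DC must have a registered agent with a recent heartbeat ("installed on all DCs")
    if ($ExpectedDCs.Count -eq 0) {
        $ExpectedDCs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName })
    }
    $agents = @(Get-AzureADPasswordProtectionDCAgent -ErrorAction SilentlyContinue)
    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$MaxHeartbeatAgeHours)
    foreach ($dc in $ExpectedDCs) {
        $entry = $agents | Where-Object { $_.ServerFQDN -ieq $dc }
        if (-not $entry) { $findings.Add("No DC Agent registered for $dc"); continue }
        if ($entry.HeartbeatUTC -lt $cutoff) {
            $findings.Add("DC Agent on $dc last heartbeat $($entry.HeartbeatUTC), older than $MaxHeartbeatAgeHours h")
        }
    }

    # Enforced vs Audit is a tenant-level setting in Entra ID and is not readable from
    # the DC, so it is reported as a manual step rather than silently passing.
    [pscustomobject]@{
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
        ManualChecks = @('Confirm the tenant mode is Enforced (not Audit) in the Entra admin center')
    }
}

# Same exit-code convention as the baseline script: 0 compliant, 1 not compliant.
$result = Test-PasswordProtectionDeployment -ExpectedDCs @('dc01.corp.example', 'dc02.corp.example')
$result.Findings     | ForEach-Object { Write-Host "[FAIL] $_" -ForegroundColor Red }
$result.ManualChecks | ForEach-Object { Write-Host "[MANUAL] $_" -ForegroundColor Yellow }
if ($result.Compliant) { exit 0 } else { exit 1 }
```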

Risk without implementation

High: No auth tracking.

Management Summary

Enable audit logging.