MS Intune Console Access
MS Intune Console Access
Objective
Limit access to GC-approved IP addresses and authorized users.
Key Considerations
- Implement multi-factor authentication mechanism for privileged accounts and remote network (MS Intune) access.
- Determine access restrictions and configuration requirements for GC-issued endpoint devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly.
Note: Some service providers may offer configuration options to restrict endpoint device access. Alternatively, organizational policy and procedural instruments can be implemented to restrict access.
- Implement a mechanism for enforcing access authorizations.
- Implement password protection mechanisms to protect against password brute force attacks.
Validation
- Confirm policy for MFA is enabled through screenshots and compliance reports.
Additional Considerations
- Leverage enterprise services such as Administrative Access Control System (AACS) for Privileged Access Management (PAM), Attributed-based access control (ABAC).
Applicable Service Models
- IaaS, PaaS, SaaS
References
- SPIN 2017-01, subsection 6.2.3
- CSE Top 10 #2
- Refer to the Recommendations for Two-Factor User Authentication Within the Government of Canada Enterprise Domain
- Related security controls: AC‑2, AC‑2(1), AC‑3, AC‑5, AC‑6, AC‑6(5), AC‑6(10), AC‑7, AC‑9, AC‑19, AC‑20(3), IA‑2, IA‑2(1), IA‑2(2), IA‑2(11), IA‑4, IA‑5, IA‑5(1), IA‑5(6), IA‑5(7), IA‑5(13), IA‑6, IA‑8