| CANARY‑1 |
Configure an appropriately-privileged NAA with interactive logon restricted |
SCCM, domain |
| DETECT‑1 |
Monitor site server domain computer accounts authenticating from another source |
Security |
| DETECT‑2 |
Monitor read access to the System Management Active Directory container |
Security |
| DETECT‑3 |
Monitor client push installation accounts authenticating from anywhere other than the primary site server |
Security |
| DETECT‑4 |
Monitor application deployment logs in the site's Audit Status Messages |
SCCM, security |
| DETECT‑5 |
Monitor group membership changes for SMS Admins |
SCCM, server, security |
| DETECT‑6 |
Monitor group membership changes for RBAC_Admins table |
SCCM, server, security |
| DETECT‑7 |
Monitor read access to the SMSTemp directory |
SCCM, server, security |
| DETECT‑8 |
Monitor connections to winreg named pipe |
SCCM, server, security |
| DETECT‑9 |
Monitor local object access for local SCCM logs and settings |
SCCM, server, security |
| PREVENT‑1 |
Patch site server with KB15599094 |
SCCM, server |
| PREVENT‑2 |
Disable Fallback to NTLM |
SCCM |
| PREVENT‑3 |
Harden or disable network access accounts |
SCCM, domain, security |
| PREVENT‑4 |
Configure Enhanced HTTP |
SCCM |
| PREVENT‑5 |
Disable automatic side-wide client push installation |
SCCM |
| PREVENT‑6 |
Configure a strong PXE boot password |
SCCM |
| PREVENT‑7 |
Disable command support in PXE boot configuration |
SCCM |
| PREVENT‑8 |
Require PKI certificates for client authentation |
SCCM, network, security, server, domain |
| PREVENT‑9 |
Enforce MFA for SMS Provider calls |
SCCM |
| PREVENT‑10 |
Enforce the principle of least privilege for accounts |
SCCM, domain, server, security |
| PREVENT‑11 |
Disable and uninstall WebClient on site servers |
SCCM, server |
| PREVENT‑12 |
Require SMB signing on site systems |
Domain, server, SCCM |
| PREVENT‑13 |
Require LDAP channel binding and signing |
Domain, server |
| PREVENT‑14 |
Require EPA on AD CS and site databases |
Domain, security, SCCM, server, database |
| PREVENT‑15 |
Disable and change passwords of legacy NAAs and collection variables/task sequence secrets in Active Directory |
Domain, SCCM |
| PREVENT‑16 |
Remove SeMachineAccountPrivilege and set MachineAccountQuota to 0 for non-admin accounts |
Domain |
| PREVENT‑17 |
Remove Extended Rights assignment from accounts that do not require it |
Domain, desktop |
| PREVENT‑18 |
Use strong passwords for DBA accounts |
Database, security, domain |
| PREVENT‑19 |
Remove unnecessary links to site databases |
SCCM, database |
| PREVENT‑20 |
Block unnecessary connections to site systems |
Network, server |
| PREVENT‑21 |
Restrict PXE boot to authorized VLANs |
SCCM, network |
| PREVENT‑22 |
Do not manage assets in two or more segmented forests, domains, networks, or security tiers |
SCCM, network, security, domain |