Various policies detected as not compliant - incorrectly or partially incorrectly
in progress
Sam Hobday
1) Block Legacy Authentication CA Policy
This was already enabled as a Microsoft Managed rule that exactly matched the Manual Remediation steps for ourselves.
For another test customer, they have Security Defaults and no Business Premium licensing so cannot set CA policies but Security Defaults already enables this setting.
2) Administrative accounts are cloud only - In our environment we don't have Entra ID Sync, yet this was listed as a "not Compliant". We USED to have Entra ID Sync about 7 years ago, but this was removed.
Detection for "is currently Entra ID Synced" should be improved.
In addition, the description of the policy is more about differentiating between user accounts and admin accounts and not using an admin account day-to-day. Whilst that's valid, it's not relevant to the title.
4) Non-admin users can view their own Bitlocker keys
This was already set to the correct value, but was listed as non-compliant.
5) Ensure organizational terms have been added to the banned password list
Whilst this was correctly detected as not being applied, it didn't actually say what custom passwords would get added if applied by Huntress. This either needs to be configurable as part of enabling in Huntress, or the platform should tell you what words will be added.
6) Require MFA for All users
This was already enabled as a Microsoft Managed rule that exactly matched the Manual Remediation steps for ourselves.
For another test customer, they have Security Defaults and no Business Premium licensing so cannot set CA policies but Security Defaults already enables this setting.
Scott Riley
marked this post as in progress
Hey Sam, We're aware of issues with the CA recognition and we have a specific bug with the banned password list. You're absolutely right, that's not the expected behaviour!
On the CA piece: right now it's looking for the Huntress Managed versions of those CA policies but a) that's not clear in the UI and b) is that the desired behaviour? But in both cases we're on it! Thanks for the feedback!
Sam Hobday
Following on from this on point 5 - Ensure organizational terms have been added to the banned password list.
When I looked at the list of added words in Entra, it had added our 2 domain names (without the .co.uk bit) which seems ok as a starting point. However, I then added another couple of manual ones in Entra in addition. Huntress then sent an alert saying we were no longer compliant.
So despite making it MORE secure by adding additional banned passwords, because it didn't match exactly the list approved by Huntress, it classed it as non-compliance. Also because I had selected Continuous Enforcement, it then removed my additions.
This should not be the behaviour.
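As an added example (not Huntress's or Microsoft's code), the following shows the two detection behaviours this thread asks for: recognising an equivalent "block legacy authentication" control by the policy's conditions (or by Security Defaults) rather than by a Huntress-managed name, and treating the banned password list as compliant when it is a superset of the required terms. The policy dicts mimic the Microsoft Graph conditionalAccessPolicy shape; all sample data is constructed.

```python
# Added example, not Huntress or Microsoft code. Policy objects follow the
# Microsoft Graph conditionalAccessPolicy shape; sample data is constructed.

ENFORCING_STATES = {"enabled"}  # report-only mode enforces nothing


def blocks_legacy_auth(policy: dict) -> bool:
    """True if this CA policy blocks legacy auth for all users and apps,
    judged by conditions and controls, not by displayName."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") in ENFORCING_STATES
        and "All" in cond.get("users", {}).get("includeUsers", [])
        and "All" in cond.get("applications", {}).get("includeApplications", [])
        and {"exchangeActiveSync", "other"} <= set(cond.get("clientAppTypes", []))
        and "block" in grant.get("builtInControls", [])
    )


def legacy_auth_compliant(policies: list, security_defaults_enabled: bool) -> bool:
    """Security Defaults already block legacy auth, so either path satisfies
    the control (the thread's Security Defaults / no-CA-licence case)."""
    return security_defaults_enabled or any(blocks_legacy_auth(p) for p in policies)


def banned_list_compliant(required: set, configured: set) -> bool:
    """Superset check: customer-added terms must not cause non-compliance.
    (The thread describes an exact-match comparison, which flags additions.)"""
    norm = lambda words: {w.strip().lower() for w in words}
    return norm(required) <= norm(configured)


# Constructed sample: a Microsoft-managed style policy, not a Huntress-managed one.
MS_MANAGED_BLOCK_LEGACY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    print(legacy_auth_compliant([MS_MANAGED_BLOCK_LEGACY], False))
    print(banned_list_compliant({"contoso", "fabrikam"}, {"contoso", "fabrikam", "summer"}))
```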