[THEME] System
The System theme addresses the security of employee devices (computers and laptops) that are managed through Microsoft 365 and Intune. These devices contain business data and serve as an entry point for attackers into the organization.
What does Attic do?
Attic verifies that device management policies are configured to protect endpoints from misuse and unauthorized access.
The checks in this theme cover:
- BitLocker recovery keys are not readable by regular users
- Global admins are not automatically made local administrators on newly joined devices
- Users who join a device are not automatically added to its local administrators group
- LAPS (Local Administrator Password Solution) is enabled
- Dynamic groups are reviewed for potential security risks
- Resource Access Group (RAG) owners do not have excessive privileges
Why is this important?
Employee devices are often the first target in an attack. If a device is compromised, the attacker can access all data stored on it and use it as a stepping stone to access cloud resources. Proper device security settings ensure that local admin rights are controlled, encryption keys are protected, and device management follows security best practices.
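The three device-join checks above (LAPS enabled, global admins not made local admins, registering users not made local admins) can be evaluated against the tenant's device registration policy. The following is an added example, not Attic's own code: it evaluates a constructed sample of a Microsoft Graph `GET /policies/deviceRegistrationPolicy` response. The `localAdminPassword.isEnabled` and `azureADJoin` properties follow the Graph schema as I know it; the `localAdmins` sub-properties and the `@odata.type` membership names are assumptions from the beta schema and should be verified against a real tenant response.

```python
import json

# Constructed sample responses (not real tenant data). The first shows the
# weak defaults the checks flag; the second shows the hardened settings.
# Property names under "localAdmins" are assumed from the Graph beta schema.
WEAK_POLICY = json.loads("""{
  "azureADJoin": {
    "isAdminConfigurable": true,
    "localAdmins": {
      "enableGlobalAdmins": true,
      "registeringUsers": {"@odata.type": "#microsoft.graph.allDeviceRegistrationMembership"}
    }
  },
  "localAdminPassword": {"isEnabled": false}
}""")

HARDENED_POLICY = json.loads("""{
  "azureADJoin": {
    "isAdminConfigurable": true,
    "localAdmins": {
      "enableGlobalAdmins": false,
      "registeringUsers": {"@odata.type": "#microsoft.graph.noDeviceRegistrationMembership"}
    }
  },
  "localAdminPassword": {"isEnabled": true}
}""")


def evaluate(policy: dict) -> dict:
    """Return {check_id: passed} for the device-join checks of this theme.
    A missing property is treated as failing, never as passing."""
    results = {}
    # CHK-1169: LAPS must be on so every device gets its own rotated local admin password
    results["CHK-1169"] = policy.get("localAdminPassword", {}).get("isEnabled") is True
    local_admins = policy.get("azureADJoin", {}).get("localAdmins", {})
    # CHK-1166: Global Administrators must not be added as local admins on joined devices
    results["CHK-1166"] = local_admins.get("enableGlobalAdmins") is False
    # CHK-1165: the user who registers a device must not become its local admin
    membership = local_admins.get("registeringUsers", {}).get("@odata.type", "")
    results["CHK-1165"] = membership.endswith("noDeviceRegistrationMembership")
    return results


def failing_checks(policy: dict) -> list:
    """Sorted list of check IDs that the policy fails."""
    return sorted(cid for cid, ok in evaluate(policy).items() if not ok)


if __name__ == "__main__":
    print("weak policy fails:", failing_checks(WEAK_POLICY))
    print("hardened policy fails:", failing_checks(HARDENED_POLICY))
```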
Checks in this theme
| ID | Check |
|---|---|
| CHK-1149 | Bitlocker keys not readable |
| CHK-1166 | Global admins non-local admins |
| CHK-1165 | Minimize local admins |
| CHK-1169 | LAPS and Entra ID |
| CHK-1177 | Dynamic Group Vulnerability Analysis |
| CHK-1180 | Role Assignable Group Privilege Escalation |