ISM Documentation

The document outlines the implementation of various security controls related to credential security, PowerShell restrictions, application control, logging and monitoring, Microsoft Office macro control, Windows hardening, and Active Directory DS hardening. Each section details specific controls, their status, and the steps required for configuration and validation. Overall, the document serves as a comprehensive guide for ensuring compliance with security standards and best practices.

Uploaded by kraovijay_29

Consolidated ISM Control Implementation Guide

1. Credential Security

Controls: ISM-1557, ISM-1597, ISM-1795


Note: the Group Policy setting for Minimum password length maxes out at 14 characters. This conflicts with ISM-1557's requirement for minimum 17-character passphrases, so the passphrase length is enforced through a fine-grained password policy (Password Settings Object) instead.

Status: Fully Implemented and Tested

ISM-1557: Enforce Passphrases (>=17 characters)

1. Open ADAC: on your domain controller, open Administrative Tools > Active Directory Administrative Center.

2. Go to the Password Settings Container: in the left panel, go to your domain → System → Password Settings Container.

3. Create a new Password Settings Object: right-click → New > Password Settings.

4. Configure the following settings:

o Name: ISM-1557-17CharPolicy (or similar)
o Precedence: 1 (lowest number = highest priority)
o Minimum password length: 17
o Password history length: 24
o Maximum password age: 60
o Minimum password age: 1
o Password must meet complexity requirements: Enabled
o Store passwords using reversible encryption: Disabled
o Apply to: add the user(s) or group(s) this policy applies to (e.g., Domain Users)

5. Click OK to apply.

ISM-1597: Obscure Credential Entry

1. GPMC → Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

2. Set: Interactive logon: Do not require CTRL+ALT+DEL = Disabled

ISM-1795: ≥30-char Passwords for Admin/Break-glass Accounts

1. Open AD Administrative Center → Password Settings Container

2. Create a Fine-Grained Password Policy:

o Name: PSO_30char_Privileged
o Min Length: 30
o Complexity: Enabled
o Password history: 24
o Max password age: 60 days
o Lockout threshold: 5
o Target users/groups: Admin and Break-glass accounts
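The two Password Settings Objects above (ISM-1557 and ISM-1795) created from PowerShell instead of ADAC, as an added example that is not part of the guide. It assumes the ActiveDirectory module on a domain controller, an assumed group named 'BreakGlass-Accounts', assumed sample users 'alice' and 'breakglass01', and it gives the general policy precedence 10 rather than the guide's 1 so that the stricter privileged policy wins for users covered by both; lockout values on the general policy are also an assumption.

```powershell
# Added example, not the guide's own procedure. Run as a Domain Admin on a DC.
Import-Module ActiveDirectory

# Attributes every PSO must carry; shared by both policies. Lockout values on
# the general policy are an assumption (the guide only gives them for ISM-1795).
$common = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 60)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}

# ISM-1557: 17-character passphrases for all domain users. Precedence 10 is an
# assumption: when a user is covered by two PSOs the one with the LOWER number
# applies, so the privileged policy below must rank ahead of this one.
New-ADFineGrainedPasswordPolicy -Name 'ISM-1557-17CharPolicy' -Precedence 10 `
    -MinPasswordLength 17 @common
Add-ADFineGrainedPasswordPolicySubject -Identity 'ISM-1557-17CharPolicy' `
    -Subjects 'Domain Users'

# ISM-1795: 30 characters for privileged and break-glass accounts.
# 'BreakGlass-Accounts' is an assumed group name.
New-ADFineGrainedPasswordPolicy -Name 'PSO_30char_Privileged' -Precedence 1 `
    -MinPasswordLength 30 @common
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO_30char_Privileged' `
    -Subjects 'Domain Admins', 'BreakGlass-Accounts'

# Validation: the resultant PSO is what the DC actually enforces for a user,
# regardless of which groups the user belongs to.
function Get-EffectiveMinLength([string[]]$Users) {
    foreach ($u in $Users) {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $u
        [pscustomobject]@{ User = $u; PSO = $pso.Name; MinLength = $pso.MinPasswordLength }
    }
}
# Assumed sample accounts: a standard user and a break-glass account.
Get-EffectiveMinLength -Users 'alice', 'breakglass01' | Format-Table -AutoSize
```

A user for whom PSO comes back empty is governed only by the Default Domain Policy, i.e. by the 14-character Group Policy limit noted above.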

2. PowerShell & Script Restrictions

Controls: ISM-1491, ISM-1621–1624, ISM-1662, ISM-0843, ISM-1544

Status: Fully Implemented and Validated

GPO Configuration Steps

1. Create a GPO: PowerShell & Script Restrictions.

2. Add a startup script DisablePowerShell.bat.

3. Set Application Identity service to Automatic.

4. Create AppLocker rules:

o Executables
o Installers
o Scripts
o DLLs (optional)

5. PowerShell Configuration:

o Script Execution: Disabled
o Enable Logging:
  - Module Logging
  - ScriptBlock Logging
  - Transcription Logging

6. Event Logging: Enable for PowerShell activities.

7. Link GPO to relevant OU and run gpupdate /force.

3. Application Control Blocking

Controls: ISM-1584, ISM-1592, ISM-1656, ISM-1659, ISM-1660, ISM-1745

Status: Fully Implemented and Validated

Steps:

1. Enable Microsoft Vulnerable Driver Blocklist:

o Registry Key: HKLM\SOFTWARE\Microsoft\Windows Defender\Features
o Value Name: VulnerableDriverBlocklistEnable, REG_DWORD = 1

2. Enable Defender Antivirus Real-Time Protection.

3. Configure AppLocker/WDAC:

o Block unsigned executables
o Allow only signed or whitelisted apps

4. Security Filtering: NT AUTHORITY\Authenticated Users

5. Enable Event ID 8004 for logging.

4. Logging & Monitoring

Controls: ISM-1623, ISM-1660, ISM-1662, ISM-1830, ISM-1831, ISM-1677, ISM-1678

Status: Implemented & Tested

ISM-1623/1662 – PowerShell Logging

1. GPMC → Windows PowerShell settings

2. Enable:

o "Turn on PowerShell Script Block Logging"
o "Turn on Transcription"

3. Monitor Event IDs 4104, 4105, 4106
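Because the events in this guide stay on each host rather than being forwarded, the monitoring step above has to be done locally. The following is an added example, not part of the guide: it raises the PowerShell operational log cap so local retention is not lost, then summarises 4104 script block events and surfaces the ones Windows itself flagged as suspicious (these are written at Warning level). The 256 MB cap and the 24-hour window are assumed values.

```powershell
# Added example, not from the guide. Run as administrator on the monitored host.
$Log = 'Microsoft-Windows-PowerShell/Operational'

# Local retention: raise the cap (assumed 256 MB; size it for your event volume
# and the ISM retention period) and show the current log settings.
wevtutil sl $Log /ms:268435456
Get-WinEvent -ListLog $Log | Select-Object LogName, LogMode, MaximumSizeInBytes, RecordCount

function Get-ScriptBlockSummary([datetime]$Since = (Get-Date).AddDays(-1)) {
    $filter = @{ LogName = $Log; Id = 4104, 4105, 4106; StartTime = $Since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # For 4104, Properties[2] holds the script block text and Properties[4] the
    # source path (empty for interactive or in-memory code).
    $blocks = @($events | Where-Object Id -eq 4104 | ForEach-Object {
        $text = ($_.Properties[2].Value -replace '\s+', ' ')
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.UserId
            Suspicious = ($_.LevelDisplayName -eq 'Warning')
            Path       = if ($_.Properties[4].Value) { $_.Properties[4].Value } else { '<interactive or in-memory>' }
            Preview    = $text.Substring(0, [Math]::Min(80, $text.Length))
        }
    })

    [pscustomobject]@{
        Since          = $Since
        TotalEvents    = $events.Count
        ScriptBlocks   = $blocks.Count
        SuspiciousHits = @($blocks | Where-Object Suspicious).Count
        ByPath         = $blocks | Group-Object Path | Sort-Object Count -Descending |
                             Select-Object Count, Name -First 10
        Suspicious     = $blocks | Where-Object Suspicious | Select-Object Time, User, Path, Preview
    }
}

$summary = Get-ScriptBlockSummary
$summary | Select-Object Since, TotalEvents, ScriptBlocks, SuspiciousHits | Format-List
$summary.ByPath | Format-Table -AutoSize
$summary.Suspicious | Format-Table -Wrap
```

Script blocks that arrive in-memory with no Path are worth a second look even when not flagged, since that is where obfuscated or downloaded code tends to land.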

ISM-1660 – Application Control Logging

1. Enable advanced audit policies:

o Object Access
o Detailed Tracking

2. Configure event forwarding to the SIEM. Since a central log collection server (WEF/SIEM) is not currently available, ISM compliance is maintained through local logging and retention.

ISM-1830/1831 – AD DS Event Logging

1. Enable auditing:

o Account Logon
o Account Management
o Directory Service Access
o Privilege Use

2. Configure Windows Event Forwarding to a central collector. Since a central log collection server (WEF/SIEM) is not currently available, ISM compliance is maintained through local logging and retention.

ISM-1677/1678 – Office Macro Logging

1. GPMC → Microsoft Office Templates → VBA Macro Settings, applied through the registry via GPO (under Group Policy).

2. Enable macro event logging (covered in the steps above).

3. Use WEF/SIEM to collect logs centrally. Since a central log collection server (WEF/SIEM) is not currently available, ISM compliance is maintained through local logging and retention.

5. Microsoft Office Macro Control

Controls: ISM-1542, ISM-1586, ISM-1671–1676, ISM-1823–1824

Status: Fully Implemented and Verified

GPO Configuration

1. Create/Edit GPO: Microsoft Office & Macro Control

2. Navigate to: Computer Configuration > Preferences > Windows Settings > Registry

3. Add registry settings:

o SettingsVisibility, SmartScreenEnabled, ExtensionsEnabled
o bDisableJavaScript, bEnableProtectMode, bDisableTrustedFolders/Documents

4. Use ADMX templates to:

o Disable macros from the internet
o Block trusted documents/folders
o Enforce macro settings

5. Apply GPO to test machines

6. Run gpupdate /force and verify registry keys

6. Windows Hardening

Controls: ISM-0380, ISM-0383, ISM-1409, ISM-1654, ISM-1655, ISM-1745

Status: Verified

Steps:

ISM-0380 – Disable Unneeded Accounts/Features

1. Delete/disable unneeded accounts from Computer Management > Local Users and Groups

2. Disable unused services (services.msc) via GPO

3. Remove unused components from Turn Windows features on or off

ISM-0383 – Change Default Credentials

1. Rename the built-in "Administrator" account

2. Enforce strong password policies (already covered above)

ISM-1409 – Vendor Hardening Baseline

1. Apply ASD & Microsoft Security Baselines using GPMC (already covered in the ISM below)

ISM-1654 – Disable Internet Explorer

1. Computer Configuration > Administrative Templates > Windows Components > Internet Explorer

2. Reboot to complete removal

ISM-1655 – Remove .NET 3.5

1. Add registry details via GPO

ISM-1745 – Secure Boot & ELAM

1. GPMC → System > Early Launch Antimalware

2. Enable:

o Early Launch Antimalware
o Secure Boot: from BIOS/UEFI only
o Trusted Boot: default behaviour
o Measured Boot via BIOS/UEFI: default behaviour
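Sections 2, 3 and 6 each end with "run gpupdate /force" but give no way to confirm the settings landed on a host. The table-driven check below is an added example, not part of the guide: each test returns $true when the control is in place, and a missing key, service or cmdlet counts as a failure. The vulnerable driver blocklist path is the one section 3 gives; the PowerShell logging keys are the standard policy keys the GPO writes to; the optional feature names for Internet Explorer and .NET 3.5 are the Windows component names, and a 64-bit client is assumed for the IE one.

```powershell
# Added example, not from the guide. Run as administrator after gpupdate /force.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Test-RegDword($Path, $Name, $Expected) {
    # -ErrorAction Stop turns a missing key or value into a caught failure below
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    return $v -eq $Expected
}

$checks = [ordered]@{
    'Application Identity service set to Automatic' = {
        (Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'").StartMode -eq 'Auto' }
    'AppLocker rules present for Exe, Msi and Script' = {
        $types = (Get-AppLockerPolicy -Effective).RuleCollections.RuleCollectionType
        -not (@('Exe', 'Msi', 'Script') | Where-Object { $_ -notin $types }) }
    'PowerShell script block logging' = {
        Test-RegDword "$PolicyRoot\ScriptBlockLogging" EnableScriptBlockLogging 1 }
    'PowerShell module logging' = {
        Test-RegDword "$PolicyRoot\ModuleLogging" EnableModuleLogging 1 }
    'PowerShell transcription' = {
        Test-RegDword "$PolicyRoot\Transcription" EnableTranscripting 1 }
    'Vulnerable driver blocklist enabled (path per section 3)' = {
        Test-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' VulnerableDriverBlocklistEnable 1 }
    'Defender real-time protection on' = {
        (Get-MpComputerStatus).RealTimeProtectionEnabled }
    'Secure Boot on (throws on legacy BIOS, which counts as FAIL)' = {
        Confirm-SecureBootUEFI }
    'Internet Explorer component removed' = {
        (Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64).State -ne 'Enabled' }
    '.NET Framework 3.5 not installed' = {
        (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State -ne 'Enabled' }
    'Built-in Administrator (RID 500) renamed' = {
        (Get-LocalUser | Where-Object { $_.SID -like '*-500' }).Name -ne 'Administrator' }
    'Remote Registry service disabled' = {
        (Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'").StartMode -eq 'Disabled' }
}

$results = foreach ($name in $checks.Keys) {
    try   { $ok = [bool](& $checks[$name]); $note = '' }
    catch { $ok = $false; $note = $_.Exception.Message }
    $status = if ($ok) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Check = $name; Result = $status; Note = $note }
}
$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }
```

The non-zero exit code lets the script double as a scheduled compliance probe whose failures can be written to the local event log until the central collector exists.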

7. Active Directory DS Hardening

Controls: ISM-1827–1846

Status: Implemented and Validated (already covered in the Credential Security ISM)

Steps:

1. Open GPMC → Create GPO AD DS Hardening (1827–1846)

2. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings

3. Apply:

o Password Policy: Min 14 chars, history = 24
o User Rights Assignment: Deny logon locally/over RDP for AD admins
o System Services: Disable Remote Registry, Telnet
o Audit Policies: Logon, Policy Change, Directory Service Access
o Sensitive Objects: Protect using ACLs and AdminSDHolder

4. Link GPO to Domain Controllers OU

5. Run gpupdate /force

6. Validate using RSOP or gpresult /h report.html

End of Document
