Introduction
Do you like managing devices? Do you like to keep them safe? Then read along in this blog post.
In our company we use Microsoft Defender for Endpoint (aka MDATP) to protect our devices at a deeper level. If you work with Microsoft technology and you can use internet management, MDATP is definitely something you should look at. As I am working mostly with devices, security has also been a major thing to take into consideration, especially since we all started working from home and our internet traffic no longer goes through a company firewall and/or proxy.
In this blog post I will go through the security recommendations that MDATP suggested on my own device and show you, one by one, how each is implemented in Endpoint Manager, as we should know what the recommendations are and how they are set.
I started off with 57 security recommendations and this is my way towards 0 (or close to 0).
Prerequisites
– Microsoft Defender Advanced Threat Protection license – for more information read here
– Microsoft Endpoint Manager
Table of content
Security Recommendation 1 Update Git
Security Recommendation 2 Update Microsoft Visual Studio Code
Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’
Security Recommendation 4 Disable ‘Allow running plugins that are outdated’
Security Recommendation 5 Disable ‘Continue running background apps when Google Chrome is closed’
Security Recommendation 6 Enable EDR in block mode
Security Recommendation 7 Set controlled folder access to enabled or audit mode
Security Recommendation 8 Enable Local Security Authority (LSA) protection
Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests
Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content
Let’s make my device more secure
Fire up your Microsoft Edge browser (if you do not have that installed, now is the time).
Go to https://securitycenter.microsoft.com/
Choose Device inventory; you will see a list of devices.
Currently, my device is at Risk level: Low and Exposure Level: Low. That is pretty good, but it could be better!
Security Recommendation 1 Update Git
Click on Update Git
If we Bing it, we get this page: CVE – CVE-2020-27955 (mitre.org)
It says this particular CVE allows Remote Code Execution. We do not like that! Let’s send a request to our desktop team to update the app “Update GIT” and patch our device.
Unfortunately, the packager in our company is myself, so I will do this manually as we only have 10 devices to manage.
Go through the installation GUI. Done. 1 down 56 more to go!
Security Recommendation 2 Update Microsoft Visual Studio Code
Next on the list is Microsoft Visual Studio Code.
This one has 2 CVE reports, which indicates it is serious and needs to be updated.
Let’s see how we can create a ticket and send it to the Endpoint Manager team.
Open full recommendation
Remediation Options
On this page we add the info that needs to go to the endpoint management team. Let’s press Submit on this form.
Head over to https://endpoint.microsoft.com/
Go to Endpoint security -> Security tasks
As you can see my ticket was created and the desktop team is now notified to create this update and deploy it.
It even gives you the steps to go through. It could not be easier for the team to give me that update.
Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’
MDATP tells us what to do. Option 1 is the legacy way using GPO, option 2 is modern management and option 3 is creating a script. Nice to have options!
We will head for option 2 and create a policy to implement this recommendation.
Go to Admin center https://endpoint.microsoft.com/
Devices -> Configuration profiles -> Create Profile
Press create
Keep to a sensible naming standard.
Next
Search for “hide option to”
Set it to Enabled
Skip scope tags unless you have custom tags for RBAC.
I have created a special group for my “High Security devices”; assign the policy to this group.
Security Recommendation 4 and 5 Disable ‘Allow running plugins that are outdated’/ Disable ‘Continue running background apps when Google Chrome is closed’
These are recommendations for Google Chrome, but as I have moved to Edge and copied all my stuff from Chrome to Edge, I would rather just uninstall Chrome instead of having yet another browser to patch.
Another approach would be to ingest the ADMX file. I am not going to cover that in this post.
Security Recommendation 6 Enable EDR in block mode
Enabling EDR in block mode takes 2 steps: one is enabled in our ATP portal and the other in Endpoint Manager.
Read more about EDR here: Endpoint detection and response in block mode – Windows security | Microsoft Docs
Go to https://securitycenter.microsoft.com/ -> Settings -> Advanced features
Enable EDR in block mode
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Antivirus
Create a policy and set up cloud-delivered protection.
Assign it to your device group and create it.
Security Recommendation 7 Set controlled folder access to enabled or audit mode
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction
Give it a friendly name
Set Enable folder protection to “Block disk modification”. (In a production environment you might want to start with audit disk modification, to gather events for what was or would have been triggered and denied access before you enforce it. Controlled folder access can break stuff.)
Assign it to your device and save it
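Before flipping the policy above from audit to block, it helps to see what controlled folder access has already audited or blocked on a device. The script below is an added example, not part of the original post: it reads the current mode from Get-MpPreference and lists recent controlled folder access events (IDs 1123 and 1124 in the Defender operational log); the loose parsing of the event message text is my assumption and may need adjusting for your build.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell window.
# EnableControlledFolderAccess: 0 = Disabled, 1 = Block, 2 = Audit,
# 3 = Block disk modification only, 4 = Audit disk modification only.
$modeNames = @{
    0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'
    3 = 'Block disk modification'; 4 = 'Audit disk modification'
}
$mode = [int](Get-MpPreference).EnableControlledFolderAccess
Write-Output "Controlled folder access mode: $($modeNames[$mode]) ($mode)"

# Defender operational log: 1123 = blocked by CFA, 1124 = audited (would have been blocked).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No controlled folder access events in the last 7 days.'
    return
}

# Pull the process name out of the message text (assumption: the message contains a
# "Process Name:" line; if your build differs, inspect $_.Message directly).
$summary = $events | ForEach-Object {
    $proc = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Name' } |
             Select-Object -First 1) -replace '^.*?:\s*', ''
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Process = $proc
    }
}

# Group by process so you can see which apps would need an exclusion (or a fix) before enforcing.
$summary | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A process that shows up with many audited events is the one that will break once the mode is set to block, so review those before you change the policy.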
Security Recommendation 8 Enable Local Security Authority (LSA) protection
This setting currently (to my knowledge) has no UI in Endpoint Manager yet.
Therefore, we have to create a PowerShell script that adds the registry key mentioned in the recommendation.
Save the script
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts
Add
Give it a friendly name
Add to a security group
Add –> done
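The script below is an added example of what that PowerShell script could look like; it is not the script from the original post. It assumes the registry value the recommendation refers to is RunAsPPL (DWORD) = 1 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa, which is the documented way to run LSASS as a protected process, and it reads the value back so the script only reports success when the write actually landed.

```powershell
# Added example (not the original post's script): enable LSA protection via an
# Intune PowerShell script. Idempotent: only writes when the value is missing or wrong.
# Assumption: RunAsPPL = 1 under the Lsa key is the value the recommendation means.
# Takes effect after a reboot.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'RunAsPPL'
$desired   = 1

try {
    $current = (Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction Stop).$valueName
} catch {
    $current = $null   # value does not exist yet
}

if ($current -eq $desired) {
    Write-Output "LSA protection already enabled ($valueName = $current)."
    exit 0
}

# Create or overwrite the value as REG_DWORD.
New-ItemProperty -Path $lsaKey -Name $valueName -Value $desired -PropertyType DWord -Force | Out-Null

# Read back to confirm before reporting success to Intune (non-zero exit = script failed).
$verify = (Get-ItemProperty -Path $lsaKey -Name $valueName).$valueName
if ($verify -eq $desired) {
    Write-Output "LSA protection set ($valueName = $verify). Reboot required to take effect."
    exit 0
}
Write-Error "Failed to set $valueName (read back: $verify)."
exit 1
```

When you add the script in Endpoint Manager, leave “Run this script using the logged on credentials” set to No (it must write HKLM as SYSTEM) and set “Run script in 64 bit PowerShell Host” to Yes.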
Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests
Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles
Edit W10-Security-EndpointProtection-Enabled-Device that we created earlier.
Go to the Local device security options
User account control
Review+save.
Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content
Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction
Give it a friendly name
Assign it to your device and save it
To see the next 10 security recommendations go to part 2:
How I manage my device from Endpoint Manager – taste your own medicine – Part 2 of 4
Mattias Melkersen is a community driven and passionate modern workplace consultant with 20 years’ experience in automating software, driving adoption and technology change within the Enterprise. He lives in Denmark and works at Mindcore.
He is an Enterprise Mobility Intune MVP, Official Contributor in a LinkedIn group with 41.000 members and Microsoft 365 Enterprise Administrator Expert.
Mattias blogs, gives interviews and creates YouTube content on the channel "MSEndpointMgr", where he creates helpful content in the MEM area and interviews MVPs who showcase a certain technology or topic.
Official Contributor here "Modern Endpoint Management":
https://www.linkedin.com/groups/8761296/