Friday, November 27, 2020

How I manage my device from Endpoint Manager - taste your own medicine - Part 1 of 4

Introduction

Glück & Kanja Consulting AG | Cloud Security Operations Center

Do you like managing devices? Do you like to keep them safe? Then read along in this blog post.

In our company we use Microsoft Defender for Endpoint (aka MDATP) to protect our devices at a deeper level. If you work with Microsoft technology and you can manage your devices over the internet, MDATP is definitely something you should look at. As I work mostly with devices, security has also been a major thing to take into consideration, especially since we all started to work from home and our internet traffic no longer goes through a company firewall and/or proxy.

In this blog post I will go through the security recommendations that MDATP suggested for my own device and show, one by one, how each is implemented in Endpoint Manager, because we should know both what the recommendations are and how they are configured.

I started off with 57 security recommendations, and this is my way towards 0 (or close to 0).

Prerequisites

- Microsoft Defender Advanced Threat Protection license – for more information read here

- Microsoft Endpoint Manager

Table of contents

Security Recommendation 1 Update Git
Security Recommendation 2 Update Microsoft Visual Studio Code
Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’
Security Recommendation 4 Disable ‘Allow running plugins that are outdated’
Security Recommendation 5 Disable ‘Continue running background apps when Google Chrome is closed’
Security Recommendation 6 Enable EDR in block mode
Security Recommendation 7 Set controlled folder access to enabled or audit mode
Security Recommendation 8 Enable Local Security Authority (LSA) protection
Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests
Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content

Let’s make my device more secure

Fire up your Microsoft Edge browser (if you do not have it installed, now is the time).

Go to https://securitycenter.microsoft.com/

Choose Device inventory; you will see a list of devices.

Currently, my device is at Risk level: Low and Exposure Level: Low. That is pretty good, but it could be better!

Security Recommendation 1 Update Git

Click on Update Git

If we search Bing for it, we land on this page: CVE - CVE-2020-27955 (mitre.org)

It says this particular CVE allows remote code execution. We do not like that! Let’s send a request to our desktop team to update the app (“Update Git”) and patch our device.

Unfortunately, the packager in our company is myself, so I will do this manually as we only have 10 devices to manage.

Go through the installation GUI. Done. 1 down, 56 more to go!

Security Recommendation 2 Update Microsoft Visual Studio Code

Next on the list is Microsoft Visual Studio Code

This one had 2 CVE reports, which indicates it is serious and needs to be updated.

Let’s see how we can create a ticket and send it to the Endpoint Manager team.

Open full recommendation

Remediation Options

On this page we add the information that needs to go to the endpoint management team. Then press Submit.

Head over to https://endpoint.microsoft.com/

Go to Endpoint security -> Security tasks

As you can see, my ticket was created and the desktop team is now notified to package this update and deploy it.

It even gives you the steps to go through. It could not be easier for the team to give me that update.

Security Recommendation 3 Enable ‘Hide Option to Enable or Disable Updates’

MDATP tells us what to do. Option 1 is the legacy route using GPO, option 2 is modern management, and option 3 is creating a script. Nice to have options!

We will go for option 2 and create a policy that applies this recommendation.

Go to Admin center https://endpoint.microsoft.com/

Devices -> Configuration profiles -> Create Profile

Press create

Keep some nice naming standard

Next

Search for “hide option to”

Set it to Enabled

Skip scope tags unless you have custom tags for RBAC.

I have created a special group for my “High Security devices”; assign the policy to this group.

Security Recommendation 4 and 5 Disable ‘Allow running plugins that are outdated’/ Disable ‘Continue running background apps when Google Chrome is closed’

These are recommendations for Google Chrome, but as I have moved to Edge and copied all my stuff over from Chrome, I would rather just uninstall Chrome instead of having yet another browser to patch.

Another approach would be to ingest admx-file. I am not going to cover that in this post.

Security Recommendation 6 Enable EDR in block mode

To enable endpoint detection and response in block mode there are 2 steps: one setting is enabled in the ATP portal and the other in Endpoint Manager.

Read more about EDR here: Endpoint detection and response in block mode - Windows security | Microsoft Docs

Go to https://securitycenter.microsoft.com/ -> Settings -> Advanced features

Enable EDR in block mode

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Antivirus

Create a policy and set up cloud-delivered protection.

Assign it to your device group and create it.

Security Recommendation 7 Set controlled folder access to enabled or audit mode

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Set Enable folder protection to “Block disk modification”. (In a production environment you might want to start with “Audit disk modification” to gather the events that would have been triggered and denied, because blocking can break stuff.)

Assign it to your device and save it
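As an added example (not the configuration from the original post), here is how the audit-first approach above looks when done locally on one test device with the Defender cmdlets: controlled folder access is switched to audit mode, and the audit events are listed so you can see which processes would have been blocked before the policy is flipped to block. The protected folder and the allowed application paths are constructed sample values.

```powershell
# Added example; not the configuration from the original post.
# Turns on controlled folder access locally in audit mode and lists the events
# that audit mode records, so the allow list can be tuned before switching to Block.
# Run in an elevated PowerShell session on a Windows 10 device with Defender Antivirus.

function Enable-CfaAuditMode {
    # AuditMode only records what would have been blocked; Enabled actually blocks it.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Constructed sample values: protect one extra folder and allow one trusted app.
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Projects'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Git\cmd\git.exe'
}

function Get-CfaMode {
    # Get-MpPreference reports the setting as a number: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
    switch ((Get-MpPreference).EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Unknown' }
    }
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # Defender writes event 1124 for audited (would have been blocked) and 1123 for blocked actions.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Process and target path are only available in the message text; the regexes are
        # tolerant of the exact wording and yield an empty string if the format differs.
        $process = if ($_.Message -match 'Process Name:\s*(?<p>\S.*)') { $Matches.p.Trim() } else { '' }
        $path    = if ($_.Message -match 'Path:\s*(?<t>\S.*)')         { $Matches.t.Trim() } else { '' }
        $mode    = if ($_.Id -eq 1124) { 'Audit' } else { 'Block' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $mode
            Process = $process
            Path    = $path
        }
    }
}

Enable-CfaAuditMode
"Controlled folder access mode: $(Get-CfaMode)"

# Let the device run for a while, then group the audit events by process to see
# which applications need an allow entry before blocking is turned on.
Get-CfaEvents | Group-Object Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# When the allow list is complete, switch to blocking (the Endpoint Manager policy does the same thing):
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

On a device that already receives the Endpoint Manager policy, the policy value takes precedence over a local `Set-MpPreference` change, so use this on a test device, or just use the `Get-CfaMode` and `Get-CfaEvents` parts to verify what the policy did.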

Security Recommendation 8 Enable Local Security Authority (LSA) protection

This setting currently has (to my knowledge) no UI in Endpoint Manager yet.

Therefore we have to create a PowerShell script that adds the registry value mentioned in the recommendation.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done
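The script in the screenshot is not reproduced on this page, so here is an added example of what an Endpoint Manager PowerShell script for this recommendation can look like (my example, not the post's own script). LSA protection is controlled by the `RunAsPPL` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and it only takes effect after a reboot; the script sets the value, reads it back, and checks for the WinInit boot event that confirms lsass actually started protected. The provider-name match on `*Wininit*` is an assumption about how that source appears in the System log; the script runs in the SYSTEM context as Endpoint Manager does by default.

```powershell
# Added example; not the script from the original post.
# Enables LSA protection (RunAsPPL) and reports whether it is already in effect.
# Intended for deployment as an Endpoint Manager PowerShell script (runs as SYSTEM).

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RunAsPPL'

function Set-LsaProtection {
    # Creates or updates RunAsPPL = 1 (REG_DWORD). The change applies at the next reboot.
    if (-not (Test-Path $LsaKey)) {
        New-Item -Path $LsaKey -Force | Out-Null
    }
    New-ItemProperty -Path $LsaKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-LsaProtectionState {
    # Configured value as it is in the registry right now.
    $configured = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    # At boot, WinInit logs event 12 in the System log when lsass.exe starts as a
    # protected process. Assumption: the provider name contains "Wininit".
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -match 'protected process' } |
        Select-Object -First 1

    [pscustomobject]@{
        RunAsPPL        = $configured
        ProtectedAtBoot = [bool]$bootEvent
        RebootPending   = ($configured -eq 1 -and -not $bootEvent)
    }
}

try {
    Set-LsaProtection
    $state = Get-LsaProtectionState
    # This line ends up in the script's output in the Endpoint Manager portal.
    Write-Output ("RunAsPPL={0} ProtectedAtBoot={1} RebootPending={2}" -f `
        $state.RunAsPPL, $state.ProtectedAtBoot, $state.RebootPending)
    exit 0   # reported as succeeded
}
catch {
    Write-Error $_
    exit 1   # reported as failed
}
```

Keep the value at 1 as in the recommendation; the UEFI-locked variant of this setting cannot be undone by simply removing the registry value, so it is not something to roll out by script without planning.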

Security Recommendation 9 Set User Account Control (UAC) to automatically deny elevation requests

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Edit W10-Security-EndpointProtection-Enabled-Device that we created earlier.

Go to the Local device security options

User account control

Review+save.

Security Recommendation 10 Block JavaScript or VBScript from launching downloaded executable content

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign it to your device and save it
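The attack surface reduction policy above sets a single ASR rule by its documented GUID. As an added example (not from the original post), here is the same rule configured locally on a test device with the Defender cmdlets, first in audit mode, together with a function that reads back which mode is actually in effect; this is useful for checking what the Endpoint Manager policy delivered. The function names are my own.

```powershell
# Added example; not the policy from the original post.
# Configures the ASR rule "Block JavaScript or VBScript from launching downloaded
# executable content" locally, audit mode first, and reports what is in effect.
# Run in an elevated PowerShell session on a Windows 10 device with Defender Antivirus.

# Documented rule GUID for this ASR rule.
$RuleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'

function Set-JsVbsDownloadRule {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode)
    # Add-MpPreference changes only this rule and leaves the other ASR rules untouched.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-JsVbsDownloadRuleMode {
    # Get-MpPreference returns two parallel arrays: the rule IDs and their numeric actions.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ($acts[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown ($($acts[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

Set-JsVbsDownloadRule -Mode AuditMode
"Rule $RuleId is now: $(Get-JsVbsDownloadRuleMode)"

# Audit hits for ASR rules are logged as event 1122 (blocks as 1121) in
# Microsoft-Windows-Windows Defender/Operational. Once nothing legitimate shows up there:
# Set-JsVbsDownloadRule -Mode Enabled
```

As with controlled folder access, a rule managed by the Endpoint Manager policy overrides the local setting, so on a managed device the reporting function is the useful part: run it after the policy has applied and confirm it returns `Block`.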

To see the next 10 security recommendations go to part 2:

How I manage my device from Endpoint Manager - taste your own medicine - Part 2 of 4
