Thursday, December 3, 2020

How I manage my device from Endpoint Manager - taste your own medicine - Part 2 of 4

Introduction

Glück & Kanja Consulting AG | Cloud Security Operations Center

This blog post is part of a series. If you did not see the How I manage my device from Endpoint Manager - taste your own medicine - Part 1 of 4, you should go through that first.

In this blog post I will go through the security recommendations that MDATP suggested for my own device and show you, one by one, how each of them is implemented in Endpoint Manager, because we should know what the recommendations are and how to set them.

I started off with 57 security recommendations, and this is my way towards 0 (or close to 0).

 

Prerequisites

- Microsoft Defender Advanced Threat Protection license – for more information read here

- Microsoft Endpoint Manager

 

Table of contents

Security Recommendation 11 Block execution of potentially obfuscated scripts

Security Recommendation 12 Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Security Recommendation 13 Block process creations originating from PSExec and WMI commands

Security Recommendation 14 Block persistence through WMI event subscription

Security Recommendation 15 Set Interactive logon: Machine inactivity limit to 1-900 seconds

Security Recommendation 16 Disable Enumerate administrator accounts on elevation

Security Recommendation 17 Set Minimum password length to 14 or more characters

Security Recommendation 18 Set Enforce password history to 24 or more password(s)

Security Recommendation 19 Set Minimum password age to 1 or more day(s)

Security Recommendation 20 Disable Microsoft Defender Firewall notifications when programs are blocked for Domain profile

 

Let’s make my device more secure

Fire up your Microsoft Edge browser (if you do not have it installed, now is the time).

Go to https://securitycenter.microsoft.com/

Choose Device inventory, select your device and open the Security recommendations for that device.

 

Security Recommendation 11 Block execution of potentially obfuscated scripts

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign it to your device and save it

 

Security Recommendation 12 Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign it to your device and save it

 

Security Recommendation 13 Block process creations originating from PSExec and WMI commands

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign it to your device and save it

 

Security Recommendation 14 Block persistence through WMI event subscription

At the time of writing this rule is not yet available in the Attack surface reduction policy UI of Endpoint Manager.

It will be released very soon.

Use attack surface reduction rules to prevent malware infection - Windows security | Microsoft Docs

We will instead use OMA-URI to set this one.

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Friendly naming

If you have already configured ASR rules, they must not be overwritten: the OMA-URI value replaces the complete rule list, so every existing rule has to be included in it. Go to the registry on a device where ASR is fully configured, open

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASRRules and copy the content of that policy value.

Copy the value and paste it into Notepad.

On this page you can find the GUID of the rule “Block persistence through WMI event subscription”:

Use attack surface reduction rules to prevent malware infection - Windows security | Microsoft Docs

In my case I added this parameter

And the whole text goes into the value field of our OMA-URI

OMA-URI: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules

Value:

01443614-cd74-433a-b99e-2ecdc07bfc25=1|26190899-1602-49e8-8b27-eb1d0a1ce869=1|3b576869-a4ec-4529-8536-b80a7769e899=1|5beb7efe-fd9a-4556-801d-275e5ffc04cc=1|75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84=1|7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c=1|92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b=1|9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2=1|b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4=1|be9ba2d9-53ea-4cdc-84e5-9b1eeee46550=1|c1db55ab-c21a-4637-bb3f-a12568109d35=1|d1e49aac-8f56-4280-b9ba-993a6d77406c=1|d3e037e1-3eb8-44c8-a917-57927947596d=1|d4f940ab-401b-4efc-aadc-ad5f3c50688a=1|e6db77e5-3df2-4cf1-b95a-636979351e5b=1

DON’T forget to unassign your other Endpoint Security ASR rules policy, otherwise the two policies will fight over the same setting.

Save and assign to your device.
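Because the OMA-URI value is the complete `guid=mode|guid=mode|...` list, it is easy to drop an existing rule when you hand-edit it in Notepad. The following PowerShell is an added example (not code from the original post): it reads the ASRRules value that the policy CSP wrote on the device, lists each rule with its mode, and merges the WMI persistence rule in without touching the rules that are already there. The GUID-to-name table is my assumption taken from the Microsoft Docs page linked above; the four GUIDs themselves are the ones used in this post.

```powershell
# Rule GUIDs this post works with; the names are my assumption, taken from the Microsoft Docs page linked above.
$AsrRuleNames = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$AsrModes = @{ '0' = 'Off'; '1' = 'Block'; '2' = 'Audit' }   # mode values used in the guid=mode string

function ConvertFrom-AsrRuleString {
    # "guid=mode|guid=mode|..." -> ordered dictionary of guid -> mode (empty input gives an empty dictionary)
    param([string]$RuleString)
    $rules = [ordered]@{}
    foreach ($pair in ($RuleString -split '\|' | Where-Object { $_ -match '=' })) {
        $guid, $mode = $pair -split '=', 2
        $rules[$guid.Trim().ToLower()] = $mode.Trim()
    }
    return $rules
}

function ConvertTo-AsrRuleString {
    param($Rules)
    return ($Rules.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '|'
}

function Add-AsrRuleToString {
    # Merge one rule into the list; an existing entry for that GUID is kept unless -Force is given.
    param([string]$RuleString, [string]$Guid, [string]$Mode = '1', [switch]$Force)
    $rules = ConvertFrom-AsrRuleString $RuleString
    if ($Force -or -not $rules.Contains($Guid.ToLower())) { $rules[$Guid.ToLower()] = $Mode }
    return ConvertTo-AsrRuleString $rules
}

# Read what the policy CSP wrote on this device (empty string if no ASR policy has applied yet).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager'
$current = [string](Get-ItemProperty -Path $policyKey -Name ASRRules -ErrorAction SilentlyContinue).ASRRules
$wmiPersistence = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'

foreach ($entry in (ConvertFrom-AsrRuleString $current).GetEnumerator()) {
    $name = if ($AsrRuleNames[$entry.Key]) { $AsrRuleNames[$entry.Key] } else { '(not in lookup table)' }
    $mode = if ($AsrModes[$entry.Value]) { $AsrModes[$entry.Value] } else { "mode $($entry.Value)" }
    '{0}  {1,-6} {2}' -f $entry.Key, $mode, $name
}

"`nValue for ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules:"
Add-AsrRuleToString -RuleString $current -Guid $wmiPersistence -Mode '1'
```

Run it on the device that already has the Endpoint Security ASR policy applied; the last line is the text to paste into the OMA-URI value field.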

 

Security Recommendation 15 Set Interactive logon: Machine inactivity limit to 1-900 seconds

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Edit W10-Security-EndpointProtection-Enabled-Device that we created earlier.

My device will lock automatically after 5 minutes. This could be much more aggressive, but I always lock my device when leaving it unattended, because you never know when my kids will try to get access to play Roblox.

 

Security Recommendation 16 Disable Enumerate administrator accounts on elevation

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Search for Enumerate administrator accounts on elevation

Set it to Disabled.

Assign it to your device and save it.

 

Security Recommendation 17 Set Minimum password length to 14 or more characters

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Assign it to your device and save it.

(You should use Windows Hello for Business and get rid of the need to type your password at all.)

This is what your registry should look like.

 

Security Recommendation 18 Set Enforce password history to 24 or more password(s)

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Edit Profile W10-ConfigProfiles-DeviceRestrictions-Enable

Save it.

This particular setting did not make the security recommendation disappear from MDATP, so I ended up creating an OMA-URI setting instead.

This is what your registry should look like.

 

Security Recommendation 19 Set Minimum password age to 1 or more day(s)

To my knowledge this is not a setting you can add through the GUI, so we will use OMA-URI to set this one.

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Friendly naming

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinimumPasswordAge

Value: 1

Save and assign to your device.

This is what your registry should look like.

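Recommendations 15 to 19 are only closed once the values actually land on the device, and the registry screenshots above are the manual way to confirm that. As an added example (not part of the original post), this PowerShell checks the same five settings locally against the thresholds the recommendations name: the password values come from a secedit export of the effective local account policy, and the inactivity limit and administrator enumeration are read from the registry locations those two policies write to (those two paths are my assumption; the post does not state them). Run it elevated.

```powershell
function Get-LocalPasswordPolicy {
    # secedit writes "[System Access]" as "Key = Value" lines; pick the three keys we need.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(MinimumPasswordAge|MinimumPasswordLength|PasswordHistorySize)\s*=\s*(\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $policy
}

function Get-RegistryDword {
    # Returns $null when the value (or key) does not exist, i.e. the policy never applied.
    param([string]$Path, [string]$Name)
    $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) { return $null }
    return [int]$value
}

$pw = Get-LocalPasswordPolicy
# Registry locations these two policies write to (my assumption, not stated in the post).
$inactivity = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$enumAdmins = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI' 'EnumerateAdministrators'

# Thresholds are the ones named in recommendations 15-19; an unset value counts as a failure.
$checks = @(
    @{ Rec = 15; Name = 'Machine inactivity limit (seconds)';    Actual = $inactivity;               Pass = ($null -ne $inactivity -and $inactivity -ge 1 -and $inactivity -le 900) }
    @{ Rec = 16; Name = 'Enumerate administrators on elevation'; Actual = $enumAdmins;               Pass = ($enumAdmins -eq 0) }
    @{ Rec = 17; Name = 'Minimum password length';               Actual = $pw.MinimumPasswordLength; Pass = ($pw.MinimumPasswordLength -ge 14) }
    @{ Rec = 18; Name = 'Enforce password history';              Actual = $pw.PasswordHistorySize;   Pass = ($pw.PasswordHistorySize -ge 24) }
    @{ Rec = 19; Name = 'Minimum password age (days)';           Actual = $pw.MinimumPasswordAge;    Pass = ($pw.MinimumPasswordAge -ge 1) }
)

foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    $actual = if ($null -eq $c.Actual) { 'not set' } else { $c.Actual }
    'Rec {0}  {1}  {2,-40} actual: {3}' -f $c.Rec, $status, $c.Name, $actual
}
```

A FAIL with "not set" means the policy has not reached the device yet, which is worth checking before assuming MDATP is slow to update the recommendation.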

 

Security Recommendation 20 Disable Microsoft Defender Firewall notifications when programs are blocked for Domain profile

This one is more of an end-user experience item than a security concern, but it is nice to have.

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Firewall

Give it a friendly name

Turn on firewall for domain networks and disable inbound notifications

Assign to your device and create the policy.

 

To see the next 10 security recommendations go to part 3:

How I manage my device from Endpoint Manager - taste your own medicine - Part 3 of 4
