Search This Blog

Friday, December 18, 2020

How I manage my device from Endpoint Manager - taste your own medicine - Part 4 of 4

Introduction

Glück & Kanja Consulting AG | Cloud Security Operations Center

This blog post is part of a series. If you did not see the first blogpost of the series, you should go through that first.

How I manage my device from Endpoint Manager - taste your own medicine - Part 1 of 4

How I manage my device from Endpoint Manager - taste your own medicine - Part 2 of 4

How I manage my device from Endpoint Manager - taste your own medicine - Part 3 of 4

In this blog post I will go through the security recommendations that MDATP suggested on my own device and will show you how this is implemented in Endpoint manager one by one, as we should know what the recommendations are and how to set them.

I started off with 57 security recommendations and this is my way towards 0 (or close to 0 )

 

Prerequisites

- Microsoft Defender Advanced Threat Protection license – for more information read here

- Microsoft Endpoint Manager

 

Table of content

Security Recommendation 31 Enable Network Protection

Security Recommendation 32 Disable Solicited Remote Assistance

Security Recommendation 33 Disable IP source routing

Security Recommendation 34 Set IPv6 source routing to highest protection

Security Recommendation 35 Set default behavior for AutoRun to not execute any autorun commands

Security Recommendation 36 Disable Configure Offer Remote Assistance

Security Recommendation 37 Turn on Microsoft Defender Credential Guard

Security Recommendation 38 Enable Microsoft network client: Digitally sign communications (always)

Security Recommendation 39 Disable the local storage of password and credentials

Security Recommendation 40 Disable Anonymous enumeration of shares

Security Recommendation 41 Disable JavaScript on Adobe Reader DC

Security Recommendation 42 Disable Flash on Adobe Reader DC

Security Recommendation 43 Disable Installation and configuration of Network Bridge on your DNS domain network

Security Recommendation 44 Disable Always install with elevated privileges

Security Recommendation 45 Enable Local Admin password

Security Recommendation 46 Set LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM

 

Let’s make my device more secure

Fire up your Microsoft edge browser (if you do not have that installed, now is the time)

Go to https://securitycenter.microsoft.com/

Choose Device inventory, select your device and see Security Recommendations for your device.

 

Security Recommendation 31 Enable Network Protection

clip_image002

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

clip_image004

clip_image006

Give it a friendly name

clip_image008

Assign to your device and create the policy.

 

Security Recommendation 32 Disable Solicited Remote Assistance

clip_image010

Covid 19 has sneaked into this one! If you disable this one you will not be able to use remote assistance, so if that is the current used solution, this option should not be added to your security baseline.

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image012

clip_image014

clip_image016

clip_image018

Disabled

Assign it to your device and save it.

 

Security Recommendation 33 Disable IP source routing

clip_image020

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image021

clip_image022

clip_image024

clip_image026

Enabled

Assign it to your device and save it.

 

Security Recommendation 34 Set IPv6 source routing to highest protection

clip_image028

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image029

clip_image022[1]

clip_image031

clip_image033

Enabled

Assign it to your device and save it.

 

Security Recommendation 35 Set default behavior for AutoRun to not execute any autorun commands

clip_image035

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image029[1]

clip_image036

clip_image038

clip_image040

Enabled

Assign it to your device and save it.

 

Security Recommendation 36 Disable Configure Offer Remote Assistance

clip_image042

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image043

clip_image044

clip_image046

clip_image048

Disabled

Assign it to your device and save it.

 

Security Recommendation 37 Turn on Microsoft Defender Credential Guard

clip_image050

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Account protection

Create Policy

clip_image052

clip_image054

Give it a friendly name

clip_image056

Assign it to your device and save it.

 

Security Recommendation 38 Enable Microsoft network client: Digitally sign communications (always)

clip_image058

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image060

clip_image062

clip_image064

Enabled

Assign it to your device and save it.

 

Security Recommendation 39 Disable the local storage of password and credentials

clip_image066

This setting has currently (to my knowledge) no UI yet.

Therefore, we are forced to create a PowerShell script to add the registry key mentioned.

clip_image068

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

clip_image070

Give it a friendly name

clip_image072

clip_image074

Add to a security group

Add –> done

 

Security Recommendation 40 Disable Anonymous enumeration of shares

clip_image076

This setting has currently (to my knowledge) no UI yet.

Therefore, we are forced to create a PowerShell script to add the registry key mentioned.

clip_image078

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

clip_image079

Give it a friendly name

clip_image080

clip_image081

Add to a security group

Add –> done

 

Security Recommendation 41 Disable JavaScript on Adobe Reader DC

clip_image083

This setting should go into the Acrobat Reader package deployment. But in this example, we will just add it to our baseline security script.

clip_image085

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

clip_image086

Give it a friendly name

clip_image087

clip_image081[1]

Add to a security group

Add –> done

 

Security Recommendation 42 Disable Flash on Adobe Reader DC

clip_image089

This setting should go into the Acrobat Reader package deployment. But in this example, we will just add it to our baseline security script.

clip_image091

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

clip_image086[1]

Give it a friendly name

clip_image092

clip_image093

Add to a security group

Add –> done

 

Security Recommendation 43 Disable Installation and configuration of Network Bridge on your DNS domain network

clip_image095

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image096

clip_image097

clip_image099

clip_image101

Enabled

Assign it to your device and save it.

 

Security Recommendation 44 Disable Always install with elevated privileges

clip_image103

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

clip_image105

clip_image107

clip_image109

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges

 

Security Recommendation 45 Enable Local Admin password

clip_image111

My device does not have a local admin enabled, so this recommendation does not apply to my device

clip_image113

clip_image115

clip_image117

I reported inaccuracy as I believe the recommendation should be cleverer.

clip_image119

clip_image121¨

clip_image123

I accept the risk as we do not use local administrators here. That are most likely not the case in a larger corporate company, and you should always make sure your local admin is safe.

 

Security Recommendation 46 Set LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM

clip_image125

To my knowledge there are currently no setting for this.

clip_image127

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

clip_image128

Give it a friendly name

clip_image087[1]

clip_image093[1]

Add to a security group

Add -> done

 

Summary

MDATP is highly recommended to gain more insight of how your security score

And with these settings put onto my device I only have 9 security recommendation left out of 57.

Happy implementation!

No comments:

Post a Comment