How I manage my device from Endpoint Manager – taste your own medicine – Part 4 of 4

Introduction

This blog post is part of a series. If you did not see the first blogpost of the series, you should go through that first.

How I manage my device from Endpoint Manager – taste your own medicine – Part 1 of 4

How I manage my device from Endpoint Manager – taste your own medicine – Part 2 of 4

How I manage my device from Endpoint Manager – taste your own medicine – Part 3 of 4

In this blog post I will go through the security recommendations that MDATP suggested on my own device and will show you how this is implemented in Endpoint manager one by one, as we should know what the recommendations are and how to set them.

I started off with 57 security recommendations and this is my way towards 0 (or close to 0 )

 

Prerequisites

– Microsoft Defender Advanced Threat Protection license – for more information read here

– Microsoft Endpoint Manager

 

Table of content

Security Recommendation 31 Enable Network Protection

Security Recommendation 32 Disable Solicited Remote Assistance

Security Recommendation 33 Disable IP source routing

Security Recommendation 34 Set IPv6 source routing to highest protection

Security Recommendation 35 Set default behavior for AutoRun to not execute any autorun commands

Security Recommendation 36 Disable Configure Offer Remote Assistance

Security Recommendation 37 Turn on Microsoft Defender Credential Guard

Security Recommendation 38 Enable Microsoft network client: Digitally sign communications (always)

Security Recommendation 39 Disable the local storage of password and credentials

Security Recommendation 40 Disable Anonymous enumeration of shares

Security Recommendation 41 Disable JavaScript on Adobe Reader DC

Security Recommendation 42 Disable Flash on Adobe Reader DC

Security Recommendation 43 Disable Installation and configuration of Network Bridge on your DNS domain network

Security Recommendation 44 Disable Always install with elevated privileges

Security Recommendation 45 Enable Local Admin password

Security Recommendation 46 Set LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM

 

Let’s make my device more secure

Fire up your Microsoft edge browser (if you do not have that installed, now is the time)

Go to https://securitycenter.microsoft.com/

Choose Device inventory, select your device and see Security Recommendations for your device.

 

Security Recommendation 31 Enable Network Protection

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Attack surface reduction

Give it a friendly name

Assign to your device and create the policy.

 

Security Recommendation 32 Disable Solicited Remote Assistance

Covid 19 has sneaked into this one! If you disable this one you will not be able to use remote assistance, so if that is the current used solution, this option should not be added to your security baseline.

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Disabled

Assign it to your device and save it.

 

Security Recommendation 33 Disable IP source routing

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Enabled

Assign it to your device and save it.

 

Security Recommendation 34 Set IPv6 source routing to highest protection

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Enabled

Assign it to your device and save it.

 

Security Recommendation 35 Set default behavior for AutoRun to not execute any autorun commands

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Enabled

Assign it to your device and save it.

 

Security Recommendation 36 Disable Configure Offer Remote Assistance

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Disabled

Assign it to your device and save it.

 

Security Recommendation 37 Turn on Microsoft Defender Credential Guard

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Endpoint security -> Account protection

Create Policy

Give it a friendly name

Assign it to your device and save it.

 

Security Recommendation 38 Enable Microsoft network client: Digitally sign communications (always)

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Enabled

Assign it to your device and save it.

 

Security Recommendation 39 Disable the local storage of password and credentials

This setting has currently (to my knowledge) no UI yet.

Therefore, we are forced to create a PowerShell script to add the registry key mentioned.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done

 

Security Recommendation 40 Disable Anonymous enumeration of shares

This setting has currently (to my knowledge) no UI yet.

Therefore, we are forced to create a PowerShell script to add the registry key mentioned.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done

 

Security Recommendation 41 Disable JavaScript on Adobe Reader DC

This setting should go into the Acrobat Reader package deployment. But in this example, we will just add it to our baseline security script.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done

 

Security Recommendation 42 Disable Flash on Adobe Reader DC

This setting should go into the Acrobat Reader package deployment. But in this example, we will just add it to our baseline security script.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add –> done

 

Security Recommendation 43 Disable Installation and configuration of Network Bridge on your DNS domain network

If you use Remote assistance as your solution to take over devices, this policy should not be applied!

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

Enabled

Assign it to your device and save it.

 

Security Recommendation 44 Disable Always install with elevated privileges

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> Configuration Profiles

Create Profile

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges

 

Security Recommendation 45 Enable Local Admin password

My device does not have a local admin enabled, so this recommendation does not apply to my device

I reported inaccuracy as I believe the recommendation should be cleverer.

I accept the risk as we do not use local administrators here. That are most likely not the case in a larger corporate company, and you should always make sure your local admin is safe.

 

Security Recommendation 46 Set LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM

To my knowledge there are currently no setting for this.

Save the script

Go to https://endpoint.microsoft.com/ -> Devices -> Windows -> PowerShell scripts

Add

Give it a friendly name

Add to a security group

Add -> done

 

Summary

MDATP is highly recommended to gain more insight of how your security score

And with these settings put onto my device I only have 9 security recommendation left out of 57.

Happy implementation!