MS defender for endpoint resolve vulnerabilities found on report
Hello Experts,
I recently ran Microsoft Secure Score and Azure Advisor to check the score for my customer, who runs a hybrid cloud infrastructure with 2 DCs on prem plus 100 endpoints and users, and came across the following vulnerabilities that must be resolved.
Is there an easy way from the MS defender for endpoint console to mitigate and resolve all these vulnerabilities at once?
Should I create individual GPOs to resolve them? I hope that's not the case here.
Given the high number of vulnerabilities found, I need to find the best and fastest way to mitigate those:
List:
Block JavaScript or VBScript from launching downloaded executable content
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Block execution of potentially obfuscated scripts
Block persistence through WMI event subscription
Block Adobe Reader from creating child processes
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Block all Office applications from creating child processes
Block Office applications from injecting code into other processes
Block Office applications from creating executable content
Block executable content from email client and webmail
Block Office communication application from creating child processes
Use advanced protection against ransomware
Block abuse of exploited vulnerable signed drivers
Block untrusted and unsigned processes that run from USB
Block Win32 API calls from Office macros
Block process creations originating from PSExec and WMI commands
Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
Disable 'Allow Basic authentication' for WinRM Service
Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'
Disable Anonymous enumeration of shares
Disable 'Autoplay' for all drives
Turn on Microsoft Defender Credential Guard
Enable 'Local Security Authority (LSA) protection'
Enable 'Require additional authentication at startup'
Enable 'Network Protection'
Disable 'Enumerate administrator accounts on elevation'
Set controlled folder access to enabled or audit mode
Disable 'Allow Basic authentication' for WinRM Client
Enable scanning of removable drives during a full scan
Turn on Microsoft Defender Application Guard managed mode
Set User Account Control (UAC) to automatically deny elevation requests
Disable Solicited Remote Assistance
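Most of the items in the list above are Defender Attack Surface Reduction (ASR) rules, and each one is identified by a fixed GUID. The script below is an added example, not code from the question or any answer, showing how to inventory the state of those rules on one endpoint with the built-in Defender cmdlets (Get-MpPreference / Add-MpPreference) and, after review, move any unconfigured or disabled rules into Audit mode so their impact is visible in the Defender reports before they are switched to Block. The rule-name-to-GUID table covers only part of the list and reflects the documented ASR rule IDs as I recall them; verify every GUID against Microsoft's ASR rules reference before relying on it, and add the remaining rules the same way.

```powershell
# Added example: inventory Defender ASR rules on this endpoint and optionally
# put the missing ones into Audit mode. Run from an elevated PowerShell session.
# Assumption: the GUIDs below are the published ASR rule IDs; verify them
# against Microsoft's ASR rules reference before use.

$AsrRules = [ordered]@{
    'Block credential stealing from LSASS'                            = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes'     = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block executable content from email client and webmail'          = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block JavaScript/VBScript from launching downloaded executables'  = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block execution of potentially obfuscated scripts'               = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block persistence through WMI event subscription'                = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block process creations from PSExec and WMI commands'            = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Use advanced protection against ransomware'                      = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

# Numeric action codes as returned in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Emits one object per rule in $AsrRules with the action configured on this device.
    $pref    = Get-MpPreference
    $ids     = [string[]]@($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($entry in $AsrRules.GetEnumerator()) {
        $idx = [Array]::IndexOf($ids, $entry.Value.ToLower())
        $action = if ($idx -ge 0) { $ActionNames[[int]$actions[$idx]] } else { 'Not configured' }
        [pscustomobject]@{
            Rule   = $entry.Key
            Id     = $entry.Value
            Action = $action
        }
    }
}

function Enable-AsrRulesInAuditMode {
    # Moves rules that are not configured or disabled into Audit mode only;
    # switching to Block is a separate, deliberate step after reviewing the audit events.
    $pending = @(Get-AsrRuleState | Where-Object { $_.Action -in 'Not configured', 'Disabled' })
    foreach ($rule in $pending) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Id `
                         -AttackSurfaceReductionRules_Actions AuditMode
        Write-Host "Audit mode set for: $($rule.Rule)"
    }
    if ($pending.Count -eq 0) { Write-Host 'All listed rules are already configured.' }
}

# Report the current state; call Enable-AsrRulesInAuditMode only after reviewing the table.
Get-AsrRuleState | Format-Table -AutoSize
```

For a fleet of 100 endpoints the same GUIDs and action values are what an Intune Attack Surface Reduction rules profile sets centrally; on a device that is already Intune- or MDE-managed, local Add-MpPreference changes may be overwritten by the policy, so the script is most useful for verifying what a profile actually applied rather than as the rollout mechanism. The Audit action is the safe first step for rules such as "Block all Office applications from creating child processes", which can break legitimate add-ins if switched straight to Block.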
Don't touch GPOs! Concentrate on Intune Computer Profiles. There are pre-made baselines from MS with lots of settings that address the above and if not, you can create custom ones.
If I were you, rather than sit and agonise over GPOs and specific line items, I would start with the Secure Score dashboard and go through all the lists they have there and action them. This will improve the score and, by implication, mitigate or remove many of the issues on the list. If you get the score up to 75-80% and it hasn't crossed off most if not all in that list I would be very surprised. I say this because I sat and did it in my lab and found it (a) easier (b) quicker than the other way, i.e. looking at your vulnerabilities and trying to fix them one at a time.
ASKER
Hi Mike T,
Can you please elaborate on the Intune computer profile to mitigate these vulnerabilities?
ASKER
Which one of the following profiles will help me to mitigate these vulnerabilities?
https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create
ASKER
Any updates so far?