Jerry Seinfield asked:

MS Defender for Endpoint: resolve vulnerabilities found on report

Hello Experts,


I recently ran Microsoft Secure Score and Azure Advisor to check the score for my customer, who runs a hybrid cloud infrastructure with 2 DCs on prem plus 100 endpoints and users, and came across the following vulnerabilities that must be resolved.


Is there an easy way from the MS Defender for Endpoint console to mitigate and resolve all these vulnerabilities at once?


Should I create individual GPOs to resolve them? I hope that's not the case here.


Given the high number of vulnerabilities found, I need to find the best and fastest way to mitigate those:


List:


Block JavaScript or VBScript from launching downloaded executable content

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Block execution of potentially obfuscated scripts

Block persistence through WMI event subscription

Block Adobe Reader from creating child processes

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

Block all Office applications from creating child processes

Block Office applications from injecting code into other processes

Block Office applications from creating executable content

Block executable content from email client and webmail

Block Office communication application from creating child processes

Use advanced protection against ransomware

Block abuse of exploited vulnerable signed drivers

Block untrusted and unsigned processes that run from USB

Block Win32 API calls from Office macros

Block process creations originating from PSExec and WMI commands

Set LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'

Disable 'Allow Basic authentication' for WinRM Service

Set default behavior for 'AutoRun' to 'Enabled: Do not execute any autorun commands'

Disable Anonymous enumeration of shares

Disable 'Autoplay' for all drives

Turn on Microsoft Defender Credential Guard

Enable 'Local Security Authority (LSA) protection'

Enable 'Require additional authentication at startup'

Enable 'Network Protection'

Disable 'Enumerate administrator accounts on elevation'

Set controlled folder access to enabled or audit mode

Disable 'Allow Basic authentication' for WinRM Client

Enable scanning of removable drives during a full scan

Turn on Microsoft Defender Application Guard managed mode

Set User Account Control (UAC) to automatically deny elevation requests

Disable Solicited Remote Assistance

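The first sixteen items in the list above are Defender attack surface reduction (ASR) rules, which Defender Antivirus exposes through `Get-MpPreference` / `Add-MpPreference`. The script below is an added example, not code from the asker or from the answers on this page: it maps the rule names from the report to Microsoft's published ASR rule GUIDs, reads the current state of each rule on the local endpoint, and, only when `-Remediate` is given, puts the missing or disabled ones into audit mode. It assumes Windows 10/11 or Windows Server with Microsoft Defender Antivirus and an elevated PowerShell session; the file name `Check-AsrRules.ps1` is a placeholder. On a device that is already managed by Intune or GPO the tenant policy wins over local preferences, so the useful role of this script is to verify what a baseline actually applied on a given host, not to replace the baseline.

```powershell
<#
  Added example (not part of the original question or answers).
  Audits the ASR rules from the report list on this endpoint; with -Remediate,
  configures the missing or disabled ones with the chosen action (AuditMode by default,
  so events appear in the Defender portal before anything is blocked).
  Assumptions: Defender Antivirus present, elevated session, local preferences not
  overridden by Intune/GPO. GUIDs are Microsoft's documented ASR rule IDs.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [ValidateSet('AuditMode', 'Warn', 'Enabled')]
    [string]$Action = 'AuditMode'
)

# Rule names exactly as the report lists them, mapped to their ASR rule GUIDs.
$AsrRules = [ordered]@{
    'Block JavaScript or VBScript from launching downloaded executable content'                         = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block execution of potentially obfuscated scripts'                                                 = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Block persistence through WMI event subscription'                                                  = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
    'Block Adobe Reader from creating child processes'                                                  = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'        = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block all Office applications from creating child processes'                                       = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from injecting code into other processes'                                = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block Office applications from creating executable content'                                        = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block executable content from email client and webmail'                                            = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block Office communication application from creating child processes'                              = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Use advanced protection against ransomware'                                                        = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block abuse of exploited vulnerable signed drivers'                                                 = '56a863a9-875e-4185-98a7-b882c64b5ce5'
    'Block untrusted and unsigned processes that run from USB'                                          = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block Win32 API calls from Office macros'                                                           = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block process creations originating from PSExec and WMI commands'                                  = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

# Numeric action values that Get-MpPreference reports for each configured rule.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

# Build a GUID -> action map from the two parallel arrays Defender returns.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$current = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $current[$ids[$i].ToString().ToLower()] = [int]$actions[$i]
}

$report = foreach ($entry in $AsrRules.GetEnumerator()) {
    $id = $entry.Value
    if ($current.ContainsKey($id)) {
        $state = $ActionNames[$current[$id]]
        if ($null -eq $state) { $state = "Unknown ($($current[$id]))" }
    } else {
        $state = 'Not configured'
    }
    $needed = $state -in @('Not configured', 'Disabled')

    if ($Remediate -and $needed) {
        # Add-MpPreference appends to the rule list; Set-MpPreference would replace it.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        $state = "$Action (set now)"
    }

    [pscustomobject]@{ Rule = $entry.Key; RuleId = $id; State = $state; NeedsAction = $needed }
}

$report | Format-Table -AutoSize -Wrap
'{0} of {1} listed ASR rules are not enforced or audited on this host.' -f `
    @($report | Where-Object NeedsAction).Count, $AsrRules.Count
```

Run `.\Check-AsrRules.ps1` on its own to get the per-rule table, and `.\Check-AsrRules.ps1 -Remediate` to put the missing rules into audit mode; switch to `-Action Enabled` only after the audit events in the Defender portal show no legitimate line-of-business process being caught. The remaining items in the list (LAN Manager level, WinRM Basic authentication, AutoRun, LSA protection, Credential Guard, UAC and so on) are security baseline settings rather than ASR rules and are the part Intune's Microsoft-provided baseline profiles cover.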

Jerry Seinfield (ASKER):

Any updates so far?

Mike Taylor:

Don't touch GPOs! Concentrate on Intune Computer Profiles. There are pre-made baselines from MS with lots of settings that address the above and if not, you can create custom ones.


If I were you, rather than sit and agonise over GPOs and specific line items, I would start with the Secure Score dashboard and go through all the lists they have there and action them. This will improve the score and, by implication, mitigate or remove many of the issues on the list. If you get the score up to 75-80% and it hasn't crossed off most if not all in that list I would be very surprised. I say this because I sat and did it in my lab and found it (a) easier (b) quicker than the other way, i.e. looking at your vulnerabilities and trying to fix them one at a time.

Hi Mike T,


Can you please elaborate on the Intune computer profile to mitigate these vulnerabilities?

Which one of the following profiles will help me to mitigate these vulnerabilities?


https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-create



ASKER CERTIFIED SOLUTION
Mike Taylor
