Category Archives: Microsoft
Released: SCOM Management Packs for SQL Server, RS, AS (7.4.0.0)
Updates to the SQL Server, SQL Server Dashboards, Reporting Services, and Analysis Services Management Packs are available (7.4.0.0). You can download the MPs from the links below. The majority of the changes are based on your direct feedback. Thank you.
Download Microsoft System Center Management Pack for SQL Server
Download Microsoft System Center Management Pack for SQL Server Dashboards
Download Microsoft System Center Management Pack for SQL Server Analysis Services
Download Microsoft System Center Management Pack for SQL Server Reporting Services
There are a lot of new features as well as some bug fixes in these MPs. You can find the full list by following the links below. Some of the bigger additions are:
For SQL MP
Added support for custom management server resource pools for agentless monitoring mode
Added new “SQL Connection Encryption Certificate Status” monitor for SQL Server on Linux, which targets DB Engine and checks if the server’s TLS certificate is valid
For AS MP
Added nine new performance collection rules
Improved the memory-related instance monitoring workflows
For RS MP
Added new “Securables Configuration Status” monitors
Improved accessibility for the Summary Dashboard view and Monitoring Wizard template
Updated the “Product Version Compliance” monitor with the most recent version of public updates for SQL Server
The operations guides for the whole SQL Server family of management packs live on learn.microsoft.com. The link to the operations guide for each MP can be found on the MP download page. Here are the links that show what’s new in these MPs:
Features and Enhancements in Management Pack for SQL Server
Features and Enhancements in Management Pack for SQL Server Dashboards
Features and Enhancements in Management Pack for SQL Server Analysis Services
Features and Enhancements in Management Pack for SQL Server Reporting Services
Microsoft Tech Community – Latest Blogs –Read More
Identifying drift in AI models: Best practices for generating consistent, reliable responses
Addressing the challenges of model drift is crucial for successful deployments of reliable, production-ready machine learning models. Explore insights into monitoring and mitigating model drift, with strategic recommendations to enhance the accuracy and longevity of machine learning models in real-world applications.
Key Challenges
Complexity in monitoring model drift
AI models naturally drift from their original input parameters once deployed and, over time, produce unwanted results. Inaccurate or outdated models due to drift can lead to suboptimal decision-making and pose potential business risk. To ensure accuracy throughout a model’s lifecycle, teams need a strategy for monitoring their model deployments, with automated tooling and processes in place.
Interpreting and addressing the causes of model drift
Drift can be gradual or abrupt, and it can be challenging to identify and subsequently address. If not mitigated, it can worsen, further increasing the negative business impact. Determining the cause of the drift is crucial for implementing effective corrective measures. Learning from what is and is not working allows teams to pivot and correct when needed.
Evaluating the quality of training data
If the data used to train a model is of inadequate quality, the model may not be able to interpret it accurately. This shows up as changes in the data, which translate into model drift. To mitigate this, teams need to ensure that training data is of high quality and is a representative sample of the data the model will see.
Recommendations
As teams work to identify model drift, they should:
Early detection of model drift is crucial for timely corrective actions. Monitoring allows for real-time tracking of model performance, enabling teams to identify and respond to drift promptly. Establish a robust system for automated monitoring of machine learning models in production. Regularly monitor model outputs and implement automated alerts for detecting drift early on.
Retraining models with fresh, relevant data is essential for preventing and mitigating model drift. Continuous retraining ensures that the model stays accurate and adapts to changes in the data distribution over time. Develop a continuous retraining strategy for models, incorporating new and high-quality data. Use reliable data sources that are representative of real-world scenarios and free from inconsistencies, errors, biases, and ethical challenges.
Automating the lifecycle of machine learning models enhances operational efficiency and reduces the risk of human error, enabling teams to respond to model drift in a timely manner. Adopt MLOps practices to implement end-to-end automation for model management, including monitoring, retraining, and deployment. Leverage the tools and techniques provided by MLOps tooling to streamline operational management.
Understanding and identifying model drift
Teams building data-driven solutions actively explore ways to harness the power of their data through the development of machine learning (ML) models. However, teams are challenged by how the outputs of their models change over time, and as a result many of these solutions never make it into production.
For ML models to become an integral part of applications developed by any organization, it is essential to detect when an ML model drifts away from acceptable operation.
Model drift is not a technology problem; it is a change in the context of the data, and it can be managed by implementing effective analysis of the data the models are trained on. This leads teams to ask, “What are the most effective methods for detecting drift in ML models?”
This article explores the key focus areas for identifying model drift where ISVs and Digital Natives can make improvements to deliver accurate ML models.
Understanding model drift and how it occurs
Drift is a concept in ML models where their performance, when deployed in production environments, slowly degrades over time. There are two distinct types of model drift, concept drift and data drift.
Concept drift occurs when the purpose of the original model changes over time and is recognized in four varieties: sudden drift, gradual drift, incremental drift, and recurring concepts.
Sudden drift occurs when a notable change that has not been observed before happens in a brief period, for example, the impact of a global pandemic. Gradual drift is the opposite, occurring when a change has happened slowly over time; this is observed in predictive models based on historical data. Incremental drift occurs when the change is not continuous, such as predicting sales of a specific product that changes in the future. Finally, recurring concepts are repeating patterns, for example seasonal sales of products such as winter coats, where the model needs regular retraining to account for the recurrence.
Data drift, on the other hand, occurs when the distribution of the input data changes over time. Consider, for example, an ML model that predicts the likelihood of customers purchasing a product based on their age and income. If the distribution of customers’ ages and incomes changes significantly over time, the model will no longer be able to predict the likelihood of a purchase accurately.
It is important to understand the difference between these two types of drift because they require different approaches to address them.
Importance of high-quality, responsible training data
High-quality training data is critical to the success of a deployed, production AI model. Collecting such data requires careful consideration of the data sources and their quality. To prevent model drift, it is important to use high-quality training data that is representative of the data that the model will encounter in the real world. This can help to ensure that the model is robust to changes in the data distribution and can generalize well to new data.
Choose reliable data sources for your model’s purpose
Select data sources that are representative of the data that the model will encounter in the real world. This ensures that the model is robust to changes in the data distribution and can generalize well to new data.
Ensure that the data sources are free from inconsistencies and errors, and avoid biases and ethical challenges. Low-quality data can have a significant impact on data drift, leading to the model’s accuracy degrading over time.
Retrain models with new and updated data as it arises
Retraining an AI model with new, high-quality data is a key step in preventing model drift, ensuring that it remains accurate and dependable over time.
It is important to note that retraining a model with new data is not a one-time process. As the data distribution changes over time, it is important to continuously monitor the model’s performance with tooling and retrain when necessary.
Choosing tools and techniques for identifying and addressing model drift
There are various tools and techniques that can be used to identify and address model drift. Azure provides several technologies that can help with this, including Azure Machine Learning, which provides tools for monitoring and managing model drift. These tools can help to detect drift early and provide actionable insights to address it.
Knowing that there is drift in a model’s outputs is only part of the solution. With regular, automated monitoring in place to detect drift, develop a process for conducting a root cause analysis whenever drift is detected. Insight into what is causing the drift will enable you to act, for example by retraining the model with new data.
As you establish these practices, automating the end-to-end monitoring, retraining, and deployment of new models will provide you with effective operational management of your ML models.
Conclusion
Addressing model drift is critical for the successful deployment and longevity of machine learning models in production. It is crucial to recognize the distinction between concept drift and data drift while leveraging tools and techniques for monitoring and addressing drift.
As AI models become integral to applications developed by ISVs and Digital Natives, a proactive approach to understanding and managing model drift will contribute to the sustained success of these data-driven solutions.
Further Reading
Machine Learning Monitoring: Why You Should Care About Data and Concept Drift | Evidently AI
Data quality considerations – Cloud Adoption Framework | Microsoft Learn
Data Validation at Scale with Azure Synapse – Microsoft Community Hub
MLOps: Machine learning model management – Azure Machine Learning | Microsoft Learn
Model monitoring with Azure Machine Learning | Microsoft Learn
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access permissions group
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
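The same change done from Exchange Online PowerShell, as an added example that is not part of the Defender Experts post: it creates a Limited access quarantine policy, applies it to the default anti-phishing, anti-spam and anti-malware policies, and then reports any policy that still hands users a Full access preset. It assumes the ExchangeOnlineManagement module, an account permitted to manage Defender for Office 365 policies, and a constructed policy name (DX-LimitedAccess); the permission value 27 (Limited access) comes from the "Anatomy of a quarantine policy" article linked above.

```powershell
# Added example, not from the Defender Experts post. Assumes the
# ExchangeOnlineManagement module and a suitably privileged account.
Connect-ExchangeOnline

$policyName = 'DX-LimitedAccess'   # constructed example name

# 27 = Limited access (block sender + request release + preview + delete);
# 0 would be No access. Values per "Anatomy of a quarantine policy" on Microsoft Learn.
if (-not (Get-QuarantinePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $policyName -EndUserQuarantinePermissionsValue 27 -ESNEnabled $true
}

# Anti-phishing: every phishing verdict that the default policy sends to quarantine
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -SpoofQuarantineTag $policyName `
    -TargetedUserQuarantineTag $policyName `
    -TargetedDomainQuarantineTag $policyName `
    -MailboxIntelligenceQuarantineTag $policyName

# Anti-spam: phish, spam, high-confidence spam and bulk verdicts
Set-HostedContentFilterPolicy -Identity 'Default' `
    -PhishQuarantineTag $policyName `
    -SpamQuarantineTag $policyName `
    -HighConfidenceSpamQuarantineTag $policyName `
    -BulkQuarantineTag $policyName

# Anti-malware: users can only request release here regardless, but keep it consistent
Set-MalwareFilterPolicy -Identity 'Default' -QuarantineTag $policyName

# Check: flag any policy (default or custom) whose quarantine tags still grant Full access
$fullAccess  = @('DefaultFullAccessPolicy', 'DefaultFullAccessWithNotificationPolicy')
$allPolicies = @(Get-HostedContentFilterPolicy) + @(Get-AntiPhishPolicy) + @(Get-MalwareFilterPolicy)
foreach ($p in $allPolicies) {
    $p.PSObject.Properties |
        Where-Object { $_.Name -like '*QuarantineTag' -and $fullAccess -contains $_.Value } |
        ForEach-Object { Write-Warning "$($p.Name): $($_.Name) still uses $($_.Value)" }
}

# Show the effective end-user permissions of the new policy
Get-QuarantinePolicy -Identity $policyName | Format-List Name, EndUserQuarantinePermissions
```

Custom anti-spam or anti-phishing policies reported by the check need the same quarantine tags set on them individually.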
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOS devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, IPs, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
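The four ASR sections above share one implementation path, and the JavaScript/VBScript section recommends auditing before blocking. The following is an added PowerShell example, not code from the blog post: it checks the stated prerequisites, stages the four rules in audit mode, summarises what they would have blocked from the Defender operational log, and only then switches them to block mode. The rule GUIDs are the publicly documented ASR rule IDs (verify against the Microsoft Learn ASR rules reference), and the event-data field names are assumed from the Defender event schema.

```powershell
# Added example (not from the blog post). Run elevated on a device where Microsoft
# Defender Antivirus is active and ASR is not already enforced by central management
# (Intune/GPO settings would otherwise overwrite these local preferences).

$AsrRules = [ordered]@{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

function Test-DefenderPrerequisites {
    # The blog's precondition: Defender AV on, real-time protection and tamper protection enabled.
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        IsTamperProtected         = $status.IsTamperProtected
        Ready = ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled -and $status.IsTamperProtected)
    }
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleId,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    # Add-MpPreference takes parallel arrays: one action per rule ID, in the same order.
    $actions = @($Mode) * $RuleId.Count
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleHits {
    param([int] $Days = 14)
    # Event 1122 = rule matched in audit mode, 1121 = rule blocked; both are written to the
    # Defender operational log. Field names below ('ID', 'Path', 'Process Name') are assumed
    # from the event schema; inspect one event's XML if your build differs.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $ruleId = ([string]$d['ID']).ToLower()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleId  = $ruleId
            Rule    = $AsrRules[$ruleId]
            Process = $d['Process Name']
            Target  = $d['Path']
        }
    } | Where-Object { $AsrRules.Contains($_.RuleId) }   # only the four rules staged here
}

# Staged rollout, as the blog recommends: audit, review the hits, then block.
$prereq = Test-DefenderPrerequisites
if (-not $prereq.Ready) {
    Write-Warning "Fix prerequisites first: $($prereq | Out-String)"
    return
}

Set-AsrRuleMode -RuleId @($AsrRules.Keys) -Mode AuditMode

# After a soak period, see which rule/process pairs would have been blocked; legitimate
# line-of-business applications show up here and need exclusions before enforcement.
Get-AsrRuleHits -Days 14 |
    Group-Object Rule, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Once the audit review is clean, enforce:
# Set-AsrRuleMode -RuleId @($AsrRules.Keys) -Mode Enabled
```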
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
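The Conditional Access policy described above, as an added Microsoft Graph PowerShell example that is not part of the blog post. It starts in report-only mode so sign-in logs can be reviewed before enforcement; the role template IDs are the documented built-in Entra role IDs (verify with Get-MgDirectoryRoleTemplate), and the emergency-access exclusion and its placeholder object ID are assumptions of this example.

```powershell
# Added example (not from the blog post). Requires the Microsoft.Graph PowerShell SDK
# and an account permitted to write Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Roles the blog calls out explicitly; extend with other admin roles as required.
$AdminRoleTemplates = @{
    'Global Administrator'  = '62e90394-69f5-4237-9190-012177145e10'
    'Billing Administrator' = 'b0f54661-2d74-4c50-afa3-1ec803f12efe'
}

# Assumed: a break-glass account kept out of the policy so a broken MFA method
# cannot lock every administrator out. Replace the placeholder with its object ID.
$BreakGlassObjectId = '<OBJECT-ID-OF-EMERGENCY-ACCESS-ACCOUNT>'

$policy = @{
    displayName = 'Require MFA for administrative roles'
    # Report-only first; flip to 'enabled' after reviewing the sign-in log impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeRoles = @($AdminRoleTemplates.Values)
            excludeUsers = @($BreakGlassObjectId)
        }
        applications   = @{ includeApplications = @('All') }   # all cloud apps, per the blog
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm every targeted role is present before enabling it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$covered = @($check.Conditions.Users.IncludeRoles)
$missing = $AdminRoleTemplates.GetEnumerator() | Where-Object { $covered -notcontains $_.Value }
[pscustomobject]@{
    PolicyId     = $check.Id
    State        = $check.State
    RolesCovered = $covered.Count
    MissingRoles = @($missing | ForEach-Object Key)
}
```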
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
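The account preparation described above (create an account with no business purpose and confirm its privileges are removed), as an added PowerShell example that is not part of the blog post. Tagging the account as a honeytoken still happens in the Defender portal; the account name, OU and decoy description are assumptions of this example, and it requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the blog post). Creates a dormant on-premises AD account and
# reports anything that would make it more than a bait account before it is tagged
# under Settings > Identities > Honeytoken in the Defender portal.
Import-Module ActiveDirectory

$HoneyUser = 'svc-backup-legacy'                      # assumed: plausible-looking, unused
$HoneyOu   = 'OU=Service Accounts,DC=contoso,DC=com'  # assumed OU

function New-HoneytokenAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName, [Parameter(Mandatory)] [string] $Path)
    # Random password that is never recorded: nobody should ever authenticate as this account,
    # so any successful or failed use of it is the alert signal the blog describes.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $Path `
        -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
        -Description 'Legacy backup service account' -PassThru
}

function Test-HoneytokenIsUnprivileged {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser $SamAccountName -Properties MemberOf, AdminCount, ServicePrincipalName, TrustedForDelegation
    # MemberOf excludes the primary group (Domain Users), so anything listed is extra.
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
    $spns   = @($u.ServicePrincipalName)
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        ExtraGroups          = $groups
        AdminCountSet        = ($u.AdminCount -eq 1)       # protected-group history
        HasSpn               = ($spns.Count -gt 0)          # would make it a Kerberoast target
        TrustedForDelegation = [bool]$u.TrustedForDelegation
        Unprivileged         = ($groups.Count -eq 0 -and $u.AdminCount -ne 1 -and
                                $spns.Count -eq 0 -and -not $u.TrustedForDelegation)
    }
}

New-HoneytokenAccount -SamAccountName $HoneyUser -Path $HoneyOu | Out-Null
$report = Test-HoneytokenIsUnprivileged -SamAccountName $HoneyUser
$report
if (-not $report.Unprivileged) {
    Write-Warning "Remove the listed privileges from $HoneyUser before tagging it as a honeytoken."
}
```

The same check applies when repurposing an existing account: run Test-HoneytokenIsUnprivileged against it and clear every item it flags first.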
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which includes email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
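Staging the three ASR rules above from audit mode to block mode, as an added PowerShell example that is not part of the original post. The rule GUIDs are the documented rule IDs from the Microsoft Learn ASR reference (verify them against the linked pages); the function names and the 14-day audit window are choices made here, and the 1122 event field names should be checked against one real event on your tenant.

```powershell
# Added example, not code from the original post: stage the three ASR rules
# above in audit mode, review the audit hits, then move them to block mode.
# Run in an elevated PowerShell session on a device running Defender Antivirus.
# Rule GUIDs are the documented IDs from the Microsoft Learn ASR rules
# reference; confirm them against the linked pages before wide deployment.
$AsrRules = @{
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block Office applications from creating executable content'                = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block executable content from email client and webmail'                    = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
}

function Test-AsrPrerequisites {
    # The Implementation steps require AV on, real-time protection on and
    # tamper protection on; without them the rules can be silently undone.
    $s = Get-MpComputerStatus
    $ok = $s.AMServiceEnabled -and $s.RealTimeProtectionEnabled -and $s.IsTamperProtected
    if (-not $ok) {
        Write-Warning ("AMServiceEnabled={0} RealTimeProtectionEnabled={1} IsTamperProtected={2}" -f
            $s.AMServiceEnabled, $s.RealTimeProtectionEnabled, $s.IsTamperProtected)
    }
    return $ok
}

function Set-AsrRuleMode {
    # $Mode is 'AuditMode' (log only) or 'Enabled' (block); 'Warn' and
    # 'Disabled' are the other values the cmdlet accepts.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode)
    foreach ($name in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $Mode
        "$Mode : $name"
    }
}

function Get-AsrAuditHits {
    # Event 1122 in the Defender operational log is an ASR audit hit
    # (1121 is a block). Grouping by rule and process makes a legitimate
    # line-of-business application that trips a rule stand out quickly.
    param([int]$Days = 14)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        # Field names as they appear in the 1122 event XML; inspect one raw
        # event with Get-WinEvent | Format-List * if the columns come back empty.
        [pscustomobject]@{
            RuleId  = ($data | Where-Object Name -eq 'ID').'#text'
            Process = ($data | Where-Object Name -eq 'Process Name').'#text'
            Target  = ($data | Where-Object Name -eq 'Path').'#text'
        }
    } | Group-Object RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Show-AsrRuleState {
    # Get-MpPreference reports actions numerically: 0 Disabled, 1 Block,
    # 2 Audit, 6 Warn. Only the three rules of interest are listed.
    $p = Get-MpPreference
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($AsrRules.Values -contains $p.AttackSurfaceReductionRules_Ids[$i]) {
            '{0} -> {1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

# Day 0: stage in audit mode only if the prerequisites hold.
if (Test-AsrPrerequisites) { Set-AsrRuleMode -Mode AuditMode }
# After the audit window: review hits, add any needed exclusions with
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions, then block.
# Get-AsrAuditHits -Days 14
# Set-AsrRuleMode -Mode Enabled
# Show-AsrRuleState
```

The same Add-MpPreference call with the fourth rule ID from the USB section of this post extends the staging to that rule as well.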
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
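The Conditional Access policy described above, created with Microsoft Graph PowerShell as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and the signed-in account can write Conditional Access policies; the role template IDs are the built-in Entra IDs for Global Administrator and Billing Administrator (verify with Get-MgDirectoryRoleTemplate), and the break-glass account ID is a placeholder.

```powershell
# Added example, not code from the original post: require MFA for the
# administrative roles called out above, starting in report-only mode so the
# sign-in logs can be reviewed before the policy is enforced.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Directory.Read.All'

# Built-in Entra directory role template IDs; verify on your tenant with
# Get-MgDirectoryRoleTemplate | Select-Object Id, DisplayName.
$adminRoleTemplateIds = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
    'b0f54661-2d74-4c50-afa3-1ec803f12efe'  # Billing Administrator
)

# The post recommends MFA for all administrative roles, so optionally widen the
# scope to every built-in role template whose name ends in "Administrator".
$allAdminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -like '*Administrator' |
    Select-Object -ExpandProperty Id
$roleScope = $adminRoleTemplateIds   # swap in $allAdminRoleIds for the wider scope

# Placeholder: object ID of an emergency-access (break-glass) account that is
# excluded so an MFA outage cannot lock every administrator out of the tenant.
$breakGlassUserId = '<BREAK-GLASS-ACCOUNT-OBJECT-ID>'

$policy = @{
    DisplayName   = 'Require MFA for administrative roles'
    # Report-only first; set to 'enabled' once the sign-in log review is clean.
    State         = 'enabledForReportingButNotEnforced'
    Conditions    = @{
        Users        = @{
            IncludeRoles = $roleScope
            ExcludeUsers = @($breakGlassUserId)
        }
        # "All cloud applications", as in the Implementation step above.
        Applications = @{ IncludeApplications = @('All') }
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify that the two priority roles are actually covered by the stored policy.
$stored = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$covered = $stored.Conditions.Users.IncludeRoles
$adminRoleTemplateIds | Where-Object { $_ -notin $covered } |
    ForEach-Object { Write-Warning "Role template $_ is not included in the policy" }
```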
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which includes email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOs devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, and Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, Ips, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread this using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
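The two ASR rules above share the same implementation steps: confirm Defender Antivirus, Real-Time Protection and Tamper Protection are on, then set the rule to block mode. The following PowerShell script is an added example, not code from the original post or from Microsoft; it runs those checks locally with Get-MpComputerStatus, applies both rules with Add-MpPreference and reads the resulting mode back. The rule GUIDs are the published identifiers from the Microsoft Learn ASR rule reference and should be confirmed against the linked pages before deployment; running it on a fleet is normally done through Intune, Group Policy or MDM rather than per host.

```powershell
# Added example (not from the original post): verify prerequisites, then put the two
# ASR rules discussed above into Block mode on the local device. Run as administrator.
# GUIDs are the published rule identifiers from Microsoft Learn; verify before deploying.

$rules = @{
    'Block Office applications from creating executable content' = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block executable content from email client and webmail'     = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
}

# Numeric action codes as returned by Get-MpPreference.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Prerequisites: ASR rules only take effect when Defender AV is the active AV with RTP on.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw 'Microsoft Defender Antivirus with Real-Time Protection must be active before enabling ASR rules.'
}
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tamper Protection is off; enable it (Defender portal, Intune or ConfigMgr) so these settings cannot be silently reverted.'
}

# 2. Apply. Add-MpPreference appends to the existing rule list rather than replacing it,
#    so rules configured by other means are left untouched. Use
#    -AttackSurfaceReductionRules_Actions AuditMode first if you need to observe
#    line-of-business impact before blocking.
foreach ($entry in $rules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# 3. Verify: the Ids and Actions arrays are parallel, so pair them by index.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = ($rules.GetEnumerator() | Where-Object Value -eq $id).Key
    if ($name) {
        $mode = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        '{0,-60} {1}' -f $name, $mode
    }
}
```

The tamper-protection check is a warning rather than a hard stop because tamper protection is set centrally, not through Set-MpPreference; the point of the check is that an ASR configuration applied without it can be reverted by the same attacker it is meant to stop.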
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
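The Conditional Access policy described above can be created with Microsoft Graph PowerShell. The script below is an added example, not code from the original post or from Microsoft. It resolves the two roles the post singles out (global admin and billing admin) by display name instead of hard-coding GUIDs, excludes a break-glass account so an MFA outage cannot lock every administrator out, and creates the policy in report-only mode so its effect can be reviewed in the sign-in logs before enforcement. The Microsoft.Graph module, the scopes requested and the break-glass UPN are assumptions; the UPN is a placeholder.

```powershell
# Added example (not from the original post): require MFA for administrative roles via a
# Conditional Access policy created through Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; 'breakglass@contoso.example' is a placeholder
# for your organisation's emergency-access account.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All', 'User.Read.All'

# The two roles the post calls out; extend this list with other admin roles you delegate.
$roleNames = @('Global Administrator', 'Billing Administrator')
$roleIds = @(Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $roleNames } |
    Select-Object -ExpandProperty Id)
if ($roleIds.Count -ne $roleNames.Count) { throw 'Could not resolve every role template by display name.' }

# Emergency-access (break-glass) account, excluded so an MFA outage cannot lock all admins out.
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.example' -ErrorAction Stop

$policy = @{
    displayName = 'Require MFA for administrative roles'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }   # "all cloud applications"
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} ({1}) in state {2}' -f $created.DisplayName, $created.Id, $created.State
```

Report-only first is deliberate: a policy scoped to "all cloud applications" also covers the tooling administrators use to fix a misconfigured policy, so confirm in the sign-in logs that the break-glass exclusion and role scoping behave as intended before changing the state to enabled.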
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID, under Password reset > Authentication methods, set the number of methods required to reset to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
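The implementation step above has two parts: an account with no business purpose and no privileges, then tagging it in the Defender portal. The PowerShell below is an added example, not code from the original post or from Microsoft, for the first part in on-premises Active Directory: it creates the dormant account with a long random password that is never recorded, leaves it enabled so authentication attempts against it are visible to Defender for Identity, and verifies that it holds no group membership beyond Domain Users. The portal tagging step is not scripted. The RSAT ActiveDirectory module, the OU path and the account name are assumptions.

```powershell
# Added example (not from the original post): create a dormant, unprivileged AD account to be
# tagged as a honeytoken in the Defender portal (Settings > Identities > Honeytoken).
# Assumptions: RSAT ActiveDirectory module available; OU path and names are placeholders.

Import-Module ActiveDirectory

$sam    = 'svc-backup-legacy'                              # plausible name, no real business use
$ouPath = 'OU=Service Accounts,DC=contoso,DC=example'      # placeholder OU
$domain = (Get-ADDomain).DNSRoot

# 32 random bytes -> base64: a password nobody writes down, so any logon attempt is suspect.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$domain" -Path $ouPath `
           -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
           -CannotChangePassword $true -Description 'Legacy backup service account'

# Verify least privilege: the only membership should be the primary group, Domain Users.
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$extra  = @($groups | Where-Object { $_ -ne 'Domain Users' })
if ($extra.Count -gt 0) {
    throw "Honeytoken $sam has unexpected memberships: $($extra -join ', ')"
}
"$sam created in $ouPath with no privileges beyond Domain Users; tag it as a honeytoken in the Defender portal."
```

Keeping the account enabled is what makes it useful: a disabled account produces a generic "account disabled" failure, whereas an enabled, never-used account produces authentication events that Defender for Identity can alert on once the honeytoken tag is applied. If you repurpose an existing account instead, run the membership check above against it, since leftover privileges on a honeytoken turn the alarm into a liability.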
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Microsoft Tech Community – Latest Blogs –Read More
Defender Experts’ recommendations for impactful security posture management
Introduction
The Microsoft Defender Experts for XDR service provides value to customers from both a proactive and reactive perspective. Proactively, we provide guidance to customers on overall security posture improvements and perform threat hunting to surface malicious activity in their environments. Simultaneously, our team reactively investigates and responds to incidents that occur in customer environments on their behalf. Working with both sides of the security equation, Defender Experts for XDR is uniquely positioned to understand the value of security controls and configurations in terms of their impact on the rate and severity of actual customer incidents.
While the basics of security hygiene, such as patching, inventory, security baselining, and least privilege delegations are undeniably important, once those bases are covered there are many more specific controls that receive less attention but can be critical in mitigating the frequency and impact of future incidents. Leveraging our experience helping customers protect themselves, we’re thrilled to share some of the security controls and configurations we find most impactful in the real world.
Top Configuration Recommendations
Listed below, in no particular order, are the top configuration recommendations from Defender Experts for XDR.
Microsoft Defender for Office
——————————————————————————————————–
Restrict user ability to release emails from quarantine
The Exchange Online Protection (EOP) quarantine is leveraged widely to prevent suspicious emails from being delivered to user inboxes without entirely deleting them. Emails that match the anti-malware, anti-phishing, and anti-spam policies configured within a given tenant will most often be sent to quarantine. This protection is significantly curtailed when end users have the capability to indiscriminately release their own emails from quarantine. Our team has investigated an unfortunate number of incidents resulting from users searching out phishing emails that were quarantined, releasing them, and promptly compromising their own account. A full access permissions group in a quarantine policy permits this to happen and is strongly discouraged.
Fortunately, regardless of the quarantine policy applied, users can’t release their own messages that were quarantined as malware or high confidence phishing – they can only request their release. But for all other emails detected as phishing, one of the following permissions groups must be applied in order to prevent unrestricted quarantine release.
Limited access permissions group
This is the recommended permissions group for most environments that are not highly restricted. Limited access permits the user to preview quarantined messages (with hyperlinks disabled), view their headers, and request their release (in addition to deleting the email or blocking the sender).
No access permissions group
No access is the most restrictive permissions group that can be applied to a quarantine policy. The default quarantine policy AdminOnlyAccessPolicy uses this permissions group. When this is configured, the most that a user could do with a quarantined message is view the email headers.
Implementation
Within the Microsoft Defender portal under Quarantine policy, create a new policy leveraging Limited access, No access, or Specific access with the action “Allow recipients to request a message to be released from quarantine.” Then apply this quarantine policy to your anti-phishing, anti-spam, and anti-malware policies.
Quarantine policies | Step 1 Create quarantine policies | Microsoft Learn
Quarantine policies | Anatomy of a quarantine policy | Microsoft Learn
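The implementation step above is described for the Defender portal; the same change can be audited and applied tenant-wide from Exchange Online PowerShell. The following is an added example, not code from the post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can edit threat policies. It flags every anti-spam, anti-phishing, and anti-malware policy whose quarantine tag is one of the built-in full-access policies and, when $Remediate is set, swaps in the built-in No access policy AdminOnlyAccessPolicy named in the post (substitute the name of a Limited access policy you created in the portal if you prefer that option).

```powershell
# Added example (not from the original post): audit quarantine-policy assignments and
# replace full-access ones. Assumes ExchangeOnlineManagement and a threat-policy admin.
Connect-ExchangeOnline

# Built-in quarantine policies that grant end users the "Full access" permissions group.
$fullAccessPolicies = @('DefaultFullAccessPolicy', 'DefaultFullAccessWithNotificationPolicy')

# Replacement: the built-in No access policy from the post. Use your own Limited access
# policy name here if you created one in the Defender portal.
$targetPolicy = 'AdminOnlyAccessPolicy'
$Remediate    = $false   # set to $true to apply changes instead of only reporting

# Quarantine-tag properties per policy type. Malware and high confidence phishing never
# allow self-release whatever the tag, but spam, phishing, bulk and spoof detections do.
$policySets = @(
    @{ Get = 'Get-HostedContentFilterPolicy'; Set = 'Set-HostedContentFilterPolicy'
       Tags = 'SpamQuarantineTag', 'HighConfidenceSpamQuarantineTag', 'PhishQuarantineTag',
              'HighConfidencePhishQuarantineTag', 'BulkQuarantineTag' },
    @{ Get = 'Get-AntiPhishPolicy';     Set = 'Set-AntiPhishPolicy';     Tags = 'SpoofQuarantineTag' },
    @{ Get = 'Get-MalwareFilterPolicy'; Set = 'Set-MalwareFilterPolicy'; Tags = 'QuarantineTag' }
)

foreach ($set in $policySets) {
    foreach ($policy in (& $set.Get)) {
        foreach ($tag in $set.Tags) {
            $current = $policy.$tag
            if (-not $current -or $current -notin $fullAccessPolicies) { continue }

            Write-Warning "$($policy.Name): $tag = $current (users can release their own messages)"
            if ($Remediate) {
                # Build the parameter set dynamically so one loop serves all three cmdlets.
                $params = @{ Identity = $policy.Identity }
                $params[$tag] = $targetPolicy
                & $set.Set @params
                Write-Host "  -> $tag set to $targetPolicy"
            }
        }
    }
}
```

Run it once with $Remediate left at $false to see which policies still grant full access, then again with $true. Re-running the audit afterwards should print no warnings.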
Microsoft Defender for Endpoint
——————————————————————————————————-
Enable tamper protection
Tamper protection is a critical feature of Defender for Endpoint that protects security settings from being changed. When enabled, tamper protection prevents other key components of Defender for Endpoint, including virus and threat protection, antivirus (AV), real-time protection, automatic remediation, and tamper protection itself, from being disabled. If these security features can be disabled by an attacker, then their value is nullified. Once an attacker has compromised a device, it is commonly part of their attack chain to disable any security services running on the device, thereby enabling more severe and destructive follow-on actions. This activity has been observed in Cypherpunk, DarkSide, and Ryuk ransomware operations among many others. Every supported device onboarded with Defender for Endpoint should have tamper protection enabled. It is also advisable to seriously investigate any incidents involving attempted tampering, as they often point to ongoing compromise.
Implementation
Enable tamper protection via the Defender Portal, Intune, or Configuration Manager.
Protect security settings with tamper protection | Microsoft Learn
Enable network protection in block mode
Network protection is a Defender for Endpoint feature that leverages and extends Microsoft Edge SmartScreen to protect Windows, Linux, and macOS devices. SmartScreen, when in block mode, prevents network connections from the Edge browser to known malicious websites. When network protection is enabled in block mode, these malicious connections will also be blocked from all other supported browsers (Chrome, Firefox, Brave, Opera, etc.) and non-browser applications. The default blocklist leverages Microsoft’s extensive threat intelligence resources to protect users across all customer environments from unintentionally visiting malicious websites. Furthermore, custom indicators can be configured within a given tenant to block network connections to additional undesired domains, IPs, and URLs.
If network protection is not enabled, or not in block mode, users are vulnerable to visiting websites that are known to be malicious. This is a very common occurrence in Defender Experts for XDR investigations, resulting in malware infections, credential compromise, or other malicious activity. The Microsoft Threat Intelligence community has already done the work to provide the threat intel, so why not leverage it to protect your organization?
Implementation
Network protection can be enabled via PowerShell, MDM, Group Policy, or Microsoft Configuration Manager.
Turn on network protection | Microsoft Learn
Block untrusted and unsigned processes that run from USB
This is an Attack Surface Reduction (ASR) rule that is prebuilt within Microsoft Defender Antivirus to help prevent USB malware. When enabled in block mode, this rule prevents the execution of unsigned or untrusted executables (.exe, .dll, .scr, .ps, .vbs, .js, etc.) that are either present on mounted removable media (e.g., USB or SD card) or that were copied to disk from removable media. For some organizations, USB malware is quite rare. But for organizations with a large, distributed set of end users, or organizations with a large quantity of bring your own device (BYOD) users, this can become a constant challenge. China-based nation-state group Twill Typhoon is known to utilize removable devices containing malicious executables to infect victims, and the LemonDuck and LemonCat mining malware also spread using this technique, among others. Enabling this rule in block mode can be very effective at preventing these types of damaging USB malware.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block untrusted and unsigned processes that run from USB | Microsoft Learn
Block JavaScript or VBScript from launching downloaded executable content
This ASR rule detects attempts by JavaScript or VBScript to launch executables downloaded from the internet and blocks them from executing if enabled in block mode. This prevents a pattern of activity known to be utilized by multiple common types of malware. The FakeUpdates/SocGholish malware in particular leverages a JavaScript backdoor to download and/or launch its payload. FakeUpdates remains relatively prevalent (Manatee Tempest – from FakeUpdates to ransomware), infecting devices via drive-by downloads from malvertising (malicious advertising), SEO poisoning, and more. Russian state-sponsored threat actor Midnight Blizzard has also been observed utilizing phishing emails containing HTML attachments embedded with the EnvyScout JS dropper to compromise victims.
Some organizations may utilize legitimate line-of-business applications that exhibit this same behavior, so it is recommended to test this rule in audit mode prior to fully enabling in block mode. Refer to the Demystifying attack surface reduction rules blog series for more information on the transition from auditing to blocking.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block JavaScript or VBScript from launching downloaded executable content | Microsoft Learn
Block Office applications from creating executable content
This ASR rule detects attempts by Office applications (Word, Excel, and PowerPoint) to execute files written to disk, and execution of untrusted files saved by Office macros. In block mode, this rule prevents these executions. Office files have long been utilized to deliver and/or run malicious code, and unfortunately this remains a successful initial access vector into many organizations with insufficient protections. Emotet, Trickbot, Hancitor, and ZLoader malware are all frequently delivered via phishing emails that either directly attach or link to these types of malicious Office files. Individual threat actors including Iran-based nation-state group Mint Sandstorm, China-based nation-state group Canary Typhoon, and Vietnam-based nation-state group Canvas Cyclone, among others, have been known to utilize these methods as well.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block Office applications from creating executable content | Microsoft Learn
Block executable content from email client and webmail
This ASR rule detects executable files and scripts attempting to run directly from Microsoft Outlook, outlook.com, or other common webmail services. When enabled in block mode, these executions will be prevented. More sophisticated threat actors and Phishing-as-a-Service (PhaaS) providers have pivoted away from this technique, but this control provides valuable protection against the low-sophistication phishing attacks that can be just as damaging. Given that phishing is one of the most prevalent initial access vectors we see today, any controls that can be applied to reduce the frequency or severity of successful phishing, without disrupting business, should be.
Implementation
Ensure that Microsoft Defender Antivirus is turned on and Real-Time Protection and Tamper Protection are enabled. Then, enable the rule via Defender for Endpoint security settings management, MEM, Group Policy, or MDM.
Block executable content from email client and webmail | Microsoft Learn
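The network protection section and the four ASR rule sections above all list PowerShell as one way to turn the control on. The block below is an added example, not code from the post or from Microsoft, showing the whole Defender for Endpoint set from this post applied on a single Windows device: it checks the prerequisites the post names (antivirus on, real-time protection and tamper protection enabled), enables network protection in block mode, configures the four ASR rules, and reads back the effective state. The rule GUIDs are the ones documented on the linked Microsoft Learn pages; confirm them there before use. The JavaScript/VBScript rule is deliberately set to audit, as the post recommends, so you can review the audit events before switching it to block. On devices managed by Intune, Group Policy or Configuration Manager, the management channel will overwrite local settings, so use this for validation on a test device and roll out through management for the fleet.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a Windows
# device with Microsoft Defender Antivirus. Rule GUIDs are taken from Microsoft Learn.
$asrRules = [ordered]@{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = @{ Name = 'Block untrusted and unsigned processes that run from USB';                    Action = 'Enabled' }
    'd3e037e1-3eb8-44c8-a917-57927947596d' = @{ Name = 'Block JavaScript or VBScript from launching downloaded executable content'; Action = 'AuditMode' }  # audit first
    '3b576869-a4ec-4529-8536-b80a7769e899' = @{ Name = 'Block Office applications from creating executable content';              Action = 'Enabled' }
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = @{ Name = 'Block executable content from email client and webmail';                  Action = 'Enabled' }
}

# 1. Prerequisites named in the post: AV on, real-time protection on, tamper protection on.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw 'Microsoft Defender Antivirus or real-time protection is off; fix that before configuring rules.'
}
if (-not $status.IsTamperProtected) {
    # Tamper protection cannot be switched on from this cmdlet; it comes from the portal, Intune or ConfigMgr.
    Write-Warning 'Tamper protection is off: ASR and network protection settings can be undone by an attacker.'
}

# 2. Network protection in block mode (Enabled = block, AuditMode = report only).
Set-MpPreference -EnableNetworkProtection Enabled

# 3. ASR rules. Add-MpPreference merges with rules already configured rather than replacing them.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrRules[$id].Action
}

# 4. Read back the effective configuration.
$pref = Get-MpPreference
Write-Host "Network protection mode: $($pref.EnableNetworkProtection)  (0 = off, 1 = block, 2 = audit)"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        Rule   = if ($asrRules.Contains($id)) { $asrRules[$id].Name } else { $id }
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # 0 = off, 1 = block, 2 = audit, 6 = warn
    }
}
```

Audit events for ASR rules land in the Microsoft-Windows-Windows Defender/Operational log and in the Defender portal, which is where to look before promoting the JavaScript/VBScript rule from AuditMode to Enabled.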
Microsoft Entra ID
——————————————————————————————————-
Ensure multifactor authentication (MFA) is enabled for all users in administrative roles in Entra ID
For a long time, MFA was heralded as the ultimate impenetrable line of defense against account compromise. While we know now that there are many ways to bypass it such as cookie/token theft, SIM swapping, social engineering, etc., MFA remains a valuable control for defense in depth. All administrative user accounts should require MFA, but there are a few critical roles in particular that should be prioritized for this control:
The global admin role has the most powerful overall permissions within a tenant and should be protected accordingly.
The power of the billing admin is less widely known, but it can in fact take over a tenant from anyone, including the global admin! With the power to move subscriptions to an associated billing tenant, the billing admin could transfer subscriptions to a tenant where they hold global admin, giving them complete control.
Implementation
Within Entra ID, create a Conditional Access policy that applies to administrative roles requiring MFA on all cloud applications.
Require MFA for administrators with Conditional Access – Microsoft Entra ID | Microsoft Learn
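The Conditional Access policy described in the implementation step can also be created with Microsoft Graph PowerShell, which is convenient when the same policy must exist in several tenants. The block below is an added example, not code from the post or from Microsoft. It assumes the Microsoft.Graph module and an account holding the Conditional Access Administrator role; the break-glass UPN is a placeholder. It resolves the role template IDs by display name rather than hard-coding them, puts the global admin and billing admin roles from the post first, creates the policy in report-only mode, and excludes one emergency-access account so a mistake cannot lock every administrator out.

```powershell
# Added example (not from the original post): report-only Conditional Access policy that
# requires MFA for administrative roles. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagement.Read.Directory', 'User.Read.All'

# Roles to cover: the two the post singles out, plus other privileged roles of your choosing.
$roleNames = 'Global Administrator', 'Billing Administrator', 'Privileged Role Administrator',
             'Security Administrator', 'Exchange Administrator', 'Conditional Access Administrator'

# Resolve display names to role template IDs so nothing is hard-coded.
$templates = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -in $roleNames
if (@($templates).Count -ne $roleNames.Count) {
    throw 'Not every role name resolved; check spelling against Get-MgDirectoryRoleTemplate.'
}
$roleIds = @($templates | Select-Object -ExpandProperty Id)

# Exclude one emergency-access account (placeholder UPN) so a bad policy cannot lock out all admins.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.example').Id

$policy = @{
    displayName = 'Require MFA for administrative roles'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then change to 'enabled'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }   # "all cloud applications" as in the post
        users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode long enough to confirm in the sign-in logs that every admin session would have satisfied MFA, then set state to enabled.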
Require MFA for self-service password reset (SSPR)
Self-service password reset enables users to reset their own password without needing to go through a help desk. When performing a password reset, users should be required to robustly verify their identity in order to prevent potential account takeover. SSPR permits four types of authentication methods, which include email and mobile phone. A determined attacker can typically gain access to one of these methods with relative ease. Octo Tempest has been known to take over accounts via SSPR using access to user phones acquired through SIM swapping, among other methods. Requiring two authentication methods in order to complete SSPR might not stop every attacker, but it does introduce an additional defensive layer to the process that could make all the difference.
Implementation
Within Entra ID under password reset, set authentication methods to two.
Select authentication methods and registration options – Microsoft Entra ID | Microsoft Learn
Microsoft Defender for Identity
——————————————————————————————————-
Set a honeytoken account
A honeytoken account works like a security alarm; it is a dormant account with no legitimate business purpose, so any activity that occurs on the account generates an alert. This facilitates the identification of attacker activity that may otherwise have gone unnoticed. A honeytoken is a very simple and effective detective control, and can be leveraged in multiple different ways as described in Deceptive defense: best practices for identity based honeytokens in Microsoft Defender for Identity. While attack prevention is preferable to retroactive detection, these days it is not reasonable to expect that an organization will avoid being breached. It is vital to be prepared to detect attacks that get past the outer layer of defense in order to mitigate their impact.
Implementation
Create or repurpose an account with no business purpose, and ensure its privileges are removed. Tag this account as a honeytoken within the Defender portal under Settings > Identities > Honeytoken.
Entity tags in Microsoft Defender for Identity – Microsoft Defender for Identity | Microsoft Learn
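Before tagging an on-premises account as a honeytoken, the implementation step asks that its privileges be removed. The block below is an added example, not code from the post or from Microsoft, of that preparation with the RSAT ActiveDirectory module; the account name is a placeholder. It creates the account if it does not already exist, strips every group membership except the primary group, and prints what remains so you can confirm the account holds no rights before tagging it in the portal.

```powershell
# Added example (not from the original post): prepare a no-privilege AD account to be tagged
# as a honeytoken. Assumes the ActiveDirectory module; the name is a placeholder.
Import-Module ActiveDirectory

$name = 'svc-backup-legacy'   # placeholder: choose a name that resembles a real service account

$acct = Get-ADUser -Filter "SamAccountName -eq '$name'"
if (-not $acct) {
    # Enabled but never used, so any authentication attempt against it is anomalous.
    $acct = New-ADUser -Name $name -SamAccountName $name -Enabled $true `
        -AccountPassword (Read-Host 'Password for the honeytoken account' -AsSecureString) -PassThru
}

# Remove every group except the primary group (Domain Users), which this cmdlet cannot remove.
Get-ADPrincipalGroupMembership -Identity $acct |
    Where-Object Name -ne 'Domain Users' |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $acct -Confirm:$false }

# What is left should be Domain Users only; then tag the account under Settings > Identities > Honeytoken.
Get-ADPrincipalGroupMembership -Identity $acct | Select-Object Name
```

Because Domain Users is the primary group it cannot be dropped here, which is fine: the goal is that nothing beyond default domain rights is attached to the account, so an alert on it carries no risk of legitimate use.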
Conclusion
Every organization can take actions to improve their security posture, but the sheer volume of control recommendations can sometimes overwhelm organizations into inaction. Through this blog post, the Defender Experts for XDR team has aimed to provide a discrete list of configurations and controls that we have observed to be impactful through our daily work with Microsoft customers. We hope that these recommendations will be implemented, or at least considered, for the protection of your organization as well.
If you’re interested in learning more about Defender Experts for XDR, visit the Microsoft Defender Experts for XDR web page or the Defender Experts for XDR docs page.
Corporate Comms Discussion – January
What a great discussion with Wendy Sherwood about what was done at CBRE with Viva Connections and Viva Engage. Lots of great stuff from creating goals to thinking about the hybrid workforce. Take a listen.
Build an Azure Logic App to send an alert when the provisioning state changes for your Azure VWAN
Prerequisites:
Before diving into the implementation, make sure you have the following in place:
An active Azure subscription.
An existing Azure Virtual WAN environment.
A contributor role to create the Azure Logic App
Step 1:
Begin by navigating to the Azure portal and creating a new Logic App. Select a resource group, provide a unique name, choose the appropriate region, select the plan (Standard or Consumption), and leave the Zone redundancy to ‘disabled’. You should have something like this:
Step 2:
Set up a System-Assigned Managed Identity to allow the logic app to query the provisioning status for the Virtual WAN.
Within the Azure portal, navigate to the Logic App you created. Select Identity from the left blade. Then, select the system-assigned identity button, set the status to On, and select Save.
Assign the “Reader” role access via Role Assignments to the Azure Logic App managed identity within the scope of where the Azure VWAN resides in your subscription.
Step 3:
Configure and run your Logic App by navigating to the code view of your Logic App within the Azure Portal and paste the following:
{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "HTTP_2": {
                "inputs": {
                    "authentication": {
                        "type": "ManagedServiceIdentity"
                    },
                    "body": {
                        "query": "resources | where type == 'microsoft.network/virtualwans' | extend provisioningState = tostring(properties.provisioningState) | project name,provisioningState"
                    },
                    "headers": {
                        "Content-Type": "application/json"
                    },
                    "method": "POST",
                    "queries": {
                        "api-version": "2021-03-01"
                    },
                    "uri": "https://management.azure.com/providers/Microsoft.ResourceGraph/resources"
                },
                "runAfter": {},
                "type": "Http"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {},
        "triggers": {
            "Recurrence": {
                "recurrence": {
                    "frequency": "Minute",
                    "interval": 1
                },
                "type": "Recurrence"
            }
        }
    },
    "parameters": {}
}
Note: If you would like to monitor the provisioning state of your virtual hubs instead, you can change the query line above to be the following:
"query": "resources | where type == 'microsoft.network/virtualhubs' | extend provisioningState = tostring(properties.provisioningState) | project name,provisioningState"
Step 4:
After you have run your Logic App, navigate to the run history, click on the recent run, click on the “HTTP” step, scroll down to copy the “body” section and paste it in a Notepad (We will need it in the next step to Parse the output of the HTTP response). See image below:
Step 5:
Navigate to the Logic app designer, click on new step and search for “Parse JSON” (You should be able to see it as the first option under Actions). Click on Parse JSON. In the Content field, select “Body” and in the Schema field, click on “Use Sample Payload to generate Schema” and paste the body you copied from the previous step in the box as shown below:
Step 6:
Click on new step and search for “Condition” under the Built-in connectors. Under Condition, select “Provisioning State” is not equal to “Succeeded”. Under “True”, search for Send an email (V2), fill out the necessary fields for example: Body, Subject, To, etc. as shown below then hit save.
At the end, your logic app designer should look similar to this:
Step 7:
Let’s test the Azure Logic App and simulate a “Failed” state for your Azure Virtual WAN.
1. Navigate to your Azure Virtual WAN.
2. Under “Settings” on the left blade, select Configuration.
3. Change the branch-to-branch configuration to “disabled” and hit save.
4. Immediately navigate to the overview page while the page is loading and click OK on the top. (We are doing this intentionally to cause the provisioning state to change to “Failed”.)
Note: You may need to repeat steps 3 & 4 again but this time you will enable the branch-to-branch configuration and hit save.
5. You should be able to see the status changes to “Failed” for your Azure Virtual WAN and an alert has been sent to the email you specified in the Logic App.
Note: This is only for testing purposes, please use caution while testing this in your production environment.
6. If you would like to bring your Azure Virtual WAN to the “Succeeded” provisioning state, please run the following PowerShell command after making the necessary changes to the name, and the resource group name:
Get-AzVirtualWan -Name "your_resource_name" -ResourceGroupName "your_resource_group_name" | Update-AzVirtualWan
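Steps 2 through 6 can be rehearsed from Azure PowerShell before the workflow is wired up: the role assignment in Step 2 can be scoped to the Virtual WAN resource itself rather than the whole subscription, and the Resource Graph query from Step 3 can be run directly to see the exact rows the Parse JSON and Condition steps will receive. The block below is an added example, not code from the post; it assumes the Az.Accounts, Az.Resources and Az.ResourceGraph modules, and every resource name in it is a placeholder.

```powershell
# Added example (not from the original post): scope the Logic App identity's Reader role to the
# VWAN and preview the Resource Graph query. Names are placeholders; needs Az.ResourceGraph.
$logicAppRg   = 'rg-monitoring'
$logicAppName = 'la-vwan-state'
$vwanRg       = 'rg-network'
$vwanName     = 'vwan-prod'

Connect-AzAccount | Out-Null

# Step 2: system-assigned identity of the Logic App, and the VWAN it is allowed to read.
$identity = (Get-AzResource -ResourceGroupName $logicAppRg -ResourceType 'Microsoft.Logic/workflows' -Name $logicAppName).Identity
if (-not $identity.PrincipalId) { throw 'Turn on the system-assigned identity for the Logic App first (Step 2).' }
$vwan = Get-AzResource -ResourceGroupName $vwanRg -ResourceType 'Microsoft.Network/virtualWans' -Name $vwanName

# Least privilege: Reader on the VWAN resource only, assigned once.
if (-not (Get-AzRoleAssignment -ObjectId $identity.PrincipalId -Scope $vwan.Id -RoleDefinitionName Reader)) {
    New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName Reader -Scope $vwan.Id | Out-Null
}

# Step 3/4: the same query the HTTP action sends, run under your own credentials to preview the body.
$query = "resources | where type == 'microsoft.network/virtualwans' " +
         "| extend provisioningState = tostring(properties.provisioningState) | project name, provisioningState"
$rows = Search-AzGraph -Query $query
$rows | Format-Table name, provisioningState

# Step 6's condition: anything other than Succeeded is what the email alert should fire on.
$unhealthy = @($rows | Where-Object provisioningState -ne 'Succeeded')
if ($unhealthy.Count -gt 0) {
    Write-Warning "Virtual WANs not in Succeeded state: $($unhealthy.name -join ', ')"
}
```

The rows printed by Search-AzGraph are the objects that appear inside the HTTP action's body in the run history, which makes this a quick way to sanity-check the query (or the virtual hubs variant from the note above) before pasting a sample payload into the Parse JSON step.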
Conclusion:
Using the Azure Logic App to notify you when a provisioning state changes in your Azure Virtual WAN can help you to proactively address potential issues and minimize downtime. This automated approach enhances your operational efficiency and allows you to monitor your Azure Virtual WAN estate.