Skip to content

Links and guidance related to the return on mitigation report in the Microsoft Digital Defense Report

Notifications You must be signed in to change notification settings

reprise99/mddrguidance

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 

Repository files navigation

MDDR Guidance

Links and guidance related to the return on mitigation report in the Microsoft Digital Defense Report - Microsoft Digital Defense Report

image

These statistics show the percentage of customers that have the issues highlighted and then seeks to prioritze the controls and remediation actions to give customers direction on where investment is best placed

Below are listed various links and resources for each issue and guidance to address them

Higher

Poor user lifecycle management

If you use Entra ID, there is a lifecycle management capability that helps you manage user onboarding, offboarding and entitlement management (ensuring users only have access to what they require)

Lack of EDR coverage

Microsoft Learn documentation showing the various ways to onboard devices

Guidance on how MDE can integrate to Microsoft Defender for Cloud ensuring cloud workloads have the MDE sensor and are integrated fully, includes onboarding guidance

A blog series from Microsoft MVP Jeffrey Appel that includes effectively onboarding devices

Lack of detection controls

A guide on how to operationalize MDE with your SecOps team. Even if you use non Microsoft EDR, there are good lessons here that you can apply to whatever tooling

Resource exposed to public access

MDE tags devices that are publicly exposed to the internet with a specifc tag that is available in the UI and in Advanced Hunting to query on. Devices that are publicly accessible are more vulnerable to exploit and should be priortized for hardening and patching

Insufficient protections for local accounts

Windows LAPS is a Windows feature that manages the local administrator account on Windows devices, to reduce the risk of credential attacks like pass-the-hash, by ensuring each device has a local admin password that is unique and regularly changed

Missing security barrier between cloud and on-premise

The protect M365 guidance seeks to protect Active Directory and Microsoft Entra ID (previously Azure Active Directory) from each other in the case of compromise. If Active Directory is compromised we want to reduce the blast radius to Microsoft Entra ID and vice versa

Insecure Active Directory confguration

If you use Microsoft Defender for Identity, you can use the security posture assessments to find quick wins for securing accounts and configuration

A video from Trimarc security on how to get quick security wins in Active Directory

A blog from the Microsoft Detection and Response Team on issues seen in Active Directory in real life compromises

A blog from SpecterOps covering common misconfigurations in ADCS that allow domain domination

Locksmith is a lightweight tool developed by Trimarc security that queries ADCS and can detect and remediate misconfigurations

Insufficient device security controls

Guidance from the NCSC about hardening Windows devices

The inventory portal can show you the status of your devices, including whether they are enrolled in MDE, the health of the sensor and any residual device risk

Legacy cloud authentication is still used

Guidance to block legacy authentication in Microsoft Entra Conditional Access. Although this was disabled for Exchange Online by Microsoft, it is recommended you block it using CA also as non Exchange Online services or custom apps may be using legacy auth

No advanced password protection enabled

Both links show how to deploy Microsoft Entra ID Password Protection, a service that lets you block poor passwords both in the cloud and on-premises. Password protection works by blocking the most common bad passwords (such as Password123) and your own custom blocklist (YourCompanyName123)

Missing content based MFA protection mechanisms

Guidance on planning your strategy from moving away from weaker MFA methods (SMS/Phone) to modern and phishing resistant methods (FIDO2/Windows Hello for Business)

This graphic is a great visual explainer

Authentication Methods

Insecure operating system confguration

Intune device compliance rules allow you to configure policies and settings your devices must adhere to in order to be granted access via Conditional Access

Microsoft provides guidance around aligning to CIS and other benchmarks

Medium

Legacy and unsecure protocols

Guidance for disabling SMB v1 and other SMB policies

Great blog from Steve Syfuhs from Microsoft about NTLM and the struggles to remove it

Missing or inconsistent update management

Managing software updates and updates to Windows via Intune

Using WSUS to update Windows

Azure Update Manager is a unified service to help govern updates across all your machines, including Windows and Linux, across Azure, on-premises and other clouds

Missing cloud application management and monitoring

If you are licensed for Microsoft Defender for Cloud Apps you can connect in third party apps like ServiceNow, Atlassian, AWS for visibility into those apps. They are easy to connect and build use cases for

How to use the investigation tools and interface to investigate alerts and other suspicious activity

A SecOps guide to Microsoft Entra ID including how to respond to compromise, what events to look for as a detection team and how to protect users and devices

No privileged identity management solution

You can use Microsoft Entra PIM to manage privileged access to your environment by requiring additional approvals or security checks to elevate to privileged roles. This access can also be time bound

If you are just starting your PIM journey you can discover your current posture to show the spread of privileged access and use that as a foundation to reduce privilege across your environment

No MFA, or MFA not mandatory for privileged accounts

There is an out of the box security default that will enforce MFA for privileged accounts, turn this on!

If you want to go beyond Security Defaults, there are lots of great CA templates available here

Your most privileged accounts should be using phishing resistance MFA, enable it here!

Don't just enable passwordless for your most privileged accounts, enforce the use of it with authentication strengths

Weak email protection against common threats

SecOps guide for Microsoft Defender for Office 365 and how to respond to mail based attacks. As with all these guides, even if you use non Microsoft mail security, there is valuable guidance here

Guidance on bringing Office 365/Microsoft 365 inline with best practice

If you use third party mail filtering, you can get Exchange Online to do a secondary check by enabling Enhanced Filtering. Ain't nothing wrong with a second opinion when it comes to phishing

Legacy or unsupported operating systems

Sometimes there is no exciting guidance, you just need to update your old stuff!

Lower

No privilege separation

Guidance to secure privileged accounts, including seperation of on-premises admin accounts from cloud admin accounts, removal of mailboxes from admin accounts and separate admin accounts from regular day to day accounts

The section of the Microsoft Azure Well-Architected Framework that covers administrative account security

No hardened workstations used for administration

Understanding why privileged access devices are important and where they fit on your privileged management journey

The Microsoft Enterprise Access Model guidance, this model seeks to reduce the spread of privileged credentials and paths to privileged accounts by securing tier 0 assets and users

Missing data classifcation and sharing restrictions

Lists all the various locations to configure guest settings including Entra, SharePoint, OneDrive and Teams

Microsoft Learn documentation on protecting data with Microsoft Purview including information labels, insider risk and data compliance

No vulnerability management

Microsoft Defender now has vulnerabilty management capability which you can see within the M365 Defender Portal

You can integrate vulnerability management into Microsoft Defender for Cloud, this includes both virtual machines and vulnerability analysis for containers and other cloud native products

No adherence to the Least Privilege Principle

A list of tasks that can be completed in Microsoft Entra ID and the role that allows a user to complete that action while adhering to least privilege

Implementing least privilege administrative models in on-premises Active Directory

About

Links and guidance related to the return on mitigation report in the Microsoft Digital Defense Report

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published