<img alt="" src="https://secure.hims1nice.com/151009.png" style="display:none;">
Skip to main content

Managing Device Vulnerabilities - Part 2

In Part 1 of this 2-part blog series, we looked at Microsoft Defender Vulnerability Management (MDVM) core capabilities ...

Cliff Embry
Posted by Cliff Embry
Managing Device Vulnerabilities - Part 2
image-3

In today's fast-paced business landscape, staying ahead of the competition requires efficient and effective solutions. According to Microsoft’s Work Trend Index, nearly 70% of employee report that they don’t have sufficient time in the day to focus on “work”, with more time being spent Communicating than Creating.

Microsoft 365 Copilot is designed, with Microsoft’s cloud trust platform at its core, to allow for employees to both be more productive, reduce the time spent searching for information, performing mundane tasks, and other low-value activities.

In Part 1 of this 2-part blog series, we looked at Microsoft Defender Vulnerability Management (MDVM) core capabilities that are included with Microsoft Defender for Endpoint P2. In this post, we will focus on the “Add-on” capabilities which include:

  1. Security baseline assessments
  2. Browser extensions assessment
  3. Digital certificate assessment
  4. Network share analysis
  5. Block vulnerable applications

You can find a breakdown of licensing requirements here: Compare Microsoft Defender Vulnerability Management offerings

Regardless of your current licensing, everyone can get their hands on a 120-day trial to evaluate the full product. This post will focus on additional capabilities included with the add-on and standalone versions of the solution.

 

Security Baseline Assessments

 

First, let’s look at security baseline assessments. Microsoft Defender Vulnerability Management leverages Center for Internet Security (CIS) and Security Technical implementation Guides (STIG) benchmarks for Windows 10 and above operating systems. These benchmarks can be customized to create security baselines that fit your organization's requirements. These baselines can be deployed to all or a subset of devices, or all devices, to assess compliance with the security baseline. Here is how to get started.

Navigate to the security portal under “Vulnerability Management” and select “Security Baselines.” Choose the “Profiles” tab and then select “Create” to create a new security baseline.

Managing Device Vulnerabilities - Security Baselines

Provide a name and optional description. You can decide at this time to activate the profile or leave it in an inactive state. In this example, the profile will be activated upon creation.

Managing Device Vulnerabilities - Profile

Choose your software and desired base benchmark. For this example, we will choose Windows 10 21H2 and the associated CIS benchmark.

Managing Device Vulnerabilities - Baseline Profile Scope

Then choose your compliance level. In this example, we will choose “Level 2 (L2) + BitLocker + Next Generation Windows Security (NG)” which maps to advanced E5/A5 capabilities, BitLocker, and NextGen Windows Security.

Managing Device Vulnerabilities - Baseline Profile

Managing Device Vulnerabilities - Baseline Profile Scope

At this point, you can choose what configuration settings make sense for your organization. Some features you may not be using or leveraging a 3rd party to fill those gaps.

Managing Device Vulnerabilities -  Profile Configuration Settings

For the example, I will select all configurations for this security baseline profile.

Managing Device Vulnerabilities -  Profile Configuration Settings

If you look at an individual setting, you can see details for the configuration settings.

Managing Device Vulnerabilities -  Profile Configuration Settings

Once configuration settings have been selected, continue with the profile creation wizard by selecting “next.” On the next page, you can choose which device groups to assess against the configuration baseline. After your selection, continue the wizard by selecting “next.”

Managing Device Vulnerabilities -  Profile Configuration Settings

Review your baseline assessment profile and select “done” once you are satisfied with the configuration.

Managing Device Vulnerabilities -  Profile Configuration Settings

Navigating back to the “Overview” tab under “Baseline Assessment,” you will now see some stats regarding your baseline assessment(s).

Managing Device Vulnerabilities -  Baseline Assessment

Hopping over to the “Settings” tab, you can see all configuration settings and their current compliance status.

Managing Device Vulnerabilities -  Compliance Status

Select any configuration setting to get details for the configuration requirements and information on device compliance in your organization.

Managing Device Vulnerabilities - Device Compliance

As you can see, performing baseline assessments can help guide an organization to a more mature endpoint security posture by leveraging CIS and STIG benchmarks. All information is in one place and provides guidance on configuration requirements.

 

Browser Extensions Assessment

 

Next, let’s review how MDVM can help provide visibility around vulnerable browser extensions for Microsoft Edge, Google Chrome, and Mozilla Firefox. Navigate to the “Browser extensions” page under the “inventories” pane to see devices on which the extensions are installed and enabled. Here you can see permission risks for the extension to assist with decisions when determining what browser extensions are allowed to run in the organization. This can assist with identifying risky extensions and with planning for the deployment or restriction of extensions.

Managing Device Vulnerabilities - Browser Extensions

Select a browser extension to open a flyout pane where you can learn more about the extension.

Managing Device Vulnerabilities - Browser Extensions

Try selecting the “Extension versions” tab to see the versions installed in your organization.

Managing Device Vulnerabilities -  Extension Versions

 

Digital Certificate Assessment

 

Next up, let’s stay under the “Inventories” pane and navigate to the “Certificates” tab to enlighten us on expired or misconfigured certificates that could leave your organization vulnerable. On this page, you can view a list of certificates installed for the entire endpoint estate in a central location. Selecting any of these certificates will provide full certificate details, issuing details, and device installation status.

Managing Device Vulnerabilities - Digital Certificates

This information can help identify certificates that are expired or near expiration, detect vulnerabilities (weak signature algorithms, shore key sizes, and weak signature hash algorithms), and help validate compliance with regulatory guidelines or organization policy.

 

Network Share Analysis

 

Let’s move on to network share analysis. Navigate to the MDVM “Recommendations” pane and filter on “OS/Shares.”

Managing Device Vulnerabilities - Network Share Analysis

The resulting list will provide recommendations for vulnerabilities identified in the organization. Here we can see 4 recommendations and the associated exposed devices per recommendation.

Managing Device Vulnerabilities - Security Recommendations

Select a recommendation to review the potential risk and investigate remediation options.

Managing Device Vulnerabilities - Security Recommendations

 

 

Block Vulnerable Applications

 

And last, but not least, we can block or warn on supported vulnerable applications. First, we need to ensure the advanced feature is enabled for Endpoints. In the security portal, navigate to “Settings” in the left-hand margin and choose “Endpoints” then “Advanced features.” Find “Allow or block file” and ensure it is toggled on.

Managing Device Vulnerabilities -  Block Vulnerable Applications

Now head back to the “Recommendations” pane under MDVM. Clear the filter set previously and then search for “Update” to find recommendations for updating software. In this example, we use Foxit Reader. Once you have identified your software that needs to be updated, select “Request remediation.”

Managing Device Vulnerabilities -  Request Remediation

In the “Remediation options” dropdown, select “Attention required” and select “Next.”

Managing Device Vulnerabilities - Remediation Report

For the “Choose mitigation action” selection, choose to block or warn the end user. Here we will choose to warn for evaluation purposes. Adjust the message you want your end users to see, then select “Next” to review and complete the wizard.

Managing Device Vulnerabilities -  Request Remediation

After completing the wizard, navigate to the MDVM “Remediations” page, then select an application to view details in the flyout for the blocked app. You can also unblock the app from the flyout on the right. Now, when users launch apps of these versions, they will receive the warning message provided.

Managing Device Vulnerabilities - Remediation

That’s it! This concludes Part 2 of the series. I hope you have learned how MDVM can provide immediate value, regardless of your current licensing status. If you’d like to see more posts like this, subscribe to the KiZAN blog mailing list, or follow us on LinkedIn.

Demo | Workshop | Managed Service

Learn how Microsoft Defender Vulnerability Management can identify vulnerabilities and remediate weaknesses in your organization.

 

KiZAN Logo Blue

KiZAN is a Microsoft National Solutions Provider with numerous gold and silver Microsoft competencies, including gold data analytics. Our primary offices are located in Louisville, KY, and Cincinnati, OH, with additional sales offices located in Tennessee, Indiana, Michigan, Pennsylvania, Florida, North Carolina, South Carolina, Georgia and Texas.