braedachau
Brass Contributor
Jan 01, 2021

Proactive Remediations - Security Recommendations Defender Endpoint

Hello,

Really stupid question: has anybody written detection and remediation PowerShell scripts for the following?

1. Disable Adobe Flash - Adobe DC Reader
2. Disable JavaScript - Adobe DC Reader
3. ASR - Block persistence through WMI event subscription.

This is probably not a problem for most of you as your systems are joined to a domain

However, most of mine are not, and are managed - yeah I know, don't say it.

Since Endpoint Analytics proactive remediation is not an option in a non-joined scenario, I need to run the PowerShell scripts within Intune to force the issue.

Thanks for your patience, and if you can share your scripts I would be truly grateful.

I might add: why has Microsoft not added these by default, even if they are not active? I obviously have a lot to learn, so if you have a lot of patience, feel free. I learn quickly.

I also note that a lot of security recommendations need alterations to the registry, so if you have one of these PowerShell scripts lying about, I wouldn't mind a look either.

I have attached a screenshot of my current security level. I thought I was doing well.

Sincerely.

An amateur admin, but keen to learn and get certified.

  • Thijs Lecomte
    Bronze Contributor

    Hi

    First off, you stated 'Proactive remediation is not an option in a non-joined scenario'. As long as your devices are hybrid AD joined or AAD joined, you are good to go. What join method are you using?

    I would recommend not using proactive remediations to configure settings, as they can become quite cumbersome to maintain. I would advise using different Intune profiles.
    For ASR for example: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#intune

    For the Adobe Reader, I would try to use a 'MST' configuration file during installation => https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/basics.html
    Would this solve your issue?
    • braedachau
      Brass Contributor

      Thijs Lecomte

      Thanks for your reply.

      You can't disable persistence via WMI via Intune.

      This one you can - GUID d1e49aac-8f56-4280-b9ba-993a6d77406c

      This one you can't - GUID e6db77e5-3df2-4cf1-b95a-636979351e5b

      As explained here

      https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction

      It requires a PowerShell script to be written and signed, with both the script and the signing certificate published to Windows endpoints. I haven't signed the PowerShell script yet and am figuring out a safe way to store it "publicly" - I have no website, so am thinking about putting them into a SharePoint site that is available to all. I have run the PowerShell ASR script locally on 3 test machines and am waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should, as this happens when I close recommendations on a test machine (test) then the entire tenant).

      I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but now might investigate if I can close these via hash blocks in Defender Endpoint (some additional testing now required on how Acrobat runs Java and Flash).

      Thanks.

  • Lassaad
    Brass Contributor

    braedachau

    Hello,

    # Disable autorun/autoplay on all drives
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

    # Disable Flash in Adobe Reader DC: Flash is an insecure technology with many known vulnerabilities
    reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bEnableFlash /t REG_DWORD /d 0 /f

    # Disable JavaScript in Adobe Reader DC
    reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 1 /f
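The original poster asked for detection and remediation scripts covering the two Reader FeatureLockDown values and the WMI-persistence ASR rule. The following is an added example, not code from any participant in the thread: a single script body that reports drift from that baseline with the exit codes Intune Proactive Remediations expect (0 = compliant, 1 = remediation needed) and, when `$Remediate` is flipped to `$true`, applies the baseline and re-checks. It assumes Microsoft Defender Antivirus is active, the script runs as SYSTEM in a 64-bit PowerShell host, and uses only the registry paths and rule GUID quoted above.

```powershell
# Added example (not from the thread). Deploy twice: as-is for the detection
# script, and with $Remediate = $true for the remediation script.
$Remediate = $false

# ASR rule "Block persistence through WMI event subscription" (GUID quoted in thread)
$AsrWmiRule = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
$ReaderKey  = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Desired Reader lockdown values: name => DWORD value
$Wanted = @{ bEnableFlash = 0; bDisableJavaScript = 1 }

function Get-Drift {
    $drift = @()
    foreach ($name in $Wanted.Keys) {
        $current = (Get-ItemProperty -Path $ReaderKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $Wanted[$name]) { $drift += "Reader $name is '$current', want $($Wanted[$name])" }
    }
    # Get-MpPreference returns parallel arrays: rule GUIDs and their action codes
    # (0 = Off, 1 = Block, 2 = Audit). Anything other than Block counts as drift.
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids)
    $idx   = -1
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $AsrWmiRule) { $idx = $i } }
    if ($idx -lt 0 -or $prefs.AttackSurfaceReductionRules_Actions[$idx] -ne 1) {
        $drift += "ASR rule $AsrWmiRule is not in Block mode"
    }
    return $drift
}

function Set-Baseline {
    if (-not (Test-Path $ReaderKey)) { New-Item -Path $ReaderKey -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $ReaderKey -Name $name -Value $Wanted[$name] -PropertyType DWord -Force | Out-Null
    }
    # Add-MpPreference merges with existing rules rather than replacing the list
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrWmiRule -AttackSurfaceReductionRules_Actions Enabled
}

$drift = Get-Drift
if ($drift.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
Write-Output ($drift -join '; ')   # shown in the Intune remediation report
if ($Remediate) {
    Set-Baseline
    # Re-check so the remediation run reports the real post-change state
    if ((Get-Drift).Count -eq 0) { exit 0 } else { exit 1 }
}
exit 1
```

If Intune runs the script in the default 32-bit host, HKLM\SOFTWARE\Policies is not redirected, but enable the 64-bit option anyway so Get-MpPreference behaves the same as in the console.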
