Forum Discussion

SteBeSec's avatar
SteBeSec
Iron Contributor
Jun 03, 2021

Feature Request: Please make TVM Security Recommendations a bit smarter

Hello MDE Devs,

 

I noticed that the security recommendations in MDE are...let's say "not smart". To give you some examples:

 

  • It is recommended that Bitlocker is enabled on virtual machines (VDIs). Why should someone enable Bitlocker on a machine that is virtual, hosted in a corporate owned datacenter and can't be stolen? 

  • The ASR Rule "Block credential stealing from the Windows local security authority subsystem" is recommended, even if Credential Guard is enabled on a machine. The article for the ASR Rule states that this rule is only useful if Credential Guard is not enabled: Use attack surface reduction rules to prevent malware infection | Microsoft Docs

  • The ASR Rule "Block persistence through WMI event subscription" is recommended, even if the machine is using SCCM - you can't enbable this rule if SCCM is present on a machine (this would block SCCM Agent from functioning correctly). It is only useful if youre not co-managing devices and are only using Intune or another MDM: Use attack surface reduction rules to prevent malware infection | Microsoft Docs

All of the above could be easily detected by MDE, so my feeling about this is, that not much effort was put in the recommendations.

Could you please have a look into this? A lot of recommendations just doesn't make any sense.

 

Best regards

Stefan

 

  • Joe Stern's avatar
    Joe Stern
    Iron Contributor
    I'm using Credential Guard *and* the ASR rule to block credential theft. Having the defense in depth doesn't affect performance meaningfully and helps keep desktops covered in the event of TPM failure.
    • SteBeSec's avatar
      SteBeSec
      Iron Contributor
      I‘ve added this already, but I would love to see more communication from Microsoft in this Community site. Unfortunately, it‘s silent most of the time - not a great Community experience.

Resources