%3CLINGO-SUB%20id%3D%22lingo-sub-1343641%22%20slang%3D%22en-US%22%3EHarden%20endpoint%20security%20for%20COVID-19%20and%20working%20from%20home%20with%20Threat%20%26amp%3B%20Vulnerability%20Management%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1343641%22%20slang%3D%22en-US%22%3E%3CP%3EAttackers%20have%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F04%2F08%2Fmicrosoft-shares-new-threat-intelligence-security-guidance-during-global-crisis%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eshifted%20their%20focus%3C%2FA%3E%20to%20take%20advantage%20of%20the%20COVID-19%20outbreak.%20Recent%20threats%20have%20ranged%20from%20malicious%20coronavirus-themed%20email%20and%20social%20engineering%20campaigns%2C%20to%20exploitation%20of%20endpoint%20configuration%20weaknesses%20on%20remote%20worker%20devices%20being%20used%20outside%20the%20normal%20security-controlled%20office%20environment.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWhile%20adhering%20to%20security%20best%20practices%20is%20always%20a%20good%20idea%2C%20it%20has%20now%20become%20imperative%20to%20harden%20your%20organization%E2%80%99s%20surface%20area%20against%20specific%20misconfiguration%20categories%20that%20can%20be%20leveraged%20to%20exploit%20the%20increase%20in%20remote%20work%20such%20as%20permissions%2C%20remote%20access%20control%2C%20lockout%20policies%2C%20network%20shares%2C%20security%20controls%2C%20and%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20help%20you%20effectively%20identify%2C%20assess%2C%20and%20remediate%20these%20endpoint%20misconfigurations%2C%20the%20Microsoft%20Defender%20Advanced%20Threat%20Protection%20(ATP)%20research%20team%20has%20added%20new%20assessments%20to%20our%20already%20rich%20set%20of%20existing%20secure%20configuration%20assessments%20in%20Threat%20%26amp%3B%20Vulnerability%20Management%20(TVM)%2C%20which%20are%20geared%20towards%20hardening%20against%20threats%20related%20to%20the%20current%20outbreak.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20we%20are%20also%20introducing%20a%20new%20%E2%80%9CCOVID-19%E2%80%9D%20tag%20next%20to%20each%20of%20the%20COVID-19%20related%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Ftvm-security-recommendation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EThreat%20%26amp%3B%20Vulnerability%20Management%20(TVM)%20security%20recommendations%3C%2FA%3E%20to%20help%20you%20easily%20search%20for%20these%20configuration%20assessments.%20To%20see%20this%20tag%2C%20open%20the%20security%20recommendations%20page%20in%20TVM%2C%20and%20filter%20to%20%3CA%20href%3D%22https%3A%2F%2Fsecuritycenter.microsoft.com%2Fsecurity-recommendations%3Ffilters%3Dstatus%253DActive%2CrecommendationTags%253Dcovid19%26amp%3Bpage_size%3D30%26amp%3Bfields%3Dtitle%2CrelatedComponent%2Cthreats%2CexposedDevicesWithTrends%2CremediationType%2CremediationTasks%2CimpactInfo%2Ctags%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Eshow%20only%20the%20COVID-19%20related%20recommendations%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22recommendations_cut_red.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F187160i1408459D53A511C6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22recommendations_cut_red.png%22%20alt%3D%22recommendations_cut_red.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EContinuous%20vulnerability%20assessment%20for%20remote%20worker%20devices%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20Threat%20%26amp%3B%20Vulnerability%20Management%20isn%E2%80%99t%20based%20on%20periodic%20scanning%2C%20but%20rather%20provides%20%3CSTRONG%3Econtinuous%20endpoint%20vulnerability%20assessment%3C%2FSTRONG%3E%20based%20on%20the%20built-in%20OS%20sensor%2C%20%26nbsp%3Bour%20vulnerability%20assessment%20will%20continue%20to%20seamlessly%20work%20for%20devices%20at%20home%20in%20exactly%20the%20same%20manner%20as%20it%20does%20in%20the%20office%20environment.%20It%20can%20be%20used%20to%20support%20the%20ongoing%20vulnerability%20assessment%20and%20monitoring%20of%20Windows%20patch%20status%2C%20as%20well%20as%20the%20use%20of%20potentially%20vulnerable%20applications%2C%20and%20remote%20collaboration%20tools%20that%20have%20grown%20in%20popularity.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ELeveraging%20advanced%20hunting%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%20to%20viewing%20this%20new%20information%20in%20the%20Microsoft%20Defender%20Security%20Center%2C%20you%20can%20also%20leverage%20our%20advanced%20hunting%20capabilities%20to%20slice%20and%20dice%20the%20findings%20based%20on%20your%20unique%20needs.%20Use%20the%20following%20examples%20below%20as%20reference%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EA%20summary%20per%20each%20COVID-19%20related%20assessment%20of%20how%20many%20machines%20are%20compliant%2Fnon-compliant%20with%20the%20recommended%20configuration%2C%20arranged%20by%20operating%20system%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3EDeviceTvmSecureConfigurationAssessment%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20where%20IsApplicable%20%3D%3D%201%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20join%20kind%3Dinner%20(%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20DeviceTvmSecureConfigurationAssessmentKB%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E)%20on%20ConfigurationId%26nbsp%3B%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20where%20Tags%20contains%20%22COVID%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20summarize%20ConfigurationName%3Dany(ConfigurationName)%2C%20TotalApplicableMachines%3Ddcount(DeviceId)%2C%20CompliantMachines%3Ddcountif(DeviceId%2C%20IsCompliant%20%3D%3D%201)%2C%20NonCompliantMachines%3Ddcountif(DeviceId%2C%20IsCompliant%20!%3D%201)%20by%20ConfigurationId%2C%20OSPlatform%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20sort%20by%20ConfigurationId%2C%20OSPlatform%20asc%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3EA%20detailed%20list%20of%20all%20misconfigured%20COVID-19%20related%20configurations%20on%20all%20machines%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3EDeviceTvmSecureConfigurationAssessment%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20where%20IsApplicable%20%3D%3D%201%20and%20IsCompliant%20%3D%3D%200%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20join%20kind%3Dinner%20(%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%20DeviceTvmSecureConfigurationAssessmentKB%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E)%20on%20ConfigurationId%26nbsp%3B%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20where%20Tags%20contains%20%22COVID%22%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20size%3D%222%22%3E%7C%20project%20DeviceName%2C%20OSPlatform%2C%20ConfigurationId%2C%20ConfigurationName%2C%26nbsp%3B%20ConfigurationCategory%2C%20ConfigurationSubcategory%2C%20ConfigurationDescription%2C%20RiskDescription%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAdditional%20resources%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAs%20our%20customers%20continue%20to%20adapt%20to%20a%20new%20norm%2C%20we%20are%20committed%20to%20providing%20the%20tools%2C%20help%2C%20and%20resources%20they%20need%20to%20effectively%20secure%20their%20organizations.%20Take%20a%20look%20below%20for%20additional%20guidance%20and%20information%20that%20may%20help.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-defender-atp%2Fsecure-your-remote-workforce-with-microsoft-defender-atp%2Fba-p%2F1271806%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3ESecure%20your%20remote%20workforce%20with%20Microsoft%20Defender%20ATP%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F2020%2F04%2F08%2Fmicrosoft-shares-new-threat-intelligence-security-guidance-during-global-crisis%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMicrosoft%20shares%20new%20threat%20intelligence%2C%20security%20guidance%20during%20global%20crisis%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CEM%3E%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EMicrosoft%20Defender%20ATP%20team%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1343641%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Blog_cover_slogan.png%22%20style%3D%22width%3A%20793px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F187633iDA1E8A8F26A503D9%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Blog_cover_slogan.png%22%20alt%3D%22Blog_cover_slogan.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ELeverage%20new%20Threat%20%26amp%3B%20Vulnerability%20Management%20capabilities%20to%20harden%20endpoint%20security%20posture%20for%20COVID-19%20and%20working%20from%20home%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1343641%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Ehardening%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERemote%20Work%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecure%20configuration%20assessment%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20%26amp%3B%20Vulnerability%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1352451%22%20slang%3D%22en-US%22%3ERe%3A%20Harden%20endpoint%20security%20for%20COVID-19%20and%20working%20from%20home%20with%20Threat%20%26amp%3B%20Vulnerability%20Mana%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1352451%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20just%20silly%20MS.%20Slapping%20some%20useless%20tag%20on%20completely%20irrelevant%20issues%20and%20calling%20this%20a%20News.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1374749%22%20slang%3D%22en-US%22%3ERe%3A%20Harden%20endpoint%20security%20for%20COVID-19%20and%20working%20from%20home%20with%20Threat%20%26amp%3B%20Vulnerability%20Mana%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1374749%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F262426%22%20target%3D%22_blank%22%3E%40Gilad_Mittelman%3C%2FA%3E%26nbsp%3BThis%20looks%20good%20but%20one%20question%20I%20have%20for%20the%20MDATP%20team%20is%20when%20will%20you%20address%20the%20issues%20with%20Missing%20KBs%20for%20Windows%2010%20machines.%20We%20are%20trying%20to%20use%20MDATP%20to%20find%20machines%20missing%20patches%20but%20you%20don't%20even%20recognize%20superseded%20patches.%20For%20example%20you%20are%20showing%20hundreds%20of%20our%20machines%20missing%20KB4549951%26nbsp%3Bhowever%20this%20was%20superseded%20on%20April%2020%20by%26nbsp%3BKB4550945.%20This%20make%20it%20very%20frustrating%20for%20our%20desktop%20team%20to%20rely%20on%20MDATP%20to%20address%20threats.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Attackers have shifted their focus to take advantage of the COVID-19 outbreak. Recent threats have ranged from malicious coronavirus-themed email and social engineering campaigns, to exploitation of endpoint configuration weaknesses on remote worker devices being used outside the normal security-controlled office environment.

 

While adhering to security best practices is always a good idea, it has now become imperative to harden your organization’s surface area against specific misconfiguration categories that can be leveraged to exploit the increase in remote work such as permissions, remote access control, lockout policies, network shares, security controls, and more.

 

To help you effectively identify, assess, and remediate these endpoint misconfigurations, the Microsoft Defender Advanced Threat Protection (ATP) research team has added new assessments to our already rich set of existing secure configuration assessments in Threat & Vulnerability Management (TVM), which are geared towards hardening against threats related to the current outbreak.

 

In addition, we are also introducing a new “COVID-19” tag next to each of the COVID-19 related Threat & Vulnerability Management (TVM) security recommendations to help you easily search for these configuration assessments. To see this tag, open the security recommendations page in TVM, and filter to show only the COVID-19 related recommendations.

 

recommendations_cut_red.png

 

 

Continuous vulnerability assessment for remote worker devices

 

Since Threat & Vulnerability Management isn’t based on periodic scanning, but rather provides continuous endpoint vulnerability assessment based on the built-in OS sensor,  our vulnerability assessment will continue to seamlessly work for devices at home in exactly the same manner as it does in the office environment. It can be used to support the ongoing vulnerability assessment and monitoring of Windows patch status, as well as the use of potentially vulnerable applications, and remote collaboration tools that have grown in popularity.

 

Leveraging advanced hunting

 

In addition to viewing this new information in the Microsoft Defender Security Center, you can also leverage our advanced hunting capabilities to slice and dice the findings based on your unique needs. Use the following examples below as reference:

 

  1. A summary per each COVID-19 related assessment of how many machines are compliant/non-compliant with the recommended configuration, arranged by operating system:

DeviceTvmSecureConfigurationAssessment

| where IsApplicable == 1

| join kind=inner (

    DeviceTvmSecureConfigurationAssessmentKB

) on ConfigurationId  

| where Tags contains "COVID"

| summarize ConfigurationName=any(ConfigurationName), TotalApplicableMachines=dcount(DeviceId), CompliantMachines=dcountif(DeviceId, IsCompliant == 1), NonCompliantMachines=dcountif(DeviceId, IsCompliant != 1) by ConfigurationId, OSPlatform

| sort by ConfigurationId, OSPlatform asc

 

  1. A detailed list of all misconfigured COVID-19 related configurations on all machines:

DeviceTvmSecureConfigurationAssessment

| where IsApplicable == 1 and IsCompliant == 0

| join kind=inner (

    DeviceTvmSecureConfigurationAssessmentKB   

) on ConfigurationId  

| where Tags contains "COVID"

| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName,  ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription

 

 

Additional resources

 

As our customers continue to adapt to a new norm, we are committed to providing the tools, help, and resources they need to effectively secure their organizations. Take a look below for additional guidance and information that may help.

 

Microsoft Defender ATP team

 

 

2 Comments
Super Contributor

This is just silly MS. Slapping some useless tag on completely irrelevant issues and calling this a News.

Senior Member

@Gilad_Mittelman This looks good but one question I have for the MDATP team is when will you address the issues with Missing KBs for Windows 10 machines. We are trying to use MDATP to find machines missing patches but you don't even recognize superseded patches. For example you are showing hundreds of our machines missing KB4549951 however this was superseded on April 20 by KB4550945. This make it very frustrating for our desktop team to rely on MDATP to address threats.