Security recommendations for Servers appeared after 18th March


Hello Community,

I hope someone may know the answer to this. I noticed an increase in the total number of machines for some of the Security recommendations within WDATP for a number of recommendations, such as Disable 'Enumerate administrator accounts on elevation'. I noticed the number had increased by exactly the number of servers we have deployed within our estate. I have checked GPO and confirmed this has never been set for these devices in the past, but suddenly WDATP started detecting it after the 18th March. These devices have been on-boarded for almost a year now, and I am interested in why WDATP may suddenly be detecting Security Recommendations for servers which were already onboarded, or where I can check if any changes or updates have been applied.

1 Reply
@NBfromFJ

How did you onboard the servers? If you used the Azure Security Center to install the Microsoft Monitoring Agent, then you should see the recommendations on the AZ Security Center recommendation page as well. https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/5

The portal is evolving and now actively reports various factors like below. These are also reflected on the MDATP portal as security recommendations. It's a great way to set policies and increase your protection score.

[Image: AZ-Security-Center-Recommendations.png]

NOTE: I would recommend carefully analyzing each recommendation to see if it causes more issues. You don't need to follow EVERY action point; if you do so, you might end up having a broken system. So evaluate, plan, test and then apply on production systems.