External devices like USBs are common tools people use to support daily business tasks like saving work in a convenient and portable way. While these devices help improve employee productivity and provide an easy way to back up files, they can also pose a threat to enterprise data, serving as a potential entry point for malware and viruses.
Over the last several months, Microsoft Defender for Endpoint has rolled out a handful of device control capabilities to help secure removable storage scenarios on Windows. Some of the common use cases we support include allowing specific users to:
Gain writing access to specific removable storage devices
Use specific removable storage devices on specific machines
Gain read/write/execute access to specific files on removable storage devices
Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN
Support for file parameters
We are pleased to announce Defender for Endpoint now allows organizations to better control how users read, write, and execute access to specific files on removeable storage. For example, by using file name/path/extension Defender for Endpoint can block end users from executing any file with INK, BAT, BIN, CHM, CMD, COM, CPL, EXE extensions.
For more details, please review Scenario 3 in our documentation found below:
With this release, we are expanding the Sid and ComputerSid properties to support AD Object and Azure AD Object Id to satisfy the following common scenarios:
An admin who is looking to restrict removable storage device access for both users and their machines. An example of this would be only allowing specific users to interact with specific removable storage devices on a specific machine. In this case, the qualified user must only initiate an authorized removable storage device on an authorized machine.
An admin who is looking to use one policy for removable storage management, while using Sid and ComputerSid inside the policy to control which users or machine groups can access certain removable storage.
An admin may want to track what files are being moved to an authorized removable storage device. The admin can create a policy to capture a copy of the file on their customized network share.
A new value added into the ‘Options’ attribute allows you to capture a copy of the file as evidence on the network share. The common scenario is as follows:
When an end user copies a file to an authorized removable storage device, device control will create a copy of the file as evidence on a network share.
Figure 1 - File information for removable storage event
Improvements to the removable storage access control investigation experience
After collecting user feedback, we found an opportunity to help improve investigation efficiency by providing device control events on the device timeline page. In addition to this improvement, we have made several other enhancements to the investigation experience over the last few months:
The removable storage access control event has been added into the machine timeline under Microsoft 365 security portal -> Devices -> Device page -> Timeline:
Figure 2 - Removable storage events on machine timeline page
When a file-level policy is triggered, the file path and name will be captured in the event and documented in the Advanced Hunting Device Control reports.
The Device Control report under security.microsoft.com -> Reports -> Device control – now receives updated data and visualizations in half the time. Reducing latency from 12 hours to 6 hours.
In certain scenarios where admins want to ensure better security across remote devices, they can enforce stricter policies on machines that are not connected to the corporate network by creating different Device control policies based on a machine’s network location using the ‘Network’ and ‘VPNConnection’ group types that were recently created control these policies.
We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to turn on preview features for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! You can submit feedback directly to our team through the portal.
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.