Microsoft Tech Community
Network device discovery and vulnerability assessments
Published Apr 13 2021 08:50 AM 45.6K Views
Microsoft

Earlier today we announced a new set of capabilities for Microsoft Defender for Endpoint that empower organizations to discover and secure network devices and unmanaged endpoints. This is especially critical in the new global hybrid working environment, which exposes the most challenging cybersecurity landscape we’ve ever encountered. 

 

The challenge: unmanaged network devices 

We know that users are 71% more likely to be infected on an unmanaged device, and connecting from these devices to business networks offers a high-value target for attackers to launch broader attacks from. In recent years, we have witnessed several cases where security vulnerabilities in networking gear were actively exploited in the wild by cybercriminals. In some cases, this meant that attackers had the capability to access computers connected directly to corporate networks from the internet (such as CDPwn, EternalBlue, EternalRed).

 

From a vulnerability management standpoint, the large number of unmanaged network devices deployed in each organization creates a large attack surface, representing a significant risk to the entire enterprise. These network devices must be secured and included in each organization's vulnerability management program. The first step is for an organization to make sure that every network device is discovered, accurately classified, and added to the asset inventory.

 

Network device discovery in Defender for Endpoint 

Defender for Endpoint customers can now take advantage of the new network discovery capabilities available in the Device inventory section of the Microsoft 365 security center and Microsoft Defender Security Center consoles. To do so, a designated Microsoft Defender for Endpoint device is used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint’s threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

 

Vulnerability management for network devices 

After the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.  

 


 

Figure 1: Security recommendation to update Cisco operating systems that run on routers, switches, and WLAN controllers 

 


Figure 2: Security recommendation details with all vulnerabilities associated with the Cisco IOS operating system 

 

Solution approach 

Network devices are not managed as standard endpoints, since Defender for Endpoint does not have a sensor built into the network devices themselves. These types of devices require an agentless approach, where a remote scan obtains the necessary information from the devices. Depending on the network topology and characteristics, one or more Windows devices onboarded to Microsoft Defender for Endpoint will perform authenticated scans of network devices using SNMP (read-only).

 

OS coverage for vulnerability assessment 

Currently, the following operating systems are supported: 

 

  1. Cisco IOS, IOS-XE, NX-OS 
  2. Juniper JUNOS 
  3. HPE ArubaOS, Procurve Switch Software 
  4. Palo Alto Networks PAN-OS 

Note: Support for additional networking vendors and operating systems will be added over time, based on data gathered from customer usage. Therefore, you are encouraged to configure all your network devices, even if they are not specified in this list. 

 

How to get started 

Your first step is to select a device that will perform the authenticated network scans. 

 

  1. Allocate an assessment device (client or server) that has a network connection to the management port of the target network devices. This can be any Windows device that has been onboarded to Defender for Endpoint. Note: SNMP traffic between the Defender for Endpoint assessment device and the target network devices must be allowed (e.g., by the organization’s firewall).
  2. Decide which network devices will be assessed for vulnerabilities (e.g., a Cisco switch or a Palo Alto Networks firewall).
  3. Make sure SNMP read-only is enabled on all configured network devices so that the Defender for Endpoint assessment device can query them. Note: ‘SNMP write’ is not needed for the proper functionality of this feature.
  4. Obtain the IP addresses of the target network devices to be scanned (or the subnets where these devices are deployed).
  5. Obtain the SNMP credentials of the target network devices (e.g., Community String, noAuthNoPriv, authNoPriv, authPriv). You’ll be required to provide these when configuring a new assessment job.
  6. Proxy client configuration: No additional configuration is required other than the Defender for Endpoint device proxy requirements.
  7. The following domains/URLs should be allowed/enabled in your firewall/proxy rules. This is essential to allow the network scanner to be authenticated and work properly:

  • login.windows.net
  • *.securitycenter.windows.com
  • login.microsoftonline.com
  • *.blob.core.windows.net/networkscannerstable/*

Note: The following user permission is required to configure assessment jobs: ‘Manage security settings in Security Center’.

 

Install the network scanner

  1. In the Microsoft 365 security center console, go to Settings > Endpoints > Assessment jobs page.
  2. Download the network scanner and install it on the designated Defender for Endpoint assessment device.
  3. Network scanner installation & registration:

  • Sign in using a Microsoft account that has the Defender for Endpoint permission called "Manage security settings in Security Center". The sign-in process can be completed on the assessment device itself or on any other device (e.g., your personal client device).
  • To complete the network scanner registration process, copy and follow the URL that appears on the command line, and use the provided installation code to complete the registration process. Note: You may need to change Command Prompt settings to be able to copy the URL.
  • Enter the code on the page that opens, then sign in with the Microsoft account that has the required threat and vulnerability management permissions.
  • When finished, you should see messages in your browser and in the Command Prompt stating that you have signed in to the Microsoft Defender for Endpoint network scan agent application successfully.

 

 

Configure a new network assessment job

  1. In the Microsoft 365 security center console, go to Settings > Endpoints > Assessment jobs page.
  2. Add a new network assessment job.
  3. Follow the set-up flow:

  • Choose an ‘Assessment job’ name and the ‘Assessment device’ on which the network scanner was installed. This device will perform the periodic authenticated scans.
  • Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
  • Add the required SNMP credentials of the target network devices.
  • Save the newly-configured network assessment job to start the periodic network scan.

 
Scan and add network devices 

In the set-up flow, you can perform a one-time test scan to verify that: 

 

  • There is connectivity between the Defender for Endpoint assessment device (network scanner) and the configured target network devices. 
  • The configured SNMP credentials are correct.  
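Both checks the test scan performs, reachability and credential validity, reduce to whether a device answers one read-only SNMP query, which is also why the "Solution approach" section above needs nothing more than SNMP read-only. The following is an added example and not code from Microsoft or the Defender for Endpoint network scanner: it builds an SNMPv2c GetRequest for sysDescr.0 (the MIB-II object that carries a device's OS and version banner) from raw BER so that it runs offline, parses the GetResponse, and provides a `probe()` helper for sending the query to a device you administer. That the Defender scanner queries exactly this object is an assumption, and the function names, the sample banner and the sample response are constructed for this example.

```python
"""SNMPv2c GET of sysDescr.0 built from raw BER.  Added example showing what an
agentless, read-only SNMP assessment asks a device for; not Microsoft's scanner
code, and whether that scanner queries this exact object is an assumption."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # MIB-II sysDescr.0: OS/version banner


def _tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _int(value):
    """ASN.1 INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """SNMPv2c Message { version 1, community, GetRequest-PDU [0] }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # { oid, NULL }; agent fills the value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Return (request_id, error_status, value) from a v2c GetResponse-PDU [2].
    value is None for noSuchObject/noSuchInstance/endOfMibView (tags 0x80-0x82)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _index, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, varbind, _ = _read_tlv(varbinds, 0)
    _, _oid_body, pos = _read_tlv(varbind, 0)
    vtag, val, _ = _read_tlv(varbind, pos)
    if vtag == 0x04:                    # OCTET STRING: the banner text
        value = val.decode(errors="replace")
    elif vtag in (0x80, 0x81, 0x82):    # v2c exception values
        value = None
    else:
        value = val                     # other ASN.1 types left raw
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value)


def probe(host, community, timeout=2.0, port=161):
    """Send one GET to a device you administer; return its sysDescr or None.
    With v1/v2c a wrong community string is dropped silently, so a timeout is
    indistinguishable from a blocked UDP/161 path: check the firewall rule
    first, then the credential."""
    req = build_get_request(community, request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    rid, err, value = parse_get_response(data)
    return value if rid == 0x1234 and err == 0 else None


def sample_response(banner=b"ExampleOS 1.0 (constructed banner)"):
    """Constructed GetResponse for offline use, not a capture from a real device.
    banner=None encodes noSuchObject: a device that answers but lacks sysDescr."""
    value = _tlv(0x04, banner) if banner is not None else b"\x80\x00"
    varbind = _tlv(0x30, _oid(SYS_DESCR_OID) + value)
    pdu = _tlv(0xA2, _int(0x1234) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    print(parse_get_response(sample_response()))
    # probe("192.0.2.10", "public")  # run against a device you manage; TEST-NET placeholder address
```

Two points a practitioner should take from this: the request never carries a write operation, so a read-only community or SNMPv3 user is all the scan needs (step 3 of "How to get started"), and with v1/v2c a wrong community string produces no error PDU at all, so `probe()` returning None on a timeout does not tell you which of the two test-scan conditions failed. SNMPv3 security levels (noAuthNoPriv, authNoPriv, authPriv) add a USM header that this minimal encoder deliberately does not implement.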


 

Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network assessment job periodic scan (regardless of the device’s response).  

 

TIP: The scan results can also be exported. 

 


 

Newly-discovered devices will be shown under the new Network devices tab in the Device inventory page (it may take up to ~2hrs after adding an assessment job until the devices are updated). 

 


Thank you for your interest in the network devices discovery and vulnerability management feature. We encourage you to join us in the public preview program. This program lets you test new features in their early phases and enables you to provide feedback that will influence the final product. For those not already enrolled in the program, we encourage you to do so by turning on the preview features.  Once enrolled, we look forward to seeing your feedback at: mdatptvm@microsoft.com. 

 

More information about this feature and our broader range of unmanaged devices capabilities can be found in the Microsoft Defender for Endpoint product documentation. 

16 Comments
Gold Contributor

Hello Everyone. Such a tool as a vulnerability scanner is the future in many layers of security, the application by Microsoft of such an important service as - Microsoft 365 allows for even greater monitoring of threats and raises the standard of protection procedures! Thank you Great Article!

Copper Contributor

I tried to install the scanner, but it failed on 2 machines during registration, with an internal server error:

 

Exception - WDATP.MicrosoftGraphApiFetcher.General.AadException: Object reference not set to an instance.

 

Any clues?

Gold Contributor

 

Hi ErikOppedijk! You wrote a comment on the blog; it is best to start the discussion here:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/ct-p/MicrosoftSecurityandCom...

There, members will definitely hint at a solution!

Good luck 

Silver Contributor

@Tomer_Reisner while reviewing this new functionality in my tenant, I noticed a Device Discovery page which is a bit different than this discovery tool but I can't find any info about it. Can you point me in the right direction?

The page has the following information

Discovery setup

Configure how devices are discovered in your network. Device discovery improves your visibility over all the devices in your network so you can take action to protect them. Discovered devices appear in the device list.

Copper Contributor

For the question of @Dean Gross , you can find the additional info on the Discovery here: Endpoint Discovery - Navigating your way through unmanaged devices - Microsoft Tech Community

Microsoft

Regarding the issue reported by @ErikOppedijk , I confirm that in some cases, during this installation of the ‘Network scanner’, an error occurs that blocks the completion of the setup. 

As a result, users will not be able to use the new functionality until a fix is issued. 

We are aware of this issue and working to correct it as soon as possible.

Iron Contributor

Hello @Tomer_Reisner, thank you for the share.

Iron Contributor

@Tomer_Reisner will it poll the firewall OS version and vulnerabilities only, or will it pull the VPN software version as well (e.g. Cisco AnyConnect and Palo Alto GlobalProtect)?

 

Dear early adopters, as an example, can you please confirm if "Network device discovery and vulnerability management" picked the recent PAN GP vulnerability? Details below:

 

CVE-2021-3057 GlobalProtect App: Buffer Overflow Vulnerability When Connecting to Portal or Gateway

https://security.paloaltonetworks.com/CVE-2021-3057

Copper Contributor

Great article and a feature that is essential for organisations with an array of technologies.

In the six months since this post, have there been any updates to the supported OS list? Is there any guidance or a roadmap to introduce additional supported OSes?

 

Copper Contributor

hi,

 

We would like to enable this network discovery, but before we do that we are analyzing whether it causes any issues on a certain network.

 

  • Will there be any performance issue on the device where the network scanner is installed? Must it be a standalone PC that is only doing this, or is it possible to use a server that is already used for other purposes?
  • Will there be any performance issue on the network when a scan is busy on a certain IP range?

Can you let me know ?

kind regards

Quinzy

 

Iron Contributor

This feature should be a super-light touch. The Microsoft Defender for Endpoint network scanner does very little - that is, it polls your firewall with SNMP now and again to get software versions.

Copper Contributor

Hi, 

 

  • Will there be an impact when, for example, the network scanner is broken/corrupt on the system where it was installed? Would it interfere with other production software?

This to know whether it is better to use a workstation/server where no other production software is running or not.

 

  • I guess also there is no extra cost; this is all in our E5 license?

 

@Sergg 

 

kind regards

quinzy

Copper Contributor

Hello, all -

 

Which SNMP version is supported by the assessment device?  SNMPv2, SNMPv3...?

 

Regards-

 

Paul

Copper Contributor

Does Defender for Servers (vs Defender for Endpoints for Servers) support Network Device Discovery?

Microsoft

What if the result of the scan is not appearing in the portal, and how do I locate it?

Copper Contributor

I have done several attempts to get the network scanner working, but they all fail. I am able to download and install the scanner, but after that I cannot use it. The scanner does not show in the dropdown list when setting up a scan. Sometimes I am able to start a scan, but then the results will never show, and I see "Failed to load data".

Version history: last updated Jun 09 2021 12:18 PM