Things to check and improve in Security portal

Hi team, 

I've been using the Security portal / Defender 365 / Secure Score and recommendations for some time now - in an attempt to get our overall security score to 95%. 

Here are a few things that should be checked and improved, in my view: 

- Exclusions set in "365 Defender" do not make it to the Secure Score section. Take for example "Set minimum PIN length for startup to 6 characters or more". We comply for 1 device group but have an exclusion for another device group (WVD). Secure Score should either mark the entry as completed or allow me to set a further exception there. At the moment it stays in "To address" mode and I can't get rid of it.

- Some data is not available - it's been a week now that I cannot access the LAPS report status to see what devices are not in line. I just get an error saying there was a problem fetching the data or something similar.

- Some entries are out of my control and I'm being taxed for them -> Resolve unsecure domain configurations. We own 2 domains (root and child). Both reported issues, which were resolved, and the domains disappeared from the report. No points gained. Now I still have 2 domains listed there, because we have domain trusts with our sister company and service providers. I cannot control or enforce rules on their side as these are domains managed outside our company. There should be an option to remove from the report domains not owned by us, so that the points are awarded. I don't want to put in an exception as I don't get the points.

- Modify unsecure Kerberos delegation to prevent impersonation. Our 2 DCs in the root domain are listed here. The entry in Secure Score gives little to no explanation as to what to change or implement. The only thing I found is to change the Kerberos delegation on the AD object of the reported server. Guess what - it's already set to the correct delegation. So... more details please? How can this be achieved?

- A bunch of attack surface reduction rules appear as not applied. Every now and then a bunch of ASR rules appear as not applied on a random computer. It usually goes away after a few hours - but what causes this? I see 10-15+ ASR rules not applied for 1 or 2 devices... hours later, all back to normal. And no one is changing these ASRs on those devices!!

- Computers offline for more than a week. The user is on holiday... so? Why is the score taxed? I think there should be a mechanism to put a device on holiday and not have a bunch of entries light up (turn on sensor, fix sensor data collection, fix agent impaired communication). Make it 15 days offline, not a week or whatever it is now. Some parts of the world force employees to take 2 weeks (or more) of block leave.

- CVE patches 1 - at least tell us what files are problematic so I can identify the software. I have an alert now to update OpenSSL on an affected device. There is no OpenSSL on that device. It's driving me insane. If you find a device with software to patch and report CVEs against it - tell me the path of the files you found buggy! I can work out the software from there. The list of affected software you provide does not help me; see the case above with OpenSSL. It's probably some DLL used by some tool or agent or something on that device which is triggering the alert. It would be so much easier if I knew which files the scanner had picked up and flagged for CVE issues.

- CVE patches 2 - you generate alerts to update Windows OS, .NET, Office, Chrome, Edge... but with over 100 iOS devices enrolled in Intune you are telling me you cannot report on CVEs and patching suggestions for iOS? Like those nice automated emails you send whenever Chrome has to be updated... hmmm...

- Default device group. It seems to be catching devices - as it says 80 - but nothing is shown in the preview. Great - so how can I see what devices fall under the default group so I can get them out of there (and try to figure out why they are there in the first place)?

- My device group has very clear filter rules. Yet every time I Autopilot a new device, an object is added to the device list with the name "laptop-random". I have to exclude these. Why is this happening, as my filters do not include this naming scheme?

Probably a lot of ranting - apologies for not proofreading before submitting.

Thanks

Daniel. 