Microsoft Defender Advanced Threat Protection (ATP) now gives admins a security score for their devices and network that reflects the health of the environment based on how it is configured.
A high score means the collective security configuration is in a good state across applications, operating systems, network, accounts, and security controls.
Microsoft calls the configuration score the ‘Microsoft Secure Score for Devices’, which is visible in the Threat and Vulnerability Management service dashboard component of Microsoft Defender Security Center.
The tool will be useful for security operations centers that want to scour a network for weaknesses that can be mitigated through configuration changes alone, for example highly privileged Administrator rights granted to accounts that do not need that level of access.
Microsoft promises the data in the score card is the product of “meticulous and ongoing vulnerability discovery”, which involves, for example, comparing collected configurations with collected benchmarks, and collecting best-practice benchmarks from vendors, security feeds, and internal research teams.
Defender ATP users will see a list of recommendations based on what the scan finds. Each entry states the issue, such as a built-in Administrator account that has not been disabled, the version of Windows 10 or Windows Server on which it was found, and a description of the potential risks.
For this particular risk, Microsoft explains that the built-in Administrator account is a favorite target for password-guessing, brute-force attacks and other techniques, generally used after an initial breach has already occurred. Defender ATP also shows the number of exposed accounts on the network and an impact score for the recommendation.
Users can export a checklist of the remediations to be undertaken in CSV format, both to share it with team members and to track that each measure is carried out at the appropriate time. An organization's score should improve once the remediations are completed.
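The two findings described above can be reproduced locally outside the Defender Security Center. The following PowerShell script is an added example written for this article, not Microsoft's scanning logic or any code from the product: it checks whether the built-in Administrator account is enabled (identified by its well-known RID 500 rather than its name, since the account may have been renamed), lists every member of the local Administrators group that is not on an allow-list, and writes the results to a CSV in the same spirit as the portal's remediation export. It assumes Windows 10 or Windows Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session, and a placeholder allow-list that you would replace with your own.

```powershell
# Added example (not Microsoft's code): local audit of two Secure Score for Devices findings,
# exported to CSV. Assumes Windows 10 / Server 2016+, LocalAccounts module, elevated session.

$computer = $env:COMPUTERNAME
$findings = New-Object System.Collections.Generic.List[object]

# 1. Built-in Administrator: always RID 500 in the machine's local SID range, so match on the
#    SID suffix instead of the name. On a domain controller there are no local users, so guard for null.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($null -ne $builtinAdmin) {
    $adminStatus = if ($builtinAdmin.Enabled) { 'Fail' } else { 'Pass' }
    $adminFix    = if ($builtinAdmin.Enabled) { "Disable-LocalUser -Name '$($builtinAdmin.Name)'" } else { 'None' }
    $findings.Add([pscustomobject]@{
        Computer       = $computer
        Check          = 'Built-in Administrator account disabled'
        Subject        = $builtinAdmin.Name
        Status         = $adminStatus
        Recommendation = $adminFix
    })
}

# 2. Local Administrators group (well-known SID S-1-5-32-544): flag every member that is not on
#    the allow-list. The allow-list below is a placeholder assumption; maintain your own.
$allowedAdmins = @()
if ($null -ne $builtinAdmin) { $allowedAdmins += "$computer\$($builtinAdmin.Name)" }

foreach ($member in (Get-LocalGroupMember -SID 'S-1-5-32-544')) {
    $isAllowed    = $allowedAdmins -contains $member.Name
    $memberStatus = if ($isAllowed) { 'Pass' } else { 'Fail' }
    $memberFix    = if ($isAllowed) { 'None' } else { "Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member '$($member.Name)'" }
    $findings.Add([pscustomobject]@{
        Computer       = $computer
        Check          = 'Unexpected member of local Administrators'
        Subject        = "$($member.Name) ($($member.PrincipalSource))"   # PrincipalSource: Local, ActiveDirectory, AzureAD...
        Status         = $memberStatus
        Recommendation = $memberFix
    })
}

# 3. Export the checklist so it can be handed to whoever owns the remediation, then show it on screen.
$outPath = Join-Path $env:TEMP "secure-config-findings-$computer.csv"
$findings | Export-Csv -Path $outPath -NoTypeInformation -Encoding UTF8
$findings | Format-Table -AutoSize
Write-Host "Findings written to $outPath"
```

The Recommendation column deliberately contains the exact cmdlet that would clear the finding rather than a prose instruction, so a reviewer can confirm the change before anyone runs it; do not pipe that column straight back into PowerShell without review, because removing a group member you actually depend on is its own outage.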
Microsoft warns that there could be some false positives, because its support for the Intune mobile device management platform is currently only partial.
“Microsoft Secure Score for Devices currently supports configurations set via Group Policy,” it notes.
“Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.”
It also points to four mandatory security updates released over the past few years that address issues in Windows Defender ATP which would otherwise impede the analyses carried out by Microsoft Secure Score for Devices.