Microsoft has just introduced a new security feature that should make life a lot easier for IT pros handling a remote workforce. The Redmond software giant has enabled Microsoft Defender for Endpoint (MDE) to “contain” unmanaged, compromised Windows devices on the network.
In other words, if a Windows device on the network is deemed unsafe or compromised, for whatever reason, the other devices on the network will avoid it like the plague: no communication comes in to, or goes out of, the device.
That way, if a threat actor has managed to weasel their way into a network, they are stopped in their tracks before they can do any serious damage. Mapping out the target network, identifying key endpoints, and exfiltrating sensitive data from all the devices are key steps in, for example, ransomware attacks.
Targeting unmanaged endpoints
IT security pros, on the other hand, will have an isolated, compromised device to play around with.
"This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device," Microsoft said.
There’s a caveat, though: this only works on onboarded Windows 10 (and later) devices or Windows Server 2019 (and later).
"Only devices running on Windows 10 and above will perform the Contain action meaning that only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint will block 'contained' devices at this time," Microsoft says.
In other words, a compromised unmanaged device can still affect other unmanaged devices.
The new feature can be found on the “Device inventory” page in the Microsoft 365 Defender portal. There, the admin can choose which devices to contain, by selecting the “Contain device” option from the actions menu.
The change may take up to five minutes to take effect.
Should a contained device change its IP address, other managed devices will be able to recognize the change and block all communications coming from the new IP address, as well.
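To make the enforcement model concrete, here is a small simulation written for this article (it is not Microsoft's code, and the host names and addresses are constructed). It models the three behaviours described above: only enrolled Windows 10+/Server 2019+ hosts apply the block, the block follows the contained device across an IP change, and traffic between two unmanaged devices is not affected.

```python
"""Toy model of Defender for Endpoint's "Contain device" semantics.

Added illustration only, not Microsoft's implementation. It models which
hosts enforce the block, how enforcement follows a contained device when
its IP address changes, and the gap that remains between unmanaged devices.
"""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    ip: str
    managed: bool = False   # onboarded to Microsoft Defender for Endpoint
    enforces: bool = False  # Windows 10+ / Server 2019+ with MDE: applies the block


@dataclass
class Network:
    devices: dict = field(default_factory=dict)
    contained: set = field(default_factory=set)  # contained device *names*, not IPs

    def add(self, dev: Device) -> None:
        self.devices[dev.name] = dev

    def contain(self, name: str) -> None:
        """Admin picks 'Contain device' in the Device inventory (modeled)."""
        self.contained.add(name)

    def release(self, name: str) -> None:
        """Undo containment once the analyst has remediated the device."""
        self.contained.discard(name)

    def change_ip(self, name: str, new_ip: str) -> None:
        """A contained device moves to a new address; the block tracks the device."""
        self.devices[name].ip = new_ip

    def _contained_ips(self) -> set:
        # Enforcing hosts resolve the contained identity to its *current* address.
        return {self.devices[n].ip for n in self.contained}

    def allowed(self, src: str, dst: str) -> bool:
        """Can a packet from src reach dst? Each enforcing host drops traffic
        to or from a contained address; unmanaged hosts enforce nothing."""
        s, d = self.devices[src], self.devices[dst]
        blocked = self._contained_ips()
        if s.enforces and d.ip in blocked:   # sender refuses to talk to it
            return False
        if d.enforces and s.ip in blocked:   # receiver drops inbound from it
            return False
        return True


def build_sample_network() -> Network:
    """Constructed sample hosts (hypothetical, not from any real environment)."""
    net = Network()
    net.add(Device("ws-alice", "10.0.0.11", managed=True, enforces=True))   # Win10 + MDE
    net.add(Device("srv-files", "10.0.0.20", managed=True, enforces=True))  # Server 2019 + MDE
    net.add(Device("printer", "10.0.0.30"))        # unmanaged, never enforces
    net.add(Device("rogue-laptop", "10.0.0.99"))   # unmanaged, later contained
    return net


def reachable_from(net: Network, src: str) -> list:
    """Names of devices src can still reach; handy for a before/after report."""
    return sorted(n for n in net.devices if n != src and net.allowed(src, n))


if __name__ == "__main__":
    net = build_sample_network()
    print("before:", reachable_from(net, "rogue-laptop"))
    net.contain("rogue-laptop")
    print("contained:", reachable_from(net, "rogue-laptop"))
    net.change_ip("rogue-laptop", "10.0.0.150")
    print("after IP change:", reachable_from(net, "rogue-laptop"))
```

Running it shows the contained laptop losing access to the managed workstation and server, keeping access to the unmanaged printer (the gap Microsoft calls out), and staying blocked after it changes address because enforcing hosts key the block on the device, not on the old IP.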
Via: BleepingComputer