Microsoft has just introduced a new security feature that’s bound to make life a lot easier for IT pros handling a remote workforce. The Redmond software giant has now enabled Microsoft Defender for Endpoint (MDE) to “contain” unmanaged, compromised Windows devices on the network.
In other words, if a Windows device on the network is deemed unsafe or compromised, for whatever reason, the other managed devices on the network will avoid it like the plague: no communication comes in to, or goes out of, the contained device.
That way, should a threat actor manage to weasel their way into a network, they’ll be stopped in their tracks before they can do any serious damage. Mapping out the target network, identifying key endpoints, and exfiltrating sensitive data from all the devices is key, for example, in ransomware attacks.
Targeting unmanaged endpoints
IT security pros, on the other hand, will have an isolated, compromised device to investigate at their leisure.
"This action can help prevent neighboring devices from becoming compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device," Microsoft said.
There’s a caveat, though. The blocking is only enforced by devices onboarded to MDE that run Windows 10 (and later) or Windows Server 2019 (and later).
"Only devices running on Windows 10 and above will perform the Contain action meaning that only devices running Windows 10 and above that are enrolled in Microsoft Defender for Endpoint will block 'contained' devices at this time," Microsoft says.
In other words, a compromised unmanaged device can still reach, and affect, other unmanaged devices, since those never receive the block.
The new feature can be found on the “Device inventory” page in the Microsoft 365 Defender portal. There, the admin can choose which devices to contain by selecting the “Contain device” option from the actions menu.
Microsoft says it may take up to five minutes for the changes to take effect.
Should a contained device change its IP address, other managed devices will recognize the change and block all communications coming from the new IP address as well.