# MDDR Guidance
Links and guidance related to the return on mitigation report in the Microsoft Digital Defense Report - [Microsoft Digital Defense Report](https://aka.ms/mddr)

![image](https://github.com/reprise99/mddrguidance/assets/88635951/1d550a11-fcba-4793-b232-3e70b225f28c)

These statistics show the percentage of customers that have each highlighted issue, and then prioritize the controls and remediation actions to give customers direction on where investment is best placed.

Below are various links and resources for each issue, with guidance to address them.

## Higher

### Poor user lifecycle management

#### [Microsoft Entra ID Lifecycle Management](https://learn.microsoft.com/en-us/azure/active-directory/governance/what-is-identity-lifecycle-management)
If you use Entra ID, there is a lifecycle management capability that helps you manage user onboarding, offboarding and entitlement management (ensuring users only have access to what they require).

### Lack of EDR coverage

#### [Onboard to Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding?view=o365-worldwide)
Microsoft Learn documentation showing the various ways to onboard devices.

#### [Integration with Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide)
Guidance on how MDE can integrate with Microsoft Defender for Cloud, ensuring cloud workloads have the MDE sensor and are fully integrated; includes onboarding guidance.

#### [MDE Blog Series](https://jeffreyappel.nl/tag/mde-series/)
A blog series from Microsoft MVP Jeffrey Appel that includes effectively onboarding devices.

### Lack of detection controls

#### [Microsoft Defender for Endpoint SecOps Guide](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-sec-ops-guide?view=o365-worldwide)
A guide on how to operationalize MDE with your SecOps team. Even if you use a non-Microsoft EDR, there are good lessons here that you can apply to whatever tooling you have.

### Resource exposed to public access

#### [Internet-facing devices](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/internet-facing-devices?view=o365-worldwide)
MDE tags devices that are publicly exposed to the internet with a specific tag that is available in the UI and in Advanced Hunting to query on. Devices that are publicly accessible are more vulnerable to exploitation and should be prioritized for hardening and patching.

### Insufficient protections for local accounts

#### [LAPS](https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview)
Windows LAPS is a Windows feature that manages the local administrator account on Windows devices, reducing the risk of credential attacks like pass-the-hash by ensuring each device has a local admin password that is unique and regularly changed.

### Missing security barrier between cloud and on-premises

#### [Protect M365](https://aka.ms/protectm365)
The Protect M365 guidance seeks to protect Active Directory and Microsoft Entra ID (previously Azure Active Directory) from each other in the case of compromise. If Active Directory is compromised we want to reduce the blast radius to Microsoft Entra ID, and vice versa.

### Insecure Active Directory configuration

#### [Microsoft Defender for Identity - Security Posture](https://learn.microsoft.com/en-us/defender-for-identity/security-assessment)
If you use Microsoft Defender for Identity, you can use the security posture assessments to find quick wins for securing accounts and configuration.

#### [Top 10 Ways to Improve Active Directory Security Quickly](https://www.youtube.com/watch?v=Og5xfph7Gt0)
A video from Trimarc Security on how to get quick security wins in Active Directory.

#### [Total Identity Compromise](https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/total-identity-compromise-microsoft-incident-response-lessons-on/ba-p/3753391)
A blog from the Microsoft Detection and Response Team on issues seen in Active Directory in real-life compromises.

#### [Certified Pre-owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2)
A blog from SpecterOps covering common misconfigurations in ADCS that allow domain domination.

#### [Locksmith](https://github.com/TrimarcJake/Locksmith)
Locksmith is a lightweight tool developed by Trimarc Security that queries ADCS and can detect and remediate misconfigurations.

### Insufficient device security controls

#### [Windows Device Security Controls](https://www.ncsc.gov.uk/collection/device-security-guidance/platform-guides/windows)
Guidance from the NCSC about hardening Windows devices.

#### [MDE Device List](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide)
The inventory portal can show you the status of your devices, including whether they are enrolled in MDE, the health of the sensor and any residual device risk.

### Legacy cloud authentication is still used

#### [Block legacy authentication in Microsoft Entra Conditional Access](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication)
Guidance to block legacy authentication in Microsoft Entra Conditional Access. Although Microsoft has disabled this for Exchange Online, it is recommended you also block it using Conditional Access, as non-Exchange Online services or custom apps may still be using legacy auth.

### No advanced password protection enabled

#### [Eliminate weak passwords in the cloud](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad)
#### [Eliminate weak passwords on-premises](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises)
Both links show how to deploy Microsoft Entra ID Password Protection, a service that lets you block poor passwords both in the cloud and on-premises. Password Protection works by blocking the most common bad passwords (such as Password123) and your own custom blocklist (YourCompanyName123).

### Missing content based MFA protection mechanisms

#### [Authentication methods in Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods)

Guidance on planning your strategy for moving away from weaker MFA methods (SMS/phone) to modern and phishing-resistant methods (FIDO2/Windows Hello for Business).

This graphic is a great visual explainer:

![Authentication Methods](https://learn.microsoft.com/en-us/azure/active-directory/authentication/media/concept-authentication-methods/authentication-methods.png)

### Insecure operating system configuration

#### [Intune Device Compliance](https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started)
Intune device compliance rules allow you to configure the policies and settings your devices must adhere to in order to be granted access via Conditional Access.

#### [CIS Benchmarks](https://learn.microsoft.com/en-us/compliance/regulatory/offering-cis-benchmark)
Microsoft provides guidance around aligning to CIS and other benchmarks.

## Medium

### Legacy and unsecure protocols

#### [Detect, enable and disable SMBv1](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server)
Guidance for disabling SMB v1 and other SMB policies.

#### [Killing NTLM is Hard](https://syfuhs.net/killing-ntlm-is-hard)
Great blog from Steve Syfuhs from Microsoft about NTLM and the struggles to remove it.

### Missing or inconsistent update management

#### [Software updates in Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure)
Managing software updates and updates to Windows via Intune.

#### [Windows Server Update Services (WSUS)](https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus)
Using WSUS to update Windows.

#### [Azure Update Manager](https://learn.microsoft.com/en-us/azure/update-center/overview?tabs=azure-vms)
Azure Update Manager is a unified service to help govern updates across all your machines, including Windows and Linux, across Azure, on-premises and other clouds.

### Missing cloud application management and monitoring

#### [Microsoft Defender for Cloud Apps - Connecting Apps](https://learn.microsoft.com/en-us/defender-cloud-apps/enable-instant-visibility-protection-and-governance-actions-for-your-apps)
If you are licensed for Microsoft Defender for Cloud Apps, you can connect third-party apps like ServiceNow, Atlassian and AWS for visibility into those apps. They are easy to connect and build use cases for.

#### [Investigation and response in Microsoft Defender for Cloud Apps](https://learn.microsoft.com/en-us/defender-cloud-apps/investigate)
How to use the investigation tools and interface to investigate alerts and other suspicious activity.

#### [Microsoft Entra ID SecOps Guide](https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-introduction)
A SecOps guide to Microsoft Entra ID, including how to respond to compromise, what events to look for as a detection team and how to protect users and devices.

### No privileged identity management solution

#### [Microsoft Entra Privileged Identity Management Guidance](https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure)
You can use Microsoft Entra PIM to manage privileged access to your environment by requiring additional approvals or security checks to elevate to privileged roles. This access can also be time-bound.

#### [Discovery and Insights for Microsoft Entra roles](https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-security-wizard)
If you are just starting your PIM journey, you can discover your current posture to show the spread of privileged access and use that as a foundation to reduce privilege across your environment.

### No MFA, or MFA not mandatory for privileged accounts

#### [Microsoft Entra ID - Security Defaults](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/security-defaults#require-administrators-to-do-multifactor-authentication)
There is an out-of-the-box security default that will enforce MFA for privileged accounts. Turn this on!

#### [Microsoft Entra ID Conditional Access Templates](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation)
If you want to go beyond Security Defaults, there are lots of great Conditional Access templates available here.

#### [Go Passwordless](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
Your most privileged accounts should be using phishing-resistant MFA. Enable it here!

#### [Conditional Access Authentication Strengths](https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-strengths)
Don't just enable passwordless for your most privileged accounts; enforce the use of it with authentication strengths.

### Weak email protection against common threats

#### [Microsoft Defender for Office 365 SecOps Guide](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-sec-ops-guide?view=o365-worldwide)
SecOps guide for Microsoft Defender for Office 365 and how to respond to mail-based attacks. As with all these guides, even if you use non-Microsoft mail security, there is valuable guidance here.

#### [Configure your Microsoft 365 tenant for increased security](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security?view=o365-worldwide)
Guidance on bringing Office 365/Microsoft 365 in line with best practice.

#### [Enhanced Filtering for Exchange Online](https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors)
If you use third-party mail filtering, you can get Exchange Online to do a secondary check by enabling Enhanced Filtering. Ain't nothing wrong with a second opinion when it comes to phishing.

### Legacy or unsupported operating systems

Sometimes there is no exciting guidance: you just need to update your old stuff!

## Lower

### No privilege separation

#### [Securing privileged access](https://learn.microsoft.com/en-us/azure/active-directory/roles/security-planning)
Guidance to secure privileged accounts, including separation of on-premises admin accounts from cloud admin accounts, removal of mailboxes from admin accounts, and separating admin accounts from regular day-to-day accounts.

#### [Well Architected Framework - Admin Design](https://learn.microsoft.com/en-us/azure/well-architected/security/design-admins)
The section of the Microsoft Azure Well-Architected Framework that covers administrative account security.

### No hardened workstations used for administration

#### [Privileged access devices](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices)
Understanding why privileged access devices are important and where they fit on your privileged management journey.

#### [Enterprise access model](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model)
The Microsoft Enterprise Access Model guidance; this model seeks to reduce the spread of privileged credentials and paths to privileged accounts by securing tier 0 assets and users.

### Missing data classification and sharing restrictions

#### [Microsoft 365 Guest Settings](https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-guest-settings?view=o365-worldwide)
Lists all the various locations to configure guest settings, including Entra, SharePoint, OneDrive and Teams.

#### [Protecting data with Microsoft Purview](https://learn.microsoft.com/en-us/purview/information-protection)
Microsoft Learn documentation on protecting data with Microsoft Purview, including information labels, insider risk and data compliance.

### No vulnerability management

#### [Microsoft Defender VM](https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management?view=o365-worldwide)
Microsoft Defender now has vulnerability management capability, which you can see within the M365 Defender Portal.

#### [Defender VM in Azure](https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management)
You can integrate vulnerability management into Microsoft Defender for Cloud; this includes both virtual machines and vulnerability analysis for containers and other cloud-native products.

### No adherence to the Least Privilege Principle

#### [Least privileged roles by task in Microsoft Entra ID](https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task)
A list of tasks that can be completed in Microsoft Entra ID and the role that allows a user to complete that action while adhering to least privilege.

#### [Least privilege in on-premises Active Directory](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models)
Implementing least privilege administrative models in on-premises Active Directory.