New Removable Storage Management Capabilities in MS Defender

Microsoft announced new features for Removal storage management in MS Defender for endpoint and this helps to improve and secure more removal storage scenarios in Windows and below are the use cases that Windows Defender supports.

  • Gain writing access to specific removable storage devices
  • Use specific removable storage devices on specific machines
  • Gain read/write/execute access to specific files on removable storage devices
  • Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN

And the below new features included in defender for endpoint.

  • Support for file parameters
  • Support for Azure AD machines or user group(s)
  • Capturing a file as evidence on a network share
  • Improvements to the removable storage access control investigation experience
  • Network location as a condition

Support for file parameters

               Defender for Endpoint now able to read, write, and execute access to specific files on removable storage. INK, BAT, BIN, CHM, CMD, COM, CPL, EXE file extensions can be blocked by Defender and let me explain the configurations involved in blocking file extensions. You would need to create two groups. 1. Create group for any removable storage devices 2. Create group for unallowed file extensions.Create a policy to deny read and execute access to any file under allowed file extension group for removable storage group.

  1. Create group for removable & portable storage devices.

        Goto Microsoft Endpoint Manager Admin center and Devices -> Create Profile -> Choose platform: Windows 10 and later, Profile Type: Templates -> Custom. Under Configuration Settings, Add Row pane and provide below details.

  • Name -> Any Removable Storage Group.
  • OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
  • Date Type -> String (XML file)
  • Custom XML file -> Enter the below XML file

<Group Id=”{9b28fae8-72f7-4267-a1a5-685f747a7146}”>
   <!. ../Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData –>                <MatchType>MatchAny</MatchType>
                <DescriptorIdList>
                    <PrimaryId>RemovableMediaDevices</PrimaryId>
                    <PrimaryId>CdRomDevices</PrimaryId>
                    <PrimaryId>WpdDevices</PrimaryId>
                </DescriptorIdList>
            </Group>

  • Click Save and proceed with deploying configuration.
  1. Create group for Unallowed file extensions.

         Under Configuration settings, Add Row pane to configure settings and provide the below formation.

  • Name -> Unallowed file extensions
  • OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
  • Date Type -> String (XML file)
  • Custom XML file -> Enter the below XML file

<Group Id=”{e5f619a7-5c58-4927-90cd-75da2348a30f}” Type=”File” MatchType=”MatchAny”>
   <!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7be5f619a7-5c58-4927-90cd-75da2348a30f%7d/GroupData –>
    <DescriptorIdList>
                    <PathId>*.exe</PathId>
                    <PathId>*.dll</PathId>
     </DescriptorIdList>
</Group>

  • Click Save and deploy the configuration.
  1. Deploy policy to deny Read and execute access.
                You can use the below XML file to create policy and apply to removable storage group. It will block read and write access to the group. 40 in the policy means only need to restrict file system level access. In Add Row pane, specify name and OMA-URI (./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData) and Data type is String XML file and select Custom XML file and Click Save and apply policy configuration.

    <PolicyRule Id=”{5038638c-9352-47bb-88df-8a659f0c02a7}”>
<!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b5038638c-9352-47bb-88df-8a659f0c02a7%7d/RuleData –>
    <Name>Block Read and Write access to specific file</Name>
    <IncludedIdList>
        <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
    </IncludedIdList>
    <ExcludedIdList>
    </ExcludedIdList>
   <Entry Id=”{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}”>
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>40</AccessMask>
                 <Parameters MatchType=”MatchAll”>
                                             <File MatchType=”MatchAny”>
                <GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
            </File>
                 </Parameters>
   </Entry>
   <Entry Id=”{2925ecd8-40dc-42bb-a972-da0de839dd4f}”>
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>63</AccessMask>
   </Entry>
</PolicyRule>

Support for Azure AD machines or user groups

                     Microsoft support for AD Object and Azure AD Object Id in Microsoft Defender for Endpoint. It allows the user to use specific removable storage devices to specific machine and the user cannot use any other storage device on the machine. Using Sid and ComputerSid in the policy, the user can control specific removable storage for specific users or machines. You can find the object ID for users & machines in Azure portal. SID is local user SID or user SID group or SID of the AD object or the object ID of the Azure AD object. ComputerSID is Local computer SID or computer SID group or the SID of the AD object or the Object Id of the AAD object. You can apply policy to specific user and specific computer, need to add both SID and computer SID in the same entry.

Capture the file as evidence on a network share

               When you copy the file into authorized Removable storage device, the policy will copy the file into network share as evidence. “option” attribute allows you to capture copy of the file as evidence in the network share.

Improvements to the removable storage access control investigation experience

              Investigation experience has been improved with new release by providing device control in the device timeline page. Removable storage access control event has been added in the machine timeline and go to Microsoft 365 security portal -> Devices -> Device page -> Timeline.

File name and patch information will be captured when file level policy is applied, and it will show in the Device control report (Reports -> Device Control and the report data latency reduced from 12 hours to 6 hours. In the Device control report, you can view the audit events & policy events. Audit events will show the number of audit events occurs when external device is connected. Policy events will show the number of policy when a device control policy is triggered. To see real-time activity for this media across the organization, select the Open Advanced hunting button. This includes an embedded, pre-defined query.

Network location as a condition

             You can create device control policies for the machines which are not connected to the corporate network using machines network location. “Network” and “VPNConnection” group types created recently. You can use the block people from accessing Removable storage when the machines is not connected to the corporate network.  Microsoft mentioned these features are currently available in public preview for Microsoft defender for endpoints. There are few troubleshooting steps you can follow for policy issues. To confirm if the policy is applied on the machine, Open powershell as an administrator and run “Get-MpComputerStatus” and verify if latest date is showing in the DeviceControlPoliciesLastupdated. There are couple of reason the policy does not work. If you are not using correct markdown formatting for the “&” character and adding the byte mark (BOM) 0xEF 0xBB 0xBF at the beginning which causing XML parsing issues.

For more Info on Windows Defender and its capabilities, kindly read the article:
Configure Firewall rules to allow reusable settings with Windows Defender

Share:

Facebook
Twitter
LinkedIn
Picture of Karthick Jokirathinam

Karthick Jokirathinam

Contact Us

=
On Key

More Posts

E-Commerce Security - Solutions for Online Retailers
Azure

E-commerce Security – Solutions for Online Retailers

Today’s hyper-charged e-commerce landscape demands top-notch cybersecurity measures. Cybersecurity for this bustling sector isn’t just about ticking a technical box; it’s the cornerstone of building trust. As businesses and consumers flock to the online space, the

Read More »
WME Cybersecurity Briefings No. 017
Cyber Security

WME Security Briefing 08 July 2024

SnailLoad: A New Stealthy Threat to Web Privacy Overview: Researchers discover a concerning new side-channel attack technique: SnailLoad. It exploits inherent weaknesses in the internet to potentially monitor a user’s web activity without requiring any direct access to

Read More »
WME Cybersecurity Briefings No. 016
Cyber Security

WME Security Briefing 27 June 2024

ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor Overview An unknown Golang-based backdoor GoRed is being employed by the cybercrime gang ExCobalt. This group has roots dating back to at least 2016 and possibly originates

Read More »
Top 7 Office 365 Backup Solutions
Cloud Computing

Top 7 Office 365 Backup Solutions

Let’s explore the top 7 Microsoft 365 (Office 365) backup and recovery solutions. These solutions feature, among others, automated backups, detailed reporting, and efficient deduplication. We will guide you through their pros and cons and what

Read More »
WME Cybersecurity Briefings No. 015
Cyber Security

WME Security Briefing 24 June 2024

Google’s Privacy Sandbox Faces Scrutiny Over User Tracking Allegations Overview Google’s Privacy Sandbox was initially designed to replace third-party cookies in Chrome. It was a more privacy-conscious solution, but the Austrian privacy group Noyb is now

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=