Microsoft announced new features for Removal storage management in MS Defender for endpoint and this helps to improve and secure more removal storage scenarios in Windows and below are the use cases that Windows Defender supports.
- Gain writing access to specific removable storage devices
- Use specific removable storage devices on specific machines
- Gain read/write/execute access to specific files on removable storage devices
- Gain write/execute access to specific removable storage devices when their machine is connected to the corporate network or through a VPN
And the below new features included in defender for endpoint.
- Support for file parameters
- Support for Azure AD machines or user group(s)
- Capturing a file as evidence on a network share
- Improvements to the removable storage access control investigation experience
- Network location as a condition
Support for file parameters
Defender for Endpoint now able to read, write, and execute access to specific files on removable storage. INK, BAT, BIN, CHM, CMD, COM, CPL, EXE file extensions can be blocked by Defender and let me explain the configurations involved in blocking file extensions. You would need to create two groups. 1. Create group for any removable storage devices 2. Create group for unallowed file extensions.Create a policy to deny read and execute access to any file under allowed file extension group for removable storage group.
- Create group for removable & portable storage devices.
Goto Microsoft Endpoint Manager Admin center and Devices -> Create Profile -> Choose platform: Windows 10 and later, Profile Type: Templates -> Custom. Under Configuration Settings, Add Row pane and provide below details.
- Name -> Any Removable Storage Group.
- OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
- Date Type -> String (XML file)
- Custom XML file -> Enter the below XML file
<Group Id=”{9b28fae8-72f7-4267-a1a5-685f747a7146}”>
<!. ../Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData –> <MatchType>MatchAny</MatchType>
<DescriptorIdList>
<PrimaryId>RemovableMediaDevices</PrimaryId>
<PrimaryId>CdRomDevices</PrimaryId>
<PrimaryId>WpdDevices</PrimaryId>
</DescriptorIdList>
</Group>
- Click Save and proceed with deploying configuration.
- Create group for Unallowed file extensions.
Under Configuration settings, Add Row pane to configure settings and provide the below formation.
- Name -> Unallowed file extensions
- OMA-URI -./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData
- Date Type -> String (XML file)
- Custom XML file -> Enter the below XML file
<Group Id=”{e5f619a7-5c58-4927-90cd-75da2348a30f}” Type=”File” MatchType=”MatchAny”>
<!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7be5f619a7-5c58-4927-90cd-75da2348a30f%7d/GroupData –>
<DescriptorIdList>
<PathId>*.exe</PathId>
<PathId>*.dll</PathId>
</DescriptorIdList>
</Group>
- Click Save and deploy the configuration.
- Deploy policy to deny Read and execute access.
You can use the below XML file to create policy and apply to removable storage group. It will block read and write access to the group. 40 in the policy means only need to restrict file system level access. In Add Row pane, specify name and OMA-URI (./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData) and Data type is String XML file and select Custom XML file and Click Save and apply policy configuration.
<PolicyRule Id=”{5038638c-9352-47bb-88df-8a659f0c02a7}”>
<!– ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b5038638c-9352-47bb-88df-8a659f0c02a7%7d/RuleData –>
<Name>Block Read and Write access to specific file</Name>
<IncludedIdList>
<GroupId>{9b28fae8-72f7-4267-a1a5-685f747a7146}</GroupId>
</IncludedIdList>
<ExcludedIdList>
</ExcludedIdList>
<Entry Id=”{1ecfdafb-9b7f-4b66-b3c5-f1d872b0961d}”>
<Type>Deny</Type>
<Options>0</Options>
<AccessMask>40</AccessMask>
<Parameters MatchType=”MatchAll”>
<File MatchType=”MatchAny”>
<GroupId>{e5f619a7-5c58-4927-90cd-75da2348a30f}</GroupId>
</File>
</Parameters>
</Entry>
<Entry Id=”{2925ecd8-40dc-42bb-a972-da0de839dd4f}”>
<Type>AuditDenied</Type>
<Options>3</Options>
<AccessMask>63</AccessMask>
</Entry>
</PolicyRule>
Support for Azure AD machines or user groups
Microsoft support for AD Object and Azure AD Object Id in Microsoft Defender for Endpoint. It allows the user to use specific removable storage devices to specific machine and the user cannot use any other storage device on the machine. Using Sid and ComputerSid in the policy, the user can control specific removable storage for specific users or machines. You can find the object ID for users & machines in Azure portal. SID is local user SID or user SID group or SID of the AD object or the object ID of the Azure AD object. ComputerSID is Local computer SID or computer SID group or the SID of the AD object or the Object Id of the AAD object. You can apply policy to specific user and specific computer, need to add both SID and computer SID in the same entry.
Capture the file as evidence on a network share
When you copy the file into authorized Removable storage device, the policy will copy the file into network share as evidence. “option” attribute allows you to capture copy of the file as evidence in the network share.
Improvements to the removable storage access control investigation experience
Investigation experience has been improved with new release by providing device control in the device timeline page. Removable storage access control event has been added in the machine timeline and go to Microsoft 365 security portal -> Devices -> Device page -> Timeline.
File name and patch information will be captured when file level policy is applied, and it will show in the Device control report (Reports -> Device Control and the report data latency reduced from 12 hours to 6 hours. In the Device control report, you can view the audit events & policy events. Audit events will show the number of audit events occurs when external device is connected. Policy events will show the number of policy when a device control policy is triggered. To see real-time activity for this media across the organization, select the Open Advanced hunting button. This includes an embedded, pre-defined query.
Network location as a condition
You can create device control policies for the machines which are not connected to the corporate network using machines network location. “Network” and “VPNConnection” group types created recently. You can use the block people from accessing Removable storage when the machines is not connected to the corporate network. Microsoft mentioned these features are currently available in public preview for Microsoft defender for endpoints. There are few troubleshooting steps you can follow for policy issues. To confirm if the policy is applied on the machine, Open powershell as an administrator and run “Get-MpComputerStatus” and verify if latest date is showing in the DeviceControlPoliciesLastupdated. There are couple of reason the policy does not work. If you are not using correct markdown formatting for the “&” character and adding the byte mark (BOM) 0xEF 0xBB 0xBF at the beginning which causing XML parsing issues.
For more Info on Windows Defender and its capabilities, kindly read the article:
Configure Firewall rules to allow reusable settings with Windows Defender
