Title

Microsoft Defender Endpoint (MDE) must enable Endpoint Detection and Response (EDR) in block mode. (Cat II impact)

Discussion

Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Individuals of concern can include hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyberattacks on third parties. Applications and application developers must take the steps needed to ensure users cannot use an authorized application to launch DoS attacks against other systems and networks. For example, applications may include mechanisms that throttle network traffic so users are not able to generate unlimited network traffic via the application. Limiting system resources allocated to any user to a bare minimum may also reduce the ability of users to launch some DoS attacks. The methods employed to counter this risk will be dependent upon the application layer methods that can be used to exploit it. Satisfies: SRG-APP-000246, SRG-APP-000435

Check Content

Access the MDE portal as user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Verify the slide bar for "Enable EDR in block mode" is set to "On". If the slide bar for "Enable EDR in block mode" is not set to "On", this is a finding.

Fix Text

Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Advanced features (under General). 2. Set the slide bar for "Enable EDR in block mode" to "On".

Additional Identifiers

Rule ID: SV-272888r1085705_rule

Vulnerability ID: V-272888

Group Title: SRG-APP-000246

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.