Title

Microsoft Defender Endpoint (MDE) must be configured for a least privilege model by implementing Role-Based Access Control (RBAC). (Cat II impact)

Discussion

When first accessing the Microsoft Defender portal, either full access or read only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID. The permission tiers available to assign to custom roles are as follows: View data: - Security Operations - View all security operations data in the portal. - Defender Vulnerability Management - View Defender Vulnerability Management data in the portal. Active remediation actions: - Security Operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators. - Defender Vulnerability Management. - Exception handling - Create new exceptions and manage active exceptions. Defender Vulnerability Management - Remediation handling: - Submit new remediation requests, create tickets, and manage existing remediation activities. Defender Vulnerability Management - Application handling: - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions Security baselines: - Defender Vulnerability Management. - Manage security baselines assessment profiles. - Create and manage profiles so users can assess if devices comply to security industry baselines. Alerts investigation: - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files. Manage portal system settings: - Configure storage settings, SIEM, and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups. Satisfies: SRG-APP-000211, SRG-APP-000267

Check Content

Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >> Endpoints >> Roles (under Permissions). 2. For each defined role: - Click on the role to enter the edit role screen. - Verify the Permissions are configured as defined by the authorizing official (AO). - Verify the appropriate user groups are assigned as defined by the AO. - Click "Cancel". If Settings >> Endpoints >> Roles (under Permissions) does not display roles as defined by the AO, this is a finding. When selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.

Fix Text

Access the MDE portal as a user with at least a Security Administrator or equivalent role: 1. In the navigation pane, select Settings >>Endpoints >> Roles (under Permissions). 2. Select "+Add role". 3. Enter a Role Name, select Permissions as defined by the AO, and then click "Next". 4. Select the appropriate group as defined in MSDE-00-000300.

Additional Identifiers

Rule ID: SV-272887r1085739_rule

Vulnerability ID: V-272887

Group Title: SRG-APP-000211

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.