
Security Guardian Current - User Guide


Discovery for Entra ID Persistence Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra Discovery for Persistence.

NOTE: Persistence techniques are used by adversaries to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Vulnerability Template: Entra ID Conditional Access cloud application inclusion status

Name: Entra ID cloud applications that are not included in a conditional access policy

Default scope: All Applications

Risk: Conditional Access policies allow administrators to assign controls to specific applications. Administrators can choose from the list of applications or services that include built-in Microsoft applications and any Microsoft Entra integrated applications. Ensure at least one conditional access policy applies to each Cloud application in the organization.

Remediation: Enable a Conditional Access policy for the tenant that has "Target resources" set to include any cloud application that is not currently included in a Conditional Access policy.

What to find: Entra ID Cloud applications in scope that are not included in a conditional access policy

Discovery for Entra ID Privilege Escalation Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra ID Discovery for Privilege Escalation.

NOTE: Privilege Escalation techniques are used by adversaries to gain higher-level privileges on a system, such as local administrator or root.

Vulnerability Template: Number of Global Administrators

Name: More than recommended number of Global Administrators in the organization

Default scope: N/A

Risk: Users who are assigned the Global Administrator role can read and modify almost every administrative setting in your Microsoft Entra organization. Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization.

Remediation: Review the users assigned the Global Administrator role, determine the access required, and assign a more appropriate privileged role to the user.

What to find: Total number of Global Administrators in the organization is more than or equal to 5

NOTE: The number of Global Administrators is editable.

Vulnerability Template: Entra ID Role with Guest members

Name: Guest accounts assigned to the Global Administrator role

Default scope: N/A

Risk: Cyber-attackers use credential theft attacks to target administrator accounts and other privileged access to try to gain access to sensitive data.

Remediation: Remove Guest accounts from the Global Administrator role.

If the Guest account is the initial Microsoft account used when Entra ID was first set up, replace the Microsoft account with an individual cloud-based or synchronized account.

What to find: Roles in scope that have more than 0 Guest accounts as members

NOTE: The number of Guest accounts is editable.

Vulnerability Template: Number of privileged role assignments

Name: More than recommended number of privileged role assignments

Default scope: N/A

Risk: Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, the use of these privileged role assignments should be limited to fewer than 10 in the organization.

Remediation: Review the privileged role assignments and reduce the number of assignments by removing access from principals that do not require it. If all principals require the access, use role-assignable groups to manage the access to privileged roles.

What to find: Total number of privileged role assignments in the organization is more than or equal to 10

NOTE: The number of privileged role assignments is editable.

Vulnerability Template: Entra ID Conditional Access Continuous Access Evaluation disabled status

Name: Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users

Default scope: All users

Risk: Continuous access evaluation is auto enabled as part of the organization's Conditional Access policies. The key benefits of continuous access evaluation are:

  • User termination or password change/reset: user session revocation is enforced in near real time.

  • Network location change: Conditional Access location policies are enforced in near real time.

  • Token export to a machine outside of a trusted network can be prevented with Conditional Access location policies.

Remediation: Any Conditional Access policy that has disabled continuous access evaluation should be reviewed to ensure there is a legitimate reason it was created. The setting to disable Continuous Access Evaluation is located in “Session”, “Customize continuous access evaluation”, “Disable”.

What to find: Entra ID user accounts in scope that are assigned a Conditional Access policy with Continuous Access Evaluation set to disabled
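The "What to find" rules from both Entra ID tables above, as an added example that is not Quest Security Guardian's code: each rule is applied to constructed sample tenant data, with the editable thresholds exposed as parameters. Record shapes, principal and policy names, the privileged-role set and the policy fields are assumptions for illustration, not Microsoft Graph's schema.

```python
# Added example (not Quest Security Guardian code): the "What to find" rules from the
# Entra ID tables above, run over constructed data; record shapes/names are assumed.
ALL = "All"
# Constructed sample: (role name, principal, principal is a Guest account)
ROLE_ASSIGNMENTS = [("Global Administrator", p, False) for p in ("alice", "bob", "carol", "dave")]
ROLE_ASSIGNMENTS += [
    ("Global Administrator", "partner_ext", True),     # Guest holding Global Administrator
    ("Privileged Role Administrator", "erin", False),
    ("Authentication Administrator", "frank", False),
    ("Global Reader", "heidi", False),                 # not in the privileged set below
]
# Roles counted as privileged for the assignment-count rule (assumed subset).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Authentication Administrator"}
# Constructed Conditional Access policies: targeted apps/users and CAE setting.
CA_POLICIES = [
    {"name": "MFA-core-apps", "state": "enabled", "cae_disabled": False,
     "apps": {"Office 365", "Azure Management"}, "users": {ALL}},
    {"name": "Contractor-exception", "state": "enabled", "cae_disabled": True,
     "apps": {"Office 365"}, "users": {"frank", "grace"}},
    {"name": "Legacy-app", "state": "disabled", "cae_disabled": False,
     "apps": {"LegacyApp"}, "users": {ALL}},
]
CLOUD_APPS = ["Office 365", "Azure Management", "LegacyApp"]
USERS = ["alice", "bob", "frank", "grace"]

def global_admin_excess(assignments, threshold=5):
    """Distinct Global Administrators when their count >= threshold (editable)."""
    admins = {p for role, p, _ in assignments if role == "Global Administrator"}
    return admins if len(admins) >= threshold else set()

def guest_role_members(assignments, roles=("Global Administrator",), threshold=0):
    """Guest members of the scoped roles when more than threshold are found."""
    guests = [(r, p) for r, p, guest in assignments if guest and r in roles]
    return guests if len(guests) > threshold else []

def privileged_assignment_excess(assignments, threshold=10):
    """Privileged role assignment count when >= threshold (editable), else 0."""
    count = sum(1 for r, _, _ in assignments if r in PRIVILEGED_ROLES)
    return count if count >= threshold else 0

def apps_without_ca_policy(apps, policies):
    """Cloud apps no enabled policy targets (a disabled policy is no coverage)."""
    enabled = [p for p in policies if p["state"] == "enabled"]
    return [a for a in apps if not any(ALL in p["apps"] or a in p["apps"] for p in enabled)]

def users_with_cae_disabled(users, policies):
    """Users assigned an enabled policy that disables Continuous Access Evaluation."""
    return [u for u in users if any(p["state"] == "enabled" and p["cae_disabled"]
                                    and (ALL in p["users"] or u in p["users"]) for p in policies)]
```

With the sample data, the Global Administrator rule fires at the default threshold of 5 while the privileged-assignment rule (7 assignments) stays below 10, and a policy in the disabled state is deliberately not counted as covering an application.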

Creating a Discovery

You can create custom Discoveries based on pre-defined vulnerability templates.

NOTE: All of the available vulnerability templates are used in pre-defined Discoveries. You can refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for guidance when creating a new Discovery.

To create a Discovery:

  1. From the Discoveries list, click Create.

  2. Select a Workload (Active Directory or Entra ID).

  3. Enter a Discovery Type.

  4. Click Select Vulnerabilities to display a list of available vulnerability templates for the workload.

  5. Select each vulnerability template you want to add to the Discovery, then click Select.

  6. For each vulnerability added to the Discovery:

    1. Enter a Vulnerability Name.

    2. For Risk, enter the reason why the vulnerability is considered a risk. For Remediation, enter the recommendation for resolving the vulnerability.

      TIP: You can refer to Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID for examples of Risk and Remediation text.

  7. If the vulnerability includes a Scope, specify the objects that you want the Assessment to evaluate. Use the information in the following table for guidance.

    NOTES:

    • If the Tier Zero or Privileged objects checkbox is selected, all applicable Tier Zero or Privileged objects, both those collected from the provider (Security Guardian or BloodHound Enterprise) and any that were manually created, will be included in or excluded from the scope, depending on which option you select.

    • If a vulnerability pertains to a specific object or set of objects, the Scope section will be hidden. For example, if the vulnerability pertains to users, only Tier Zero users will be included. If the vulnerability pertains to a specific AD group, such as Built-In administrators, only that group will be included.

    Scope selection options:

    • All {objects}: All objects in the workload that are the applicable object type, including both Tier Zero/Privileged and non-Tier Zero/non-Privileged objects.

    • Select {objects}: Only the objects you specify based on your selection criteria will be included. When finished, click Add Object to add the object(s) to the Selected {Object}s list. If you want to exclude individual objects within your selection (for example, you selected an AD group but want to exclude individual members from the scope), click Add Exceptions and enter the object(s) as you would if you were adding objects.

    • All Except Selected {objects}: Only the objects you specify based on your selection criteria will be excluded from the scope. You can add multiple objects, separated by semicolons. When finished, click Add Object to add the object(s) to the Selected {Object}s list.

  8. Click Save.

Viewing, Editing, and Deleting a Discovery

From the Discoveries list, you can view the details of a Discovery. You can also edit or delete a user-created Discovery. You can also change the scope of a pre-defined Discovery (if applicable) and, in a few cases, the What to find value. (Refer to the Pre-defined Discoveries and Vulnerabilities for Active Directory and Entra ID sections for specific Vulnerability templates.)

 

NOTE: You cannot delete pre-defined Discoveries and the option will be disabled.

To view a Discovery:

Click the Discovery Type link.

To edit a Discovery:

  1. Either:

    • In the Discoveries list, select the Discovery that you want to edit.

      OR

    • Open the Discovery that you want to edit.

  2. Click Edit.

  3. Update the Discovery as needed.

  4. Click Save.

To delete a user-created Discovery:

NOTE: Currently, you can only delete one Discovery at a time.

  1. Either:

    • In the Discoveries list, select the Discovery that you want to delete.

      OR

    • Open the Discovery that you want to delete.

  2. Click Delete.

You will be prompted to confirm the deletion.
