立即与支持人员聊天
与支持团队交流

Security Guardian Current - User Guide

Introducing Quest Security Guardian Using the Dashboard Tier Zero Objects Privileged Objects Assessments Findings Security Settings Appendix - Security Guardian Indicator Details

Discovery for Entra ID Discovery Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra Discovery for Discovery.

Vulnerability Template Vulnerability Risk What to find
User password last changed

Name:

Entra ID privileged role members whose passwords have not changed recently

Default Scope:

All Users

 

While it is not necessary to require mandatory periodic password resets, organizations should be aware of the password age of users that are members of Microsoft Entra built-in privileged roles.

Remediation:

Ensure that privileged role members have update their password to satisfy the organization’s password policy.

Users that are members of privileged roles that have not updated their password within last 90 days

NOTE: The number of days is editable.

Discovery for Entra ID Initial Access Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra Discovery for Initial Access.

Vulnerability Template Vulnerability Risk What to find
Entra ID tenant security defaults status Name:

Security defaults are enabled

 

Default scope:

N/A

Enabling security defaults is recommended for organizations that are using the free tier of Microsoft Entra ID licensing and want to increase their security posture. Organizations with premium Entra ID licensing should use Conditional Access polices for more granular control to achieve a higher security posture.

Remediation

If the organization is using the free tier of Microsoft Entra ID licensing, continue using security defaults. If the organization is using Microsoft Entra ID P1 or P2 licenses, continue using security defaults while the deployment of Conditional Access policies is planned. When security defaults are disabled, organizations should immediately enable Conditional Access policies to protect the organization. These policies should include at least those policies in the secure foundations category of Conditional Access templates. Organizations with Microsoft Entra ID P2 licenses that include Microsoft Entra ID Protection can expand on this list to include user and sign in risk-based policies to further strengthen the posture.

Entra ID tenants in scope that have security defaults enabled
Entra ID Guest account last used

Name:

Entra ID guest user accounts that are inactive

Default scope:

All users

When external partners no longer access your tenant, the guest accounts may become stale and vulnerable to attack.

Remediation:

Review inactive guest users, block them from signing in, and delete them from the directory.

Entra ID user accounts in scope that were last used more than 90 days ago

NOTE: The number of days is editable.

 

Entra ID Microsoft Authenticator number matching and additional contexts status

Name:

Entra ID Microsoft Authenticator policy does not require geographic location and application name contexts for all users

Default scope:

All users

Microsoft has added features for strong multifactor authentication (MFA to help reduce MFA fatigue attacks and accidental MFA approvals.

Remediation:

In Authentication methods, enforce the use of Microsoft Authenticator passwordless push notifications with show geographic location context and show application name context.

Entra ID user accounts in scope that do not have the Microsoft Authenticator policy assigned with geographic location and application name enabled
Entra ID users synchronized from Active Directory status

Synchronized Active Directory user is assigned an Entra ID privileged role

Default scope:

All users

 

NOTE: If no Active Directory collection is available, an Inconclusive message is returned.

Active Directory is considered less secure than Entra ID. By assigning an Entra ID Privileged role to a synchronized on-premises Active Directory user, attackers have a clear pathway to take over Entra ID if Active Directory is compromised.

Remediation:

Microsoft recommends using cloud-only accounts for Microsoft Entra ID privileged roles.

Remove synchronized Active Directory user accounts from direct and indirect membership of privileged roles. Active Directory users that require privileged access to Entra ID should be provided with a separate cloud-only Entra ID account.

Entra ID users in scope that are synchronized Active Directory users
Entra ID User consent for applications setting

Name:

Entra ID users are allowed to consent for all applications

Default scope:

All tenants selected at the time an Assessment is created

 

 

Before an application can access an organization's data, a user must grant the application permissions. Different permissions allow different levels of access. By default, all users are allowed to consent to applications for permissions that don't require administrator consent. To reduce the risk of malicious applications being granted access to the organization’s data by users, it is recommended that users can only consent to applications that have been published by a verified publisher.

Remediation:

Sign in to the Microsoft Entra admin center as a Global Administrator.

Browse to Identity | Applications | Enterprise applications | Consent and permissions | User consent settings.

Under User consent for applications, select “Allow user consent for apps from verified publishers, for selected permissions”. Alternatively, if appropriate, “Do not allow user consent” can be selected.

Entra ID tenants in scope that have “User consent for applications” set to allow user consent for apps
Entra ID Conditional Access Continuous Access Evaluation strictly enforce location

Name:

Entra ID Conditional Access policies do not protect all users with strictly enforce location for Continuous Access Evaluation

Default scope:

All users

 

Strictly enforce location is an enforcement mode for Continuous Access Evaluation that is configured in Conditional Access policies. This mode provides protection by immediately stopping access if the IP address detected by the resource provider isn't allowed by Conditional Access policy. This option is the highest security setting for Continuous Access Evaluation.

Remediation:

Implementing strictly enforce location for Continuous Access Evaluation requires that administrators understand the routing of authentication and access requests in their network environment. Policies like this one should be tested with a subset of users and applied cautiously. The setting to strictly enforce location for Continuous Access Evaluation is located in “Session”, “Customize continuous access evaluation”, “Strictly enforce location policies”.

Entra ID user accounts in scope that do not have Continuous Access Evaluation strictly enforce location enabled in an assigned Conditional Access policy
Entra ID Conditional Access policy mfa status

Name:

Entra ID Conditional Access

policies do not protect all non-privileged users with multi-factor authentication (MFA)

Default scope:

All except Privileged users

 

Attackers frequently target end users. After attackers gain entry, additional access to privileged information can be requested for the exposed account. Attackers can also download other data such as the entire directory to do a phishing attack on the organization.

Remediation:

Improve protection by requiring multi-factor authentication (MFA) for all users. Enable a Conditional Access policy for the tenant that has:

“Users” set to include “All users” and exclude emergency access or break-glass accounts.

In “Target resources”, “Cloud apps” set to include “All cloud apps”.

In “Access controls” “Grant”, set “Grant access” to “Require multifactor authentication”

Organizations with Security Defaults enabled will enforce MFA for all users in some situations (based on factors such as location, device, role, and task) without requiring a Conditional Access policy.

NOTE: Microsoft recommends excluding the following accounts from Conditional Access policies:

  • Emergency access or break-glass accounts (to prevent tenant-wide account lockout)

  • Service accounts and service principals (non-interactive accounts normally used by back-end services which cannot programmatically complete MFA).

Entra ID user accounts in scope that do not have require multi-factor authentication enabled in an assigned Conditional Access policy
Entra ID tenant on-premises synchronization time

Name:

Synchronization with on-premises Active Directory is delayed

Scope:

All tenants selected at the time an Assessment is created

 

NOTE: If no Active Directory collection is available, an Inconclusive message is returned.

Delays in synchronization with on-premises Active Directory can be due to misconfiguration or issues with the Microsoft Entra Connect server.

Remediation:

Login to Microsoft Entra Connect Health and review any potential sync errors.

Entra ID tenants in scope that have not synchronized with on-premises Active Directory in 12 hours.

 

Discovery for Entra ID Persistence Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra Discovery for Persistence.

Vulnerability Template Vulnerability Risk What to find
Entra ID Conditional Access cloud application inclusion status

Name:

Entra ID cloud applications that are not included in a conditional access policy

Default scope:

All Applications

 

 

Conditional Access policies allow administrators to assign controls to specific applications. Administrators can choose from the list of applications or services that include built-in Microsoft applications and any Microsoft Entra integrated applications. Ensure at least one conditional access policy applies to each Cloud application in the organization.

Remediation:

Enable a Conditional Access policy for the tenant that has "Target resources" set to include any cloud application that are not currently included in a Conditional Access policy.

Entra ID Cloud applications in scope that are not included in a conditional access policy

Discovery for Entra ID Privilege Escalation Vulnerabilities

The following table describes the vulnerabilities identified in the pre-defined Entra ID Discovery for Privilege Escalation.

Vulnerability Template Vulnerability Risk What to find
Number of Global Administrators

Name:

More than recommended number of Global Administrators in the organization

Default scope:

N/A

 

Users who are assigned the Global Administrator role can read and modify almost every administrative setting in your Microsoft Entra organization. Microsoft recommends that you assign the Global Administrator role to fewer than five people in your organization.

Remediation:

Review the users assigned the Global Administrator role, determine the access required, and assign a more appropriate privileged role to the user.

Total number of Global Administrators in the organization is more than or equal to 5

NOTE: The number of Global Administrators is editable.

Entra ID Role with Guest members

Name:

Guest accounts assigned to the Global Administrator role

Default scope:

N/A

 

 

Cyber-attackers use credential theft attacks to target administrator accounts and other privileged access to try to gain access to sensitive data.

Remediation:

Remove Guest accounts from the Global Administrator role.

If the Guest account is the initial Microsoft account used when the Entra ID was first setup, replace the Microsoft account with an individual cloud-based or synchronized account.

Roles in scope that have more than 0 Guest accounts as members

NOTE: The number of Guest accounts is editable.

Number of privileged role assignments

Name:

More than recommended number of privileged role assignments

Default Scope:

N/A

Some roles include privileged permissions, such as the ability to update credentials. Since these roles can potentially lead to elevation of privilege, the use of these privileged role assignments should be limited to fewer than 10 in the organization.

Remediation:

Review the privileged role assignments and reduce the number of assignments by removing access to principals that do not require it. If all principals require the access, use role-assignable groups to manage the access to privileged roles.

Total number of privileged role assignments in the organization is more than or equal to 10

NOTE: The number of privileged role assignments is editable.

Entra ID Conditional Access Continuous Access Evaluation disabled status

Name:

Entra ID Conditional Access policy configured to disable Continuous Access Evaluation for users

Default scope:

All users

 

Continuous access evaluation is auto enabled as part of the organization's Conditional Access policies. The key benefits of continuous access evaluation are:

  • user termination or password change/reset

  • user session revocation is enforced in near real time, network location change

  • Conditional Access location policies are enforced in near real time, and token export to a machine outside of a trusted network can be prevented with Conditional Access location policies. Remediation:

    Any Conditional Access policy that has disabled continuous access evaluation should be reviewed to ensure there is a legitimate reason it was created. The setting to disable Continuous Access Evaluation is located in “Session”, “Customize continuous access evaluation”, “Disable”.

Entra ID user accounts in scope that are assigned a Conditional Access policy with Continuous Access Evaluation set todisabled
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级