Microsoft has just introduced a new security feature that will make life a lot easier for IT professionals managing a remote workforce. The Redmond software giant has now enabled Microsoft Defender for Endpoint (MDE) to "contain" unmanaged and compromised Windows devices on the network.
In other words, if a Windows device on the network is deemed insecure or compromised, for whatever reason, other devices on the network will avoid it like the plague: there is no communication inside or outside the device.
This way, should a malicious actor manage to find their way into a network (opens in a new tab), they will be stopped in their tracks before they can do any serious damage. Target network mapping, identification of key endpoints (opens in a new tab), and exfiltration of sensitive data from all devices are essential, for example, in ransomware attacks.
Targeting unmanaged endpoints
In the meantime, IT security professionals will have an isolated, compromised device to play with.
"This action can help prevent nearby devices from being compromised while the security operations analyst locates, identifies, and remediates the threat on the compromised device," Microsoft said.
However, there is a caveat. This only works on devices embedded with Windows 10 (and later) or Windows Server 2019 (and later).
"Only devices running Windows 10 and later will perform the Contain action, which means only devices running Windows 10 and later enrolled in Microsoft Defender for Endpoint will block 'Contained' devices at this time," Microsoft says.
In other words, a compromised unmanaged device (opens in a new tab) can still affect other unmanaged devices.
The new feature can be found on the "Device inventory" page of the Microsoft 365 Defender portal. There, the administrator can choose the devices they want to contain, by selecting the “Contain Device” option in the actions menu.
Changes can take up to five minutes to take effect, he told himself.
If a confined device changes its IP address, other managed devices will also be able to recognize the change and block all communication from the new IP address.
Via: BleepingComputer (Opens in a new tab)