IT Audit Field Manual
Strengthen your cyber defense through proactive IT auditing

Product type: Paperback
Published in: Sep 2024
Publisher: Packt
ISBN-13: 9781835467930
Length: 336 pages
Edition: 1st Edition
Author: Lewis Heuermann
Table of Contents (18 chapters)

  • Preface
  • Part 1: Foundations of IT Auditing
  • Chapter 1: Introduction to IT Auditing
  • Chapter 2: Audit Planning and Preparation
  • Part 2: Auditing IT Systems and Networks
  • Chapter 3: Cisco Switches and Routers: Access Methods and Security Assessments
  • Chapter 4: Next-Generation Firewall Auditing
  • Chapter 5: Cloud Security Auditing
  • Chapter 6: Endpoint Security: Windows 10 and Windows 11
  • Chapter 7: Linux Systems Auditing
  • Chapter 8: Wireless Access Points and Storage Technology Auditing
  • Chapter 9: Data Protection and Privacy Considerations
  • Chapter 10: Reporting and Remediation
  • Chapter 11: Advanced Topics in IT Auditing
  • Chapter 12: Building an IT Audit Career
  • Appendix: Conclusion and Future Outlook
  • Index
  • Other Books You May Enjoy

Auditing Microsoft Defender

As an IT auditor, you must understand how to assess the configuration and effectiveness of Windows Defender on Windows 10 and 11 endpoint devices. In enterprise environments, you can expect to encounter Microsoft Defender for Endpoint, which adds capabilities such as threat and vulnerability management and Endpoint Detection and Response (EDR) on top of the antivirus. In this section, you will work through the process of auditing Microsoft Defender using tools and resources that already exist in the Windows installation you might have at home. The concepts carry over to the enterprise product, and you will likely have easier access to a home system to practice on.

See the official Microsoft Defender for Endpoint documentation to review the Enterprise solution:

https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstrations

Configuring Microsoft Defender Antivirus settings

Let’s begin with configuring Windows Defender. To ensure optimal protection, start by confirming the configuration of Windows Defender settings according to best practices. Use the Microsoft Defender for Endpoint documentation (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/) as a reference for the recommended settings, such as the following:

  • Enabling real-time protection
  • Configuring cloud-delivered protection
  • Setting up automatic sample submission
  • Defining exclusions (if necessary)

You can configure these settings using Group Policy, PowerShell, or the Windows Security app.

PowerShell is a common tool for running audit scripts. If you find you are suddenly getting a lot of errors, such as access denied, run PowerShell as an administrator. The following figure shows that the installed version is 7.4.1 and that it is running in Administrator mode.

We will explore a few PowerShell scripts that you can leverage during a Windows audit throughout this chapter.

PowerShell provides a powerful set of cmdlets for auditing Microsoft Defender Antivirus. Use the following cmdlets to retrieve critical information:

  • Get-MpComputerStatus: Retrieves the current status of antivirus software on the device
  • Get-MpPreference: Retrieves the current preferences for antivirus software on the device
  • Get-MpThreat: Retrieves the history of threats detected on the device

Figure 6.3 – PowerShell Window

One way to enable real-time protection is to use a PowerShell command window. Figure 6.3 shows what a typical prompt will look like when you enter as an administrator. Let’s take a look at what a PowerShell command would look like:

Set-MpPreference -DisableRealtimeMonitoring $false

The preceding snippet tells Windows Defender to use real-time protection. The DisableRealtimeMonitoring setting takes a Boolean input ($true or $false), so setting it to $false turns real-time monitoring on. We, of course, want to avoid disabling real-time monitoring unless the organization has a specific reason or a separate solution in place.

To check whether real-time protection is currently enabled, use this command:

(Get-MpComputerStatus).RealTimeProtectionEnabled
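To turn the individual checks above into repeatable audit evidence, here is an added example script (my own, not code from the book) that uses Get-MpComputerStatus and Get-MpThreat to build a snapshot with pass/fail findings. It assumes an elevated PowerShell session on Windows 10/11 with the Defender module available; the function name Get-DefenderAuditSnapshot and the 7-day staleness thresholds are my choices, not values the book prescribes.

```powershell
# Added example, not from the book: read-only snapshot of Microsoft Defender
# Antivirus health for audit evidence. Assumes an elevated PowerShell session on
# Windows 10/11 with the Defender module present. Thresholds are assumptions.
function Get-DefenderAuditSnapshot {
    param(
        [int]$MaxSignatureAgeDays = 7,   # assumption: signatures older than this are a finding
        [int]$MaxQuickScanAgeDays = 7    # assumption: no quick scan in this window is a finding
    )

    $status  = Get-MpComputerStatus
    $threats = @(Get-MpThreat)           # history of threats detected on this device
    $active  = @($threats | Where-Object { $_.IsActive })

    # Each finding is a pass/fail statement the auditor can quote in the report
    $findings = @(
        [pscustomobject]@{ Check = 'Antimalware service running';   Pass = $status.AMServiceEnabled;          Value = $status.AMServiceEnabled }
        [pscustomobject]@{ Check = 'Real-time protection enabled';  Pass = $status.RealTimeProtectionEnabled; Value = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Behavior monitoring enabled';   Pass = $status.BehaviorMonitorEnabled;    Value = $status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Check = 'Tamper protection enabled';     Pass = $status.IsTamperProtected;         Value = $status.IsTamperProtected }
        [pscustomobject]@{ Check = "Signatures <= $MaxSignatureAgeDays days old"; Pass = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays); Value = $status.AntivirusSignatureAge }
        [pscustomobject]@{ Check = "Quick scan within $MaxQuickScanAgeDays days"; Pass = ($status.QuickScanAge -le $MaxQuickScanAgeDays);        Value = $status.QuickScanAge }
        [pscustomobject]@{ Check = 'No active (unremediated) threats'; Pass = ($active.Count -eq 0); Value = $active.Count }
    )

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        CollectedAt        = Get-Date
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureUpdated   = $status.AntivirusSignatureLastUpdated
        LastQuickScan      = $status.QuickScanEndTime
        ThreatHistoryCount = $threats.Count
        ActiveThreats      = @($active | Select-Object ThreatName, SeverityID, DidThreatExecute)
        Findings           = $findings
        OverallPass        = (@($findings | Where-Object { -not $_.Pass }).Count -eq 0)
    }
}

# Usage: show the findings table and keep a JSON copy as audit evidence
$snapshot = Get-DefenderAuditSnapshot
$snapshot.Findings | Format-Table -AutoSize
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:TEMP\defender-audit-$env:COMPUTERNAME.json"
```

The script only reads state; it never calls Set-MpPreference, so an auditor can run it on a production endpoint without changing the configuration under review. The JSON file gives you a timestamped artifact to attach to the working papers.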

For more advanced auditing and automation, spend some time studying the Microsoft Defender for Endpoint API (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/apis-intro). The API allows you to retrieve data about device health, alerts, and vulnerabilities programmatically, which can lighten the manual auditing load on the audit team.

Validating Microsoft Defender Antivirus’ effectiveness

To validate the effectiveness of your Microsoft Defender Antivirus configuration, use the Microsoft Defender Testground website (https://demo.wd.microsoft.com/). This website allows you to safely expose your device to simulated threats and assess how well Microsoft Defender Antivirus detects and mitigates them.

You should also regularly review Microsoft Defender Antivirus event logs and reports to identify potential issues or gaps in protection. Here is a list of key logs and reports to include in your routine reviews:

  • Windows Defender Operational log (Event Viewer)
  • Microsoft Defender Antivirus event logs (Applications and Services Logs\Microsoft\Windows\Windows Defender)
  • Microsoft Defender Security Intelligence report (Windows Security app)
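As an added example of the routine log review described above (my own script, not the book's), the following pulls the events an auditor most wants to see from the Microsoft-Windows-Windows Defender/Operational log. It assumes an elevated session and a 30-day review window; the event IDs listed are the ones Microsoft documents for this log, but confirm them against the current Microsoft reference before relying on them in a report.

```powershell
# Added example, not from the book: review the Microsoft Defender Antivirus
# Operational event log for detections, failed updates and protection changes.
# Assumes an elevated session. Event IDs follow Microsoft's documentation for
# this log; verify against the current reference before use.
function Get-DefenderReviewEvents {
    param([int]$Days = 30)   # assumption: length of the review window

    # Event ID -> meaning (Microsoft-Windows-Windows Defender/Operational)
    $interesting = @{
        1116 = 'Malware or unwanted software detected'
        1117 = 'Action taken on detected threat'
        2001 = 'Security intelligence update failed'
        5001 = 'Real-time protection disabled'
        5007 = 'Antimalware platform configuration changed'
        5010 = 'Scanning for malware disabled'
        5012 = 'Scanning for viruses disabled'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = [int[]]$interesting.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Meaning = $interesting[$e.Id]
            Message = ($e.Message -split "`r?`n")[0]   # first line is the summary
        }
    }
}

$review = Get-DefenderReviewEvents -Days 30

# Summary: how often each event type occurred in the window
$review | Group-Object Id | Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# Detail: protection or configuration changes deserve a line-by-line look,
# because each one should match an approved change record
$review | Where-Object { $_.Id -in 5001, 5007, 5010, 5012 } |
    Sort-Object Time | Format-Table Time, Id, Meaning -AutoSize
```

A 5001 or 5007 event with no matching change ticket is the kind of gap this review is meant to surface; a run of 2001 events means the endpoint has been running on stale security intelligence, which the signature-age check in Get-MpComputerStatus will also show.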

Comparing configurations against security baselines

To ensure that your Microsoft Defender Antivirus configurations align with industry best practices, compare them to the Windows security baselines (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines). These baselines, distributed through the Security Compliance Toolkit (SCT), provide a starting point for secure configurations and can help you identify areas for improvement.
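One practical way to do this comparison is to express the adopted baseline as a table of expected Get-MpPreference values and diff the live endpoint against it. The script below is an added example (mine, not the book's or Microsoft's); the $ExpectedBaseline values are illustrative and must be replaced with the settings your organization actually adopted from the Windows security baselines, and it assumes an elevated session.

```powershell
# Added example, not from the book: compare live Get-MpPreference values with an
# expected baseline and list every deviation. The baseline values below are
# illustrative assumptions; substitute your organization's adopted baseline.
# Assumes an elevated session on Windows 10/11.
function Compare-DefenderPreference {
    param(
        [Parameter(Mandatory)][hashtable]$Expected
    )
    $pref = Get-MpPreference
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

# Illustrative baseline (assumption). Value meanings:
#   MAPSReporting:        0 Disabled, 1 Basic, 2 Advanced (cloud-delivered protection)
#   SubmitSamplesConsent: 0 Always prompt, 1 Send safe samples, 2 Never send, 3 Send all
#   PUAProtection:        0 Disabled, 1 Enabled, 2 Audit
$ExpectedBaseline = @{
    DisableRealtimeMonitoring = $false
    DisableBehaviorMonitoring = $false
    DisableIOAVProtection     = $false
    DisableScriptScanning     = $false
    MAPSReporting             = 2
    SubmitSamplesConsent      = 1
    PUAProtection             = 1
}

$result = Compare-DefenderPreference -Expected $ExpectedBaseline
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Deviation: $($_.Setting) is '$($_.Actual)', baseline expects '$($_.Expected)'"
}

# Exclusions are not deviations by themselves, but each one needs a documented
# business justification, so list them for the auditor to review
$pref = Get-MpPreference
[pscustomobject]@{
    ExclusionPath      = @($pref.ExclusionPath)      -join '; '
    ExclusionExtension = @($pref.ExclusionExtension) -join '; '
    ExclusionProcess   = @($pref.ExclusionProcess)   -join '; '
} | Format-List
```

Keeping the baseline in a hashtable makes the comparison data-driven: when the organization updates its adopted baseline, only the table changes, and the same script can be run across many endpoints to produce a consistent deviation list.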

Continuous monitoring and improvement

Regularly audit and update your Microsoft Defender Antivirus configurations to keep pace with emerging threats and evolving best practices. Use the Microsoft Defender for Endpoint documentation and stay informed about the latest security updates and features.
