Microsoft Upgrades Defender To Lock Down Linux Devices For Their Own Good

Organizations using Microsoft's Defender for Endpoint will now be able to isolate Linux devices from their networks to stop miscreants from remotely connecting to them. The Register reports: The device isolation capability is in public preview and mirrors what the product already does for Windows systems. "Some attack scenarios may require you to isolate a device from the network," Microsoft wrote in a blog post. "This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature." Intruders won't be able to connect to the device or run operations like assuming unauthorized control of the system or stealing sensitive data, Microsoft claims.

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they're behind a full VPN tunnel, they won't be able to reach Microsoft's Defender for Endpoint cloud services. Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network. Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an "Isolate Device" tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

1 month from now: It did sound too good to be true

[thesjaakspoiler]

I get this bad feeling about Microsofts software making such decisions on it's own.
Before you know it we have some bug or some jolly hacker who manages to isolate every device running Defender.

Re: 1 month from now: It did sound too good to be

[iavael]

As far as I understand, it doesn't decide to isolate devices on it's own. This is triggered only by enterprise administrator.

Re: 1 month from now: It did sound too good to be

[sfcat]

As far as I understand, it doesn't decide to isolate devices on it's own. This is triggered only by enterprise administrator.

It is controlled by an API running on a Windows box. This is like buying a bank vault to store your valuables and trusting the key to your alcoholic brother-in-law with criminal tendencies.

Re:

[bleedingobvious]

It is controlled by an API running on a Windows box.

Glaringly wrong. It's controlled from a cloud console.

This isolation tooling is great. We have automated playbooks isolating these sods.

Re:

[aegisqc]

That is even more worst...

Here, create a MS Cloud account, so that you can use your MS Cloud Console, running exclusive and discriminatory MS Services, running on someone else's server stack that you have no control or oversight of, and that the best that can happen when shit hit the fan, is to call MS and create a stupid ticket.... LOL.

They need to stop trying to push the Cloud like a solution for all problem and like a religion...

Some people are not interested by this MS Cult, and yes, Linux users will pe

Re:

[bleedingobvious]

create a MS Cloud account, so that you can use your MS Cloud Console, running exclusive and discriminatory MS Services

OK. So just ever so slightly crazy then. .

Re:

[eneville]

They need to stop trying to push the Cloud like a solution for all problem and like a religion...

It is not religion, it is outsourcing IT, therefore business to them.

The model is great, every layer (service) the data goes through you have to pay. More services/"insurance" protection, more cost to the customer. That's all MS ever wanted, they didn't want to sell software in boxes, they wanted you to buy a monthly subscription, this gives them a less lumpy revenue stream.

Is it worth it? Absolutely not.

Re:

[Z00L00K]

What could possibly go wrong?

Re:

[aegisqc]

Linux/Unix device are generally more stable and more safe, compared to windows... does this mean Microsoft has abandoned the idea of trying to make their OS a secure as Linux, and instead decide to shift the attention on blocking others OSes instead of making better code ?

Not like there already a solution for this called NPS + Radius Server...... but that doesn't try to put the blame on Linux for being too good.........right ?

I needed that laugh this morning... lol

at what level does it mess with networking?

[Joe_Dragon]

at what level does it mess with networking?
Does it need linux kernel tracking?
needs to be updated for each kernel update?
stop docker traffic on the same host?
stop open vswitch?
VM host bridged networking?
VM host macvtap networking?

Re: at what level does it mess with networking?

[iavael]

Last time I looked at mdatp on Linux it didn't use own kernel modules, only mainline Linux uapi (fanotify, audit via auditd etc). Most likely for this function it uses netfilter or ebpf.

Re:

[ArmoredDragon]

This overall isn't a bad idea, and it's neither Windows nor Linux's fault either. The scenario they're helping with here is when you have vendors that issue gear that they insist on putting on your network, and then they also refuse to allow you to manage them or do any kind of modification whatsoever, and the OS they typically run is Linux. This is very common in instrumentation computers, especially in health care settings (European vendors are especially bad at this, you'd be surprised at just how horrid

Does It Isolate WSL?

[zenlessyank]

Asking for a friend.

Re:

[techno-vampire]

Windows as a Second Language?

Re:

[Joe_Dragon]

yes windows C

Just keep piling it on

[Anonymous Coward]

Windows has the craziest security I have ever seen. There are like a million different anti-virus-malware-ransom-what packages all installed, configured, and running at the same time. On top of that is a billion other little things here and there to make the system "more secure." Constantly slowing everything down.

The whole thing is a boat anchor. Judging by infection rates, this crap does no actual things to make the system more secure.

Why don't they focus on fixing the damn OS instead of applying band-aids all over it?

Re:

[CmdrPorno]

Might as well just revert back to early XP, which was far more stable than its predecessors because of the NT kernel, but very vulnerable to viruses and spyware, neither of which I have encountered on Windows 10 (and that was an era where perhaps 5% of all users kept consistent backups). Now, if you do get hit with ransomware, you just nuke the install and restore your data from the cloud. I miss the old-school viruses! Bring us back the original Outlook Express and its inherent security vulnerabilities.

Re:

[awwshit]

Any operating system that is used by a large number of people all over the world will be plagued with bad software. Users can and will be tricked into installing all kinds of things. Humans are the problem, not the operating system.

Re:

[Entrope]

One of the first rules of strict cyber security is "don't let normal users install unapproved software", often extending that even to scripts. Some rules even say "don't let users run unapproved software, and command shells are unapproved".

Yes, these rules often impede productive work, but they are pretty effective at keeping computers from getting rooted because of a user's error.

Re:

[geminidomino]

> Yes, these rules often impede productive work, but they are pretty effective at keeping computers from getting rooted because of a user's error.

So is filling all of the I/O device ports with epoxy.

Re:

[firewrought]

Pfftt... real security professionals recommend filling the chassis with molten lead.

Re:

[awwshit]

Take my statement, replace the word 'install' with the word 'run'. If your users can run software, any software, within their own security context then you can be compromised.

Read this:
https://www.cisa.gov/uscert/nc... [cisa.gov]

I'll quote it:
"The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious do

Re:

[Entrope]

The threat vector described there is exactly what is addressed by the broader category of security controls I mentioned in my second sentence. Banning desktop users from running command interpreters or shells is meant to keep them from getting pwned by malicious scripts and "LoLbin" attacks.

I will also note that other security controls are meant to protect against that same security threat: Using a smart proxy for all outbound web connections, preventing the retrieval of "active" content through such a pro

Re:

[awwshit]

Off in tangent land here... My point is that the OS does not matter, the human driving it does. Nothing about what you said is OS specific either.

https://redcanary.com/blog/byp... [redcanary.com]

Re:

[Entrope]

Why are you linking to a sales pitch moaning that application whitelisting doesn't stop whitelisted applications from doing things? That's such a stupid goalpost move that you should be ashamed of yourself.

The original threat was somebody downloading a novel (i.e. not whitelisted) executable. That threat is fully addressed by the security control -- even if the user tries to do something they should not. Trying to subvert on-system executables is a different threat, and is addressed by different security

Re:

[Ol Olsoc]

Any operating system that is used by a large number of people all over the world will be plagued with bad software. Users can and will be tricked into installing all kinds of things. Humans are the problem, not the operating system.

A large part of that is true - that humans are the problem. But Windows is not as secure as other OS's. There are enough Linux and Unix systems that should allow the bad guys to wreak havoc without ever booting Windows. We've heard the Obscurity is Security for so long now that no one who needs high security should ever use Windows, they should use as obscure an OS as they can find.

Meanwhile, the latest W10 update for one of my computers blocked all the software on it that goes to the network, and I had

Re:

[ufgrat]

Only if your windows system is run by a moron.

Your stereotype is a decade or more out of date.

Re:

[Dadoo]

Umm... The whole reason most people use Windows is because they believe it can be run by morons.

Re:

[Larry_Dillon]

It's easier to write new software than to fix bug and architectural issues, so they just add layers of complication instead of fixing underlying issues.

Split tunnels recommended, huh?

[Entrope]

It's obnoxious for Microsoft to insist on split tunneling VPNs. At least some government security policies forbid use of split tunnels because it means the endpoint device's other communications cannot be monitored for problematic behavior -- it gives attackers another way around the network's firewalls.

(And before anyone says "zero trust", that doesn't change the government-imposed security policies.)

Re:

[Entrope]

Otherwise you need something on the client device that you trust (!!!!)

What do you think "Defender for Endpoint" is supposed to be?

The threat that is mitigated by this rule is that a compromised client connects to the enterprise via VPN while the attacker has another connection to the device. With split tunneling, the enterprise can't see that second connection. Blocking that attack mode might be a small gain in security, depending on your adversary model, but it's not "false".

what a joke

[dhammabum]

Microsoft protecting us from *Linux*??? With the monthly parade of critical vulnerabilities on their systems? This must be some pathetic move by MS to marginalise Linux. Next stage, they'll be saying to just migrate everything to the 'safety' of windows.

Re:what a joke

[Wyzard]

Microsoft protecting us from *Linux*??? With the monthly parade of critical vulnerabilities on their systems? This must be some pathetic move by MS to marginalise Linux. Next stage, they'll be saying to just migrate everything to the 'safety' of windows.

Look again at the first sentence of the quoted block:

mirrors what the product already does for Windows systems

Despite the sensationalized headline, this doesn't look like an attack on Linux. It looks much more like adding a useful feature for network admins who have Linux hosts on their network. On a centrally-managed corporate network, admins want to to disconnect compromised hosts but still be able to monitor and manage them, and now Microsoft's endpoint security software is able to do that on both Windows and Linux, instead of only on Windows. It's not just a blanket ban on all Linux machines.

Re:

[cavok76]

Does a router, switch, WAP, count as a lInux device, just because it's running it ?

Re:

[dhammabum]

It's not just a blanket ban on all Linux machines.

Never said that, would that be a strawman argument?

Joking aside, yeah, maybe, I can see the point of unified management. But what is this actually accomplishing? The admins discover they are compromised and don't know the extent. They run the lock down command. If the attackers are already on Linux systems with this program, it may lock them out. If the attackers are any good they could just make sure their presence isn't detected and just wait till the network opens again. If the attackers have root, I'm n

Re:

[ufgrat]

This must be some pathetic move by MS to marginalise Linux.

You don't "marginalize" Linux by shutting down a few misbehaving systems. So either you meant it was an attack on all Linux systems, or you wrote a very poor sentence.

Re:

[dhammabum]

What I meant was MS code would be controlling Linux systems, its the mental shift in end users that Linux systems become just more MS objects. And who said they were misbehaving? Someone pulling this big switch wouldn't know. If you really needed to disconnect a system from a network, you'd just put it on a non-routing VLAN or disable its virtual port or blackhole the address or whatever. This service is designed to make hapless admins feel like they are able to do something.

Re:

[sabbede]

What you're describing is already the norm for enterprise networks. Linux machines joined to AD, thus becoming "MS objects", with EDR security software managing each machine's firewall and locking them down (quarantining) if suspicious activity is detected.

Re:

[dhammabum]

Fair enough, sort of. AD joining is the linux box using AD as a service for authentication, etc., it isn't managing linux software or processes. Yes it does set file permissions. This doesn't seem as 'aggressive' somehow as this code, which has control over fundamental linux operations. This seems a step too far.

Re:

[Ol Olsoc]

It's not just a blanket ban on all Linux machines.

Never said that, would that be a strawman argument?

Nope - he's trying to confuse the argument.

Joking aside, yeah, maybe, I can see the point of unified management. But what is this actually accomplishing?

It is security theater.

Re:

[franzrogar]

Quote: "Despite the sensationalized headline, this doesn't look like an attack on Linux."

Nope, not an attack on Linux, the ONLY OS (apart itself) that will block.

How about *BSD, macOS, etc.?

Re:

[sabbede]

"Microsoft will begin incrementally rolling out the functionality for all macOS devices to enable Network Protection on 1/31/2023 and expects to complete by 2/17/2023. "

https://learn.microsoft.com/en... [microsoft.com]

It's not an attack, it's support for a common feature of EDR software.

Re:

[ufgrat]

The number of vendors who show up with their Linux appliances running Ubuntu 14.04, php 5.x and .NET 3.x is staggering. And then they insist that you can't patch or upgrade their system because they haven't certified their crap code with anything written after 2018.

And of course, the last thing management wants to do is run their new Shiny Have to Have data acquisition tool past either a competent admin or security....

So yeah, there are times when Linux systems need to be isolated. If we can tell manageme

Re:what a joke

[dhammabum]

Did you have a chat with the CIO / CEO about how easy it is to hack these systems, what happens when they are compromised, how much it costs for lawyers, security auditors, etc. after a breach, what the reputation damage will cost the company, lost customers, etc? Use real examples from similar companies.

Another option - offer to run a pentest against it - with that bad a system just a canned attack out of burp (from portswigger.net, not expensive) will produce very damning data. It's fun. Then do a report with lots of red bars in it. Work out how to repeat some of the more dramatic attacks and demonstrate them.

For me, this kind of BS requires a red-line approach. You need to have enough respect and gravitas in the company to make yourself heard. This isn't popular or pleasant but when they are viscerally confronted with the problem, I found they reconsider. If they ignore you or don't care: time for a new job. In such an environment once there is a breach, you, the admin, will be blamed, not the idiot that wanted the system.

Re:

[ufgrat]

The last time I had a "chat" with the Assistant Director, it went something like this:

"I'm the *bleep* assistant director of this *bleep* organization. Any idiot can run a linux server, hell, my kid can install linux. Do it the way I say, or I'll fire your ass."

If the system is part of a pet project by a higher up, it doesn't matter how loud security or IT scream, that system will be accomodated.

Welcome to the real world.

Re:

[dhammabum]

Sure, assholes can almost always find enablers. I'm just saying I wouldn't work for them, and I've quit a job and not accepted another job because of it.

The real world is what you make of it.

Re:

[Ol Olsoc]

The number of vendors who show up with their Linux appliances running Ubuntu 14.04, php 5.x and .NET 3.x is staggering. And then they insist that you can't patch or upgrade their system because they haven't certified their crap code with anything written after 2018.

And of course, the last thing management wants to do is run their new Shiny Have to Have data acquisition tool past either a competent admin or security....

So yeah, there are times when Linux systems need to be isolated. If we can tell management (or the vendor) that Microsoft thinks a system is crap, then that's more ammunition we have for getting rid of the damned thing.

Let's say this hypothetical lazy vendor comes in with his horribly compromised computer.

What is the security of a Windows system that allows the dood to utterly wreck the highly secure Windows network.

Doesn't sound like a really secure system.

Re:

[ufgrat]

You've obviously never seen what a sophisticated network attack looks like. Most networks are not designed to deal with internal attacks.

Re:

[Ol Olsoc]

You've obviously never seen what a sophisticated network attack looks like. Most networks are not designed to deal with internal attacks.

Well then - looks like most networks are wide open and have zero security then, doesn't it? We call that born compromised.

Anyhow - it is good that the cure is a Windows only monoculture.

Re:

[ufgrat]

Are you trolling, or are you seriously that bad at comprehension?

Your logic of "most networks are wide open and have zero security" is obvious asinine, so why did you say it? I've seen the result (and the forensic breakdown) of a nation-state attack (Probably a country with a red flag and some yellow stars). Because of one poorly patched system (an instrument device running an old copy of Windows and a web browser), an entire department had to burn their network to the ground and start over-- because that

Re:

[Ol Olsoc]

Are you trolling, or are you seriously that bad at comprehension?

I'm trolling you hard. Why? Well first and foremost, you deserve it, and I don't like you.

Re:

[stooo]

It's like the Berlin wall. It was built to keep those crazy starving capitalists out....

Re:

[Opportunist]

Those imperialist capitalist pigs trying to steal our shiny new communism!

Re:

[thegarbz]

Yes, your reading comprehension is a joke. But you made a pro Linux con Microsoft post so have a +1 because apparently you're complete lack of clue about what is going on is "insightful".

What?

[gweihir]

A well-configured Linux client has one port open: SSH. There is no need to isolated SSH unless really bad passwords are used. What the hell is Microsoft doing?

Re:

[iAmWaySmarterThanYou]

You mean ssh keys with non trivial passphrase :-)

Re:

[gweihir]

Nope.

Re:

[tijgertje]

Also of course not giving the moron the root password.
While users with Windows machines are often local admin (and also logged in as admin), linux users aren't always logged in as root.

Re:

[ufgrat]

And there's never been an SSH vulnerability. And vendors always ship the most up-to-date and secure code.

Re:

[Viol8]

And there's never been a Windows Defender vulnerability and all Windows servers have the most up-to-date and secure patch level.

Re:

[ElizabethGreene]

No, servers have more holes in them than decade-old socks. You want some way to disconnect them from the network if it looks like they've been compromised. That's what this new feature is. We've had it in Defender ATP on Windows for a while now.

Re:

[Opportunist]

A well configured client probably doesn't have any ports open unless there is a compelling need to remote into it. But why'd I do that with a client on a general principle?

Re:

[gweihir]

Sure. But on a server you cannot use this isolation because if you do it stops being accessible and hence effectively stops being a server.

Re:

[Opportunist]

I don't question that. I question the meaningfulness of the posting I originally replied to.

Re:

[gweihir]

You do not occasionally want to ssh into a client? Well, I do. Lets make that "...has maximally one port open...". Better?

Re:

[Opportunist]

Where I work, that distinction between client and server is kinda fuzzy... let's agree on "I occasionally want to ssh into a machine" and leave it at that.

The machines I actually use as "clients" do not accept incoming connections. For good reason.

Re:

[gweihir]

Lets just say there are valid use-cases for ssh-in on a client, but if you have really high security needs on a client you may want to look for another solution. You can do basically all things with all activity originating from the client as well.

Hence the "ssh-in" I allow on some of my clients is basically convenience after a careful security analysis. My take is that it does not decrease security significantly more than outgoing connections, which can be hacked from other other side or by intermediaries

Re:

[Opportunist]

Most clients will certainly be allowed to run sshd for convenience reasons alone. But yes, there are clients where the security concerns outweigh the comfort ones. It's absolutely a matter of risk management, and in my field of work (security for financial institutes), more often than not security trumps usability.

Re:

[ElizabethGreene]

I've had this conversation on the Windows side a lot. You can't presume that attackers are outside and trying to get in. If users are actually using the box to do work it opens up inside-out attack vectors that zip right through your only-allow-ssh firewall rules. E.g. Do you use Pidgin for IM? It's had several remote code execution CVEs. Local apps that log with Log4j? Cisco Anyconnect? Any modern browser? Each of these only gets the attacker privileges in the logged-on user context, but that's sti

Microsoft created malware and want to protect it

[gavron]

Some history. Feel free to google any of this. These are facts. If you want to skip the history jump to the "###" in the text. In all cases where I say "program" if you don't know what this, pretend I said "app." If I say "directory" and you don't know what that is, pretend I said "folder".

Before personal computers there were S-100 bus computers where one could plug in S-100 cards and augment the computer. Think of it as a primitive PC.
Then there were personal computers (PCs). These included the Radi

Re:

[nukenerd]

Interesting stuff, but not quite right about this bit :

Then IBM introduced the IBM Personal Computer which over time with market share is now known as "the PC". It ran PC-DOS ..... IBM was good at making hardware, but didn't want the support burden. They did a deal with young Bill Gates and he and his nascent company (Microsoft) agreed to take on that "burden." Part of the deal was that they'd offer a "new" version of PC-DOS called MS-DOS, and thus Microsoft got its inroads into the PC world (at the time "the IBM Presonal Computer world.")

That implies that Microsoft only entered the scene with MS-DOS. In fact they supplied PC-DOS to IBM from Day 1. I say supplied because MS did not write it, only ported it to the IBM PC (which used an Intel 8086). DOS was written for an 8088 by Tim Paterson at Seattle Computer Products. MS bought it for peanuts and hired Paterson to do the porting. IBM did not attach much importance to the PC idea at the time, so their sloppy contract did not prevent

Re:

[sabbede]

Good EDR software automatically locks down a computer when suspicious behavior is detected. Being linux is not suspicious, but a linux machine trying to connect to the admin shares on a dozen other endpoints with local admin creds is probably infected with something, so the EDR software installed on it will kill the relevant processes and block all network traffic that isn't to the EDR management system. Basic enterprise security.

Re:

[KlomDark]

"free and open source (FOSS) "

You really think anyone here needs to be told that the acronym for that is FOSS?

I think you just like typing FOSS.

Now maybe you should FOSS your teeth, they are nasty as allgetout.

What changes on the Linux machine?

[gnasher719]

Is this just a change on a companies network, so machines cannot connect to anything, or a harmless change to the Linux machine through documented Linux APIs, so _it_ doesnâ(TM)t try to connect, or actually hacking into these machines?

Re:

[dhammabum]

Don't know what this system does specifically, but it would only affect the machine(s) it is running on. It could be as simple as a set of firewall rules that block all traffic except to the MS box. Or they could do stuff with interfaces and force traffic through some filter before it leaves the host. You install it, so it will have full access to system devices and drivers. The API to the MS server is just used for signalling events or whatever.

This allows large companies to use Linux

[ei4anb]

My company has been working with MSFT to pilot test these features. It enables us to offer the same security controls as we do for Windows and MacOS, so Linux laptops are now allowed on our network by security policy. I am currently using an Intune enrolled & compliant laptop with Ubuntu 22.04 LTS for my daily work with Office365, Teams etc. That was not possible last year. We block access from non-compliant laptops.

Re:

[airport76]

So this is what it really is: compliance-ware and security circus. Great. Folks, you cannot buy security, you have to build it.

Re:

[sabbede]

Yeah, and deploying software like this is part of building and maintaining a secure environment, instead of assuming that you built such a perfectly secure environment that you'll never need to monitor it.

Re:

[JasterBobaMereel]

If it modifies the Linux device, my answer is simply No

If it restricts it's network access on the network then my answer is .... why doesn't it do this already for every device type, I assumed it would already do this for any new/unknown device?

Re:

[Dagmar d'Surreal]

Large companies could already use Linux.

This helps Microsoft protect Linux users from evil, evil desktop shortcuts.

Re:

[volcan0]

how do you prevent a user getting into single-user mode ?

The irony.

[JustNiz]

If you really care about a secure network, the first thing you'd ban is any windows devices.

IS that what happened?

[kpoole55]

I went to a website, thought it was well known and shouldn't be a problem and a pop-up stating it was Windows Defender noted that my computer was not secure in some way that wold allow others to access it and in the name of security had blocked any network access with directions on how to contact Microsoft to secure my computer and unblock the network.

Of course, I use Linux on all but one of my computers and the Windows machine wasn't even powered on that day. The block, or at least the damn pop-up, couldn

Tell me you've never heard of sandboxing before...

[ElizabethGreene]

It's a pretty common incident response practice to disconnect or sandbox a potentially compromised machine until it can be remediated. You can do this with AV, at the switch by moving it to the naughty VLAN, or by physically pulling the cable and turning off the wifi.

That defender can do it isn't some woo-woo conspiracy; it's just basic functionality.

Glad I removed everything Microsoft.

[oldgraybeard]

My networks no longer use any Microsoft products. Been a few years now 2018 or so and still no reason to go back.

This does not sound like a good idea

[whitroth]

Let's see - I worked for a large civilian sector agency of the US government as a contractor for 10 years (note how much more you paid in taxes for me, than had I been a fed). Our group ran Linux server, and workstations. The *only* time our servers were compromised (and only one of them) was when someone got into the agency's Windows boxes, and made a trail.

Embrace, Extend, Extinguish

[hduff]

Nothing has changed.

What are the equivalent Linux tools?

[couchslug]

SSL.