Description:

Agentless scanning for machines is a Microsoft Defender for Cloud capability (offered in the Defender for Servers Plan 2 and Defender CSPM plans) that assesses the security posture of virtual machines (VMs) without installing an agent on them. Instead of inspecting the running machine, Defender for Cloud takes snapshots of the VM's disks and analyzes them out of band for installed software, vulnerabilities, and exposed secrets; it does not inspect network traffic. This is useful for machines where installing the Microsoft Defender for Endpoint agent or other extensions is not feasible or not wanted, and as a second source of findings for machines that do have an agent.

Rationale:

Enabling agentless scanning ensures that every VM in the covered subscription, including those on which an agent cannot be installed or has stopped reporting, is still assessed for vulnerabilities, software inventory, and exposed secrets. This closes the visibility gap created by unmanaged, short-lived, or locked-down machines, and gives consistent findings across Azure VMs and, where connectors are configured, AWS and GCP instances. It complements rather than replaces agent-based protection, which is still required for runtime detection and response.

Impact:

Enabling agentless scanning adds vulnerability and posture coverage for VMs that have no agent installed. Because the analysis runs on disk snapshots outside the VM, it does not add CPU, memory, or network load on the scanned machine and needs no inbound connectivity to it. The caveats are that findings are periodic (scans run on a schedule rather than continuously), that only data on disk is assessed, so memory-resident threats and live process behaviour are not covered, and that disk encryption with customer-managed keys or unsupported operating systems may exclude some machines from scanning. Findings from agentless scanning surface as Defender for Cloud recommendations rather than as real-time alerts.

Default Value:

The "Agentless scanning for machines" setting exists only when Defender for Servers Plan 2 or Defender CSPM is enabled on the subscription; with neither plan enabled there is no agentless coverage. When one of those plans is turned on, Microsoft enables the setting by default, but it can be switched off per subscription, so it must be verified rather than assumed.

Pre-requisites:

  • Microsoft Defender for Cloud (formerly Azure Security Center) must be onboarded for the subscription.

  • Defender for Servers Plan 2 or Defender CSPM must be enabled on the subscription; Defender for Servers Plan 1 does not include agentless scanning.

  • The account making the change needs Owner or Contributor on the subscription to change Defender plans, or Security Admin to change the scanning setting within an already enabled plan.

  • The VMs must be in the covered subscription and run a supported operating system with a supported disk configuration; no Defender for Endpoint enrollment is required for agentless scanning.

Audit:

  1. Sign in to the Azure portal with an account that has at least Security Reader on the subscription.

  2. Navigate to Microsoft Defender for Cloud > Environment settings and select the subscription.

  3. Under Defender plans, confirm that Servers is on with Plan 2 (or that Defender CSPM is on), then open Settings & monitoring and confirm that "Agentless scanning for machines" is set to On. Repeat for every subscription in scope, since the setting is per subscription.

Implementation Steps (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Owner, Contributor, or Security Admin privileges.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, go to Microsoft Defender for Cloud (formerly known as Azure Security Center).

  3. Enable Agentless Scanning:

    • In Microsoft Defender for Cloud, go to Environment Settings and select the subscription.

    • Under Defender plans, ensure that Servers is enabled with Plan 2 (or that Defender CSPM is enabled) for the subscription.

    • Open Settings & monitoring and locate "Agentless scanning for machines".

    • Set the toggle to On and select Continue, then Save.

    • If specific VMs must be excluded, add the exclusion tag in the same setting before saving rather than disabling scanning for the whole subscription.

  4. Verify Scanning Settings:

    • After enabling agentless scanning, return to Environment settings > Settings & monitoring for the subscription and confirm the toggle still reads On.

    • Open Recommendations and check that vulnerability and software inventory findings are populated for VMs that do not have the Defender for Endpoint agent installed; the first findings may take up to 24 hours to appear.

  5. Monitor Findings:

    • Track findings through Defender for Cloud Recommendations and Inventory, or query them with Azure Resource Graph.

    • Use continuous export to send recommendations to a Log Analytics workspace or Event Hub if the findings must feed a SIEM or ticketing process.

  6. Test the Configuration:

    • Pick a VM in the subscription that has no Defender for Endpoint agent (or deploy one with a known-outdated package) and confirm that, after the next scan cycle, its vulnerabilities and software inventory appear in Recommendations without any agent having been installed.

Backout Plan (Manual):

  1. Sign in to the Azure portal:

    • Use an account with Owner, Contributor, or Security Admin privileges.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud.

  3. Disable Agentless Scanning:

    • In Microsoft Defender for Cloud, go to Environment Settings, select the subscription, and open Settings & monitoring.

    • Set "Agentless scanning for machines" to Off and save.

    • This stops snapshot-based assessment for all VMs in the subscription; machines without an agent will no longer receive vulnerability or software inventory findings. Disabling Defender for Servers Plan 2 or Defender CSPM entirely also removes the setting, but with wider side effects.

  4. Test and Validate:

    • After disabling agentless scanning, confirm in Settings & monitoring that the toggle reads Off, and that agentless findings for VMs without an agent stop being refreshed after the next scan cycle.

    • Review Recommendations and any continuous export destination to confirm that no new agentless findings are produced.
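The audit, implementation, and backout steps above can also be carried out through the Microsoft.Security/pricings REST resource, where agentless scanning appears as the AgentlessVmScanning extension on the VirtualMachines (Defender for Servers, subPlan P2) and CloudPosture (Defender CSPM) plans. The following Python is an added example, not code from the page or from Microsoft; it evaluates the JSON returned by a GET on that resource (or by `az security pricing show`) and builds the PUT body that enables or disables the extension while preserving other extension settings. The sample pricing documents are constructed for illustration; the subscription ID, the extension names MdeDesignatedSubscription and the ExclusionTags property are used only as sample data.

```python
"""Audit, enable and back out "Agentless scanning for machines" via Microsoft.Security/pricings.

Added example (not Microsoft's code). Reads the pricing resource for a Defender plan,
reports whether the AgentlessVmScanning extension is on, and builds the PUT body used
to switch it on (implementation) or off (backout).
"""
import json

PRICINGS_API_VERSION = "2023-01-01"   # first api-version that exposes plan extensions
EXTENSION_NAME = "AgentlessVmScanning"
PLANS_WITH_AGENTLESS = ("VirtualMachines", "CloudPosture")


def pricing_url(subscription_id: str, plan_name: str) -> str:
    """ARM URL of one Defender plan's pricing resource in one subscription."""
    return (
        "https://management.azure.com/subscriptions/"
        f"{subscription_id}/providers/Microsoft.Security/pricings/{plan_name}"
        f"?api-version={PRICINGS_API_VERSION}"
    )


def agentless_scanning_state(pricing: dict) -> dict:
    """Audit one pricing document (REST GET body or `az security pricing show` output).

    A plan can carry agentless scanning only on the Standard tier, and for
    VirtualMachines only with subPlan P2; the extension flag alone is not enough.
    """
    props = pricing.get("properties", pricing)   # REST nests settings, az CLI flattens them
    name = pricing.get("name", "")
    tier = props.get("pricingTier", "Free")
    sub_plan = props.get("subPlan")
    eligible = tier == "Standard" and (name != "VirtualMachines" or sub_plan == "P2")
    ext = next((e for e in props.get("extensions") or [] if e.get("name") == EXTENSION_NAME), None)
    # The service returns isEnabled as the string "True"/"False", not a JSON boolean.
    enabled = ext is not None and str(ext.get("isEnabled", "")).lower() == "true"
    return {"plan": name, "tier": tier, "subPlan": sub_plan,
            "eligible": eligible, "agentlessScanning": eligible and enabled}


def build_pricing_body(current: dict, enable: bool) -> dict:
    """Build the PUT body that turns agentless scanning on or off.

    Starts from the current document so that other extensions and any existing
    exclusion tags on AgentlessVmScanning are carried over rather than reset.
    """
    props = current.get("properties", current)
    name = current.get("name", "")
    others = [e for e in props.get("extensions") or [] if e.get("name") != EXTENSION_NAME]
    existing = next((e for e in props.get("extensions") or [] if e.get("name") == EXTENSION_NAME), {})
    new_ext = {"name": EXTENSION_NAME, "isEnabled": "True" if enable else "False"}
    if "additionalExtensionProperties" in existing:
        new_ext["additionalExtensionProperties"] = existing["additionalExtensionProperties"]
    body = {"pricingTier": "Standard", "extensions": others + [new_ext]}
    if name == "VirtualMachines":
        body["subPlan"] = "P2"   # Plan 1 has no agentless scanning
    return {"properties": body}


# Constructed sample documents (not real subscriptions).
SAMPLE_VM_P2_ENABLED = {   # shape of `az security pricing show -n VirtualMachines -o json`
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/VirtualMachines",
    "name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P2",
    "extensions": [
        {"name": "AgentlessVmScanning", "isEnabled": "True",
         "additionalExtensionProperties": {"ExclusionTags": "[]"}},
        {"name": "MdeDesignatedSubscription", "isEnabled": "False"},
    ],
}
SAMPLE_VM_P1 = {   # shape of a REST GET: settings nested under "properties"
    "name": "VirtualMachines",
    "properties": {"pricingTier": "Standard", "subPlan": "P1", "extensions": []},
}
SAMPLE_CSPM_OFF = {
    "name": "CloudPosture",
    "properties": {"pricingTier": "Standard",
                   "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "False"}]},
}


if __name__ == "__main__":
    for doc in (SAMPLE_VM_P2_ENABLED, SAMPLE_VM_P1, SAMPLE_CSPM_OFF):
        print(agentless_scanning_state(doc))
    print(json.dumps(build_pricing_body(SAMPLE_VM_P1, enable=True), indent=2))
```

In practice, fetch the current document with `az rest --method get --url "$(python3 -c 'print(pricing_url(...))')"` or `az security pricing show -n VirtualMachines -o json`, pass it to `build_pricing_body`, write the result to a file, and apply it with `az rest --method put --url <same URL> --body @body.json`; the same call with `enable=False` is the backout. Run the audit function against both the VirtualMachines and CloudPosture documents for every subscription in scope.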

References: