Detections
Analytics

MS.DEFENDER.4.6v1 - The custom policy SHOULD include an action to block access to sensitive

Information

Some apps may inappropriately share accessed files or not conform to agency policies for access to sensitive information. Defining a DLP policy with an action to block access from restricted apps and unwanted Bluetooth applications prevents unauthorized disclosure by those programs.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If restricted app and unwanted Bluetooth app restrictions are desired, associated devices must be onboarded with Defender for Endpoint before the instructions below can be completed.

1. Sign in to the Microsoft Purview compliance portal.

2. Under Solutions, select Data loss prevention.

3. Select Policies from the top of the page.

4. Find the custom DLP policy configured under [MS.DEFENDER.4.1v2 Instructions](#msdefender41v2-instructions) in the list and click the Policy name to select.

5. Select Edit Policy.

6. Click Next on each page in the policy wizard until you reach the Advanced DLP rules page.

7. Select the relevant rule and click the pencil icon to edit it.

8. Under Actions, click Add an action.

9. Choose Audit or restrict activities on device

10. Under File activities for all apps, select Apply restrictions to specific activity.

11. Check the box next to Copy or move using unallowed Bluetooth app and set its action to Block.

12. Under Restricted app activities, check the Access by restricted apps box and set the action drop-down to Block.

13. Click Save to save the changes.

14. Click Next on each page until reaching the Review your policy and create it page.

15. Review the policy and click Submit to complete the policy changes.

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-5, 800-53|AC-6, 800-53|AC-7, 800-53|AC-16, 800-53|AC-17, 800-53|AC-18, 800-53|AC-19, 800-53|AC-20, 800-53|CA-7, 800-53|CA-8, 800-53|CM-2, 800-53|CM-5, 800-53|CM-6, 800-53|CM-7, 800-53|CM-8, 800-53|CP-2, 800-53|CP-6, 800-53|CP-7, 800-53|CP-9, 800-53|CP-10, 800-53|IA-2, 800-53|IA-3, 800-53|IA-4, 800-53|IA-5, 800-53|IA-6, 800-53|IA-8, 800-53|RA-5, 800-53|SC-4, 800-53|SC-7, 800-53|SC-28, 800-53|SC-36, 800-53|SI-3, 800-53|SI-4, 800-53|SI-7, 800-53|SI-10, 800-53|SI-12, 800-53|SI-15, 800-53|SI-16

Plugin: microsoft_azure

Control ID: c4ee2432b4cb0079acea5e48cc18a896f4c1a1b3e2af89f5cd1949d810b85e83