Microsoft Threat Modeling Tool For Mac

Products must use only approved message authentication code (MAC) or hash-based message authentication code (HMAC) algorithms. A message authentication code (MAC) is a piece of information attached to a message that allows its recipient to verify both the authenticity of the sender and the integrity of the message using a secret key. Threat Dragon is a free, open-source threat modeling tool from OWASP. It can be used as a standalone desktop app for Windows and macOS (Linux coming soon) or as a web application.

The Microsoft Threat Modeling Tool helps engineers analyze the security of their systems to find and address design issues early in the software lifecycle.

Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

This topic describes how to install, configure, update, and use Defender for Endpoint for Mac.

Caution

Running other third-party endpoint protection products alongside Defender for Endpoint for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in Passive mode.

What’s new in the latest release

Tip

If you have any feedback that you would like to share, submit it by opening Microsoft Defender for Endpoint for Mac on your device and navigating to Help > Send feedback.

To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender for Endpoint to be an 'Insider' device.

How to install Microsoft Defender for Endpoint for Mac

Prerequisites

  • A Defender for Endpoint subscription and access to the Microsoft Defender Security Center portal
  • Beginner-level experience in macOS and BASH scripting
  • Administrative privileges on the device (in case of manual deployment)

Installation instructions

There are several methods and deployment tools that you can use to install and configure Defender for Endpoint for Mac.

  • Third-party management tools:

  • Command-line tool:

System requirements

The three most recent major releases of macOS are supported.

Important

On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on New configuration profiles for macOS Catalina and newer versions of macOS.

Important

Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.

  • Supported macOS versions: 11 (Big Sur), 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
  • Disk space: 1GB

Beta versions of macOS are not supported.

After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

Licensing requirements

Microsoft Defender for Endpoint for Mac requires one of the following Microsoft Volume Licensing offers:

  • Microsoft 365 E5 (M365 E5)
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)

Note

Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require the Microsoft Volume Licensing offers listed.

Network connections

The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them.

Spreadsheet of domains list: Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
Download the spreadsheet here: mdatp-urls.xlsx.

Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:

  • Proxy autoconfig (PAC)
  • Web Proxy Autodiscovery Protocol (WPAD)
  • Manual static proxy configuration

If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.

Warning

Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.

SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.

To test that a connection is not blocked, open https://x.cp.wd.microsoft.com/api/report and https://cdn.x.cp.wd.microsoft.com/ping in a browser.

If you prefer the command line, you can also check the connection by running the following command in Terminal:

The output from this command should be similar to the following:

OK https://x.cp.wd.microsoft.com/api/report

OK https://cdn.x.cp.wd.microsoft.com/ping

Caution

We recommend that you keep System Integrity Protection (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.

Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:

How to update Microsoft Defender for Endpoint for Mac

Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see Deploy updates for Microsoft Defender for Endpoint for Mac.

How to configure Microsoft Defender for Endpoint for Mac

Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint for Mac.

macOS kernel and system extensions

In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. For relevant details, see What's new in Microsoft Defender for Endpoint for Mac.

Resources

  • For more information about logging, uninstalling, or other topics, see Resources for Microsoft Defender for Endpoint for Mac.

  • Privacy for Microsoft Defender for Endpoint for Mac.

Product/Service (the mitigations below are grouped by component):

  • Web Application
  • Database
  • IoT Device
  • IoT Cloud Gateway
  • Dynamics CRM Mobile Client
  • Dynamics CRM Outlook Client
  • Identity Server

Use only approved symmetric block ciphers and key lengths

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Products must use only those symmetric block ciphers and associated key lengths which have been explicitly approved by the Crypto Advisor in your organization. Approved symmetric algorithms at Microsoft include the following block ciphers:

  • For new code AES-128, AES-192, and AES-256 are acceptable
  • For backward compatibility with existing code, three-key 3DES is acceptable
  • For products using symmetric block ciphers:
    • Advanced Encryption Standard (AES) is required for new code
    • Three-key triple Data Encryption Standard (3DES) is permissible in existing code for backward compatibility
    • All other block ciphers, including RC2, DES, 2 Key 3DES, DESX, and Skipjack, may only be used for decrypting old data, and must be replaced if used for encryption
  • For symmetric block encryption algorithms, a minimum key length of 128 bits is required. The only block encryption algorithm recommended for new code is AES (AES-128, AES-192 and AES-256 are all acceptable)
  • Three-key 3DES is currently acceptable if already in use in existing code; transition to AES is recommended. DES, DESX, RC2, and Skipjack are no longer considered secure. These algorithms may only be used for decrypting existing data for the sake of backward-compatibility, and data should be re-encrypted using a recommended block cipher

Please note that all symmetric block ciphers must be used with an approved cipher mode, which requires use of an appropriate initialization vector (IV). An appropriate IV is typically a random number and never a constant value.

The use of legacy or otherwise unapproved crypto algorithms and smaller key lengths for reading existing data (as opposed to writing new data) may be permitted after your organization's Crypto Board review. However, you must file for an exception against this requirement. Additionally, in enterprise deployments, products should consider warning administrators when weak crypto is used to read data. Such warnings should be explanatory and actionable. In some cases, it may be appropriate to have Group Policy control the use of weak crypto.

Allowed .NET algorithms for managed crypto agility (in order of preference)

  • AesCng (FIPS compliant)
  • AuthenticatedAesCng (FIPS compliant)
  • AESCryptoServiceProvider (FIPS compliant)
  • AESManaged (non-FIPS-compliant)

Please note that none of these algorithms can be specified via the SymmetricAlgorithm.Create or CryptoConfig.CreateFromName methods without making changes to the machine.config file. Also, note that AES in versions of .NET prior to .NET 3.5 is named RijndaelManaged, and that AesCng and AuthenticatedAesCng are available through CodePlex and require CNG in the underlying OS.

Use approved block cipher modes and initialization vectors for symmetric ciphers

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: All symmetric block ciphers must be used with an approved symmetric cipher mode. The only approved modes are CBC and CTS. In particular, the electronic code book (ECB) mode of operation should be avoided; use of ECB requires your organization's Crypto Board review. All usage of OFB, CFB, CTR, CCM, and GCM or any other encryption mode must be reviewed by your organization's Crypto Board. Reusing the same initialization vector (IV) with block ciphers in streaming cipher modes, such as CTR, may cause encrypted data to be revealed. All symmetric block ciphers must also be used with an appropriate initialization vector (IV). An appropriate IV is a cryptographically strong, random number and never a constant value.

Use approved asymmetric algorithms, key lengths, and padding

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

The use of banned cryptographic algorithms introduces significant risk to product security and must be avoided. Products must use only those cryptographic algorithms and associated key lengths and padding that have been explicitly approved by your organization's Crypto Board.

  • RSA: may be used for encryption, key exchange, and signature. RSA encryption must use only the OAEP or RSA-KEM padding modes. Existing code may use the PKCS #1 v1.5 padding mode for compatibility only. Use of null padding is explicitly banned. Keys >= 2048 bits are required for new code. Existing code may support keys < 2048 bits only for backwards compatibility after a review by your organization's Crypto Board. Keys < 1024 bits may only be used for decrypting/verifying old data, and must be replaced if used for encryption or signing operations.
  • ECDSA: may be used for signature only. ECDSA with >=256-bit keys is required for new code. ECDSA-based signatures must use one of the three NIST approved curves (P-256, P-384, or P-521). Curves that have been thoroughly analyzed may be used only after a review with your organization's Crypto Board.
  • ECDH: may be used for key exchange only. ECDH with >=256-bit keys is required for new code. ECDH-based key exchange must use one of the three NIST approved curves (P-256, P-384, or P-521). Curves that have been thoroughly analyzed may be used only after a review with your organization's Crypto Board.
  • DSA: may be acceptable after review and approval from your organization's Crypto Board. Contact your security advisor to schedule your organization's Crypto Board review. If your use of DSA is approved, note that you will need to prohibit use of keys less than 2048 bits in length. CNG supports 2048-bit and greater key lengths as of Windows 8.
  • Diffie-Hellman: may be used for session key management only. Key length >= 2048 bits is required for new code. Existing code may support key lengths < 2048 bits only for backwards compatibility after a review by your organization's Crypto Board. Keys < 1024 bits may not be used.

Use approved random number generators

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Products must use approved random number generators. Pseudorandom functions such as the C runtime function rand, the .NET Framework class System.Random, or system functions such as GetTickCount must, therefore, never be used in such code. Use of the dual elliptic curve random number generator (DUAL_EC_DRBG) algorithm is prohibited.

  • CNG: BCryptGenRandom (use of the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag is recommended unless the caller might run at any IRQL greater than 0, that is, PASSIVE_LEVEL)
  • CAPI: CryptGenRandom
  • Win32/64: RtlGenRandom (new implementations should use BCryptGenRandom or CryptGenRandom), rand_s, or SystemPrng (for kernel mode)
  • .NET: RNGCryptoServiceProvider or RNGCng
  • Windows Store Apps: Windows.Security.Cryptography.CryptographicBuffer.GenerateRandom or .GenerateRandomNumber
  • Apple OS X (10.7+)/iOS (2.0+): int SecRandomCopyBytes(SecRandomRef random, size_t count, uint8_t *bytes)
  • Apple OS X (<10.7): use /dev/random to retrieve random numbers
  • Java (including Google Android Java code): the java.security.SecureRandom class. Note that for Android 4.3 (Jelly Bean), developers must follow the Android recommended workaround and update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random

Do not use symmetric stream ciphers

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Symmetric stream ciphers, such as RC4, must not be used. Instead of symmetric stream ciphers, products should use a block cipher, specifically AES with a key length of at least 128 bits.

Use approved MAC/HMAC/keyed hash algorithms

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Products must use only approved message authentication code (MAC) or hash-based message authentication code (HMAC) algorithms.

A message authentication code (MAC) is a piece of information attached to a message that allows its recipient to verify both the authenticity of the sender and the integrity of the message using a secret key. The use of either a hash-based MAC (HMAC) or block-cipher-based MAC is permissible as long as all underlying hash or symmetric encryption algorithms are also approved for use; currently this includes the HMAC-SHA2 functions (HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) and the CMAC/OMAC1 and OMAC2 block cipher-based MACs (these are based on AES).

Use of HMAC-SHA1 may be permissible for platform compatibility, but you will be required to file an exception to this procedure and undergo your organization's Crypto review. Truncation of HMACs to less than 128 bits is not permitted. Using custom methods to hash a key and data is not approved, and must undergo your organization's Crypto Board review prior to use.

Use only approved cryptographic hash functions

Component: Web Application
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Products must use the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512). If a shorter hash is needed, such as a 128-bit output length in order to fit a data structure designed with the shorter MD5 hash in mind, product teams may truncate one of the SHA2 hashes (typically SHA256). Note that SHA384 is a truncated version of SHA512. Truncation of cryptographic hashes for security purposes to less than 128 bits is not permitted. New code must not use the MD2, MD4, MD5, SHA-0, SHA-1, or RIPEMD hash algorithms. Hash collisions are computationally feasible for these algorithms, which effectively breaks them.

Allowed .NET hash algorithms for managed crypto agility (in order of preference):

  • SHA512Cng (FIPS compliant)
  • SHA384Cng (FIPS compliant)
  • SHA256Cng (FIPS compliant)
  • SHA512Managed (non-FIPS-compliant) (use SHA512 as algorithm name in calls to HashAlgorithm.Create or CryptoConfig.CreateFromName)
  • SHA384Managed (non-FIPS-compliant) (use SHA384 as algorithm name in calls to HashAlgorithm.Create or CryptoConfig.CreateFromName)
  • SHA256Managed (non-FIPS-compliant) (use SHA256 as algorithm name in calls to HashAlgorithm.Create or CryptoConfig.CreateFromName)
  • SHA512CryptoServiceProvider (FIPS compliant)
  • SHA256CryptoServiceProvider (FIPS compliant)
  • SHA384CryptoServiceProvider (FIPS compliant)

Use strong encryption algorithms to encrypt data in the database

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Choosing an encryption algorithm
Steps: Encryption algorithms define data transformations that cannot be easily reversed by unauthorized users. SQL Server allows administrators and developers to choose from among several algorithms, including DES, Triple DES, TRIPLE_DES_3KEY, RC2, RC4, 128-bit RC4, DESX, 128-bit AES, 192-bit AES, and 256-bit AES.

SSIS packages should be encrypted and digitally signed

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: Identify the Source of Packages with Digital Signatures, Threat and Vulnerability Mitigation (Integration Services)
Steps: The source of a package is the individual or organization that created the package. Running a package from an unknown or untrusted source might be risky. To prevent unauthorized tampering of SSIS packages, digital signatures should be used. Also, to ensure the confidentiality of the packages during storage/transit, SSIS packages have to be encrypted.

Add digital signature to critical database securables

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: ADD SIGNATURE (Transact-SQL)
Steps: In cases where the integrity of a critical database securable has to be verified, digital signatures should be used. Database securables such as a stored procedure, function, assembly, or trigger can be digitally signed. Below is an example of when this can be useful: let us say an ISV (Independent Software Vendor) provides support for software delivered to one of their customers. Before providing support, the ISV would want to ensure that a database securable in the software was not tampered with, either by mistake or by a malicious attempt. If the securable is digitally signed, the ISV can verify its digital signature and validate its integrity.

Use SQL server EKM to protect encryption keys

Component: Database
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: SQL Server Extensible Key Management (EKM), Extensible Key Management Using Azure Key Vault (SQL Server)
Steps: SQL Server Extensible Key Management enables the encryption keys that protect the database files to be stored in an off-box device such as a smartcard, USB device, or EKM/HSM module. This also enables data protection from database administrators (except members of the sysadmin group). Data can be encrypted by using encryption keys that only the database user has access to on the external EKM/HSM module.

Use AlwaysEncrypted feature if encryption keys should not be revealed to Database engine

Component: Database
SDL Phase: Build
Applicable Technologies: SQL Azure, OnPrem
Attributes: SQL Version - V12, MsSQL2016
References: Always Encrypted (Database Engine)
Steps: Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in Azure SQL Database or SQL Server databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to the Database Engine (SQL Database or SQL Server). As a result, Always Encrypted provides a separation between those who own the data (and can view it) and those who manage the data (but should have no access).

Store Cryptographic Keys securely on IoT Device

Component: IoT Device
SDL Phase: Build
Applicable Technologies: Generic
Attributes: Device OS - Windows IoT Core, Device Connectivity - Azure IoT device SDKs
References: TPM on Windows IoT Core, Set up TPM on Windows IoT Core, Azure IoT Device SDK TPM
Steps: Store symmetric or certificate private keys securely in hardware-protected storage such as TPM or smart card chips. Windows 10 IoT Core supports the use of a TPM, and there are several compatible TPMs that can be used: https://docs.microsoft.com/windows/iot-core/secure-your-device/tpm#discrete-tpm-dtpm. It is recommended to use a firmware or discrete TPM. A software TPM should only be used for development and testing purposes. Once a TPM is available and the keys are provisioned in it, the code that generates the token should be written without hard-coding any sensitive information in it.

Example

In this example, the device primary key is not present in the code. Instead, it is stored in the TPM at slot 0. The TPM generates a short-lived SAS token that is then used to connect to the IoT Hub.

Generate a random symmetric key of sufficient length for authentication to IoT Hub

Component: IoT Cloud Gateway
SDL Phase: Build
Applicable Technologies: Generic
Attributes: Gateway choice - Azure IoT Hub
References: N/A
Steps: IoT Hub contains a device Identity Registry and, while provisioning a device, automatically generates a random symmetric key. It is recommended to use this feature of the Azure IoT Hub Identity Registry to generate the key used for authentication. IoT Hub also allows for a key to be specified while creating the device. If a key is generated outside of IoT Hub during device provisioning, it is recommended to create a random symmetric key of at least 256 bits.

Ensure a device management policy is in place that requires the use of a PIN and allows remote wiping

Component: Dynamics CRM Mobile Client
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure a device management policy is in place that requires the use of a PIN and allows remote wiping.

Ensure a device management policy is in place that requires a PIN/password/auto lock and encrypts all data (e.g. BitLocker)

Component: Dynamics CRM Outlook Client
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps: Ensure a device management policy is in place that requires a PIN/password/auto lock and encrypts all data (e.g. BitLocker).

Ensure that signing keys are rolled over when using Identity Server

Component: Identity Server
SDL Phase: Deployment
Applicable Technologies: Generic
Attributes: N/A
References: Identity Server - Keys, Signatures and Cryptography
Steps: Ensure that signing keys are rolled over when using Identity Server. The link in the references section explains how this should be planned without causing outages to applications relying on Identity Server.

Ensure that cryptographically strong client ID, client secret are used in Identity Server

Component: Identity Server
SDL Phase: Build
Applicable Technologies: Generic
Attributes: N/A
References: N/A
Steps:

Ensure that cryptographically strong client ID, client secret are used in Identity Server. The following guidelines should be used while generating a client ID and secret:

  • Generate a random GUID as the client ID
  • Generate a cryptographically random 256-bit key as the secret
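Added example (Go, crypto/rand; not from this page or from Microsoft) for the two guidelines above and for the approved-RNG rule earlier on the page: a random version 4 GUID for the client ID, a 256-bit secret drawn from the OS CSPRNG and base64-encoded for storage, and a check that a stored secret still meets the 256-bit floor. The same NewClientSecret call covers the 256-bit IoT Hub device key recommended above; the function names and the base64 storage format are my assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewClientSecret returns a base64-encoded secret of the requested size drawn
// from the OS cryptographic RNG (crypto/rand), never from a seeded PRNG such
// as math/rand. The page's floor for this use is 256 bits (32 bytes).
func NewClientSecret(bytesLen int) (string, error) {
	if bytesLen < 32 {
		return "", errors.New("secret must be at least 256 bits")
	}
	buf := make([]byte, bytesLen)
	if _, err := rand.Read(buf); err != nil { // fail closed; no weaker fallback
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

// NewClientID builds a random (RFC 4122 version 4) GUID from 16 CSPRNG bytes,
// setting the version and variant bits so it is a well-formed client ID.
func NewClientID() (string, error) {
	var u [16]byte
	if _, err := rand.Read(u[:]); err != nil {
		return "", err
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16]), nil
}

// SecretBytes decodes a stored secret and reports whether it still meets the
// 256-bit floor, e.g. when auditing registered clients or IoT device keys.
func SecretBytes(encoded string) ([]byte, error) {
	b, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(b) < 32 {
		return nil, errors.New("stored secret is shorter than 256 bits")
	}
	return b, nil
}

func main() {
	id, _ := NewClientID()
	secret, _ := NewClientSecret(32)
	fmt.Println("client_id:", id, "client_secret:", secret)
}
```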