メインコンテンツへスキップ

Enable Vulnerability Scanning

Implementation Effort: Medium
Security and IT teams must configure vulnerability scanning across Azure, hybrid, and multicloud environments using either agentless or agent-based methods.

User Impact: Low
Vulnerability scanning is managed by administrators and security teams; end users are not directly involved.

Overview

Microsoft Defender for Servers includes integrated vulnerability scanning capabilities through Microsoft Defender Vulnerability Management (MDVM). This helps identify weaknesses in server workloads across Azure, AWS, GCP, and on-premises environments.

Scanning Methods

  • Agentless Scanning:

    • Enabled by default with Defender for Servers Plan 2 or Defender CSPM.
    • Requires no software installation on the VM.
    • Ideal for quick deployment and broad coverage.
  • Agent-Based Scanning:

    • Available with Defender for Servers Plan 1 or Plan 2.
    • Uses Microsoft Defender for Endpoint or other supported agents.
    • Offers deeper insights and real-time protection.

How to Enable Vulnerability Scanning

  1. Navigate to Defender for Cloud > Environment Settings.
  2. Select the relevant subscription.
  3. Under Monitoring coverage, choose the Defender for Servers plan and click Settings.
  4. In Settings and monitoring, turn on Vulnerability assessment for machines.
  5. Click Edit configuration to choose an assessment solution (e.g., MDVM).
  6. Click Apply and Save 1.

For Individual Machines

  • Go to the Inventory page and filter for Unhealthy resources.
  • Look for the recommendation: "Machines should have a vulnerability assessment solution."
  • Follow the remediation steps to enable scanning on those machines.

Failing to enable vulnerability scanning can leave critical vulnerabilities undetected, increasing the risk of exploitation. This capability supports the "Assume Breach" principle of Zero Trust by proactively identifying and mitigating weaknesses before they are exploited.

Reference