Responding to detected vulnerabilities

Published: December 16, 2009

Applies To: Forefront Client Security

During SSA scans, Client Security may detect a vulnerability. The definitions that Client Security uses to identify vulnerabilities provide a score and a severity for each vulnerability. The score represents the risk that a vulnerability will be exploited. The severity represents the possible consequences of the vulnerability.

The following table describes the possible vulnerability scores.

 

Score Description

High

The computer is at high risk of exploitation by a threat.

Medium

The computer is at moderate risk of exploitation by a threat. This could indicate that exposure to the vulnerability is mitigated by the configuration of the computer.

Low

The computer is at low risk of exploitation by a threat.

noteNote:
The Client Security agent does not report check results with a Low score to the collection server. The events remain in the Application log on the client computer.

Informational

No risk level is assigned. Use the information to assess the risk level of the vulnerability.

Typically, when the settings examined by an SSA check are configured by Group Policy on the scanned computer, the resulting score is Informational. It is assumed that settings configured by Group Policy conform to your organization's standards and are therefore intentional.

noteNote:
The Client Security agent does not report check results with an Informational score to the collection server. The events remain in the Application log on the client computer.

Error

No risk level could be determined. The console encountered an error. This could indicate an invalid or unexpected configuration for the computer.

If Client Security assigns a vulnerability a score of Low or Informational, the vulnerability does not appear in reports.

The following table describes the possible vulnerability severities. Severities are assigned to vulnerabilities by the Microsoft Security Response Center (MSRC).

 

Severity Description

Critical

The vulnerability could allow, without user action, the propagation of an Internet worm.

Important

The vulnerability could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.

Moderate

Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low

Exploitation of the vulnerability is extremely difficult or the impact is minimal.

Not applicable

The vulnerability is not related to a specific MSRC security bulletin.

Responding to security state assessment events

Your response to an SSA event depends on whether the vulnerability is intentional or unintentional.

Vulnerabilities may be unintentional, such as unapplied security updates or a user action that renders a computer susceptible to a threat.

Many organizations also have intentional vulnerabilities that cannot be removed. For example, a server might use the FAT file system so that it can share information with computers running old operating systems. Each SSA scan will generate an event because of the FAT drives, but these events are not useful because the vulnerability is intentional.

To respond to an unintentional vulnerability event

  1. Use the Properties tab to determine what vulnerability was found and use the links to the Security State Assessment report to learn more about the vulnerability and how to resolve it.

  2. If the vulnerability is unintentional, take the appropriate actions to resolve it.

  3. After the next SSA scan of the computer, view the Computer Detail report for that computer and ensure that the vulnerability no longer exists.

 
Show: