Responding to detected vulnerabilities
Applies To: Forefront Client Security
During security state assessment (SSA) scans, Client Security may detect a vulnerability. The definitions that Client Security uses to identify vulnerabilities provide a score and a severity for each vulnerability. The score represents the risk that a vulnerability will be exploited. The severity represents the possible consequences of the vulnerability.
The following table describes the possible vulnerability scores.
Score | Description |
---|---|
High | The computer is at high risk of exploitation by a threat. |
Medium | The computer is at moderate risk of exploitation by a threat. This could indicate that exposure to the vulnerability is mitigated by the configuration of the computer. |
Low | The computer is at low risk of exploitation by a threat. Note: The Client Security agent does not report check results with a Low score to the collection server. The events remain in the Application log on the client computer. |
Informational | No risk level is assigned. Use the information to assess the risk level of the vulnerability. Typically, when the settings examined by an SSA check are configured by Group Policy on the scanned computer, the resulting score is Informational. It is assumed that settings configured by Group Policy conform to your organization's standards and are therefore intentional. Note: The Client Security agent does not report check results with an Informational score to the collection server. The events remain in the Application log on the client computer. |
Error | No risk level could be determined. The console encountered an error. This could indicate an invalid or unexpected configuration for the computer. |
If Client Security assigns a vulnerability a score of Low or Informational, the vulnerability does not appear in reports.
The following table describes the possible vulnerability severities. Severities are assigned to vulnerabilities by the Microsoft Security Response Center (MSRC).
Severity | Description |
---|---|
Critical | The vulnerability could allow, without user action, the propagation of an Internet worm. |
Important | The vulnerability could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. |
Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
Low | Exploitation of the vulnerability is extremely difficult or the impact is minimal. |
Not applicable | The vulnerability is not related to a specific MSRC security bulletin. |
Responding to security state assessment events
Your response to an SSA event depends on whether the vulnerability is intentional or unintentional.
Vulnerabilities may be unintentional, such as unapplied security updates or a user action that renders a computer susceptible to a threat.
Many organizations also have intentional vulnerabilities that cannot be removed. For example, a server might use the FAT file system so that it can share information with computers running old operating systems. Each SSA scan will generate an event because of the FAT drives, but these events are not useful because the vulnerability is intentional.
To respond to an unintentional vulnerability event
Use the Properties tab to determine what vulnerability was found and use the links to the Security State Assessment report to learn more about the vulnerability and how to resolve it.
If the vulnerability is unintentional, take the appropriate actions to resolve it.
After the next SSA scan of the computer, view the Computer Detail report for that computer and ensure that the vulnerability no longer exists.