Information about SharePoint, Microsoft 365, Azure, Mobility and Productivity from the Computer Information Agency
Slides from this month’s webinar are at:
https://www.slideshare.net/directorcia/january-2023-ciaops-need-to-know-webinar
If you are not a CIAOPS patron you want to view or download a full copy of the video from the session you can do so here:
http://www.ciaopsacademy.com.au/p/need-to-know-webinars
Watch out for next month’s webinar.
In today’s digital world, endpoint security is more important than ever. With the rise of cyberattacks and malware, it’s essential to have a robust security solution in place to protect your business from potential threats. One of the best options available is Microsoft Defender for Endpoint. In this blog post, we’ll take a look at the benefits of using Microsoft Defender for Endpoint to secure your business.
Real-time protection: Microsoft Defender for Endpoint provides real-time protection against malware and other threats. It uses advanced threat intelligence to detect and block malicious activity, keeping your business safe from harm.
Cloud-based: Microsoft Defender for Endpoint is a cloud-based solution, which means it can be accessed from anywhere with an internet connection. This makes it easy to manage and monitor your security, even when you’re on the go.
Easy to use: The user interface of Microsoft Defender for Endpoint is simple and easy to navigate. This makes it easy for even the most non-technical users to manage and monitor their security.
Automated security: Microsoft Defender for Endpoint automates many of the security processes, such as malware scanning and vulnerability assessments. This helps to reduce the risk of human error and ensures your security is always up-to-date.
Integration with other Microsoft products: Microsoft Defender for Endpoint integrates seamlessly with other Microsoft products, such as Office 365 and Azure. This allows for a more comprehensive security solution, as well as improved collaboration and productivity.
Advanced threat protection: Microsoft Defender for Endpoint offers advanced threat protection, including behavioral-based detection, machine learning, and ransomware protection. This provides an extra layer of security to keep your business safe from even the most sophisticated attacks.
Compliance and regulatory standards : Microsoft Defender for Endpoint can help you meet compliance and regulatory standards, such as HIPAA and PCI-DSS. This can help to reduce the risk of fines and reputational damage caused by non-compliance.
In conclusion, Microsoft Defender for Endpoint is an excellent security solution that offers real-time protection, cloud-based management, easy usability, automation, integration with other Microsoft products, advanced threat protection and compliance and regulatory standards. It is essential for any business looking to secure their endpoints. By using Microsoft Defender for Endpoint, you can rest assured that your business is protected from potential threats and that you are meeting compliance standards.
———————————————————————————————
If you have read this far, then you’ll really know that this post is about ChatGPT rather than Microsoft Defender for Endpoint.
This is what I asked ChatGPT to do:
write a blog post on the benefits of Microsoft defender for endpoint
Now it can also generate code as well like the response to:
create a powershell script to connect to Exchange online
to which it gave me:
Here is a basic PowerShell script that can be used to connect to Exchange Online:
$UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session
This script will prompt the user to enter their Exchange Online credentials, and then create a new PowerShell session using those credentials. It will then import the session, allowing you to run Exchange Online cmdlets. You can then run command specific to your needs like, getting mails, setting mailbox etc.
It is important to note that in order to run this script, you will need to have the Exchange Online PowerShell module installed on your machine. Also, make sure that you have the necessary permissions to access the Exchange Online instance.
Of course none of these answers are ‘prefect’, however they are surprisingly good and will be for many a great time saver. If you ask people what the toughest part of any process is, most will say that just getting started is. So using ChatGPT to at least handle this task should make it far easier to kick off any process. Best of all? You can do that today!
The interesting thing for me is that at the moment ChatGPT is just a stand alone chat style question and answer application. However, what happens when it starts being integrated with other service via API calls? What happens when the power of ChatGPT increases and improves.
If you have been at this IT ‘stuff’ for a long as I have you’ve seen many ‘revolutions’ and ‘this changes everything’ moments, many of which didn’t pan out. If nothing else, I think ChatGPT has lifted consciousness about AI and what it can potentially do to the wider population audience (i.e. muggels). What happens after that is the interesting part. Will that ‘enlightenment’ kick ChatGPT to the next level or will fade back into the shadows to be reborn again in the future? Only time will tell.
However, I think that if you are interested in seeing where ChatGPT could go then start using as I have and exploring the possibilities. I can honestly say it has helped me commercially (this blog post is a good example, even the part ChatGPT didn’t write for me). The best way to sum it up at this stage is:
We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction. – Bill Gates
Who knows? In a short while maybe I can automate ChatGPT to do all my blog posts and you’d never be the wiser!
Link to video = https://www.youtube.com/watch?v=CQOcUrS93FA
Thanks to the integration between Microsoft Edge browser, Cloud Apps Discovery (which is part of Defender for Cloud Apps) and Defender for Endpoint you can quickly and easily block most web based applications. In the example I prevent Facebook access on a Windows 11 device using the Edge browser. It is important to note that this blocking capability currently won’t work with third party browsers, however there are other ways of blocking sites with these browsers using other methods that are not covered in this video.
[CORRECTION] – Please note that in the video I may have indicated that this is possible with Microsoft 365 Business Premium. By default, it is not. Apologies for the confusion I may have caused here
This is a video run through of the recent articles I wrote:
Microsoft Defender for Endpoint device isolation
Microsoft Defender for Endpoint restrict app execution
This video will show you how to both isolate a device and restrict app execution on a device. Both of these are great ways to respond to a suspected device security threat and limit security breeches while still allowing remote troubleshooting.
In a recent blog I looked at how Microsoft Defender for Endpoint can allow an administrator to restrict a device from communicating with everything except the Defender for Endpoint admin console. You’ll find that post here:
Microsoft Defender for Endpoint device isolation
Isolating a device is a pretty drastic measure, however Defender for Endpoint does have another device restriction option that is probably less intrusive known as Restrict app execution.
What Restrict app execution does is that it present applications that are not signed by Microsoft from running.
To Restrict app execution on a device firstly navigate to:
https://security.microsoft.com
and select the Device inventory from the options on the left. This will display a list of all the devices that Defender for Endpoint knows about. Select the device you wish to isolate from the list. In the top right hand side should appear an option Restrict app execution as shown above.
Once you select this option you’ll need to provide a reason for this restriction and press the Confirm button. This action will be logged in the admin console for later reference.
You will see the action item display as shown above. You can also cancel if required here.
On the device, in a matter of moments, a message will now appear:
and if a non Microsoft application is run you’ll see:
putty.exe
Brave browser
This process is using Windows Defender Application Control (WDAC) that I have spoken about before:
Windows Defender Application Control (WDAC) basics
which you can apply yourself via a policy, but in this case, it is being applied on the fly, which is impressive!
To remove this device restriction, all you need to do is select
the Remove app restriction which can be again found in the top right of the device page.
You’ll again be prompted to enter a reason for removing the restriction and then you’ll need to select the Confirm button.
The Action center confirmation will then appear as shown above and in a very short period of time the restriction will be removed from the device.
These confirmation can be found in the Action center option on the left hand side menu under the Actions & submissions item as shown above.
This is handy option in Defender for Endpoint for isolating a possible security issue on a device while minimising the impact to the user. Of course, smart attackers will use Microsoft tools located on the device, such as PowerShell to compromise machines to avoid this restriction. However, typically, they will also need to run a non-Microsoft application somewhere along the line which this technique will block.
For more information about Microsoft Defender Restrict app execution see the Microsoft documentation here:
and remember that Restrict app execution is another feature that can be used with Defender for Endpoint when responding to security threats on devices.
Let’s say that you have device that you believe has a security threat serious enough that it should be ‘unplugged’ from the network. Doing so physically makes it hard to troubleshoot any incident unless you are in front of that machine. However, Defender for Endpoint allows you to isolate the machine from the network while still remaining connected to the Defender for Endpoint console.
To initiate the device isolation navigate to:
https://security.microsoft.com
and select the Device inventory option from the menu on the left hand side. That should show you a list of all devices that Defender for Endpoint knows about. Select the device you wish to isolate from the list that appears.
In the top right side of the device page you will find the option to Isolate a device. If you can’t see that option check the ellipse (three dots). Select the ellipse to display the menu shown above. In that menu should be an option Isolate device, which you should select.
You’ll now see a dialog appear as shown above asking you to confirm that you wish to isolate the selected device. You also have the option here to allow Outlook, Teams and Skype for Business while device is isolated if desired. You’ll also need to enter a reason for isolating the device. When all that is done, select the Confirm button.
You should now see the action confirmed in the security console as shown above. You also have the ability to cancel this if needed here.
Almost immediately, the device being isolated will warn the current use that isolation is taking place and the network is disabled as shown above. At that point the user will no longer be able to navigate beyond their current machine (i.e. no browsing Internet or local LAN, no printing and no emails). More importantly, any other covert sessions will also be blocked preventing a security threat from spreading.
As an administrator you will however be able to launch a Live response session in the Defender console, as shown above, to triage the device and run PowerShell scripts if needed.
If you now look in the menu in the top right of this device when you have completed your work, you will see an option Release from isolation as shown above, for that device.
You will once again need to provide a reason why this device is being released from insolation and then select the Confirm button to complete the process.
The Action center will appear again as the isolation is removed. You again, have the option to cancel this if you wish.
The history of the actions taken to isolate and release the device can be found in the Action center menu option under the Actions & submissions heading on the left in the Microsoft Security center.
Defender for Endpoint allow you to quickly and easily isolate a suspected device from all network connections but allow it to remain connected to the Defender console for remote troubleshooting. If you want to read more about this process then consult the Microsoft documentation here:
Let’s say that you have kicked off the Microsoft Defender for Business setup wizard as shown above. For the purposes of this article I’ll also assume that this is part of a Microsoft 365 Business Premium tenant.
Let’s assume that you have now completed that process, which you can read about here:
Use the setup wizard in Microsoft Defender for Business
After the wizard has completed I suggest you head to the Settings options in https://security.microsoft.com and then select Endpoints and finally, select Advanced features, where you should see the above screen full of options on the right.
At this point I’d suggest you go and enable all the options listed. Now, not all of them will be relevant but I’d still recommend they be turned on none the less. Do it once and you won’t need to come back is my philosophy.
Leave that location open as we’ll be coming back here.
Next, head over to your Microsoft Endpoint Manager and select Endpoint security on the left, then Microsoft Defender for Endpoint, which should result in the above screen.
Here you want to ensure the Connection status is Enabled (i.e. green check mark) as shown.
If it isn’t for some reason, then head back to https://security.microsoft.com, Settings, Endpoint, Advanced features.
Scroll through the list of items until you find the Microsoft Intune connection as shown above. Ensure that it is turned On. If it isn’t, turn it On, wait at least 15 minutes and check back in Endpoint Manager for the Connection status to be Enabled (i.e. you see the green check mark). If it is already On and the green check mark doesn’t appear, turn the setting Off for at least 15 minutes and then turn it back On. You know, kinda reboot it. The connection status should go green after that in my experience.
When the Connection status is Enabled go and turn all the options on the page to On as shown above.
Return to https://security.microsoft.com and select the Onboarding option as shown above.
My recommendation is that you manually onboard the first Windows 10 device in your environment using a local script. That will ensure everything is working quickly and easily.
Simply download the script provided and run it on one of the Endpoint Manager enrolled devices in your environment.
Once the script has run successfully return to the console and select Device inventory from the menu on the left as shown. Within 15 minutes or so, you should see the machine that you ran the script on appear here.
Congratulations, you have successfully onboarded your first device to Defender for Business in your tenant. You are now free to continue to configure additional devices using the policies provided. I always like to do the very first device in the environment manually so I know everything is working as expected. If I then get issues, I know to troubleshoot my deployment policies.
I’m once again joined by Jeff Alexander from Microsoft to talk about the latest security developments in the Microsoft Defender platform. I’ll also share the latest news and updates from the Microsoft Cloud.
Take a listen and let us know what you think – feedback@needtoknow.cloud
You can listen directly to this episode at:
https://ciaops.podbean.com/e/episode-283-jeff-alexander/
Subscribe via iTunes at:
https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2
The podcast is also available on Stitcher at:
http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr
Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.
This episode was recorded using Microsoft Teams and produced with Camtasia 2021.
Brought to you by www.ciaopspatron.com
Resources
Become a Microsoft 365 Defender Ninja
Microsoft 365 Defender short and sweet videos
Microsoft Digital Defense Report 2021
Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users
Streamlining the submissions experience in Microsoft Defender for Office 365
Cyber Signals: Defending against cyber threats with the latest research, insights, and trends
Helping users stay safe: Blocking internet macros by default in Office
New settings available to configure local user group membership in endpoint security
Announcing general availability of vulnerability management support for Android and iOS
CIAOPS 