Microsoft Defender for Business post setup wizard recommendations

image

Let’s say that you have kicked off the Microsoft Defender for Business setup wizard as shown above. For the purposes of this article I’ll also assume that this is part of a Microsoft 365 Business Premium tenant.

image

Let’s assume that you have now completed that process, which you can read about here:

Use the setup wizard in Microsoft Defender for Business

image

After the wizard has completed I suggest you head to the Settings options in https://security.microsoft.com and then select Endpoints and finally, select Advanced features, where you should see the above screen full of options on the right.

At this point I’d suggest you go and enable all the options listed. Now, not all of them will be relevant but I’d still recommend they be turned on none the less. Do it once and you won’t need to come back is my philosophy.

Leave that location open as we’ll be coming back here.

image

Next, head over to your Microsoft Endpoint Manager and select Endpoint security on the left, then Microsoft Defender for Endpoint, which should result in the above screen.

Here you want to ensure the Connection status is Enabled (i.e. green check mark) as shown.

If it isn’t for some reason, then head back to https://security.microsoft.com, Settings, Endpoint, Advanced features.

image

Scroll through the list of items until you find the Microsoft Intune connection as shown above. Ensure that it is turned On. If it isn’t, turn it On, wait at least 15 minutes and check back in Endpoint Manager for the Connection status to be Enabled (i.e. you see the green check mark). If it is already On and the green check mark doesn’t appear, turn the setting Off for at least 15 minutes and then turn it back On. You know, kinda reboot it. The connection status should go green after that in my experience.

image

When the Connection status is Enabled go and turn all the options on the page to On as shown above.

image

Return to https://security.microsoft.com and select the Onboarding option as shown above.

My recommendation is that you manually onboard the first Windows 10 device in your environment using a local script. That will ensure everything is working quickly and easily.

Simply download the script provided and run it on one of the Endpoint Manager enrolled devices in your environment.

image

Once the script has run successfully return to the console and select Device inventory from the menu on the left as shown. Within 15 minutes or so, you should see the machine that you ran the script on appear here.

Congratulations, you have successfully onboarded your first device to Defender for Business in your tenant. You are now free to continue to configure additional devices using the policies provided. I always like to do the very first device in the environment manually so I know everything is working as expected. If I then get issues, I know to troubleshoot my deployment policies.

Need to Know podcast–Episode 283

I’m once again joined by Jeff Alexander from Microsoft to talk about the latest security developments in the Microsoft Defender platform. I’ll also share the latest news and updates from the Microsoft Cloud.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-283-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2021.

Brought to you by www.ciaopspatron.com

Resources

Jeff Alexander

Microsoft 365 Defender

Become a Microsoft 365 Defender Ninja

Microsoft 365 Defender short and sweet videos

Microsoft Digital Defense Report 2021

Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users

Streamlining the submissions experience in Microsoft Defender for Office 365

Cyber Signals: Defending against cyber threats with the latest research, insights, and trends

Helping users stay safe: Blocking internet macros by default in Office

New settings available to configure local user group membership in endpoint security

Announcing general availability of vulnerability management support for Android and iOS

Windows 365 Enterprise: February 2022 updates

Sending From Email Aliases – Public Preview

Defender for Endpoint remediation levels

If you read the Microsoft documentation:

Automation levels in automated investigation and remediation capabilities

you find that there are 5 different levels of remediation automation you can set:

– No automated response

– Semi – require approval for all folders

– Semi – require approval for non-temp folders

– Semi – require approval for core folders

– Full – remediate threats automatically

which are all detailed here:

Levels of Automation

Note:

Full automation is recommended and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

Thus, Automation levels rely on Device Groups in Defender for Endpoint.

image

You see this when you create a Device Group as shown above.

image

With Defender for Endpoint P2 you find Device Groups via https://security.microsoft.com | Settings | Endpoints | Device groups as shown above.

image

However, with Defender for Business (above), you’ll see that there are no options currently for Device Groups. This basically means that the all remediation will be performed automatically.

I don’t that it is really a problem, but is another difference between Defender for Endpoint P2 and Defender for Business. I have not tested Defender for Endpoint P1 but I assume that it have the same lack of Device Groups as Defender for Business has, but I would to check to be 100% sure.

Defender for Endpoint server licensing

I will preface this with the ‘standard’ disclosure here that:

1. I am not a licensing expert

2. You should speak with a licensing expert to obtain clarification and verification of anything here

3. I have done my best in regards the information presented here but it may change over time, so again see point 2.

With that out of the way, a very common question I receive is around the licensing of servers with Defender for Endpoint. The summary I have found, taken from a reply from Microsoft licensing I found is the following:

In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. Microsoft Defender for Endpoint Server is an add-on for customers with a combined minimum of 50 licenses of eligible Microsoft Defender for Endpoint SKUs.

Microsoft Defender for Endpoint (Server)

When you have acquired a separate Microsoft Defender for Endpoint (Server) license, you cannot assign them to a specific server or whatsoever. You need to make sure you own the number of licenses with the amount of Windows Servers you want to provision with Microsoft Defender for Endpoint (Server). If you don’t have the right amount of licenses in your Microsoft 365 tenant, then you can still roll out MDE for Server because there is no technical limitation to it, you are just not compliant at that moment in an audit.

Microsoft Defender for Cloud

If you do have not enough licenses of the products from above, you cannot license your Windows Serves with a separate MDE for Server license. Then you have to use Microsoft Defender for Cloud.

When your Windows Servers are already running within Azure, it’s just enabling the Defender Standard license and enabling your server protection. When your Windows Servers are running On-Premise (e.x. VMware ESXi/Hyper-V) you have to install the Arc Agent on your servers and then they are visible as Virtual Machines in your Microsoft Azure Portal.

Conclusion

You got two ways of licensing your Windows Servers with MDE for Servers. Through Microsoft Defender for Cloud, then you do not have to acquire at minimum 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses. Or acquire a separate MDE for Server license when you have at least 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses.

More info:

For most, this boils down to the fact that if you don’t have at least 50 x Microsoft 365 E5 (and I also assume, or Defender for Endpoint P2), then you need to purchase Microsoft Defender for Cloud using the Azure portal to cover any servers for Defender for Endpoint.

This would seem to imply that if you implement Defender for Business, when it becomes fully available, you’ll need to use Defender for Cloud even if you have 50 or more licenses. That may of course change when Defender for Business goes GA but my guess at this stage would be it won’t.

Now, even if you have 50 or more licenses of Microsoft E5 (or again I assume, or Defender for Endpoint P2), then you’ll need to purchase the Defender for Endpoint (Server) license for each server you wish to cover. That license is available in 2 versions, monthly and annually:

Monthly Billing

MS SKU = 350158A2-F253-4EA3-988E-EEF9D1B828CF
MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR MTH SUB – AU$7.10 ex


Annual Billing

MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR ANL SUB – AU$85.20 ex


As I also understand it, this Defender for Endpoint (Server) SKU can also only be purchased via CSP not direct. That means, it has to be purchased through a reseller not via the Microsoft 365 administration portal using just a credit card.

The more common option I suspect, given the limitations, is going to be Microsoft Defender for Cloud, which is purchased via Azure.

image

Which means you fire up the Azure pricing calculator and plug in the details to obtain a price. That should result in the above result of around A$21 per month, per server.

Hopefully, all this answers most questions and I’ve done my best to ensure it is correct but as always, please check for yourself. For most, the solution to licensing servers for Defender for Endpoint will mean obtaining Microsoft Defender for Cloud and the cost for that will be about A$21 per server per month.

Using Defender for Endpoint to protect your network devices

An added benefit of Defender for Endpoint is it’s ability to scan and report vulnerabilities with your network devices (routers, switches, etc). It does this by using SNMP, so the starting point is to set that up in your environment on your network devices.

image

Once you have onboarded Windows 10 devices to Defender for Endpoint you can use one of these to ‘scan’ your network devices via SNMP.

To do this follow the step by step process to download and install the scanner in this article:

Network device discovery and vulnerability assessments – Microsoft Tech Community

you can also refer to  this documentation

Network device discovery and vulnerability management | Microsoft Docs

In short, you need to install and agent from the Defender for Endpoint console, then configure it to scan your SNMP environment and IP range. The results from this will be reported back into the Device inventory.

Interestingly, the documentation states:

The following operating systems are currently supported:

  • Cisco IOS, IOS-XE, NX-OS

  • Juniper JUNOS

  • HPE ArubaOS, Procurve Switch Software

  • Palo Alto Networks PAN-OS

but when I set this up in my environment

image

the Ubiquiti equipment I use was also reporting as shown above (excellent!).

image

I can drill into any network device and see alerts, security recommendations, etc. None to see here as my gear is up to date but this is a super handy feature when you are facing challenges like Log4j vulnerability, even in small environments.

The main thing is to get the SNMP environment set up for your network devices and then configure a Defender for Endpoint scanner in that environment. Within no time you’ll have additional network device information flowing into your Defender for Endpoint console. This is really going to help you keep your whole environment secure and make it easy to monitor from a single location.

Custom web filtering for Microsoft Defender for Endpoint

In a recent post I showed how you can enable web filtering with Defender for Endpoint using the built in blocked categories method.

Enabling web filtering with Microsoft Defender for Endpoint

The limits of this approach are that you can only use the categories that have been provided (i.e. Adult content, High bandwidth, Legal liability, Leisure and Uncategorized). An interesting omission, in my opinion, is the ability to block social networking (i.e. Twitter, Facebook, etc).

You can achieve custom web filtering with Microsoft Defender for Endpoint if you wish using the custom indicator approach.

image

You’ll first need to ensure that custom network indicators have been enabled in your environment. You do this by navigating to  https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Endpoints.

image

From the menu that now appears, select Advanced features. Ensure that the Custom network indicators option is turned on as shown. Don’t forget to save any changes with the Save preferences button at the bottom of the page.

image

To enable a custom  indicator, navigate to https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Indicators. On the right you can create an indicator as File hash, IP address, URL or Certificate. In this case, select URLs/Domains. Then select the option to Add item.

image

Enter the URL you wish to block and select whether you wish an expiry date for this indicator. Unfortunately, you can’t use wildcard characters here, it must be the direct URL. Press the Next button to continue.

image

Select the action you wish to take (Allow, Audit, Warn, Block execution). It is also recommended that you select the Generate Alert option so that information can be shared with other applications such as Azure Sentinel, which I’ll cover in an upcoming article. Also, give the alert a descriptive title (I suggest you mention the particular web site you are blocking here). Scroll down the page to continue.

image

Enter the Alert severity, Category as well as the Recommended actions and a Description as shown above. Press the Next button at the bottom of the page when complete.

image

View the summary that is now displayed and press the Save button at the bottom of the screen.

image

You should see your entry listed as shown above. You can edit this by simply clicking on it. You also delete the indicator once you edit it.

Also note the Import menu option that allows you to import a list of items from a CSV file.

Now according to the Microsoft documentation:

Create indicators for IPs and URLs/domains

– Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

– URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode.

– Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022

– Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.

– If there are conflicting URL indicator policies, the longer path is applied. That is, the more specific path.

– Only single IP addresses are supported (no CIDR blocks or IP ranges).

– Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)


Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

– Full URL path blocks can be applied on the domain level and all unencrypted URLs

– There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. My personal experience is around 45 minutes.

image

Enforced result on Edge. If you use third party browsers, and the site is encrypted (i.e. uses https) it will not be blocked as mentioned above.

Adding indicators using the web and even importing using a CSV is somewhat time consuming and cumbersome, especially if you have a standard set you wish to block. I’ll show you how to add indicators using a script and API calls in an upcoming post. so stay tuned for that.

Remember, that you can use these indicators to not only block but also warn and audit if you wish. You can also have a number of different indicators and types. I’d also recommend you take a look at this article from Microsoft:

Best practices for optimizing custom indicators

when you start creating these custom indicators.

All the Microsoft Defender for Endpoint options

It is important to understand that there are current 3 plans for Defender for Endpoint

1. P1

2. Defender for Business

3. P2

Note: that Defender for Business is currently in preview.

image

The indicated general available is late February/early March per the above Message Center item.

I have perhaps been some what cavalier in the screens I have shared with a few posts of late. This could potentially lead to confusion about what plans include when I am showing screens from plans that maybe different from what people assume it is.

The issue is not with the functionality, the issue is that what I have shown may not be identical to the specific plan I’m focusing on. In essence, if you look at your screen and what I have shown, you might see differences in the total number of options available for example.

So, let’s clear all that up with a look at the three plans and their differences.

This is probably the best place to start:

Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2

The following provides a more current granular break down:

image

image

Some other helpful links:

Microsoft Defender for Endpoint

Overview of Microsoft Defender for Endpoint Plan 1

HadleyE_0-1636992556830.png

Microsoft Defender for Endpoint Plan 1 and Plan 2

Microsoft Defender for Business

Overview of Microsoft Defender for Business (preview)

Compare security features in Microsoft Defender for Business to Microsoft 365 Business Premium

There are also differences in the options available in the interface. For example with Defender for Endpoint P2 you see the following in Settings | Endpoints:

image

While in Defender for Business you only see:

image

Key items like Onboarding, Offboarding and Web content filtering etc. still appear but a significant amount of other don’t. This is where some of the confusion may lie with my previous content (sorry). Hopefully people aren’t too fazed by stuff not being there as they can still get to the stuff I do call out. However, it is on me to do a like for like if I do show screens. So, going forward I’ll do my best to do that to avoid the confusion around all these Defender for Endpoints.

Of course, this will change over time and I’ll try and update my future articles to reflect that.