Defender for Endpoint device execution restrictions

This is a video run through of the recent articles I wrote:

Microsoft Defender for Endpoint device isolation

Microsoft Defender for Endpoint restrict app execution

This video will show you how to both isolate a device and restrict app execution on a device. Both of these are great ways to respond to a suspected device security threat and limit security breeches while still allowing remote troubleshooting.

Microsoft Defender for Endpoint Restrict app execution

In a recent blog I looked at how Microsoft Defender for Endpoint can allow an administrator to restrict a device from communicating with everything except the Defender for Endpoint admin console. You’ll find that post here:

Microsoft Defender for Endpoint device isolation

Isolating a device is a pretty drastic measure, however Defender for Endpoint does have another device restriction option that is probably less intrusive known as Restrict app execution.

What Restrict app execution does is that it present applications that are not signed by Microsoft from running.

image

To Restrict app execution on a device firstly navigate to:

https://security.microsoft.com

and select the Device inventory from the options on the left. This will display a list of all the devices that Defender for Endpoint knows about. Select the device you wish to isolate from the list. In the top right hand side should appear an option Restrict app execution as shown above.

image

Once you select this option you’ll need to provide a reason for this restriction and press the Confirm button. This action will be logged in the admin console for later reference.

image

You will see the action item display as shown above. You can also cancel if required here.

On the device, in a matter of moments, a message will now appear:

Screenshot 2022-07-12 141355

and if a non Microsoft application is run you’ll see:

image

putty.exe

image

Brave browser

This process is using Windows Defender Application Control (WDAC) that I have spoken about before:

Windows Defender Application Control (WDAC) basics

which you can apply yourself via a policy, but in this case, it is being applied on the fly, which is impressive!

To remove this device restriction, all you need to do is select

image

the Remove app restriction which can be again found in the top right of the device page.

image

You’ll again be prompted to enter a reason for removing the restriction and then you’ll need to select the Confirm button.

image

The Action center confirmation will then appear as shown above and in a very short period of time the restriction will be removed from the device.

image

These confirmation can be found in the Action center option on the left hand side menu under the Actions & submissions item as shown above.

This is handy option in Defender for Endpoint for isolating a possible security issue on a device while minimising the impact to the user. Of course, smart attackers will use Microsoft tools located on the device, such as PowerShell to compromise machines to avoid this restriction. However, typically, they will also need to run a non-Microsoft application somewhere along the line which this technique will block.

For more information about Microsoft Defender Restrict app execution see the Microsoft documentation here:

Take response on a device

and remember that Restrict app execution is another feature that can be used with Defender for Endpoint when responding to security threats on devices.

Microsoft Defender for Endpoint device isolation

Let’s say that you have device that you believe has a security threat serious enough that it should be ‘unplugged’ from the network. Doing so physically makes it hard to troubleshoot any incident unless you are in front of that machine. However, Defender for Endpoint allows you to isolate the machine from the network while still remaining connected to the Defender for Endpoint console.

image

To initiate the device isolation navigate to:

https://security.microsoft.com

and select the Device inventory option from the menu on the left hand side. That should show you a list of all devices that Defender for Endpoint knows about. Select the device you wish to isolate from the list that appears.

In the top right side of the device page you will find the option to Isolate a device. If you can’t see that option check the ellipse (three dots). Select the ellipse to display the menu shown above. In that menu should be an option Isolate device, which you should select.

image

You’ll now see a dialog appear as shown above asking you to confirm that you wish to isolate the selected device. You also have the option here to allow Outlook, Teams and Skype for Business while device is isolated if desired. You’ll also need to enter a reason for isolating the device. When all that is done, select the Confirm button.

image

You should now see the action confirmed in the security console as shown above. You also have the ability to cancel this if needed here.

clip_image002

Almost immediately, the device being isolated will warn the current use that isolation is taking place and the network is disabled as shown above. At that point the user will no longer be able to navigate beyond their current machine (i.e. no browsing Internet or local LAN, no printing and no emails). More importantly, any other covert sessions will also be blocked preventing a security threat from spreading.

image

As an administrator you will however be able to launch a Live response session in the Defender console, as shown above, to triage the device and run PowerShell scripts if needed.

image

If you now look in the menu in the top right of this device when you have completed your work, you will see an option Release from isolation as shown above, for that device.

image

You will once again need to provide a reason why this device is being released from insolation and then select the Confirm button to complete the process.

image

The Action center will appear again as the isolation is removed. You again, have the option to cancel this if you wish.

image

The history of the actions taken to isolate and release the device can be found in the Action center menu option under the Actions & submissions heading on the left in the Microsoft Security center.

Defender for Endpoint allow you to quickly and easily isolate a suspected device from all network connections but allow it to remain connected to the Defender console for remote troubleshooting. If you want to read more about this process then consult the Microsoft documentation here:

Isolate devices from the network

Microsoft Defender for Business post setup wizard recommendations

image

Let’s say that you have kicked off the Microsoft Defender for Business setup wizard as shown above. For the purposes of this article I’ll also assume that this is part of a Microsoft 365 Business Premium tenant.

image

Let’s assume that you have now completed that process, which you can read about here:

Use the setup wizard in Microsoft Defender for Business

image

After the wizard has completed I suggest you head to the Settings options in https://security.microsoft.com and then select Endpoints and finally, select Advanced features, where you should see the above screen full of options on the right.

At this point I’d suggest you go and enable all the options listed. Now, not all of them will be relevant but I’d still recommend they be turned on none the less. Do it once and you won’t need to come back is my philosophy.

Leave that location open as we’ll be coming back here.

image

Next, head over to your Microsoft Endpoint Manager and select Endpoint security on the left, then Microsoft Defender for Endpoint, which should result in the above screen.

Here you want to ensure the Connection status is Enabled (i.e. green check mark) as shown.

If it isn’t for some reason, then head back to https://security.microsoft.com, Settings, Endpoint, Advanced features.

image

Scroll through the list of items until you find the Microsoft Intune connection as shown above. Ensure that it is turned On. If it isn’t, turn it On, wait at least 15 minutes and check back in Endpoint Manager for the Connection status to be Enabled (i.e. you see the green check mark). If it is already On and the green check mark doesn’t appear, turn the setting Off for at least 15 minutes and then turn it back On. You know, kinda reboot it. The connection status should go green after that in my experience.

image

When the Connection status is Enabled go and turn all the options on the page to On as shown above.

image

Return to https://security.microsoft.com and select the Onboarding option as shown above.

My recommendation is that you manually onboard the first Windows 10 device in your environment using a local script. That will ensure everything is working quickly and easily.

Simply download the script provided and run it on one of the Endpoint Manager enrolled devices in your environment.

image

Once the script has run successfully return to the console and select Device inventory from the menu on the left as shown. Within 15 minutes or so, you should see the machine that you ran the script on appear here.

Congratulations, you have successfully onboarded your first device to Defender for Business in your tenant. You are now free to continue to configure additional devices using the policies provided. I always like to do the very first device in the environment manually so I know everything is working as expected. If I then get issues, I know to troubleshoot my deployment policies.

Need to Know podcast–Episode 283

I’m once again joined by Jeff Alexander from Microsoft to talk about the latest security developments in the Microsoft Defender platform. I’ll also share the latest news and updates from the Microsoft Cloud.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-283-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2021.

Brought to you by www.ciaopspatron.com

Resources

Jeff Alexander

Microsoft 365 Defender

Become a Microsoft 365 Defender Ninja

Microsoft 365 Defender short and sweet videos

Microsoft Digital Defense Report 2021

Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users

Streamlining the submissions experience in Microsoft Defender for Office 365

Cyber Signals: Defending against cyber threats with the latest research, insights, and trends

Helping users stay safe: Blocking internet macros by default in Office

New settings available to configure local user group membership in endpoint security

Announcing general availability of vulnerability management support for Android and iOS

Windows 365 Enterprise: February 2022 updates

Sending From Email Aliases – Public Preview

Defender for Endpoint remediation levels

If you read the Microsoft documentation:

Automation levels in automated investigation and remediation capabilities

you find that there are 5 different levels of remediation automation you can set:

– No automated response

– Semi – require approval for all folders

– Semi – require approval for non-temp folders

– Semi – require approval for core folders

– Full – remediate threats automatically

which are all detailed here:

Levels of Automation

Note:

Full automation is recommended and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

Thus, Automation levels rely on Device Groups in Defender for Endpoint.

image

You see this when you create a Device Group as shown above.

image

With Defender for Endpoint P2 you find Device Groups via https://security.microsoft.com | Settings | Endpoints | Device groups as shown above.

image

However, with Defender for Business (above), you’ll see that there are no options currently for Device Groups. This basically means that the all remediation will be performed automatically.

I don’t that it is really a problem, but is another difference between Defender for Endpoint P2 and Defender for Business. I have not tested Defender for Endpoint P1 but I assume that it have the same lack of Device Groups as Defender for Business has, but I would to check to be 100% sure.

Defender for Endpoint server licensing

I will preface this with the ‘standard’ disclosure here that:

1. I am not a licensing expert

2. You should speak with a licensing expert to obtain clarification and verification of anything here

3. I have done my best in regards the information presented here but it may change over time, so again see point 2.

With that out of the way, a very common question I receive is around the licensing of servers with Defender for Endpoint. The summary I have found, taken from a reply from Microsoft licensing I found is the following:

In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. Microsoft Defender for Endpoint Server is an add-on for customers with a combined minimum of 50 licenses of eligible Microsoft Defender for Endpoint SKUs.

Microsoft Defender for Endpoint (Server)

When you have acquired a separate Microsoft Defender for Endpoint (Server) license, you cannot assign them to a specific server or whatsoever. You need to make sure you own the number of licenses with the amount of Windows Servers you want to provision with Microsoft Defender for Endpoint (Server). If you don’t have the right amount of licenses in your Microsoft 365 tenant, then you can still roll out MDE for Server because there is no technical limitation to it, you are just not compliant at that moment in an audit.

Microsoft Defender for Cloud

If you do have not enough licenses of the products from above, you cannot license your Windows Serves with a separate MDE for Server license. Then you have to use Microsoft Defender for Cloud.

When your Windows Servers are already running within Azure, it’s just enabling the Defender Standard license and enabling your server protection. When your Windows Servers are running On-Premise (e.x. VMware ESXi/Hyper-V) you have to install the Arc Agent on your servers and then they are visible as Virtual Machines in your Microsoft Azure Portal.

Conclusion

You got two ways of licensing your Windows Servers with MDE for Servers. Through Microsoft Defender for Cloud, then you do not have to acquire at minimum 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses. Or acquire a separate MDE for Server license when you have at least 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses.

More info:

For most, this boils down to the fact that if you don’t have at least 50 x Microsoft 365 E5 (and I also assume, or Defender for Endpoint P2), then you need to purchase Microsoft Defender for Cloud using the Azure portal to cover any servers for Defender for Endpoint.

This would seem to imply that if you implement Defender for Business, when it becomes fully available, you’ll need to use Defender for Cloud even if you have 50 or more licenses. That may of course change when Defender for Business goes GA but my guess at this stage would be it won’t.

Now, even if you have 50 or more licenses of Microsoft E5 (or again I assume, or Defender for Endpoint P2), then you’ll need to purchase the Defender for Endpoint (Server) license for each server you wish to cover. That license is available in 2 versions, monthly and annually:

Monthly Billing

MS SKU = 350158A2-F253-4EA3-988E-EEF9D1B828CF
MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR MTH SUB – AU$7.10 ex


Annual Billing

MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR ANL SUB – AU$85.20 ex


As I also understand it, this Defender for Endpoint (Server) SKU can also only be purchased via CSP not direct. That means, it has to be purchased through a reseller not via the Microsoft 365 administration portal using just a credit card.

The more common option I suspect, given the limitations, is going to be Microsoft Defender for Cloud, which is purchased via Azure.

image

Which means you fire up the Azure pricing calculator and plug in the details to obtain a price. That should result in the above result of around A$21 per month, per server.

Hopefully, all this answers most questions and I’ve done my best to ensure it is correct but as always, please check for yourself. For most, the solution to licensing servers for Defender for Endpoint will mean obtaining Microsoft Defender for Cloud and the cost for that will be about A$21 per server per month.