Need to Know podcast–Episode 283

I’m once again joined by Jeff Alexander from Microsoft to talk about the latest security developments in the Microsoft Defender platform. I’ll also share the latest news and updates from the Microsoft Cloud.

Take a listen and let us know what you think – feedback@needtoknow.cloud

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-283-jeff-alexander/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2021.

Brought to you by www.ciaopspatron.com

Resources

Jeff Alexander

Microsoft 365 Defender

Become a Microsoft 365 Defender Ninja

Microsoft 365 Defender short and sweet videos

Microsoft Digital Defense Report 2021

Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users

Streamlining the submissions experience in Microsoft Defender for Office 365

Cyber Signals: Defending against cyber threats with the latest research, insights, and trends

Helping users stay safe: Blocking internet macros by default in Office

New settings available to configure local user group membership in endpoint security

Announcing general availability of vulnerability management support for Android and iOS

Windows 365 Enterprise: February 2022 updates

Sending From Email Aliases – Public Preview

Defender for Endpoint remediation levels

If you read the Microsoft documentation:

Automation levels in automated investigation and remediation capabilities

you find that there are 5 different levels of remediation automation you can set:

– No automated response

– Semi – require approval for all folders

– Semi – require approval for non-temp folders

– Semi – require approval for core folders

– Full – remediate threats automatically

which are all detailed here:

Levels of Automation

Note:

Full automation is recommended and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.

Thus, Automation levels rely on Device Groups in Defender for Endpoint.

You see this when you create a Device Group as shown above.

With Defender for Endpoint P2 you find Device Groups via https://security.microsoft.com | Settings | Endpoints | Device groups as shown above.

However, with Defender for Business (above), you’ll see that there are no options currently for Device Groups. This basically means that the all remediation will be performed automatically.

I don’t that it is really a problem, but is another difference between Defender for Endpoint P2 and Defender for Business. I have not tested Defender for Endpoint P1 but I assume that it have the same lack of Device Groups as Defender for Business has, but I would to check to be 100% sure.

Defender for Endpoint server licensing

I will preface this with the ‘standard’ disclosure here that:

1. I am not a licensing expert

2. You should speak with a licensing expert to obtain clarification and verification of anything here

3. I have done my best in regards the information presented here but it may change over time, so again see point 2.

With that out of the way, a very common question I receive is around the licensing of servers with Defender for Endpoint. The summary I have found, taken from a reply from Microsoft licensing I found is the following:

In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. Microsoft Defender for Endpoint Server is an add-on for customers with a combined minimum of 50 licenses of eligible Microsoft Defender for Endpoint SKUs.

Microsoft Defender for Endpoint (Server)

When you have acquired a separate Microsoft Defender for Endpoint (Server) license, you cannot assign them to a specific server or whatsoever. You need to make sure you own the number of licenses with the amount of Windows Servers you want to provision with Microsoft Defender for Endpoint (Server). If you don’t have the right amount of licenses in your Microsoft 365 tenant, then you can still roll out MDE for Server because there is no technical limitation to it, you are just not compliant at that moment in an audit.

Microsoft Defender for Cloud

If you do have not enough licenses of the products from above, you cannot license your Windows Serves with a separate MDE for Server license. Then you have to use Microsoft Defender for Cloud.

When your Windows Servers are already running within Azure, it’s just enabling the Defender Standard license and enabling your server protection. When your Windows Servers are running On-Premise (e.x. VMware ESXi/Hyper-V) you have to install the Arc Agent on your servers and then they are visible as Virtual Machines in your Microsoft Azure Portal.

Conclusion

You got two ways of licensing your Windows Servers with MDE for Servers. Through Microsoft Defender for Cloud, then you do not have to acquire at minimum 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses. Or acquire a separate MDE for Server license when you have at least 50 Windows E5/A5, Microsoft 365 E5/A5, and Microsoft 365 E5 Security User SLs licenses.

More info:

For most, this boils down to the fact that if you don’t have at least 50 x Microsoft 365 E5 (and I also assume, or Defender for Endpoint P2), then you need to purchase Microsoft Defender for Cloud using the Azure portal to cover any servers for Defender for Endpoint.

This would seem to imply that if you implement Defender for Business, when it becomes fully available, you’ll need to use Defender for Cloud even if you have 50 or more licenses. That may of course change when Defender for Business goes GA but my guess at this stage would be it won’t.

Now, even if you have 50 or more licenses of Microsoft E5 (or again I assume, or Defender for Endpoint P2), then you’ll need to purchase the Defender for Endpoint (Server) license for each server you wish to cover. That license is available in 2 versions, monthly and annually:

Monthly Billing

MS SKU = 350158A2-F253-4EA3-988E-EEF9D1B828CF
MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR MTH SUB – AU$7.10 ex

Annual Billing

MICROSOFT CSP MICROSOFT DEFENDER FOR ENDPOINT SVR ANL SUB – AU$85.20 ex

As I also understand it, this Defender for Endpoint (Server) SKU can also only be purchased via CSP not direct. That means, it has to be purchased through a reseller not via the Microsoft 365 administration portal using just a credit card.

The more common option I suspect, given the limitations, is going to be Microsoft Defender for Cloud, which is purchased via Azure.

Which means you fire up the Azure pricing calculator and plug in the details to obtain a price. That should result in the above result of around A$21 per month, per server.

Hopefully, all this answers most questions and I’ve done my best to ensure it is correct but as always, please check for yourself. For most, the solution to licensing servers for Defender for Endpoint will mean obtaining Microsoft Defender for Cloud and the cost for that will be about A$21 per server per month.

Web filtering overview for Defender for Endpoint

I have written two articles on the web filtering options you have with Defender for Endpoint:

Custom web filtering

General web filtering

I’ve combined both of these into a video:

https://www.youtube.com/watch?v=M8sQEZDG2cA

which hopefully summarises things and let’s you see how to configure both of these.

Using Defender for Endpoint to protect your network devices

An added benefit of Defender for Endpoint is it’s ability to scan and report vulnerabilities with your network devices (routers, switches, etc). It does this by using SNMP, so the starting point is to set that up in your environment on your network devices.

Once you have onboarded Windows 10 devices to Defender for Endpoint you can use one of these to ‘scan’ your network devices via SNMP.

To do this follow the step by step process to download and install the scanner in this article:

Network device discovery and vulnerability assessments – Microsoft Tech Community

you can also refer to this documentation

Network device discovery and vulnerability management | Microsoft Docs

In short, you need to install and agent from the Defender for Endpoint console, then configure it to scan your SNMP environment and IP range. The results from this will be reported back into the Device inventory.

Interestingly, the documentation states:

The following operating systems are currently supported:

Cisco IOS, IOS-XE, NX-OS
Juniper JUNOS
HPE ArubaOS, Procurve Switch Software
Palo Alto Networks PAN-OS

but when I set this up in my environment

the Ubiquiti equipment I use was also reporting as shown above (excellent!).

I can drill into any network device and see alerts, security recommendations, etc. None to see here as my gear is up to date but this is a super handy feature when you are facing challenges like Log4j vulnerability, even in small environments.

The main thing is to get the SNMP environment set up for your network devices and then configure a Defender for Endpoint scanner in that environment. Within no time you’ll have additional network device information flowing into your Defender for Endpoint console. This is really going to help you keep your whole environment secure and make it easy to monitor from a single location.

Custom web filtering for Microsoft Defender for Endpoint

In a recent post I showed how you can enable web filtering with Defender for Endpoint using the built in blocked categories method.

Enabling web filtering with Microsoft Defender for Endpoint

The limits of this approach are that you can only use the categories that have been provided (i.e. Adult content, High bandwidth, Legal liability, Leisure and Uncategorized). An interesting omission, in my opinion, is the ability to block social networking (i.e. Twitter, Facebook, etc).

You can achieve custom web filtering with Microsoft Defender for Endpoint if you wish using the custom indicator approach.

You’ll first need to ensure that custom network indicators have been enabled in your environment. You do this by navigating to https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Endpoints.

From the menu that now appears, select Advanced features. Ensure that the Custom network indicators option is turned on as shown. Don’t forget to save any changes with the Save preferences button at the bottom of the page.

To enable a custom indicator, navigate to https://security.microsoft.com, scroll down the list on.the left hand side until you locate Settings, then select Indicators. On the right you can create an indicator as File hash, IP address, URL or Certificate. In this case, select URLs/Domains. Then select the option to Add item.

Enter the URL you wish to block and select whether you wish an expiry date for this indicator. Unfortunately, you can’t use wildcard characters here, it must be the direct URL. Press the Next button to continue.

Select the action you wish to take (Allow, Audit, Warn, Block execution). It is also recommended that you select the Generate Alert option so that information can be shared with other applications such as Azure Sentinel, which I’ll cover in an upcoming article. Also, give the alert a descriptive title (I suggest you mention the particular web site you are blocking here). Scroll down the page to continue.

Enter the Alert severity, Category as well as the Recommended actions and a Description as shown above. Press the Next button at the bottom of the page when complete.

View the summary that is now displayed and press the Save button at the bottom of the screen.

You should see your entry listed as shown above. You can edit this by simply clicking on it. You also delete the indicator once you edit it.

Also note the Import menu option that allows you to import a list of items from a CSV file.

Now according to the Microsoft documentation:

Create indicators for IPs and URLs/domains

– Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

– URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode.

– Supported on machines on Windows 10, version 1709 or later, Windows 11, Windows Server 2016, Windows Server 2012 R2, Windows Server 2019, and Windows Server 2022

– Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.

– If there are conflicting URL indicator policies, the longer path is applied. That is, the more specific path.

– Only single IP addresses are supported (no CIDR blocks or IP ranges).

– Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

–
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

– Full URL path blocks can be applied on the domain level and all unencrypted URLs

– There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. My personal experience is around 45 minutes.

Enforced result on Edge. If you use third party browsers, and the site is encrypted (i.e. uses https) it will not be blocked as mentioned above.

Adding indicators using the web and even importing using a CSV is somewhat time consuming and cumbersome, especially if you have a standard set you wish to block. I’ll show you how to add indicators using a script and API calls in an upcoming post. so stay tuned for that.

Remember, that you can use these indicators to not only block but also warn and audit if you wish. You can also have a number of different indicators and types. I’d also recommend you take a look at this article from Microsoft:

Best practices for optimizing custom indicators

when you start creating these custom indicators.

All the Microsoft Defender for Endpoint options

It is important to understand that there are current 3 plans for Defender for Endpoint

1. P1

2. Defender for Business

3. P2

Note: that Defender for Business is currently in preview.

The indicated general available is late February/early March per the above Message Center item.

I have perhaps been some what cavalier in the screens I have shared with a few posts of late. This could potentially lead to confusion about what plans include when I am showing screens from plans that maybe different from what people assume it is.

The issue is not with the functionality, the issue is that what I have shown may not be identical to the specific plan I’m focusing on. In essence, if you look at your screen and what I have shown, you might see differences in the total number of options available for example.

So, let’s clear all that up with a look at the three plans and their differences.

This is probably the best place to start:

Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2

The following provides a more current granular break down:

Some other helpful links:

Microsoft Defender for Endpoint

Overview of Microsoft Defender for Endpoint Plan 1

Microsoft Defender for Endpoint Plan 1 and Plan 2

Microsoft Defender for Business

Overview of Microsoft Defender for Business (preview)

Compare security features in Microsoft Defender for Business to Microsoft 365 Business Premium

There are also differences in the options available in the interface. For example with Defender for Endpoint P2 you see the following in Settings | Endpoints:

While in Defender for Business you only see:

Key items like Onboarding, Offboarding and Web content filtering etc. still appear but a significant amount of other don’t. This is where some of the confusion may lie with my previous content (sorry). Hopefully people aren’t too fazed by stuff not being there as they can still get to the stuff I do call out. However, it is on me to do a like for like if I do show screens. So, going forward I’ll do my best to do that to avoid the confusion around all these Defender for Endpoints.

Of course, this will change over time and I’ll try and update my future articles to reflect that.

Enabling web filtering with Microsoft Defender for Endpoint

One of ‘bonuses’ of Microsoft Defender for Endpoint is the inclusion of web filtering. This means that you can block a range of pre-configured sites as well as custom ones if needed. This article will cover how to set up this capability for pre-configured sites.

To get web filtering working you’ll basically need:

– Windows 10/11 devices onboarded to Defender for Endpoint

– Windows Defender Smartscreen and Network Protection enabled.

Web filtering for other platforms, like iOS and Android, is on the roadmap.

Please note that the options that appear may differ based on what version of Defender for Endpoint you are using (P2, P1 or Business)

Navigate to https://security.microsoft.com and scroll down the menu options on the left and select Settings. From the options that appear on the right select Endpoints.

Locate the Web content filtering option from the menu that now appears, and select + Add item on the right as shown above.

From the dialog that appears from the right, give the policy a name (here, Default) and select the Next button.

Select the Block categories required. You can expand the headings and select individual items insides these. Also note, that you can block both Newly registered domains and Parked domains.

Press the Next button when you have made you choices.

You can target this policy at specific Defender for Endpoint groups if you wish, depending on the version of Defender for Endpoint you use. In this case, no groups have been created, so All devices will be targeted. Note, that Device Groups does not currently appear with Defender for Business and thus all policies there will be scoped to all devices by default.

Press the Next button to continue.

Review the policy summary and select the Save button to complete the creation process.

In my experience it takes around 40 – 45 minutes for this policy to be applied to Windows 10/11 device endpoints, so be patient.

When a restricted site is visited using a Microsoft browser like Edge, you’ll very briefly see the restricted website flash up and then almost immediately be replaced with the content blocked message shown above.

If you use a non-Microsoft browser, Brave in this case, then you will see a message saying that access is denied and you’ll also receive a Windows Security message as shown in the bottom right above.

If you wish to remove or edit a web filtering policy, simply navigate back to the web filtering option in the security console. Changes, including policy deletions, again take about 40 or so minutes to become evident on endpoint devices.

What’s covered here is just the basics. Look out for future article where I cover off how to filter custom sites and locations. You’ll also find lots more details in the Microsoft documentation here:

Web content filtering

At this stage (January 2022), as I said earlier, web filtering is only available on Windows 10/11 devices but more options are coming in the very near future.