
Microsoft Defender ATP – network control made easy

Posted on 1. February 2020 (updated 8. July 2020)

Controlling clients at the network level has been a use case for many companies for decades. In most cases, local network infrastructure such as proxies or firewalls is used to control which resources a client can access. But what if devices are on the road? In the cloud, this concept has been adapted by third-party solutions like ZScaler (and many others), which use a cloud endpoint as a gateway to enforce policies. Both solutions create significant overhead.

Luckily, Microsoft Defender ATP now offers functionality to satisfy those use cases at the client level:

  • Blocking unsanctioned apps as defined in Microsoft Cloud App Security
  • Defining custom Indicators (IP addresses, URLs, domains)
  • Using web content filtering to block access to websites containing unwanted content and track web activity across all domains.

Requirements

All functions are based on Windows Defender Network Protection: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection

By default, network protection blocks HTTP(S) access attempts to resources with low reputation as defined by Microsoft. Moreover, it is the technological basis for all following features.

It can be enabled via either Group Policy or an Intune configuration policy. For all scenarios it must be set to block mode.

Group Policy:

Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection > “Block”
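To confirm on an endpoint that the policy has arrived and is really in block mode, the following added example (not part of the original post) reads the setting with `Get-MpPreference` and counts recent Network Protection events. The function names are hypothetical; the event IDs (1125 for audit, 1126 for block) and the log name come from Microsoft's Defender documentation, not from this post.

```powershell
# Added example: verify that Network Protection is enforcing on this endpoint.
function Get-NetworkProtectionState {
    param(
        # Raw setting; defaults to the live value on this endpoint.
        $Value = (Get-MpPreference).EnableNetworkProtection
    )
    # Values reported by Get-MpPreference: 0 = disabled, 1 = block, 2 = audit.
    # An unset value ($null) casts to 0 and is treated as disabled.
    $mode = switch ([int]$Value) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }
    [pscustomobject]@{
        Mode      = $mode
        # Only block mode enforces the MCAS, indicator and content filtering blocks.
        Enforcing = ($mode -eq 'Block')
    }
}

function Get-NetworkProtectionEvents {
    param([int]$Days = 1)
    # 1125 = connection would have been blocked (audit mode)
    # 1126 = connection was blocked (block mode)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

$state = Get-NetworkProtectionState
$state
if (-not $state.Enforcing) {
    Write-Warning "Network Protection is in '$($state.Mode)' mode; blocks will not be enforced."
}
Get-NetworkProtectionEvents -Days 7
```

An endpoint that shows only 1125 events is still in audit mode, so none of the blocking scenarios in this post take effect on it.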

Intune:

Blocking unsanctioned apps via MCAS

As a Cloud Access Security Broker (CASB), Microsoft Cloud App Security provides visibility into and insights about the usage of cloud resources, using data from either log uploads from network infrastructure (e.g. firewalls and proxies) or signals from all Microsoft Defender ATP endpoints.

The latter can now also be used to enforce blocking of cloud apps that have been marked as unsanctioned (= unwanted) in MCAS.

All we have to do is enable the connector in MDATP…:

… MCAS …:

… and mark one or more cloud apps in MCAS as unsanctioned to test functionality:

After a short period of time MDATP will sync that information …

… and block those apps (thanks to Network Protection) regardless of the browser that is used. In Microsoft Edge, users get a quite useful error message.

Other browsers just show a generic HTTPS error:

Blocking custom resources in MDATP

MCAS is not the only data source that allows blocking. You can also use custom network indicators to enter specific custom IPs, URLs, or domains. This comes in handy if MCAS does not list a certain cloud app or website.

Again, Network Protection must be active on endpoints as described previously. You also need to enable custom network indicators in the MDATP portal as shown in the MCAS scenario.

We may then go ahead and enter indicators:

As always: the examples I use for my blog posts are completely random. YouTube is great. 😉

After a short delay (maximum of 2 hours), MDATP will now also enforce those settings:

Blocking unwanted content

Now let’s talk about the newest addition to MDATP: web content filtering. The concept is not new: like many third-party tools, MDATP can now also block web resources from certain categories like sexual content or gambling.

Note

I previously described that a third-party Cyren license was needed for web content filtering to work. Luckily, in July 2020 Microsoft just announced that this functionality will be built right into Defender ATP without any further cost.

I therefore removed the part about Cyren onboarding from the post.

Again, we need to head over to the settings to enable web content filtering:

We will then proceed to select the categories that should be blocked under the “Web content filtering” menu:

Of course, the policy will appear in the list after creation:

I then went ahead and tried to visit an online casino:

Browsers without SmartScreen also block it via Network Protection:

Mission accomplished!

Summing things up

Personally, I think it is really incredible to watch the progress the MDATP team achieves in such a short time. Defender ATP has been a great EDR tool right from the start; with enhancements like Threat & Vulnerability Management and now full network control, its usefulness has only increased. I’m looking forward to what’s yet to come.

Thanks for reading!

Chris
