Controlling clients at the network level has been a use case for many companies for the last decades. In most cases, local network infrastructure like proxies or firewalls are used to control which resources can be accessed by a client. What if devices are on the road? In the cloud, this concept has been adapted by third-party solutions like ZScaler (and many others) using a cloud endpoint as a gateway to enforce policies. Both solutions create a significant overhead.
Luckily, Microsoft Defender ATP now offers functionality to satisfy those use cases at the client level:
- Blocking unsanctioned apps as defined in Microsoft Cloud App Security
- Defining custom Indicators (IP addresses, URLs, domains)
- Using web content filtering to block access to websites containing unwanted content and track web activity across all domains.
Requirements
All functions are based on Windows Defender Network Protection: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection
By default, network protection blocks HTTP(S) access attempts to resources with low reputation as defined by Microsoft. Moreover, it is the technological basis for all following features.
It can be enabled via either Group Policy or an Intune configuration policy. For all scenarios it must be set to block mode.
Group Policy:
Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection > “Block”
Intune:
Blocking unsanctioned apps via MCAS
As a Cloud Access Security Broker (CASB), Microsoft Cloud App Security provides visibility and insights about usage of cloud resources by using data from either log uploads of network infrastructure (firewalls and proxies, e.g.) or signals from all Microsoft Defender ATP endpoints.
The latter can now also be used to enforce blocking of cloud apps that have been marked as unsanctioned (= unwanted) in MCAS.
All we have to do is enable the connector in MDATP…:
… MCAS …:
… and mark one or more cloud apps in MCAS as unsanctioned to test functionality:
After a short period of time MDATP will sync that information …
… and block those apps (thanks to Network Protection) independent from the browser that is used. In Microsoft Edge, users get a quite useful error message.
Other browsers just show a generic HTTPS error:
Blocking custom resources in MDATP
MCAS is not the only data source that allows blocking. You can also use custom network indicators to enter specific custom IPs, URLs, or domains. This comes in handy if MCAS does not list a certain cloud app or website.
Again, Network Protection must be active on endpoints as described previously. You also need to enable custom network indicators in the MDATP portal as shown in the MCAS scenario.
We may then go ahead and enter indicators:
As always: the examples I use for my blog posts are completely random. YouTube is great. 😉
After a short delay (maximum of 2 hours), MDATP will now also enforce those settings:
Blocking unwanted content
Now let’s talk about the newest addition to MDATP: web content filtering. The concept is not new: like many third-party tools MDATP can now also block web resources from certain categories like sexual content or gambling.
Microsoft is using data from Cyren to define those categories. That’s why you’ll also need a subscription for their service. To check it out, there’s a 60 day trial:
This will trigger an app registration that must be completed with an account with the appropriate permissions. After that you have to enter some contact details:
Important!
The number of users is no sales related figure but directly impacts the number of licenses you get for the trial! The MDATP portal will match that number with the number of endpoints you have in MDATP, not with your user count. Of course, I missed that on the first try and had to contact Cyren for an update. So be smarter than me. 😉
Again, we need to head over to the settings to enable web content filtering:
We will then proceed to select the categories that should be blocked:
Of course, the policy will appear in the list after creation:
I then went ahead and tried to visit an online casino:
Browsers without SmartScreen also block it via Network Protection:
Mission accomplished!
Summing things up
Personally, I think it is really incredible to watch the progress the MDATP team achieves in such a short time. Defender ATP has been a great EDR tool right from the start, with enhancements like Threat & Vulnerability Management and now full network control its usefulness only increased. I’m looking forward to what’s yet to come.
Thanks for reading!
Chris