Skip to content
Menu
ChrisOnSecurity
  • Blog
  • Microsoft Security portals
  • Presentations
  • GitHub
  • About me
  • Impressum
  • Disclaimer
ChrisOnSecurity

Microsoft Defender ATP – network control made easy

Posted on 1. February 20208. July 2020

Controlling clients at the network level has been a use case for many companies for the last decades. In most cases, local network infrastructure like proxies or firewalls are used to control which resources can be accessed by a client. What if devices are on the road? In the cloud, this concept has been adapted by third-party solutions like ZScaler (and many others) using a cloud endpoint as a gateway to enforce policies. Both solutions create a significant overhead.

Luckily, Microsoft Defender ATP now offers functionality to satisfy those use cases at the client level:

  • Blocking unsanctioned apps as defined in Microsoft Cloud App Security
  • Defining custom Indicators (IP addresses, URLs, domains)
  • Using web content filtering to block access to websites containing unwanted content and track web activity across all domains.

Requirements

All functions are based on Windows Defender Network Protection: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-protection

By default, network protection blocks HTTP(S) access attempts to resources with low reputation as defined by Microsoft. Moreover, it is the technological basis for all following features.

It can be enabled via either Group Policy or an Intune configuration policy. For all scenarios it must be set to block mode.

Group Policy:

Computer configuration > Administrative templates > Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection > “Block”

Intune:

Blocking unsanctioned apps via MCAS

As a Cloud Access Security Broker (CASB), Microsoft Cloud App Security provides visibility and insights about usage of cloud resources by using data from either log uploads of network infrastructure (firewalls and proxies, e.g.) or signals from all Microsoft Defender ATP endpoints.

The latter can now also be used to enforce blocking of cloud apps that have been marked as unsanctioned (= unwanted) in MCAS.

All we have to do is enable the connector in MDATP…:

… MCAS …:

… and mark one or more cloud apps in MCAS as unsanctioned to test functionality:

After a short period of time MDATP will sync that information …

… and block those apps (thanks to Network Protection) independent from the browser that is used. In Microsoft Edge, users get a quite useful error message.

Other browsers just show a generic HTTPS error:

Blocking custom resources in MDATP

MCAS is not the only data source that allows blocking. You can also use custom network indicators to enter specific custom IPs, URLs, or domains. This comes in handy if MCAS does not list a certain cloud app or website.

Again, Network Protection must be active on endpoints as described previously. You also need to enable custom network indicators in the MDATP portal as shown in the MCAS scenario.

We may then go ahead and enter indicators:

As always: the examples I use for my blog posts are completely random. YouTube is great. 😉

After a short delay (maximum of 2 hours), MDATP will now also enforce those settings:

Blocking unwanted content

Now let’s talk about the newest addition to MDATP: web content filtering. The concept is not new: like many third-party tools MDATP can now also block web resources from certain categories like sexual content or gambling.

Note

I previously described that a third-party Cyren license was needed for web content filtering to work. Luckily, in July 2020 Microsoft just announced that this functionality will be built right into Defender ATP without any further cost.

I therefore removed the part about Cyren onboarding from the post.

Again, we need to head over to the settings to enable web content filtering:

We will then proceed to select the categories that should be blocked under the “Web content filtering” menu:

Of course, the policy will appear in the list after creation:

I then went ahead and tried to visit an online casino:

Browsers without SmartScreen also block it via Network Protection:

Mission accomplished!

Summing things up

Personally, I think it is really incredible to watch the progress the MDATP team achieves in such a short time. Defender ATP has been a great EDR tool right from the start, with enhancements like Threat & Vulnerability Management and now full network control its usefulness only increased. I’m looking forward to what’s yet to come.

Thanks for reading!

Chris

@ChrisOnSecurity@infosec.exchange

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

@ChrisOnSecurity

Tweets by ChrisOnSecurity

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

Tags

Administration Administrative Units Android AV Azure Active Directory Azure AD Azure Sentinel Client Security Conditional Access Conditional Access App Control Defender ATP Delegation EDR EMS Enterprise Mobility + Security Identity Protection Information Protection & Compliance Linux M365 M365 E3 Mail Security MCAS MDAPT MDATP MFA Microsoft 365 Microsoft 365 E3 Microsoft 365 Security Microsoft Cloud App Security Microsoft Defender ATP Microsoft Ignite Mobile Security Monitoring Network Control Office 365 Office ATP passwordless Perimeter Security Baseline Session Control Sysmon Unified Incidents User submissions Web Content Filtering Windows 10 Enterprise
©2023 ChrisOnSecurity | WordPress Theme by Superbthemes.com
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT