In the modern IT landscape, malicious actors who attack environments and devices use methods that are becoming more and more sophisticated, and unfortunately, the average time before a threat is detected is believed to be approximately 200 days. While traditional anti-virus and anti-malware software can still play an important role in defending against these threats, they are sadly not enough to effectively defend against modern attackers that are determined to cause disruption and implement malicious activities.
This is where Microsoft Defender Advanced Threat Protection (ATP) comes in. Microsoft Defender ATP is a cloud-based online service that provides prevention, detection, and investigation methods that you can use to respond to advanced threats within your organization. In this chapter, you'll learn how to configure and manage the Microsoft Defender ATP features to provide the best protection for your organization, as well as how to enable and configure always-on protection and monitoring.
In addition, we will examine how Microsoft Defender Application Guard can be used to protect your environment. You will also learn how Microsoft Defender Application Control can help administrators plan and implement control of specific applications, how BitLocker can be configured to manage Windows 10 device encryption, and how app protection policies for non-Windows device encryption can be applied. Finally, we will examine how the protection of enterprise data can be accomplished with Windows Information Protection (WIP).
We will cover these topics in the following order:
Microsoft Defender ATP has a number of minimum requirements that must be met in order to use the service.
You will need one of the following licenses in order to use Microsoft Defender ATP:
The following operating systems are capable of supporting Microsoft Defender ATP:
Microsoft Defender ATP enables organizations to investigate and respond to advanced threats that target their enterprise networks by providing information about advanced attack detections based on behavioral patterns. The threats detected by Microsoft Defender ATP are interpreted into a forensic timeline that is then used to build and maintain a threat intelligence knowledge base.
This is achieved by using endpoint behavioral sensors, which collect signals from the Windows 10 operating system and send that data to Microsoft Defender ATP.
Cloud security analytics then uses machine learning techniques to translate the collected data into insights and provide recommendations on how to resolve advanced threats.
Finally, threat intelligence activities are carried out by Microsoft hunters and security experts, which allows Microsoft Defender ATP to recognize the tools and methods employed by malicious actors and to alert administrators when this behavior is detected.
Microsoft Defender ATP provides both preventative and post-breach detection; it comprises the following features and components:
The Microsoft Defender ATP service can be installed and configured via a dedicated Windows Security Center cloud portal. Next, we will look at how we can configure Microsoft Defender ATP.
Important note
In many of the following screenshots, you will see references to Windows Defender ATP as opposed to Microsoft Defender ATP. The product was renamed when other platforms, such as macOS, also became compatible. However, some of the installation experiences have not yet caught up with the name change.
Once you have acquired the required licenses to run Microsoft Defender ATP, you can start to configure the service by using the cloud portal:
So, to recap what we have learned, we have now set up the Microsoft Defender ATP cloud service with our preferred settings and deployed Microsoft Defender ATP to a single Windows 10 Azure Active Directory (AD)-joined workstation.
We can see a vast amount of information and activities for the device. We also learned that there are a number of ways in which Microsoft Defender ATP can be deployed to both Windows and other devices in your organization.
Next, we will look at how you can use Microsoft Defender ATP to monitor and manage the protection and detection of threats in your environment.
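Before moving on to monitoring, it helps to confirm from the endpoint side that the workstation you deployed to really is onboarded. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes that the Defender ATP sensor runs as the Windows service named Sense and that the onboarding result is recorded under the Windows Advanced Threat Protection\Status registry key (OnboardingState = 1), both of which are the locations Microsoft documents for the sensor at the time of writing. Run it in an elevated session on the onboarded device.

```powershell
# Added example (not from the book): verify that a Windows 10 workstation is
# onboarded to Microsoft Defender ATP and that its sensor service is running.
# Assumptions: the 'Sense' service name and the Status registry key below are
# the ones Microsoft documents for the Defender ATP sensor; run elevated.

function Test-DefenderAtpOnboarding {
    [CmdletBinding()]
    param()

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        SenseService    = 'Missing'
        OnboardingState = $null
        Healthy         = $false
    }

    # The sensor runs as the 'Sense' service (Windows Defender Advanced Threat Protection Service).
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    if ($svc) { $result.SenseService = $svc.Status.ToString() }

    # OnboardingState = 1 means the onboarding package has been applied successfully.
    if (Test-Path -Path $statusKey) {
        $result.OnboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }

    # A device only reports to the portal when the package is applied AND the service is up.
    $result.Healthy = ($result.SenseService -eq 'Running') -and ($result.OnboardingState -eq 1)
    [pscustomobject]$result
}

# Run locally; the object can be exported (CSV/JSON) and collected from many devices.
$state = Test-DefenderAtpOnboarding
$state | Format-List
if (-not $state.Healthy) {
    Write-Warning "Device $($state.ComputerName) is not fully onboarded; re-run the onboarding package and check the Sense service."
}
```

A device that shows OnboardingState = 1 but a stopped Sense service will silently drop out of the portal's device list, which is the case this check is designed to catch.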
Now that we have the Microsoft Defender ATP instance set up and deployed to one or more workstations, there are a number of capabilities that can be fine-tuned in Microsoft Defender Security Center.
It is hugely important to regularly and diligently monitor and manage your Microsoft Defender ATP instance in order to maximize security protection in your environment. Let's look at how you can make the most of some of the available options.
From Security Center, selecting Configuration Management will show you the following options, where you can configure your Microsoft Defender ATP instance to connect to Intune:
By clicking on Go to settings on either of the preceding options, you will be taken to Advanced features, where you can connect Microsoft Defender ATP to Microsoft Intune, as follows:
Once you have enabled the connection, the Machine configuration management options for Intune will change, as follows:
You can also select the Machine attack surface management option from the configuration management settings, as follows:
By clicking on Go to attack surface management, you will be taken to the following page, where you will be able to view reports on attack surface reduction rules:
You can use the reports to identify and fix devices that may have limited protection due to missing prerequisites or misconfigured rules.
Now that you understand the attack surface reduction capabilities, let's look at the Secure score dashboard.
The Secure score dashboard can be used to view and filter a list of security recommendations, as follows:
By selecting an individual item from the list, you can see detailed information on risk and remediation options, as follows:
You should diligently review the Secure score section regularly and act on the recommendations to improve your score.
Next, let's look at how we can integrate Microsoft Defender ATP with Azure ATP.
It is also possible to integrate your Microsoft Defender ATP instance with your Azure ATP instance (which we discussed in Chapter 6, Configuring an Advanced Threat Protection Solution). This can be achieved from the Settings menu, as follows:
When you activate the integration, you will be directed to activate the feature from the Azure ATP portal as well, if it has not already been enabled. Log in to the Azure ATP portal at https://portal.atp.azure.com and activate the feature, as follows:
Click to save your changes, then return to the Settings section of Microsoft Defender Security Center, and then click to enable integration with Azure ATP once again. It should now activate without any problems, as in the following screenshot:
Enabling integration with Azure ATP retrieves user and machine data from Azure ATP and sends information from Microsoft Defender ATP in the other direction. This results in increased visibility and detections across both of these services.
There are a vast number of settings that you can review and leverage within the security center to effectively manage and monitor your Microsoft Defender ATP instance. The available options are as follows:
The available options are described in greater detail in the following table:
Important note
Further details on all the settings described in the preceding table can be found in many of the links included in the References section at the end of this chapter.
So, to recap what we have learned so far in this chapter, we showed you how to install, configure, and monitor the Microsoft Defender ATP service within your Microsoft 365 environment. Next, we will show you how to further refine the service by implementing additional features, which include Windows Defender Application Guard, Application Control, Exploit Guard, and Secure Boot.
Now that we know how to manage and monitor Microsoft Defender ATP, let's look at some of its associated features, which are designed to complement Microsoft Defender ATP.
Microsoft Defender Application Guard is a system designed to isolate devices in such a way that malicious actors are unable to use their attack methodologies against them. It protects your company's users on Windows 10, specifically on the Microsoft Edge browser, by providing isolation of untrusted sites when users browse the internet.
Microsoft Defender Application Guard empowers Microsoft 365 security administrators to explicitly define the following categories:
A zero-trust methodology is employed to ensure that anything that is not defined in the preceding categories is considered untrusted and is blocked. So, how does this work? Essentially, when a user who is protected by Microsoft Defender Application Guard attempts to access an untrusted website via Microsoft Edge or Internet Explorer, the site is opened in an isolated container.
The result of this is that if the website contains malicious code or content, then the user's PC is not affected in any way. Subsequently, a potential attack is prevented and malicious actors cannot carry out any reconnaissance that could lead to the elevation of privileges and domain dominance.
Microsoft Defender Application Guard can be deployed to domain-joined computers on your organization's network by using either System Center Configuration Manager or Microsoft Intune.
It is also possible to deploy Microsoft Defender Application Guard to Bring Your Own Device (BYOD) or personal Windows devices. While these devices are not domain-joined, it is possible to protect them with Application Guard if they are managed by Intune.
When you configure Microsoft Defender Application Guard to be deployed to your Windows devices, it enables the following features, which can be found under Control Panel | Programs and Features | Install Windows Features:
Once enabled, clicking on the menu bar within Microsoft Edge will show the following options:
When a user selects the New Application Guard window option, they can browse safely and any malicious code or content lurking on a website will not be able to harm the workstation as the browser session will be completely isolated.
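The Intune or Configuration Manager policy only takes effect on devices that meet the hardware requirements and have the optional Windows feature enabled. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes that the optional feature is named Windows-Defender-ApplicationGuard (the name exposed by Enable-WindowsOptionalFeature on Windows 10) and that 8 GB of RAM is Microsoft's documented minimum for Application Guard at the time of writing. Run it elevated on a pilot device before assigning the policy.

```powershell
# Added example (not from the book): check the prerequisites for Microsoft
# Defender Application Guard and enable the optional Windows feature that the
# Intune/ConfigMgr policy relies on. Run from an elevated PowerShell session.
# Assumptions: feature name 'Windows-Defender-ApplicationGuard'; 8 GB RAM is
# taken as Microsoft's documented minimum (assumption, verify against current docs).

function Test-ApplicationGuardPrerequisites {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # VirtualizationFirmwareEnabled is True when VT-x/AMD-V is on in firmware and
    # no hypervisor is running yet; once Hyper-V is active, HypervisorPresent is True
    # instead. Either state means the container can be started.
    $virtReady = [bool]$cs.HypervisorPresent -or [bool]$cpu.VirtualizationFirmwareEnabled

    [pscustomobject]@{
        Is64Bit             = [Environment]::Is64BitOperatingSystem
        MemoryGB            = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        VirtualizationReady = $virtReady
        OsVersion           = $os.Version
    }
}

function Enable-ApplicationGuardFeature {
    param([switch]$Restart)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Application Guard feature is already enabled.'
        return $feature
    }
    # -NoRestart lets the caller control the reboot; the feature is inactive until then.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
    if ($Restart) { Restart-Computer -Force }
}

$pre = Test-ApplicationGuardPrerequisites
$pre | Format-List
if (-not $pre.Is64Bit -or -not $pre.VirtualizationReady -or $pre.MemoryGB -lt 8) {
    Write-Warning 'Device does not meet the Application Guard hardware requirements; fix these before deploying the policy.'
} else {
    Enable-ApplicationGuardFeature
}
```

Devices that fail the prerequisite check will show the policy as applied in Intune but will never open the isolated Edge window, so running this on a representative hardware sample avoids a deployment that silently does nothing.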
Microsoft Defender Application Control can restrict the applications on your network from accessing the system kernel, and it can also block unsigned scripts and MSI packages.
You can create Application Control policies directly on Windows 10 Enterprise computers or Windows Server 2016. You can also deploy Microsoft Defender Application Control to any Windows 10 edition or Windows Server 2016 via a Mobile Device Management (MDM) solution, such as Microsoft Intune, or use Group Policy to deploy Application Control policies to Windows 10 Enterprise computers or Windows Server 2016.
To create a Microsoft Defender Application Control policy using Intune, follow these steps:
You can monitor your Microsoft Defender Application Control profile from the Monitor section on the left-hand side of the profile.
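The policy that Intune or Group Policy deploys is produced on a reference Windows 10 Enterprise machine, and the safe way to roll it out is to start in audit mode and review what would have been blocked. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes the ConfigCI module cmdlets (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) are available on the reference machine, and the C:\WDAC working directory is a constructed path.

```powershell
# Added example (not from the book): build a Microsoft Defender Application
# Control policy from a reference Windows 10 Enterprise machine, put it in audit
# mode, and compile it to the binary form that Intune/Group Policy deploy.
# Assumptions: ConfigCI module present; C:\WDAC is a constructed working path.

Import-Module ConfigCI

$workDir   = 'C:\WDAC'
$policyXml = Join-Path -Path $workDir -ChildPath 'AuditPolicy.xml'
$policyBin = Join-Path -Path $workDir -ChildPath 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Scan the reference machine: trust by publisher certificate where possible and
# fall back to file hash for unsigned binaries; -UserPEs includes user-mode apps.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath $policyXml

# Option 3 = Enabled:Audit Mode. Binaries outside the policy are logged to
# Microsoft-Windows-CodeIntegrity/Operational instead of being stopped.
Set-RuleOption -FilePath $policyXml -Option 3
# Option 6 = Enabled:Unsigned System Integrity Policy, so the pilot policy can be
# deployed without a signing certificate; remove it once the policy is signed.
Set-RuleOption -FilePath $policyXml -Option 6

# Compile to the binary policy file that MDM/Intune (or Group Policy) deploys.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# After the pilot period, review the audit events (ID 3076 = would have been
# blocked) before switching to enforced mode by deleting option 3:
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message
```

Every 3076 event during the pilot is either a legitimate application that needs a rule added to the XML (re-run New-CIPolicy with -Audit against the log, or merge a supplemental policy) or a binary that should indeed be blocked; working through that list is what turns an audit policy into an enforceable one.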
Microsoft Defender Exploit Guard provides intrusion detection capabilities in Windows 10. You can use Microsoft Defender Exploit Guard to protect your apps and to reduce the attack surface of your apps by using rules that are designed to prevent malware attacks.
You can also use Microsoft Defender Exploit Guard to protect your users against social engineering attacks by using Windows Defender SmartScreen within the Microsoft Edge browser. Additionally, you can use Controlled folder access to protect files within your system folders to prevent them from being changed by malicious actors.
Microsoft Defender Exploit Guard can be enabled and deployed using the same Intune method shown for Application Control, and the available configuration settings are as follows:
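The attack surface reduction report discussed earlier flags devices with misconfigured rules, and the Exploit Guard settings above are what the Intune profile pushes down. The following PowerShell script is an added example, not code from the book or from Microsoft, for auditing and piloting those settings locally; it assumes the Defender PowerShell module (Get-MpPreference, Add-MpPreference, Set-MpPreference) is present, uses three of Microsoft's documented ASR rule GUIDs (taken from memory of Microsoft's rule reference, so verify them), and the folder and application paths are constructed placeholders.

```powershell
# Added example (not from the book): report the local attack surface reduction
# rule state, then enable a set of ASR rules and Controlled folder access in
# audit mode on a pilot device so hits are logged rather than blocked.
# Assumptions: Defender PowerShell module present; rule GUIDs are Microsoft's
# documented ASR rule IDs (verify against the current reference); folder and
# application paths below are constructed placeholders.

$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
# Numeric action values returned by Get-MpPreference.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)      # empty array when nothing is configured
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $asrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -eq $id) { $state = $actionNames[[int]$acts[$i]]; break }   # -eq is case-insensitive
        }
        [pscustomobject]@{ RuleId = $id; Name = $asrRules[$id]; State = $state }
    }
}

function Enable-ExploitGuardAudit {
    # Add-MpPreference merges with rules already set by policy instead of replacing them.
    $ids     = [string[]]$asrRules.Keys
    $actions = [string[]]($ids | ForEach-Object { 'AuditMode' })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

    # Controlled folder access in audit mode logs writes to protected folders without blocking them.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    # Extra protected folder and an allowed application (both constructed paths).
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Finance\Reports'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ContosoApp\contoso.exe'
}

function Get-ExploitGuardAuditEvents {
    # 1122 = ASR rule audit hit, 1124 = Controlled folder access audit hit.
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 1122, 1124 } |
        Select-Object TimeCreated, Id, Message
}

Get-AsrRuleState | Format-Table -AutoSize
Enable-ExploitGuardAudit
Get-ExploitGuardAuditEvents | Format-List
```

Rules that still show "Not configured" after the Intune profile has been assigned are the devices the attack surface management report calls out, and the audit events tell you which line-of-business applications will need exclusions before the rules are switched from AuditMode to Enabled.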
There are a number of configuration settings that can be applied to your devices for Microsoft Defender Application Guard, Microsoft Defender Application Control, and Microsoft Defender Exploit Guard. You will find links to articles on how you can configure these features in the References section at the end of this chapter.
Next, let's look at how WIP can be used to protect data.
WIP is a feature that is designed to protect against the accidental leakage of data from both business and personal devices. WIP works alongside Azure Rights Management to control the data that leaves devices.
WIP is deployed by configuring policies in Microsoft Intune. This is shown in the following steps:
You can use WIP to protect both recommended apps and apps from the Microsoft Store.
WIP is a feature that can be applied in numerous ways. To learn more about WIP and how you can configure it to protect devices in your organization, please use the links included in the References section at the end of this chapter.
So, to recap, the features of Microsoft Defender Application Guard, Microsoft Defender Application Control, and Microsoft Defender Exploit Guard are available to complement the settings you configure for your environment using Microsoft Defender ATP. Next, we will look at how you can manage device encryption.
In the modern IT landscape, it is more crucial than ever to protect your organization's devices against data theft in case a device is stolen or lost. In this section, we will examine how BitLocker can be used to encrypt Windows 10 devices.
BitLocker Drive Encryption provides integrated data protection features for your Windows 10 devices to combat the threat of stolen, lost, or poorly decommissioned Windows devices.
BitLocker is most effective when used with Trusted Platform Module (TPM) version 1.2 or later. However, it also works on computers that do not have TPM version 1.2 or later by using a USB startup key. You can also apply a form of multi-factor authentication with BitLocker by blocking device startup until one of the following responses has been provided:
These methods help to ensure that the device doesn't start until the appropriate challenge has been issued and answered.
So, how is BitLocker configured? It can be deployed to devices using either Group Policy or Microsoft Intune. For deployment via Intune, you need to create a profile by taking the following steps:
There are a number of options to encrypt your Windows devices available in this section, and how you choose to configure these will depend on the security requirements of your organization.
Once you have configured the required settings for your BitLocker policy, click on OK, then OK again, and finally, click on Create.
The policy is now created and you can assign the policy to the required users and devices, as follows:
BitLocker is now deployed to your targeted devices and you will be able to monitor device and user status from within Intune to ensure that all required devices have the appropriate BitLocker data encryption settings applied.
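For a single Azure AD-joined device, or to confirm what the Intune profile should produce, the same result can be reached from PowerShell. The following script is an added example, not code from the book or from Microsoft; it assumes the BitLocker PowerShell module is present, that the script runs elevated on an Azure AD-joined Windows 10 device (BackupToAAD-BitLockerKeyProtector requires that), and that the OS volume is C:.

```powershell
# Added example (not from the book): check TPM readiness, enable BitLocker on
# the OS drive with a TPM protector plus a recovery password, escrow the
# recovery password to Azure AD, and report the resulting volume state.
# Assumptions: BitLocker module present; elevated session; Azure AD-joined device.

function Get-TpmReadiness {
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        # BitLocker expects TPM 1.2 or later; SpecVersion reports e.g. "2.0, 0, 1.16".
        SpecVersion = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }
    }
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected."
        return $vol
    }
    # Add the recovery password first so a recovery path exists before the TPM protector is added.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # XTS-AES 256, used-space-only encryption; TPM releases the key at boot.
    # For the multi-factor startup described above, use -TpmAndPinProtector -Pin <SecureString> instead.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
    # Escrow the recovery password to Azure AD so it appears on the device record in the portal.
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Get-BitLockerVolume -MountPoint $MountPoint
}

$tpm = Get-TpmReadiness
$tpm | Format-List
if (-not $tpm.Ready) {
    Write-Warning 'TPM is not ready; this device would need a USB startup key instead of a TPM protector.'
} else {
    Enable-OsDriveBitLocker |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
}
```

ProtectionStatus only turns to On once encryption is complete and the protectors are active, which is the same state Intune's encryption report waits for; a device stuck at EncryptionInProgress or with no RecoveryPassword protector is the one to chase before relying on the policy.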
So, to recap, BitLocker protects your Windows devices against loss or theft by ensuring that the devices are encrypted by settings that can be deployed by either Group Policy or Microsoft Intune.
In this chapter, we examined how Microsoft Defender ATP can be used to protect your organization's devices.
We showed you how to plan your Microsoft Defender ATP implementation, how to create your Microsoft Defender ATP instance, and how to manage and monitor the service.
We also examined how Microsoft Defender ATP can be integrated with Azure ATP and how the additional features of Microsoft Defender Application Guard, Microsoft Defender Application Control, and Microsoft Defender Exploit Guard can complement the core features, as well as how these features can be deployed by different methods, including System Center Configuration Manager, Group Policy, and Microsoft Intune.
Finally, we looked at how BitLocker can apply data protection and encryption to your Windows devices in order to safeguard them from loss, theft, or poor decommissioning practices.
In the next chapter, we will discuss message protection in Microsoft 365. We will show you how you can protect your emails in Exchange Online and apply anti-spoofing and anti-impersonation settings and anti-spam and anti-malware policies, as well as how to configure safe attachments and safe links within the Microsoft 365 Security & Compliance Center.
a. Microsoft 365 E5
b. Microsoft 365 E3
c. Windows 10 Enterprise E5
d. Windows 10 Enterprise E3
e. Enterprise Mobility + Security E3
a. True
b. False
a. securitycenter.windows.com
b. securitycenter.microsoft.com
c. securitycenter.windows.net
d. securitycenter.microsoft.net
a. Network Boundary
b. Endpoint Protection
c. Identity Protection
d. Administrative Templates
e. Domain Join
a. Control Panel | Windows Features
b. Access work or school
c. Settings
a. True
b. False
a. Configuration Management
b. Settings
c. Advanced Hunting
d. Automated Investigations
a. 30 days
b. 60 days
c. 90 days
d. 120 days
a. True
b. False
a. Current Status
b. Archived Events
c. Status History
d. Updates
e. Alerts
Please refer to the following links for more information: