Defender for Business makes EDR and threat monitoring features included in more expensive Windows licenses accessible to smaller businesses. […]
At its recent Ignite conference, Microsoft announced a new product aimed at companies with fewer than 300 users or workstations: Microsoft Defender for Business. Any small business that has no automated way to investigate intrusions and other security incidents, or no endpoint detection and response (EDR) tooling at all, should evaluate this product. The same applies to managed service providers that support small businesses, and to companies whose suppliers are small businesses.
Defender for Business lets you monitor and control the built-in antivirus and adds cloud-delivered protection and detections, because Microsoft draws on the security telemetry from its cloud properties. For small businesses that have not invested in EDR, the console surfaces anomalies and flags when unusual events have occurred. The timeline feature lets you review the processes that ran on a system to determine what happened, and keeps a forensic copy of the workstation's process history in the cloud so that you can review it later.
Microsoft is also working on multi-tenant platforms for managed service providers that let them monitor and proactively manage many customers at once. Microsoft 365 Lighthouse gives an overview of security incidents and alerts across all customers onboarded to Lighthouse. An upcoming Microsoft seminar will provide more information about Microsoft Defender for Business.
If your company has access to Microsoft 365 E5 licenses and the Microsoft Defender Security Center, you are already familiar with the technologies included in this new offer. Any company licensed for Microsoft 365 Business Premium will be able to use it; otherwise it can be added for $3 per user per month.
Microsoft Defender for Business includes the Threat and Vulnerability Management console, which identifies vulnerabilities in the network so that companies can prioritize remediation. The dashboard provides an overall assessment of the vulnerabilities in your network and of the risk to your devices, broken down by applications, operating system, network, accounts, and security controls. This gives small businesses actionable information so that they do not become entry points into the larger businesses they work with.
Security recommendations from Microsoft Defender for Business
The Defender for Business consoles offer actionable security recommendations that make a network less vulnerable to attack. Security recommendations for applications include:
- Disable the execution or installation of downloaded software with an invalid signature
- Block outdated ActiveX controls for Internet Explorer
- Disable the password manager
Among the recommendations for protecting operating systems is enabling Local Security Authority (LSA) protection: a policy that forces LSA to run as a protected process light (PPL), so that code which is not itself signed and protected cannot inject into lsass.exe or read its memory. According to MITRE ATT&CK, this mitigation “protects processes with high privileges that can be used to interact with critical system components by using Protected Process Light, anti-process injection defenses, or other measures to enforce process integrity.”
Network recommendations include:
- Set the LAN Manager authentication level to “Send NTLMv2 response only. Refuse LM & NTLM”
- Disable SMBv1 client drivers
Moving away from SMBv1, the protocol abused by WannaCry and NotPetya, significantly reduces your exposure to ransomware that spreads laterally over SMB.
Recommendations for accounts include:
- Disable local storage of passwords and credentials for network authentication
- Set the account lockout threshold to 1-10 invalid login attempts
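The operating system, network and account recommendations above each map to a specific local setting. The following script is an added example (it is not from the article or from Microsoft) that audits those settings on one machine by reading the registry value each recommendation corresponds to, and remediates them when run with a -Remediate switch. The mapping of recommendation to registry value is standard Windows documentation; the check names, the -Remediate switch and the output format are this example's own choices.

```powershell
# Added example, not from the article or from Microsoft. Audits the operating
# system, network and account recommendations on the local machine by reading
# the registry value each one maps to, and remediates them with -Remediate.
# Run from an elevated PowerShell session.
#
#   Recommendation                            Registry value                    Hardened
#   LSA protection (LSA runs as PPL)          Control\Lsa\RunAsPPL              1 (2 = without UEFI lock)
#   NTLMv2 only, refuse LM & NTLM             Control\Lsa\LmCompatibilityLevel  5
#   No local storage of network credentials   Control\Lsa\DisableDomainCreds    1
#   SMBv1 client driver disabled              Services\mrxsmb10\Start           4
[CmdletBinding()]
param([switch]$Remediate)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Name = 'LSA runs as Protected Process Light';                 Path = $lsa; Value = 'RunAsPPL';             Good = @(1, 2); Set = 1 }
    @{ Name = 'LM authentication level: NTLMv2 only, refuse LM & NTLM'; Path = $lsa; Value = 'LmCompatibilityLevel'; Good = @(5);    Set = 5 }
    @{ Name = 'No local storage of network credentials';             Path = $lsa; Value = 'DisableDomainCreds';   Good = @(1);    Set = 1 }
    # If the mrxsmb10 service key is absent, the SMBv1 feature is not installed at all, which also passes.
    @{ Name = 'SMBv1 client driver (mrxsmb10) disabled'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'; Value = 'Start'; Good = @(4); Set = 4; AbsentIsGood = $true }
)

[array]$results = foreach ($c in $checks) {
    $item    = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($c.Value) } else { $null }
    $pass    = if ($null -eq $current) { [bool]$c.AbsentIsGood -and -not (Test-Path $c.Path) }
               else                    { $c.Good -contains $current }
    if (-not $pass -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Set -Type DWord
        $pass = $true
    }
    [pscustomobject]@{ Check = $c.Name; Current = $current; Pass = $pass }
}

# Account lockout threshold: the recommendation is 1-10 invalid attempts.
# 'net accounts' prints the effective local policy (English labels assumed);
# a threshold of 'Never' means lockout is switched off entirely.
$lockLine  = [string]((net accounts) | Where-Object { $_ -match '^Lockout threshold' })
$threshold = if ($lockLine -match ':\s+(\d+)\s*$') { [int]$Matches[1] } else { 0 }
$lockPass  = ($threshold -ge 1 -and $threshold -le 10)
if (-not $lockPass -and $Remediate) {
    net accounts /lockoutthreshold:10 | Out-Null
    $lockPass = $true
}
$results += [pscustomobject]@{ Check = 'Account lockout threshold 1-10'; Current = $threshold; Pass = $lockPass }

$results | Format-Table -AutoSize
if ($Remediate) {
    Write-Host 'RunAsPPL takes effect after a reboot. LmCompatibilityLevel 5 refuses LM and NTLMv1, which can break legacy devices that cannot speak NTLMv2; check audit logs for NTLMv1 use first.'
}
```

Run it once without -Remediate to see the current state, compare the failures with what the Defender for Business console reports for the same device, and only then apply the changes. Defender's console shows the same items as recommendations; this script is useful for a quick local check or for machines that are not onboarded yet.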
Recommendations for security controls include attack surface reduction (ASR) rules, such as:
- Block all Office applications from creating child processes
- Block executable files from running unless they meet a prevalence, age, or trusted-list criterion
Monitoring attack surface reduction rules
Defender for Business lets you monitor ASR rules easily. On Windows 10 Professional machines the rules can be configured via Group Policy, but their hits are only monitored and reported centrally if you have an enterprise license.
Attackers often use Office as an entry point into networks, and reviewing the ASR rules can better protect you against Office-based entry. ASR rules are also an important protection against ransomware. One rule you should enable as soon as possible, for example, is “Block all Office applications from creating child processes”. This Palantir blog introduces many of these settings that can be used to better protect networks, and shows which of them are easier to implement.
You usually need a Windows Enterprise license to enable and track all ASR rules; with Microsoft Defender for Business you get full tracking without one. The ASR rules include:
- Block abuse of exploited vulnerable signed drivers
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PsExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable files from running unless they meet a prevalence, age, or trusted-list criterion
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
- Block persistence through WMI event subscription
Test these rules in audit mode before enforcing them widely.
Microsoft Defender for Business as the primary antivirus protection
I recommend using Defender as your primary antivirus, especially if you are keeping up with the latest feature updates. Over the years I have tracked the side effects of service packs and feature updates, including their interaction with third-party antivirus software. If you plan to move to Windows 11, or to adopt Windows 10 feature updates more quickly in the future, I recommend that you make Windows Defender the default.
Microsoft tests Defender alongside each feature update, so side effects are either absent or quickly detected and quietly fixed. Some important features and protections also require Defender to be the default antivirus. ASR rules, for example, only apply when Microsoft Defender Antivirus is the active antivirus; if a third-party product is installed, Defender drops into passive mode and the rules are not enforced.