Jeffrey Appel | Microsoft MVP
Nov 1, 2022
MDE thread: Part 4A of the MDE series is online, focusing on AV baselines and policies.

Policy configuration is important. A small thread of 8 Defender Antivirus config tips that are often not applied or underrated.

Blog; jeffreyappel.nl/microsoft-defe…

#MDE
Tip 1: Enable Cloud Protection, Sample Submission, and the cloud block timeout period to get all MDE features enabled. Always use one of the options for sending samples to Microsoft. Never use "Do not send", which disables the complete feature (block at first sight and the cloud block level depend on cloud-delivered protection).
Tip 2: Enable Network Protection in block mode to block custom indicators and C2 infrastructure attacks. Did you know Windows Servers require additional configuration to get NP enabled? On Windows Server the AllowNetworkProtectionOnWinServer (and, for older versions, AllowNetworkProtectionDownLevel) setting must be set in addition to the block mode itself.
Tip 3: Configure the correct signature update settings. Use a quick update interval (1 hour) and avoid WSUS/MECM as the update source. Don't use slow frequencies to "skip" bad updates: Microsoft is really quick in deploying fixes, and the more frequent the signature updates, the better.
Tip 4: Disable Local Admin Merge to prevent local admins from managing exclusions locally. Always manage exclusions from centralized systems (Intune/GPO/MECM). Note that this does not completely remove the local admin's permission to add exclusions; it only stops the locally added ones from being merged into the effective policy.
Tip 5: A quick scan alone is fine in combination with all cloud protection and AIR features. Use a full scan only in case of incidents or as the first scan on a machine after onboarding.
Tip 6: Always enable Tamper Protection. There are no excuses anymore, not even "we need to do some troubleshooting": the new troubleshooting mode is available, which disables Tamper Protection for a short time. More information: jeffreyappel.nl/microsoft-defe…
Tip 7: Enable Windows Firewall for all profiles (Domain, Private, Public) and enable additional auditing events for more in-depth network details in MDE.

Audit events:

Audit Filtering Platform Packet Drop
Audit Filtering Platform Connection

More in part 4B of the series.
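The script below is an added example, not code from the original thread. It checks a Windows endpoint against Tips 1 to 7 with Get-MpPreference, Get-MpComputerStatus and Get-NetFirewallProfile, and with the -Apply switch writes the intended values locally. The target values in $Desired are assumptions taken from the tips above; in production the baseline belongs in Intune/GPO/MECM (Tip 4), so treat this as an audit and lab helper. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original thread): audit a Windows client against the
# Defender AV tips above and, with -Apply, set the intended values locally.
# Target values are assumptions based on the tips; adjust to your own baseline.
# Tamper Protection (Tip 6) cannot be enabled from PowerShell; it is reported only,
# and while it is on, Set-MpPreference changes to protected settings are refused.
[CmdletBinding()]
param(
    [switch]$Apply
)

# Desired state per tip. Keys match the property names returned by Get-MpPreference,
# so the same hashtable can be splatted into Set-MpPreference.
$Desired = [ordered]@{
    # Tip 1: cloud-delivered protection, sample submission, extended cloud block timeout
    MAPSReporting                     = 2       # 2 = Advanced
    SubmitSamplesConsent              = 1       # 1 = Send safe samples (2 = Never send is the setting to avoid)
    CloudBlockLevel                   = 2       # 2 = High
    CloudExtendedTimeout              = 50      # extra seconds the cloud may hold a suspicious file, 0-50
    # Tip 2: Network Protection in block mode; the Allow* flags are what Windows Server needs
    EnableNetworkProtection           = 1       # 1 = Enabled (block), 2 = Audit, 0 = Disabled
    AllowNetworkProtectionOnWinServer = $true
    AllowNetworkProtectionDownLevel   = $true
    # Tip 3: hourly signature updates, straight from Microsoft rather than WSUS/MECM
    SignatureUpdateInterval           = 1       # hours
    SignatureFallbackOrder            = 'MicrosoftUpdateServer|MMPC'
    # Tip 4: do not merge locally defined exclusions into the effective policy
    DisableLocalAdminMerge            = $true
    # Tip 5: the scheduled scan is a quick scan
    ScanParameters                    = 1       # 1 = QuickScan, 2 = FullScan
}

function Get-MpBaselineDrift {
    # Returns one object per setting whose current value differs from $Desired.
    $pref = Get-MpPreference
    foreach ($name in $Desired.Keys) {
        $current = $pref.$name
        $want    = $Desired[$name]
        # String comparison handles enums, integers and booleans uniformly.
        if ("$current" -ne "$want") {
            [pscustomobject]@{ Setting = $name; Current = $current; Desired = $want }
        }
    }
}

$drift = @(Get-MpBaselineDrift)
if ($drift.Count -eq 0) {
    Write-Host 'Tips 1-5: all Defender AV preferences match the baseline.'
} else {
    Write-Host 'Tips 1-5: drift detected:'
    $drift | Format-Table -AutoSize | Out-String | Write-Host
}

# Tip 6: report Tamper Protection state (enable it through Intune or the Defender portal).
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    Write-Warning 'Tip 6: Tamper Protection is OFF on this device.'
}
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender AV is not in active mode (AMRunningMode = $($status.AMRunningMode)); Network Protection needs active mode."
}

# Tip 7: every firewall profile enabled; WFP audit subcategories on for richer network events.
$disabledProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
if ($disabledProfiles.Count -gt 0) {
    Write-Warning ("Tip 7: Windows Firewall disabled for profile(s): " + ($disabledProfiles.Name -join ', '))
}

if ($Apply) {
    if ($drift.Count -gt 0) {
        # Only push the settings that actually drifted.
        $params = @{}
        foreach ($d in $drift) { $params[$d.Setting] = $Desired[$d.Setting] }
        Set-MpPreference @params
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    # The two audit subcategories named in Tip 7; success and failure both enabled.
    auditpol /set /subcategory:'Filtering Platform Packet Drop' /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:'Filtering Platform Connection' /success:enable /failure:enable | Out-Null
    Write-Host 'Applied local baseline and WFP audit policy.'
}
```

Run it without parameters first to see the drift table; the -Apply run is only for lab machines or for confirming what a centrally managed policy should look like. The Filtering Platform Connection subcategory is noisy on busy servers, so check event volume before enabling it fleet-wide.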
Tip 8: New to Defender for Endpoint and Defender AV? I really recommend watching the Virtual Ninja episodes by @HeikeRitter. Episode 2 starts tomorrow with some brand-new content.

adoption.microsoft.com/en-us/ninja-sh…

More from @JeffreyAppel7

Jan 19, 2023
Tip 3 - Network Protection is important for Defender for Endpoint. With the use of Network Protection, malicious sites and added indicators can be blocked. There are some important points which are commonly forgotten or misconfigured for Windows.

1/6

#30daysofm365d #MDE
Network Protection in itself is independent of MDE. The relationship between NP and MDE is the Custom Indicators feature, the C2-detection capability, WCF reporting, and some additional events. For Network Protection it is required to have Defender AV in active mode.

2/6
Configuration is possible with the use of Intune, GPO, PowerShell and other supported methods. Accepted configurations: Audit/Block/Disabled. Only block mode blocks the connection. For NP, AV must be enabled with CP/RTP.

Some important info for the configuration.

3/6
Nov 17, 2022
New Tenant Creation setting in AzureAD User Settings?

Yes allows default users to create Azure AD tenants. No allows only users with the Global Administrator or Tenant Creator roles to create Azure AD tenants.

The default seems to be configured to Yes in all tenants. (1/2)

#AzureAD
'Yes' allows default users to create new AAD tenants in the environment. In my opinion, is it not better to force 'No' as the default?

I don't see any reason why normal users need to create AAD tenants. Though I could be wrong. Curious about the opinion of others.

(2/2)
Update: The feature is not visible anymore in the regular portal. It is still available via the preview portal. preview.portal.azure.com/#view/Microsof…
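The same setting is exposed through Microsoft Graph as the allowedToCreateTenants flag on the tenant's authorization policy. The snippet below is an added example, not part of the original thread: it reads the current value and, with -Enforce, sets it to the 'No' behaviour the thread argues for. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to Policy.ReadWrite.Authorization.

```powershell
# Added example (not from the original thread): inspect and optionally disable
# "Users can create Azure AD tenants" via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and a privileged account.
[CmdletBinding()]
param(
    [switch]$Enforce
)

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

# authorizationPolicy is a tenant-wide singleton; defaultUserRolePermissions holds the flag.
$policy  = Get-MgPolicyAuthorizationPolicy
$allowed = $policy.DefaultUserRolePermissions.AllowedToCreateTenants
Write-Host "Default users allowed to create tenants: $allowed"

if ($allowed -and $Enforce) {
    # Equivalent to switching the portal setting from Yes to No.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ AllowedToCreateTenants = $false }
    $after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.AllowedToCreateTenants
    Write-Host "After update, default users allowed to create tenants: $after"
}
```

Users holding the Tenant Creator or Global Administrator role keep the ability regardless of this flag, so the change only removes it from ordinary members.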
Aug 23, 2022
7 Azure AD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA phishing. #azureAD #MicrosoftSecurity

Links to earlier posted blogs are included for more information.

A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:

- Azure MFA number matching (preview)
- Show additional context in notifications (preview)

Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
Tip 2 (1/2): Adversary-in-the-middle (AiTM) attacks are growing and are detected more in the wild. Prevention using:

- Use phish-resistant MFA
- Protect against attacks using Conditional Access
- Use CA: Require device to be marked as compliant / marked as HAADJ

jeffreyappel.nl/protect-agains…