Tip 3 - Network Protection is important for Defender for Endpoint. With the use of Network Protection malicious sites and added indicators can be blocked. There are some important points which are commonly forgotten/ misconfigured for Windows.
Network Protection in itself is independent of MDE. The relationship between NP and MDE is the Custom Indicators features,C2-detection capability, WCF reporting, and some additional events. For Network Protection it is required to have Defender AV in active mode.
2/6
Configuration is possible with the use of Intune, GPO, PowerShell and other supported methods. Accepted configurations; Audit/ Block/ Disabled. Only block mode blocks the connection. For NP AV must be enabled with CP/RTP.
Some important info for the configuration.
3/6
For Windows 10/11/Server the setting "Enable Network Protection" is required.
For server there is some additional configuration required, without additional configuration NP is not working. (Currently not available in Endpoint Security profiles)
Good to know; when -EnableNetworkProtection is configured and the additional configs are not set for Windows Server 2012R2/ 2016/ 2019+. The recommendation (scid-96) in MDE shows "compliant"
Windows Server 2012R2/ 2016 required the new unified agent.
5/6
Network protection is the main blocking mechanism 3p party browsers. For Microsoft Edge it is required to configure Defender SmartScreen. Without Defender SmartScreen sites are not blocked/ prevented.
New Tenant Creation setting in AzureAD User Settings?
Yes, allows default users to create Azure AD tenants. No, allows only users with global administrator or tenant creator roles to create Azure AD tenants.
The default seems configured on Yes in all tenants. (1/2)
Tip 1: Enable Cloud Protection, Sample Submission, and cloud block timeout period for getting all MDE features enabled. Always use one of the options for sending samples to Microsoft. Never use "Do not send" which is disabling the complete feature.
Tip 2: Enable Network Protection in block mode for block custom indicators and block C2 infrastructure attacks. Did you know Windows Servers require additional configuration for getting NP enabled?
7 AzureAD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA Phishing. #azureAD#MicrosoftSecurity
Links included for more information to earlier posted blogs.
A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)