For SMBs, Microsoft offers a new layer of server protection

Credit to Author: Susan Bradley| Date: Mon, 25 Jul 2022 09:00:00 -0700

Do you run a small business with on-premises servers?

Chances are, you rely on technology that includes servers, whether they’re Windows- or Linux-based. With that in mind, Microsoft recently announced it’s previewing “server protection for small business” — bundling the offering with Microsoft Defender for Business.

This is noteworthy because until now, most Endpoint Detection and Response (EDR) solutions have been expensive and typically only deployed by larger enterprises. (EDR is an integrated, layered approach to endpoint protection that combines real-time continuous monitoring and endpoint data analytics with rule-based automated response.)

As Microsoft notes in the blog post announcing the move:

“The Microsoft Defender for Business servers experience delivers the same level of protection for both clients and servers within a single admin experience inside of Defender for Business, helping you to protect all your endpoints in one location.”

Currently, users can activate a trial for each server through the Microsoft 365 Defender security portal (which also recommends security settings to make your servers more secure). When Microsoft officially releases the product, it will cost $3 per server, per month. If you are a Microsoft 365 for Business customer, you can begin a trial and see what impact deploying it to your servers will have.

There are several ways to onboard servers: you can use local scripts, Group Policy, or Configuration Manager. One of the easiest ways to try out the new offering is to use the script process. First, turn on preview offerings: go to https://security.microsoft.com, then choose Settings > Endpoints > General > Advanced features > Preview features.

In the navigation pane, choose Settings > Endpoints, and then under Device management, choose Onboarding. Now select an operating system, such as Windows Server 1803, 2019, and 2022, and in the Deployment method section, choose Local script. Note: for these newer systems, you only need to run this script; no other installation steps are required. Simply run the script from an elevated command prompt. (If you don’t run the onboarding script with the correct permissions, it will alert you to do so.)

For older software such as Windows Server 2012 R2 and 2016, you’ll have two packages to download and run: an installation package and an onboarding package. The installation package specifically contains a file that installs the Defender for Business agent. Once you run the installation file, you run the script as if on one of the newer server platforms. Newer servers (and workstation operating systems) include the code for onboarding Defender automatically.

The specific command file to onboard servers is named WindowsDefenderATPLocalOnboardingScript.cmd. Your server should show up in the Defender console, though it’s not instantaneous. It might take a little while to show up.

Now, it’s time to review the recommendations and alerts.

First off, Defender gives you a timeline view of your systems — think of this as a cloud forensic system. You will soon find out that your servers (and for that matter your workstations) are very active objects, constantly sending commands and activity.

Defender’s view of your systems.

For example, in the screen above, “MpCmdRun.exe” is the Microsoft Malware Protection Command Line Utility and it’s performing activities on the server. The column on the right flags the potential security technique being used. Note that in this instance, the activity is not malicious; the console is only keeping track of normal server actions. In this case, it’s identified as a MITRE “credentials from password stores” activity.

Next, in the security recommendations section, you’ll see suggested adjustments you can use to better secure your small-business servers.

In the security recommendations section, you’ll see suggestions to better secure your servers.

Many of these recommendations have to do with Attack Surface Reduction rules that we often forget to enable on server installations.
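To see which Attack Surface Reduction rules are actually set on a server before working through the portal's recommendations, the following added example (not from the original article or from Microsoft) reads the local Defender preferences with the built-in `Get-MpPreference` cmdlet. The function name `Get-AsrRuleState` is hypothetical, and rule GUIDs are printed as stored rather than translated to rule names.

```powershell
# Added example: report the Attack Surface Reduction (ASR) rule state on this server.
# Run in an elevated PowerShell session on the server being reviewed.

function Get-AsrRuleState {   # hypothetical helper name
    [CmdletBinding()]
    param()

    # The Defender cmdlets are absent on hosts where Defender is not installed.
    if (-not (Get-Command -Name Get-MpPreference -ErrorAction SilentlyContinue)) {
        throw 'Get-MpPreference not found: the Defender PowerShell module is not available on this host.'
    }

    $pref = Get-MpPreference
    # Drop the single $null that comes back when no rule has ever been configured.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    if ($ids.Count -eq 0) { return }
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # Numeric action values as Defender stores them.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $value = [int]$actions[$i]
        $name  = if ($actionName.ContainsKey($value)) { $actionName[$value] } else { "Unknown ($value)" }
        [pscustomobject]@{
            RuleId   = $ids[$i]
            Action   = $name
            Blocking = ($value -eq 1)   # only Block mode actually stops the behaviour
        }
    }
}

$rules = @(Get-AsrRuleState)
if ($rules.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this server.'
} else {
    $rules | Sort-Object Action | Format-Table -AutoSize
    $notBlocking = @($rules | Where-Object { -not $_.Blocking })
    Write-Output ("{0} of {1} configured rules are not in Block mode." -f $notBlocking.Count, $rules.Count)
}
```

Rules in Audit mode only log what they would have blocked, which makes that mode a reasonable first step on a production server before switching a rule to Block.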

Linux servers can also be onboarded to the Defender for Servers console, though it’s unclear to me whether Linux-based network-attached storage units would be fully supported. Reach out to your NAS vendors to determine whether they will support the use of Defender for Servers on your Linux devices. To onboard a Linux device to your console, you’ll follow similar installation procedures. You can use a manual deployment script or Puppet, Ansible, or Chef configuration management tools.

Supported Linux server distributions include:

Be aware that that list does not include specific Linux distributions I often see in small business. For example, I routinely see NAS devices such as Synology in small businesses, and I’m not sure whether these will be supported by Defender for Servers. (I’ll be giving Microsoft feedback that it needs to add this style of NAS device to the support matrix.)

Also unclear at this time is the exact licensing structure required to use Defender for Servers. Currently, Defender for Endpoint for Server licensing mandates a certain minimum number of users (50). It’s unclear what number of Microsoft Defender for Business licenses can be owned to qualify for Defender for Servers or whether a minimum number of licenses is needed. We’ll have to wait until the product is officially released to know how the licensing works.

Bottom line: if you run a small business, I urge you to take a look at Defender for Servers. It will bring additional protection to your small-business network.
