Microsoft Azure AZ-801 — Section 3: Secure Windows Server operating system Part 2
24. Activating a free trial for Windows Defender for Endpoint
Let’s talk about setting up Defender for Endpoint. If I go to Google and just do a search for Microsoft Defender for Endpoint, Microsoft has a Learn article about it. It basically tells you that Defender for Endpoint lets you manage your endpoints, your Windows-based machines, from the cloud: those machines act as behavioral sensors, detecting threats on your network and reporting to cloud security analytics in the Microsoft Defender dashboard that is part of the Microsoft 365 services. It also provides threat intelligence: the service pulls in the latest threat information and surfaces it for you in the Microsoft Defender dashboard.
So, you get a lot of capabilities and features with this. However, you don’t get the Defender for Endpoint capability with Microsoft 365 and Azure services right out of the gate. You have to activate it, so I want to show you how to do that. I’m going to go to portal.microsoft.com; we’ll just start there. We’ll click Show all, drop down where it says Billing, and go to Your products. If we click on Your products, you can see the licenses that you have available in your environment. Right now, I’ve got Enterprise Mobility + Security E5 and Microsoft 365 E5. Those are the current subscriptions that I have.
Now, if I go back over here and go to Purchase services, it shows all the different products. I’m just going to do a search for the word endpoint. If I scroll down, you’ll see Security and identity, and here it is, Microsoft Defender for Endpoint. I’m going to go with this P2 trial, click Details on it, and I can Start a free trial. So, I’m going to go ahead and click on that and start a free trial right now. It brings me to another portal where I confirm the trial, and it’s going to activate a free trial, currently for 3 months.
Now, keep in mind, they do change this periodically, so the amount of time they give you could be different depending on when you are doing this. This is your confirmation number. Now you have to assign the license to a user, so I’ll just hit Continue. If I click on Users, Active users, scroll down, and pick John Christopher (it doesn’t matter if you don’t have the same users as me, by the way), then Licenses and apps, there it is: Microsoft Defender for Endpoint. We’re going to go ahead and hit Save changes. Now, you might have to give this a little bit of time before it is fully functional.
Now, just to confirm, I did pause the recording after I did that. And I want you to know that it took about 3 hours before this finally took effect for me. I’m not really used to it taking that long. So, I don’t know if today was just an off day for the services. Sometimes when you have trial tenants and things, things take longer, but it did take about 3 hours.
So, how do I know that this is officially ready to go and turned on? I should be able to go to portal.microsoft.com, click Show all and then click on Security. That brings you into the Defender dashboard. You should have an area called Endpoints that will not show up until this is provisioned. And again, it took about 3 hours for me, so be advised; I don’t think it normally takes that long, but it did today. You might just have to be patient and come back a little bit later. But as you can see, it is officially turned on, and this is how I know: I have an area here called Endpoints, located in security.microsoft.com, which is the Microsoft 365 Defender dashboard.
25. Configure and manage Windows Defender for Endpoint
All right, now if I want to onboard a server into Microsoft Defender for Endpoint, the first thing I need to do is open up my web browser and go to security.microsoft.com. That brings me into the Microsoft 365 Defender dashboard. I’m going to scroll down and go to Settings, and once I get there I’m going to click on Endpoints. Basically, what we have to do is download a script that is going to onboard the server into Defender for Endpoint.
So, we’ll scroll down and go to Onboarding, and we’re going to choose the operating system. In my case, I’m running Server 2022, so I’m going to choose that one. Then I scroll down and I have an option for downloading the onboarding package, so we’re just going to click on that and wait for it to finish downloading.
Once it’s done downloading, I’m going to open up this little ZIP file, extract the script, and save it to my C drive in a folder I’ll call mdfe, for Microsoft Defender for Endpoint. We’ll just paste it in there. So, the script is now available. If we right-click Start, we could go to Windows PowerShell (Admin); actually, you know what, I’m going to open it up through a command prompt as an admin instead.
So, right-click, Run as administrator. Then we’ll cd to C:\, go into the mdfe folder, and run dir, and there is the script file. I’m going to go ahead and run this script; I just type W and hit Tab. It tells you that you’re about to run the script to onboard the machine into Defender for Endpoint, that it can take 5 to 30 minutes, and asks whether you are sure you want to do this. I’m going to go ahead and hit Y for Yes. It’s starting the service now.
Also, while this is running, something else to keep in mind: you have to have Microsoft Defender Antivirus installed on this machine, because the Defender for Endpoint sensor depends on it. So, if you do get an error, it may be because Defender Antivirus isn’t present. You should have it automatically, so it would be a situation where, maybe, your company has removed or disabled it for some reason. To verify, open Server Manager (hit Start, then Server Manager), let the little blue bar quit spinning, then go to Manage and Add Roles and Features. Next, Next, Next, move past the server selection screen onto the Features screen, and scroll down to Microsoft Defender Antivirus. Make sure that is checked; if it’s not installed, install it, because a missing Defender Antivirus will cause the onboarding to fail. Back in the command prompt, it looks like the script went through successfully; it says Press any key. So, everything’s good to go. We now officially have this server, NYC-SVR1, onboarded into Microsoft Defender for Endpoint.
Now, it shouldn’t take long, but I should be able to open up my web browser, come back over to the portal, and go to Assets, Devices, and it should show that the server is now officially onboarded, which it is. It may take a little bit of time to show the correct domain and other details; I notice that it can be a little bit out of date on some of what it shows. But now that we’ve done that, we have the ability to do things like vulnerability management: we can look at vulnerabilities and weaknesses on the machine and perform remediations. I’m not going to get into all the details on that right now, but now that we’ve got it onboarded, we have all these capabilities available to us for managing that machine.
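The checks from the walkthrough above, scripted, as an added example that is not part of the course material. It assumes the onboarding package was extracted to C:\mdfe (the folder used above) and that the package contains a single .cmd onboarding script; the feature name Windows-Defender and the registry location of OnboardingState are Microsoft's documented ones for Server 2019/2022.

```powershell
# Added example (not from the course): pre-flight check, onboarding, and
# verification for a local-script Defender for Endpoint onboarding.
# Assumptions: package extracted to C:\mdfe; run from an elevated PowerShell.
#Requires -RunAsAdministrator

$PackageDir = 'C:\mdfe'

# 1. Defender Antivirus must be present and running; the MDE sensor (Sense) depends on it.
$av = Get-WindowsFeature -Name Windows-Defender
if (-not $av.Installed) {
    Write-Host 'Microsoft Defender Antivirus feature is missing - installing it.'
    Install-WindowsFeature -Name Windows-Defender | Out-Null
}
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    throw 'Defender AV is installed but not enabled; onboarding will fail until it is.'
}

# 2. Run the onboarding script non-interactively (the .cmd normally prompts Y/N).
$script = Get-ChildItem -Path $PackageDir -Filter '*.cmd' | Select-Object -First 1
if (-not $script) { throw "No onboarding .cmd found in $PackageDir" }
Write-Host "Running $($script.Name) ..."
# Piping 'Y' answers the confirmation prompt; drop the pipe if you want to be asked.
'Y' | cmd.exe /c $script.FullName

# 3. Verify: OnboardingState = 1 and the Sense service running (may take a few minutes).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state   = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).OnboardingState
$sense   = Get-Service -Name Sense -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    DefenderAV      = $status.AMServiceEnabled
    OnboardingState = $state          # 1 = onboarded
    SenseService    = $sense.Status   # should be Running
    SenseStartType  = $sense.StartType
}
```

If OnboardingState is 1 but the device does not appear under Assets, Devices, give it the 5 to 30 minutes the script warns about; the Sense service has to report in once before the portal lists the machine.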
26. Configure and manage Windows Defender Credential Guard
Let’s talk about Defender Credential Guard now. Credential Guard is a feature we can deploy to our servers so that the credentials cached on a machine are protected from being stolen even when an attacker has already compromised the operating system. To see why that matters, imagine an attacker who gets physical access to a machine: they could reboot that computer into something like Kali Linux, reset an admin password, and log on as that admin. The offline password reset itself is what BitLocker prevents; what Credential Guard prevents is the next step, where an attacker with admin rights on the box dumps the NTLM hashes and Kerberos tickets of every account that has signed in to that machine from the LSASS process and reuses them elsewhere on the network.
So, that’s a little scary when you think about it. And I’ve done this before. I’ve actually done that; I’ve had to reset an admin password on a machine. There are two main ways you could solve the problem. One would be to use BitLocker to encrypt the hard drive. The other, of course, would be Credential Guard. It uses virtualization-based security (VBS), the Hyper-V hypervisor, to move the part of the Local Security Authority that holds those secrets into an isolated process (LSAIso) that runs in a separate virtual secure mode; think of it as a little virtual sandbox for the credentials. The normal Windows kernel cannot read that memory, even with SYSTEM rights, so tools that dump LSASS come back empty.
So, let me show you where this is at first off. We’re going to do this through a Group Policy. Here we are on NYC-DC1. I’m going to open up Server Manager, go to Tools and then Group Policy Management. From there, we can create a GPO; I’ll just call it credential_guard, for lack of a better name. Then I’m going to edit that GPO and go under Computer Configuration, Policies, Administrative Templates, System, and then Device Guard. There you’ll see Turn On Virtualization Based Security. Double-click that and set it to Enabled, and you get a few different options. Select Platform Security Level: choose Secure Boot and DMA Protection if your hardware also supports direct memory access protection (an IOMMU); if it doesn’t, or that causes a conflict, you can choose just Secure Boot. Virtualization Based Protection of Code Integrity (also known as HVCI) is Not Configured by default, so it wouldn’t be turned on; you can set it to Enabled with UEFI lock or Enabled without lock. You need to look at the type of firmware you’ve got, the Unified Extensible Firmware Interface; remember, over the years BIOS has been replaced by UEFI. If you’re dealing with an old computer that only has BIOS and doesn’t support UEFI with Secure Boot, you’re not going to be able to use this feature anyway. The help text tells you that this setting enables virtualization-based protection of kernel-mode code integrity; when it is enabled, kernel-mode memory protections are enforced and the code integrity validation path is protected by virtualization-based security.
So, the code integrity decisions themselves run inside the isolated environment, where a compromised kernel cannot tamper with them.
Now, what we really care about here is the UEFI lock. Even if you don’t quite understand all of the code-integrity detail right now, this is what matters: we want to turn this on, and if our firmware supports it, we want Enabled with UEFI lock. As the help text tells you, that option ensures the virtualization-based protection cannot be disabled remotely; nobody can send a command to your firmware to turn it off. In order to disable the feature, you must set the Group Policy to Disabled and also remove the security functionality from each computer with a physically present user. So, that means you physically have to be there. That’s the idea.
The main thing you need to know is that this one policy, Turn On Virtualization Based Security, is where Credential Guard lives. People can be fooled by the fact that there’s no separate GPO policy just called Credential Guard. You have to go to Computer Configuration, Policies, Administrative Templates, System, Device Guard, double-click this policy, and in the same dialog use the Credential Guard Configuration dropdown: set it to Enabled with UEFI lock (or Enabled without lock, if you want to be able to turn it off later with just a policy change). This is where the magic happens; enabling VBS alone does not isolate the LSA secrets. Just keep that in mind.
You also have the last option, Secure Launch Configuration. This setting configures Secure Launch (System Guard) to protect the boot chain, that is, the sequence of booting that happens on a computer. You could turn that on as well; again, your firmware and CPU have to support it, and a lot of computers nowadays do. At that point, click OK and link this GPO wherever you want, applying it at whichever level you need. And that’s how you implement Credential Guard.
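An added example, not from the course: the registry equivalents of the policy settings just described, useful on a non-domain-joined server or for a lab test before you link the GPO, followed by the check a practitioner actually wants, reading the Win32_DeviceGuard class to see whether Credential Guard is running. The registry value names and meanings are Microsoft's documented ones; the function names are this example's own.

```powershell
# Added example (not from the course). Local equivalents of
# "Turn On Virtualization Based Security" + Credential Guard Configuration,
# and a verification step. A reboot is required before the state changes.
#Requires -RunAsAdministrator

$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuardLocal {
    param([switch]$WithoutUefiLock)   # default mirrors "Enabled with UEFI lock"
    New-Item -Path $dg -Force | Out-Null
    # Turn On Virtualization Based Security = Enabled
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    # Select Platform Security Level: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Type DWord -Value 3
    # Credential Guard Configuration: 1 = Enabled with UEFI lock, 2 = Enabled without lock
    $flags = if ($WithoutUefiLock) { 2 } else { 1 }
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord -Value $flags
    Write-Host "Credential Guard configured (LsaCfgFlags=$flags). Reboot to apply."
}

function Get-CredentialGuardState {
    $info = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # AvailableSecurityProperties: 2 = Secure Boot, 3 = DMA protection
    [pscustomobject]@{
        VbsStatus                 = $info.VirtualizationBasedSecurityStatus   # 2 = running
        CredentialGuardConfigured = [bool]($info.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($info.SecurityServicesRunning    -contains 1)
        HvciRunning               = [bool]($info.SecurityServicesRunning    -contains 2)
        SecureBootAvailable       = [bool]($info.AvailableSecurityProperties -contains 2)
        DmaProtectionAvailable    = [bool]($info.AvailableSecurityProperties -contains 3)
        LsaIsoProcess             = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        LsaCfgFlags               = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

Enable-CredentialGuardLocal      # add -WithoutUefiLock if you need a remotely reversible config
Get-CredentialGuardState
```

When the GPO from the walkthrough applies instead, it writes the same values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, and Get-CredentialGuardState is still the right check: CredentialGuardRunning true and an LsaIso process present mean the secrets are isolated; Configured true but Running false after a reboot usually means the firmware (Secure Boot, UEFI, or the IOMMU for DMA protection) does not meet the platform level you selected.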
27. Configure SmartScreen
One of the nice little features we’ve had in our operating systems for quite a while now is the SmartScreen filtering capability that Microsoft introduced back when Internet Explorer was the main web browser. Of course, we have Edge now, and SmartScreen is a great feature because it checks URLs and downloads against Microsoft’s threat intelligence service to find out whether a website has been reported as phishing or malicious. This is a feature we can turn on not only on our client machines but also on our servers, and the way we’re going to do that is through a GPO, a Group Policy Object.
So, let’s take a quick look at how we could do that. Here we are on our NYC-DC1 machine. Open Server Manager, go to Tools and then Group Policy Management. Once you’re in Group Policy Management, create a GPO; I’m going to call it Enable SmartScreen, and again, obviously you can name it anything you want. Then I’ll edit it and go under Computer Configuration, Policies, Administrative Templates, Windows Components, and scroll down to Windows Defender SmartScreen. There are two folders under it: Explorer, which covers SmartScreen for apps and files launched from the shell, and Microsoft Edge, which is the browser one we’re turning on here. (Note that these Microsoft Edge settings target the legacy EdgeHTML browser built into Windows; the Chromium-based Edge is configured through its own separately downloaded ADMX templates.) So, in Microsoft Edge we’ll open Configure Windows Defender SmartScreen and set it to Enabled. It tells you that this policy lets you configure whether to turn SmartScreen on or off, and that Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. Then, if we want to prevent users from bypassing it, we’ll also enable Prevent bypassing Windows Defender SmartScreen prompts for sites. At that point, all we have to do is link the GPO: to the domain if we want it to go out to everybody, or to a particular organizational unit if we just want a certain group of machines. For example, I have a Workstations OU, but in my case I want it to go out to my servers as well, so that’s where I would link it.
And, of course, don’t forget that policies refresh every 90 to 120 minutes (90 minutes plus a random offset of up to 30), except on domain controllers, where it’s every 5 minutes. You can also run gpupdate /force to make that happen immediately.
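An added example, not from the course: after gpupdate on a target server, this audits which SmartScreen surfaces are actually policy-enforced by reading the policy registry keys that the Explorer and Microsoft Edge settings above write, plus the separate key used by the Chromium-based Edge ADMX. The key and value names are Microsoft's documented policy values; the function name is this example's own.

```powershell
# Added example (not from the course): which SmartScreen surfaces does policy
# actually enforce on this machine, and can the user click through?
function Get-SmartScreenPolicyState {
    # One entry per surface: policy key, the value that means "on",
    # and the value/expected content that means "cannot bypass".
    $surfaces = @(
        @{ Surface = 'Explorer (apps and files)'
           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
           On = 'EnableSmartScreen'; NoBypass = 'ShellSmartScreenLevel'; NoBypassValue = 'Block' },
        @{ Surface = 'Microsoft Edge (legacy EdgeHTML)'
           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'
           On = 'EnabledV9'; NoBypass = 'PreventOverride'; NoBypassValue = 1 },
        @{ Surface = 'Microsoft Edge (Chromium)'
           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
           On = 'SmartScreenEnabled'; NoBypass = 'PreventSmartScreenPromptOverride'; NoBypassValue = 1 }
    )
    foreach ($s in $surfaces) {
        $p = Get-ItemProperty -Path $s.Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Surface       = $s.Surface
            Enforced      = ($null -ne $p) -and ($p.($s.On) -eq 1)
            BypassBlocked = ($null -ne $p) -and ($p.($s.NoBypass) -eq $s.NoBypassValue)
            PolicyKey     = $s.Key
        }
    }
}

Get-SmartScreenPolicyState | Format-Table -AutoSize
```

A row with Enforced false means no policy is setting that surface, so the user (or a local admin) can turn SmartScreen off in the app itself; BypassBlocked false means the warning page still shows a "run anyway" or "continue to site" link. If you only configured the Microsoft Edge folder from the walkthrough, expect the Explorer and Chromium rows to come back false.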
28. Implement operating system security by using group policies
Now, when it comes to operating system security with Group Policy Objects, there are hundreds of policies that can help lock down your operating system. You will have to become familiar with the things you want to do and look up the specific policies that do them. So, if I want to, let’s say, disable certain encryption ciphers or certain authentication protocols, there are going to be policies for that, and I’ve got to look up exactly how. What I’m going to show you is the vicinity where a lot of that is found inside a GPO.
You should already be familiar with GPOs by now based on previous material that you have hopefully looked at, but I want to show you where this is located. Here we are on our NYC-DC1 server. Open Server Manager (hit Start, then Server Manager), go to Tools, and open Group Policy Management. Under my domain there’s Group Policy Objects; I could create a new GPO and call it OS Security. And again, don’t worry if you don’t have the same GPOs as me. I’m going to right-click the OS Security GPO and click Edit. What you’ll find is that the majority of the security settings for locking down your server are under Computer Configuration, Policies, Windows Settings, Security Settings. From there, the first place I recommend starting is Local Policies and then Security Options.
There are a lot of policies here that can lock down an operating system: blocking Microsoft accounts, enabling or disabling the Guest account, renaming the Administrator account so you don’t have an admin account literally called administrator, restricting CD-ROM access, altering LDAP signing and binding settings, controlling who can change the system time, restricting the old NTLM (NT LAN Manager) authentication protocol from being used, and managing User Account Control settings, which is the pop-up people get on their machines when something requires elevation to admin rights. So, there is lots and lots of stuff here. All you have to do is double-click one of these, and you can also look at the Explain tab, which gives you information about the setting.
So, the big thing you’ve got to do as an admin is decide, “What are the things I want to do, what do I need to lock down?” You might have to do a little searching, but you can probably find a policy that does what you want. The problem is there are over 4000 policies here, so you need to figure out what it is you’re trying to accomplish, do a little searching, and there’s probably a policy for it. For example, with Restricted Groups I can control exactly which users are members of a group. That way, if you’ve got other admins who keep adding people to groups or removing people from them, you can enforce that certain people must be members of a group, or that certain people can’t be. You can also control which services start on people’s machines or on your server, add registry settings, and enable auditing to monitor your server. Once you’ve configured all that, you might have an organizational unit called Servers or something, and you would link this GPO to that OU.
I can set that up very easily by going into Active Directory Users and Computers. I could say New, and create an organizational unit called Servers, and then drag and drop my NYC-SRV1 into it. My domain controller, NYC-DC1, is going to stay where it is, but my member servers will live in the Servers OU. From there, let me just refresh and see if it appears. It doesn’t look like it’s going to. There it goes, it did appear. So, if I came over to Group Policy Management and had my policy configured, I could just drag and drop it onto that OU. At that point you have 90 to 120 minutes for it to take effect, or you could always jump over to the server and run gpupdate /force to have it applied immediately.
So, that’s the thing. There are thousands of policies; you have to decide what you want to do, look up how to do it, and implement it in a GPO. And that is how you apply a GPO to restrict operating system settings.
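The procedure from this section, scripted with the ActiveDirectory and GroupPolicy modules (available on the domain controller), as an added example that is not part of the course. The OU, GPO and computer names are the ones from the walkthrough; the three Security Options chosen are illustrative picks, written as the registry values those policies set.

```powershell
# Added example (not from the course): create the Servers OU, move the member server
# into it, build the OS Security GPO with a few Security Options, link it, and push it.
# Run on a DC (or a box with RSAT) as a domain admin.
#Requires -Modules ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Servers'
$gpoName  = 'OS Security'
$server   = 'NYC-SRV1'   # name from the walkthrough

# 1. Create the OU (idempotent) and move the member server into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -ErrorAction SilentlyContinue
if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru }
$computer = Get-ADComputer -Identity $server
if ($computer.DistinguishedName -notlike "*,$($ou.DistinguishedName)") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ou.DistinguishedName
}

# 2. Create the GPO and set three Security Options via the registry values they control.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$lsaKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
# "Network security: LAN Manager authentication level" = Send NTLMv2 response only. Refuse LM & NTLM
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName LmCompatibilityLevel  -Type DWord -Value 5 | Out-Null
# "Network security: Do not store LAN Manager hash value on next password change" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName NoLMHash              -Type DWord -Value 1 | Out-Null
# "Accounts: Limit local account use of blank passwords to console logon only" = Enabled
Set-GPRegistryValue -Name $gpoName -Key $lsaKey -ValueName LimitBlankPasswordUse -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the Servers OU (skip if already linked), then push it rather than
#    waiting the 90 to 120 minutes for the background refresh.
$linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null }
Invoke-GPUpdate -Computer $server -Force -RandomDelayInMinutes 0

# 4. Confirm on the target that the values landed.
Invoke-Command -ComputerName $server -ScriptBlock {
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' |
        Select-Object LmCompatibilityLevel, NoLMHash, LimitBlankPasswordUse
}
```

One caveat on step 2: Set-GPRegistryValue writes to the GPO's registry.pol, so the GPMC report shows these under Administrative Templates as extra registry settings rather than under Security Settings, Security Options. The registry values are the same ones those Security Options policies set, so the effect on the server is identical, but if you want them displayed under Security Options you still have to set them in the GPO editor (or import a security template with secedit).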