Connection security rules are used to configure how and when authentication occurs. These rules do not specifically allow connections; that’s the job of inbound and outbound rules.
You can configure the following connection security rules:
Isolation: To restrict a connection based on authentication criteria
Authentication Exemption: To specify computers that are exempt from authentication requirements
Server-to-Server: To authenticate connections between computers
Tunnel: To authenticate connections between gateway computers
Custom: To create a customized connection security rule
Monitoring
The Monitoring section shows detailed information about the firewall configurations for the Domain Profile, Private Profile, and Public Profile settings. These network location profiles determine what settings are enforced for private networks, public networks, and networks connected to a domain.
Use More Than Just Windows Defender Firewall
When I am doing consulting, it always concerns me when I see small to midsized companies using Windows Defender Firewall and no other protection. Windows Defender Firewall should be your last line of defense. You need to make sure that you have good hardware firewalls that separate your network from the world. Also watch Windows Defender Firewall when it comes to printing. I have run into many situations where a printer that needs to communicate with the operating system has issues when Windows Defender Firewall is enabled. If this happens, make sure that the printer is allowed in the Allowed Programs section.
Datacenter Firewall
Firewalls allow you to set up policies on who or what is allowed past the firewall. For example, if you want to allow DNS traffic to pass through the firewall, you would enable port 53. If you want the traffic to leave the company network, you would configure port 53 outbound; if you want the traffic to enter the company network, you would configure port 53 inbound.
Datacenter Firewall, introduced with Windows Server 2022, is a network-layer, stateful, multitenant firewall. Network administrators who work with virtual network tenants can install it and then configure firewall policies. These firewall policies help protect their virtual networks from unwanted traffic from Internet and intranet networks.
The Datacenter Firewall allows you to set up granular access control lists (ACLs). This way, you can apply firewall policies at the VM interface level or at the subnet level. To create ACLs on the Datacenter Firewall, use Windows PowerShell. The following is an example of the PowerShell command that is used to assign the ACL to the AccessControlList property of the network interface.
$nic.properties.ipconfigurations[0].properties.AccessControlList = $acl
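The following is an added example (not from the book) that carries the assignment above through end to end: it builds a Datacenter Firewall ACL that allows only inbound DNS (the port 53 case from the text) and denies all other inbound traffic, then attaches it to a VM network interface. The Network Controller REST URI and the NIC resource ID are assumed placeholder values.

```powershell
# Added example, not from the book. Assumed values: the Network Controller REST
# endpoint and the network interface resource ID.
$uri   = "https://nc.contoso.local"   # assumed Network Controller REST endpoint
$nicId = "WebVM01_Ethernet1"          # assumed NIC resource ID

# Helper (hypothetical name): build one AclRule. Lower Priority values are evaluated first.
function New-DcfwAclRule {
    param([string]$Id, [string]$Protocol, [string]$DstPorts,
          [string]$Action, [int]$Priority, [string]$Type)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol      # "TCP", "UDP", or "All"
    $p.SourcePortRange          = "0-65535"
    $p.DestinationPortRange     = $DstPorts
    $p.Action                   = $Action        # "Allow" or "Deny"
    $p.SourceAddressPrefix      = "*"
    $p.DestinationAddressPrefix = "*"
    $p.Priority                 = "$Priority"
    $p.Type                     = $Type          # "Inbound" or "Outbound"
    $p.Logging                  = "Enabled"      # keep a record of matches for monitoring
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = $p
    return $rule
}

# Allow inbound DNS over UDP and TCP, then deny every other inbound flow.
$rules = @(
    (New-DcfwAclRule -Id "Allow_DNS_UDP_In" -Protocol "UDP" -DstPorts "53"      -Action "Allow" -Priority 100 -Type "Inbound"),
    (New-DcfwAclRule -Id "Allow_DNS_TCP_In" -Protocol "TCP" -DstPorts "53"      -Action "Allow" -Priority 110 -Type "Inbound"),
    (New-DcfwAclRule -Id "Deny_All_In"      -Protocol "All" -DstPorts "0-65535" -Action "Deny"  -Priority 200 -Type "Inbound")
)

# Create the ACL resource on the Network Controller.
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DNS_Only_Inbound" -Properties $aclProps
$acl = Get-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "DNS_Only_Inbound"

# Fetch the NIC, attach the ACL to its first IP configuration (the line from the text), and write it back.
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nicId
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nic.ResourceId -Properties $nic.Properties
```

Verify the result with Get-NetworkControllerNetworkInterface and confirm the AccessControlList reference on the IP configuration points at the new ACL before relying on it.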
Windows Server 2022 Datacenter Firewalls give you the following tenant benefits:
■ You have the ability to define firewall rules that help protect Internet-facing workloads on virtual networks.
■ You can define firewall rules to protect data between virtual machines on the same layer 2 or different layer 2 virtual subnets.
■ You can define firewall rules to protect and isolate network traffic between tenants on a virtual network from a service provider.
Now that we have taken a look at Windows Defender Firewall, let’s look at protecting your Windows devices by using Microsoft Defender.
Managing Security
Another way that you can help defend your corporate devices is by using Microsoft Defender. Microsoft Defender has many different tools that allow you to control and protect your company’s Windows devices.
Earlier in the chapter, I talked about using Windows Security. Now we are going to look at using Microsoft Defender for Endpoint.
Implementing Microsoft Defender for Endpoint
When talking about Microsoft Defender, it can be a little confusing to people. The reason for this is that Windows 10/11 comes with Microsoft Defender and Azure also now comes with Microsoft Defender. So, when IT people are discussing Defender, it’s important that they specify which version they are talking about. We’ll discuss Azure’s version of Microsoft Defender and the benefits that it provides to organizations.
Microsoft Defender for Identity (previously called Azure Advanced Threat Protection) allows organizations to monitor domain controller traffic whereas Microsoft Defender for Endpoint (previously called Microsoft Defender Advanced Threat Protection) allows organizations to monitor endpoints (for example, users’ devices). Organizations can use both of these defenses together for the best possible protection, and both can be managed by using a single Azure interface.
When deciding to integrate Microsoft Defender for Identity and Microsoft Defender for Endpoint together, you get the benefits of both systems working together. Some of these benefits are as follows:
Endpoint Behavioral Sensors: Endpoint behavioral sensors are built into the Windows 10/11 operating system, and these sensors gather and process behavioral data for things like the Registry, files, processes, and communications. This data is then sent to Microsoft Defender for Endpoint.
Microsoft Defender for Identity Sensors and Stand-Alone Sensors: These sensors can be placed directly onto your domain controllers, or they can be set up to port mirror directly from your domain controller to Microsoft Defender for Identity. These sensors have the ability to collect and parse traffic for multiple protocols used for authentication or authorization, or simply for information gathering.
Threat Intelligence: Threat intelligence consists of multiple Microsoft tools, security groups, and third-party threat defense partners. Threat intelligence allows Microsoft Defender for Endpoint to properly recognize tools and activities that hackers use and then report alerts when those tools or activities are observed.
Cloud Security Analytics: Cloud security analytics uses multiple detection signals and Microsoft insights to detect and recommend protection against advanced threats.
Microsoft Defender for Identity uses several technologies to detect suspicious behavior during all phases of a cyber-based attack. These phases include:
Investigation Phase (Reconnaissance): This is the phase where hackers gather information on a target organization. This phase can include information gathering by using Internet investigation, dumpster diving, etc.
Scanning Phase: This phase is when an attacker tries to scan for vulnerabilities. This can include port scanning (looking for open ports to access), vulnerability scanning (looking for known vulnerabilities), and network scanning (looking at network components like routers and firewalls).
Access Phase: This is the phase when hackers try to gain access to your network based on the investigation and scanning phases.
Maintaining Access Phase: This is the phase when hackers try to put back doors or software in place so that they can continue to gain access to your network.
Clearing Their Tracks Phase: Hackers who are any good will try to clear their tracks so that no one knows they were there. In this phase, hackers will try to delete logs and any evidence that the hack even took place.
Microsoft Defender for Endpoint uses Microsoft technologies and expertise to help detect and stop the different phases of an attack. Microsoft has put advanced methods in place to detect hacking before the hacks take place. Microsoft Defender for Endpoint provides several benefits, as shown in Figure 15.8.
FIGURE 15.8 Microsoft Defender for Endpoint
As of this writing, Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. A new add-on called Microsoft Defender Vulnerability Management is available for Plan 2. These plans provide you with advanced threat protection, including antivirus and antimalware protection, ransomware mitigation, and more. They also provide centralized management and reporting.
The information in Table 15.2 was taken directly from Microsoft’s website.
TABLE 15.2 Comparison of Microsoft’s endpoint security plans
Plan | What’s included |
Defender for Endpoint Plan 1 | Next-generation protection (includes antimalware and antivirus); Attack surface reduction; Manual response actions; Centralized management; Security reports; APIs; Support for Windows 10/11, iOS, Android OS, and macOS devices |
Defender for Endpoint Plan 2 | All of the Defender for Endpoint Plan 1 capabilities, plus: Device discovery; Device inventory; Core Defender Vulnerability Management capabilities; Threat Analytics; Automated investigation and response; Advanced hunting; Endpoint detection and response; Microsoft Threat Experts; Support for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux) |
Defender Vulnerability Management add-on | More Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2: Security baselines assessment; Block vulnerable applications; Browser extensions; Digital certificate assessment; Network share analysis; Support for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux) |
Microsoft Defender for Endpoint Plan 1 is available as a stand-alone subscription for commercial and education customers and is also included as part of Microsoft 365 E3/A3. Microsoft Defender for Endpoint Plan 2, which was previously called Microsoft Defender for Endpoint, is available as a stand-alone subscription. It’s also included as part of the following plans:
■ Windows 11 Enterprise E5/A5
■ Windows 10 Enterprise E5/A5
■ Microsoft 365 E5/A5/G5 (which includes Windows 10 or Windows 11 Enterprise E5)
■ Microsoft 365 E5/A5/G5/F5 Security
■ Microsoft 365 F5 Security & Compliance