Windows Server 2019 – Windows Defender Advanced Threat Protection


Windows Defender has been around for a number of years, but its terminology and capabilities have developed considerably over the last couple of OS releases. It started life as a free anti-spyware tool and became a full built-in antivirus product in the Windows 8 days, when it wasn't taken too seriously. Fast forward to today, however, and I rarely run across a Windows 10 computer that has the Defender Antivirus (AV) or firewall capabilities disabled. These tools ship with the OS and are enabled by default, and as a result they have a level of integration and responsiveness that is hard for third-party vendors to match. I can't tell you how many times I have tracked memory leaks and random server reboots back to a poorly functioning third-party antivirus product, which is unacceptable in today's server world. Some still consider the antivirus capabilities provided by Defender to be lackluster, probably only because they are free, but I find it to be robust and well integrated with Windows itself. I have yet to see a Windows Defender product tank a client or server.

Even the newer, more specific-sounding Windows Defender Advanced Threat Protection (ATP) is really a family of products and systems that work together to protect your Windows machines. Antivirus/anti-malware is only one of those capabilities, and built-in antivirus is still quite a new idea in the Windows Server family of OSes: Server 2016 was the first server OS to ship with Defender AV built in. I suspect that the majority of servers running in production around the world are still Server 2012 R2 at this point, so the much improved Defender toolset in Server 2019 is yet another reason to start planning your migration today.

We simply do not have enough page space to dive into every aspect of Windows Defender ATP, and it is continually being improved. What we will do is explore some of the interfaces, make sure you know how to use the most common components that don't require policy-level configuration, and point you toward some of the more advanced features that are available for further learning and digging.

Installing Windows Defender AV

You're done! Windows Defender is installed by default in Windows Server 2019. In fact, unless you have somehow changed it, not only is Defender AV installed, it is automatically protecting your system as soon as the OS is installed. But don't take my word for it: open Server Manager, choose Add roles and features, click ahead to the Select features page, and you should find a checked box next to Windows Defender Antivirus:

If it’s not already checked for some reason, then this is exactly the place to visit in order to get it installed and working.

Exploring the user interface

The interface for the Windows Defender toolset is the same as in the latest versions of Windows 10, but if you haven't explored that yet, we will take a quick look at it here. Go ahead and launch Settings from inside the Start menu, then click on Update & Security. Once inside that section, you will see Windows Security listed on the left. Here you get an overview of the different Defender components that are working together to protect your system. (A Server Core installation has no Settings app; there you read and change the same settings with the Get-MpPreference and Set-MpPreference PowerShell cmdlets.)

Remember, you have done nothing to enable any of this functionality; these are all out-of-the-box capabilities:

Clicking further into any of these Protection areas brings you more detailed descriptions of each capability, as well as options for enabling or disabling particular protections. For example, if you click on Virus & threat protection, you will see summary information about Defender AV, when its definition files were last updated, what it is scanning, and so on. Clicking further into a link called Manage settings gives you the option of disabling Defender AV if you ever have the need, as well as numerous other settings that can be turned on or off. Here is a screenshot of just a few of the settings available inside Defender AV. I chose to display these three because they are important to another topic we will cover shortly, when we discuss the ATP portion of Defender ATP:

Disabling Windows Defender

You already know that Defender AV is enabled by default, as are many other components that make up the Windows Defender family of products. By flipping the toggle shown in the previous screenshot, you can temporarily disable AV. Taking it a step further, if you are absolutely sure that you do not want to use Defender AV because you have your own AV software that you have already paid for, there are two different avenues you can take.

First, on Windows 10, Defender AV is designed to step down automatically when another AV product registers itself: install your third-party antivirus tool, and after the restart Defender AV stands down and lets the third-party product run, so that the two don't conflict. On Windows Server that step-down is not something to assume; after installing the other product, check Get-MpComputerStatus and confirm that real-time protection is actually off before you consider the job done. This matters because a fact that even many computer technicians don't realize is that running multiple AV programs on a single system is generally a terrible idea. They conflict with each other, cause memory allocation errors, and produce slow and strange behavior on the system.

If you are planning to use your own AV and want to make sure Defender is completely removed, you can uninstall the Defender feature entirely from your server. This is most easily done from an elevated PowerShell session, with the following command:

Uninstall-WindowsFeature -Name Windows-Defender 
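The following is an added PowerShell example, not code from the book: it covers both the install check from the Installing Windows Defender AV section and the step-down and removal decisions above. It assumes Windows Server 2019 with the ServerManager module available and, while Defender is installed, the Defender module; run it from an elevated session. The -WhatIf on the last command is deliberate so the script previews rather than performs the removal.

```powershell
# Added example (not from the book): inspect Defender AV's state on Windows Server 2019 and
# decide whether to install it, leave it alone, or remove it. Assumes the ServerManager module
# and, while Defender is installed, the Defender module. Run in an elevated PowerShell session.

function Get-DefenderState {
    # Feature view: the Windows-Defender* optional features (the engine, and the GUI where present)
    $features = Get-WindowsFeature -Name 'Windows-Defender*' |
        Select-Object Name, DisplayName, InstallState

    # Engine view: what the AV engine is doing right now. The Defender module disappears
    # when the feature is uninstalled, so treat a missing cmdlet as "not running".
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        $engine = [pscustomobject]@{
            AntivirusEnabled   = $s.AntivirusEnabled
            RealTimeProtection = $s.RealTimeProtectionEnabled
            SignatureAgeDays   = $s.AntivirusSignatureAge
            RunningMode        = $s.AMRunningMode   # $null on older engine builds that lack it
        }
    } catch {
        $engine = $null
    }

    [pscustomobject]@{ Features = $features; Engine = $engine }
}

$state = Get-DefenderState
$state.Features | Format-Table -AutoSize
$state.Engine   | Format-List

# Scenario 1: the feature exists but is not installed. This is the PowerShell twin of ticking
# the "Windows Defender Antivirus" box under Add roles and features.
$engineFeature = $state.Features | Where-Object Name -eq 'Windows-Defender'
if ($engineFeature -and $engineFeature.InstallState -ne 'Installed') {
    Install-WindowsFeature -Name Windows-Defender
}

# Scenario 2: a third-party AV has been installed and you expect Defender to have stepped
# down. On Windows Server do not take that on faith: real-time protection still on means
# two engines are filtering the same file I/O.
if ($state.Engine -and $state.Engine.RealTimeProtection) {
    Write-Warning 'Defender real-time protection is still on; it has not stepped down for your third-party AV.'
}

# Scenario 3: committed to the third-party product, so remove every Defender feature.
# -WhatIf previews the removal; drop it (and add -Restart) to really do it.
Get-WindowsFeature -Name 'Windows-Defender*' |
    Where-Object Installed |
    Uninstall-WindowsFeature -WhatIf
```

Piping the feature objects into Uninstall-WindowsFeature removes the GUI subfeature along with the engine, which the single-name command above does not necessarily do; check the preview output before removing the -WhatIf.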

What is ATP, anyway?

It's hard to pin down exactly what ATP means, because it is a culmination of Windows Defender parts, pieces, and security mechanisms working together to protect clients and servers from bad stuff: AV, firewalling, hardware-backed protections, and even specific resistance against ransomware. One caveat on naming: in Microsoft's own usage, Windows Defender ATP is the cloud-hosted detection and response service that machines are onboarded to under a separate license. What you see in the Windows Security section of Server 2019 is the set of on-box components that service builds on, and those components are what we work with here.

Something that should be incredibly intriguing to all of us is the smart way that Microsoft now uses cloud connectivity and computing to improve Defender AV on a daily basis. Whether we realize it or not, most of the internet-connected Windows machines in the world are now continuously helping each other out by reporting suspicious files and malicious activity up to Microsoft. This information is then parsed and investigated with machine learning, and the resulting verdicts can immediately be used by the rest of the Windows machines around the globe.

While this sounds a little Big Brother and full of privacy concerns, I believe we as a community will soon get over that fear and realize that the benefits outweigh the potential downsides. Millions of users now route their email through Office 365; you may not even realize it, but Office 365 does this kind of data handling as well in order to identify and block malicious attachments. For example, if an email address within a company suddenly sends a message to a large group of people, and that message contains a macro-enabled Word document, which is something that user does not typically do, Office 365 can very quickly take that document into an isolated sandbox, open it (or run it, if the attachment happens to be an executable), and discover whether the file is actually malware. If it is, Office 365 immediately starts blocking that file, stopping the spread of this potentially disastrous behavior. All of this happens without input from the user or from the company's IT staff. It is not even company-specific: if one of my users' mailboxes is the first to receive a new virus and it is identified by Microsoft, that discovery helps to block the new virus for any other customer who also hosts their email in Microsoft's cloud. This is pretty incredible stuff!

This same idea holds true for Defender AV, when you choose to allow it to communicate with and submit information to Microsoft’s cloud resources. Earlier, I pasted in a screenshot of some Defender AV capabilities called cloud-delivered protection and automatic sample submission—it is these pieces of Defender AV that allow this cloud-based magic to happen and benefit the entire computer population.
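The following added PowerShell example (not code from the book or from Microsoft) turns on the two cloud settings the screenshot refers to, cloud-delivered protection (MAPS reporting) and automatic sample submission, and reads them back, which is the only way to manage them on Server Core. It assumes the Defender module is present and that no Group Policy is overriding these preferences; the enumeration values in the comments are the ones Get-MpPreference returns.

```powershell
# Added example (not from the book): enable and verify Defender AV's cloud-delivered
# protection and sample submission from PowerShell. Assumes the Defender module and an
# elevated session, and that Group Policy is not overriding these preferences.

function Get-CloudProtectionState {
    $p = Get-MpPreference
    [pscustomobject]@{
        # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
        MAPSReporting        = $p.MAPSReporting
        # SubmitSamplesConsent: 0 = AlwaysPrompt, 1 = SendSafeSamples, 2 = NeverSend, 3 = SendAllSamples
        SubmitSamplesConsent = $p.SubmitSamplesConsent
        # CloudBlockLevel: 0 = Default, 2 = High, 4 = HighPlus, 6 = ZeroTolerance
        CloudBlockLevel      = $p.CloudBlockLevel
        # Extra seconds (0-50) the engine waits for a cloud verdict on top of the default 10
        CloudExtendedTimeout = $p.CloudExtendedTimeout
    }
}

function Enable-CloudProtection {
    param(
        [ValidateSet('SendSafeSamples', 'SendAllSamples', 'NeverSend')]
        [string] $Samples = 'SendSafeSamples'
    )
    # Advanced reporting sends the extra metadata (file origin, behaviour) that lets the
    # cloud engine block a never-before-seen file on first sight rather than waiting for a
    # signature update.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent $Samples

    # A higher block level is more aggressive and also produces more false positives on
    # line-of-business binaries; start on Default and raise it only after a bake-in period.
    Set-MpPreference -CloudBlockLevel Default -CloudExtendedTimeout 20
}

Enable-CloudProtection -Samples SendSafeSamples
$after = Get-CloudProtectionState
$after | Format-List

# Sanity check: several Exploit Guard features (network protection in particular) do nothing
# useful without MAPS reporting, so fail loudly if the setting did not stick.
if ($after.MAPSReporting -eq 0) {
    throw 'Cloud-delivered protection is still off; check the "Join Microsoft MAPS" Group Policy setting.'
}
```

SendSafeSamples submits only files Microsoft classifies as non-personal (executables and the like) and prompts for anything else; use NeverSend on servers that process regulated data if your policy forbids any upload, accepting that first-sight blocking degrades accordingly.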

Windows Defender ATP Exploit Guard

Once again, we are looking at what seems to be a long title for a technology that must have a very specific purpose, right? Nope. Exploit Guard is not a single new capability but a whole set of them baked into the Windows Defender family. Specifically, these protections are designed to detect and prevent some of the common behaviors used in current malware attacks. Here are the four primary components of Defender ATP Exploit Guard:

  • Attack Surface Reduction (ASR): ASR is a set of rules, each of which blocks one behavior that malware commonly relies on, rather than a file type as such: Office applications spawning child processes, email clients and webmail launching executable content, obfuscated scripts running, and so on. This helps mitigate malware installed by users clicking on email attachments or opening booby-trapped Office files. We are quickly learning as a computer society that we should never click on files in an email that appear to be executables, but a traditional computer user often won't know the difference between an executable and a legitimate file. ASR can block the running of any executable or script launched from inside an email client, regardless of what the user thought it was. Each rule can run in audit mode first, so you can see what it would have blocked before you enforce it.
  • Network protection: This extends the Windows Defender SmartScreen reputation checks, which previously applied only to the browser, to outbound connections from any process, so it can block potential malware from phoning home to the attacker's servers to siphon or transfer company data outside your company. Domains and IP addresses on the internet have reputation ratings, deeming them trusted or not depending on the traffic that has headed to them in the past. Network protection taps into those reputation databases to block outbound traffic to bad destinations; it depends on cloud-delivered protection being enabled.
  • Controlled folder access: Ransomware protection! This one is intriguing because ransomware is a top concern for any IT security professional. If you're not familiar with the concept, ransomware is malware that, once running on your computer, encrypts your files. Once encrypted, you have no way of opening or repairing those files without the decryption key, which the attackers will (most of the time) happily hand over to you for lots of money. Every year, many companies end up paying that ransom (and funding the next attack) because they do not have good protections or good backups from which to restore their information. Controlled folder access helps protect against ransomware by blocking untrusted processes from writing to areas of your disk that have been designated as protected; applications Microsoft recognizes as trustworthy are allowed through, and anything else you need can be added to an allow list.
  • Exploit protection: Generalized protection against many kinds of exploits that might take place on a computer. The exploit protection function of Defender ATP is a rollup of the capabilities of the Enhanced Mitigation Experience Toolkit (EMET), a separate download that reached end of life in mid-2018. Exploit protection applies memory-safety mitigations such as DEP, ASLR, and Control Flow Guard to the system as a whole, with per-executable overrides for both system processes and application executables, and an existing EMET XML configuration can be converted and imported.
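The following added PowerShell example (not code from the book) stages all four Exploit Guard components in audit mode and then pulls the audit events, which is the order a practitioner wants: see what would have been blocked, then enforce. It assumes Windows Server 2019 with the Defender module, an elevated session, and cloud-delivered protection already on (network protection needs it). The two ASR rule GUIDs are Microsoft's published identifiers for the named rules; the folder and application paths are placeholders you must replace.

```powershell
# Added example (not from the book): stage Exploit Guard in audit mode, then review the events
# that show what it would have blocked. Assumes Windows Server 2019, the Defender module, an
# elevated session, and cloud-delivered protection already enabled.

# 1. Attack Surface Reduction: behaviour rules, not file-type blocks. Ids and Actions are
#    parallel arrays. Add-MpPreference appends to the existing rule list; Set-MpPreference
#    would replace it, which is easy to do by accident.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
[string[]] $ruleIds = $asrRules.Keys
[string[]] $actions = $ruleIds | ForEach-Object { 'AuditMode' }   # AuditMode logs 1122 instead of blocking (1121)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleIds -AttackSurfaceReductionRules_Actions $actions

# 2. Network protection: SmartScreen reputation lookups for every process, not just the browser.
Set-MpPreference -EnableNetworkProtection AuditMode        # 1125 = would have blocked, 1126 = blocked

# 3. Controlled folder access: untrusted processes may not write to protected folders.
Set-MpPreference -EnableControlledFolderAccess AuditMode   # 1124 = would have blocked, 1123 = blocked
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'                    # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Backup\agent.exe'  # placeholder path

# 4. Exploit protection: the EMET successor. System-wide defaults plus a per-process override.
Set-ProcessMitigation -System -Enable DEP, SEHOP, CFG
Set-ProcessMitigation -Name 'notepad.exe' -Enable DisallowChildProcessCreation

# Review: pull the Exploit Guard audit/block events from the Defender operational log.
function Get-ExploitGuardEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Component'; e = {
            switch ($_.Id) {
                { $_ -in 1121, 1122 } { 'ASR' }
                { $_ -in 1123, 1124 } { 'ControlledFolderAccess' }
                { $_ -in 1125, 1126 } { 'NetworkProtection' }
            } } },
        @{ n = 'Mode'; e = { if ($_.Id -in 1122, 1124, 1125) { 'Audit' } else { 'Block' } } },
        Message
}

Get-ExploitGuardEvents -Hours 24 | Format-Table -AutoSize -Wrap

# Once the audit events show only hits you expect, switch AuditMode to Enabled, for example:
#   Set-MpPreference -EnableNetworkProtection Enabled -EnableControlledFolderAccess Enabled
#   Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleIds -AttackSurfaceReductionRules_Actions Enabled
```

Leave the server in audit mode for at least one full business cycle (month-end jobs, backup windows) before enforcing; controlled folder access in particular will block backup agents and line-of-business applications that write to the protected folders unless they are on the allowed-applications list, and the 1124 audit events are how you discover those before users do.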
