Microsoft Defender for Servers: Much-Needed Upgrade

Source:

Barnaby Noble Microsoft Security Consultant, Satisnet

Recently, Microsoft released a much-needed update to their endpoint detection and response (EDR) functionality on Windows Server 2012 R2 and 2016 editions (from this point forwards, referred to as 'servers in scope').

Prior to the release of the new preview editions, the only functionality available for the servers in scope was logging. This was achieved through the Microsoft Monitoring Agent (MMA) which provided the following functionality:

1. Software inventory

2. Timeline (used in conjunction with threat hunting)

3. Rudimentary alerting capabilities

4. Security recommendations

The installation process for the MMA is comparatively simple – all you need to do is deploy it via SCCM/GPO/manually and provide it with the workspace ID and key for your Defender Security workspace.

There are no remediation functions available through the MMA, so for the servers in scope you have no capability to isolate hosts, run virus scans or perform live response capabilities.

With the new EDR functionality on Windows Server, Microsoft have massively enhanced the response capabilities that Defender for Servers has. You no longer need System Centre Endpoint Protection (SCEP) to provide the AV functionality as this is incorporated into the Microsoft Defender for Windows Server update (available from the Security Centre portal).

You are also required to onboard the 2012 R2 and 2016 servers to Defender Security Centre via the onboarding script (available from the Security Centre portal), this can be done via group policy, SCCM, or manually. This functionality also requires the host to be fully updated to the latest Windows patch level.

Once updated, Defender is upgraded and the appliance is onboarded, your Windows Server 2012 R2 and 2016 now have the functionality to:

1. Run AV scans

2. Isolate devices

3. Software inventory

4. Timeline (used in conjunction with threat hunting)

5. Advanced alerting capabilities

6. Security recommendations

7. Discover vulnerabilities

8. Missing KBs

All of this provided in one unified dashboard, allowing you to run threat hunting queries across both your server and endpoint estate and leverage the vulnerability management suite Microsoft has to help your patching strategy...amongst much more!

Before rolling this to any production servers, remember at the time of writing, this functionality is in preview (which means this isn’t officially supported functionality) and the known issues and limitations list can be found here. It's worth noting that this functionality is not extended to Linux as of yet.

Happy Defending!

Reference

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide#known-issues-and-limitations