Now, what about Microsoft Defender protection products? You notice I put a strikethrough through Windows, and I did that kind of tongue in cheek. Here's the situation. If you've been a Microsoft specialist for a while, then you already know that Microsoft is known for branding and rebranding and re-rebranding their products. It can be difficult to keep track. Well, some of these products have gone from being Windows Defender to Microsoft Defender, and this is one of them.

Let's take a look at the product family. I'm just going to say Defender here, but for the most part, these products are branded as Microsoft Defender to reflect the fact that a lot of these products, because of their cloud services, can protect both Windows and non-Windows operating systems, both Microsoft and non-Microsoft software, you see. Defender for Endpoint is a host-level antivirus, anti-malware solution client application. Defender for Identity is a cloud-based solution that monitors your local Active Directory domains. Defender for Cloud is built into Microsoft Azure and gives you hybrid cloud security hygiene. Defender for Servers is a subset of Defender for Cloud that's geared specifically for Windows Server and Linux machines, both running in Azure as well as outside of Azure. Those are all cloud-based services. Then we have system services like Defender Exploit Guard, which we just discussed, and then yet to be discussed today are Application Control and SmartScreen.

So the good news here is that under the Defender umbrella, you have a lot of security tools at your disposal. The bad news is that you may or may not see a reference to Microsoft Defender or Windows Defender on your exam, depending upon how current the exam is by the time you take it, but don't sweat it. Defender is Defender. And if there are any dramatic name changes, I will call those out in the training.

All right, so let's take a look next at Windows Defender Application Control, or WDAC. What's this? Well, this is taking the notion of trusted code to an extreme. And I'm not saying that's a bad thing. I'm saying that it can be a difficult thing, particularly for businesses that have a server infrastructure that's not really current or up to date. Bottom line is that WDAC allows you to configure your Windows servers such that only trusted or allowed device drivers and software can run. There are two enforcement modes here, Audit Only and Enforcement Enabled. You typically want to start with Audit Only just to iron out any potential problems where you might get a false positive, an app that should be allowed to run showing up as blocked, etc., or the inverse, and then once everything has been sufficiently tested, you do Enforcement Enabled.

Now, a benefit of Defender Application Control is that there are no system requirements. By contrast, Credential Guard, which we'll look at in a moment, uses hardware-based virtualization container infrastructure, I think that's what HVCI means, but bottom line is, it requires compatible hardware. Application Control you'd configure in software, but still you can expect quite a bit of testing and refactoring because, you know, when you think about a typical production server, some are really single use and maybe they're not as difficult to have just a strict allow list where all other code is denied, but in smaller businesses they may have a single server performing multiple roles and running different line-of-business applications. So, you can expect to invest some work in getting this to run, but again, the benefit is if a server is breached and a malicious user or process attempts to run code that's not allowed by your Application Control policy, it won't be allowed to run, and that's what we want.

Now you might be thinking, Tim, well, this Application Control sounds a bit like AppLocker. AppLocker has been a Windows Server feature for a number of years. However, it's basically deprecated. It's no longer receiving feature improvements. So, Microsoft really is steering customers such that if you're looking for a way to control systems so they can only run authorized code, you want to go for Defender Application Control, which, like I said, is a cloud service, so it has its own separate licensing scheme. Now, AppLocker, because it's not out of support totally, you could consider using it. Microsoft recommends that AppLocker might be useful to support down-level Windows versions, so if you have old Windows versions like 2012 R2, let's say, or maybe even 2016, or in other cases where you may not need or want DLL or driver enforcement. AppLocker only allows you to do scripts and binaries. WDAC allows you to manage DLL libraries, as well as device drivers, so it's much richer in terms of its control surface.
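The audit-first workflow described above, as an added PowerShell example that is not part of the course: it uses the built-in ConfigCI cmdlets to scan a reference server, deploy the policy in Audit Only mode, review what the policy would have blocked, and then flip the same policy to Enforcement Enabled. The file paths, scan root and the look-back window are assumptions; the Code Integrity event IDs 3076 (audit) and 3077 (enforced block) are the ones Windows writes for these two modes.

```powershell
# Added example (not from the course). Paths below are assumptions; adapt them.
$PolicyXml = 'C:\WDAC\ServerPolicy.xml'
$PolicyBin = 'C:\WDAC\ServerPolicy.bin'

# 1. Build an allow list from what is installed on the reference server today.
#    Publisher rules keep the policy small; unsigned files fall back to hash rules.
#    -UserPEs includes user-mode binaries as well as drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Start in Audit Only: rule option 3 is "Enabled:Audit Mode".
Set-RuleOption -FilePath $PolicyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Deploy ServerPolicy.bin (Group Policy, Intune, etc.) and let the server run normally.

# 3. After a test period, list everything the policy would have blocked.
#    Event 3076 = would be blocked (audit mode); 3077 = was blocked (enforced).
function Get-WdacAuditFindings {
    param([int]$Days = 7)   # look-back window (assumed default)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          [pscustomobject]@{
              Time    = $_.TimeCreated
              Mode    = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
              Message = $_.Message   # names the file and the process that tried to load it
          }
      }
}
Get-WdacAuditFindings | Format-Table -AutoSize -Wrap

# 4. Once every remaining audit hit is either unwanted code or covered by a rule you
#    added to the XML, remove the audit option so the same policy enforces.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# Redeploy ServerPolicy.bin: anything not allowed by the policy now fails to run.
```

Keep the audit period long enough to cover scheduled jobs and month-end tasks; a line-of-business application that runs only occasionally is exactly the false positive the course warns about.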