Connecting servers without Internet access to Windows Defender ATP
Published Nov 27 2017 12:12 AM

With the Windows 10 Fall Creators Update, Windows Defender ATP has extended its advanced attack detection and investigation capabilities to Windows Server operating systems.

 

A new Windows Defender ATP sensor for servers monitors activity on the server endpoint and reports it to the Windows Defender ATP cloud service, where it is used to detect attacker activity and to support incident response.

 

In some cases, though, security policy prevents servers from connecting to the Internet, and therefore from communicating with the service.

 

If your IT security policy does not allow servers on your network to connect to the Internet, they can still report to the Windows Defender ATP cloud service through the OMS Gateway. The monitored servers themselves never need Internet connectivity, so they remain compliant with the policy:

 

  • The OMS Gateway is an HTTP forward proxy: it accepts the sensor's outbound connections and forwards them to the Windows Defender ATP service on behalf of the server
  • Windows Defender ATP data is sent through a server that has the OMS Gateway installed and does have Internet access; that is the only host that needs an outbound path, and it relays only to destinations on its explicit allowed-host list
  • The OMS Gateway transfers the Windows Defender ATP data efficiently without analyzing any of it; the sensor's TLS session passes through the gateway untouched and terminates at the Windows Defender ATP service
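The following PowerShell is an added example that walks both sides of the setup just described; it is not code from the original post or from the product documentation. It assumes a gateway host named GW01.corp.example listening on TCP 8080, that the server-side sensor is the Microsoft Monitoring Agent (whose proxy is set through its AgentConfigManager.MgmtSvcCfg COM object), and Windows PowerShell 5.1 on both hosts. The Windows Defender ATP endpoint names in `$wdatpHosts` are illustrative only; take the authoritative list for your tenant's region from the current product documentation before approving anything on the gateway.

```powershell
# Added example, not from the original post. Part 1 runs on the OMS Gateway host
# (which has Internet access); Part 2 runs on each monitored server (which does not).
# Assumed names: GW01.corp.example:8080 for the gateway, illustrative WDATP endpoints.

### Part 1: on the OMS Gateway host ##########################################

Import-Module OMSGateway

# Port the monitored servers will be pointed at.
Set-OMSGatewayConfig -Name ListenPort -Value 8080

# Only needed if the gateway host itself must egress through a corporate proxy.
# Set-OMSGatewayRelayProxy -Address 'http://proxy.corp.example:3128'   # assumed name

# The gateway refuses any destination not on its allowed-host list, so the
# security team approves exactly the names the sensor needs and nothing more.
$wdatpHosts = @(
    'winatp-gw-cus.microsoft.com'        # illustrative: verify against the current endpoint list
    'winatp-gw-eus.microsoft.com'
    'us.vortex-win.data.microsoft.com'
    'events.data.microsoft.com'
    'crl.microsoft.com'                  # certificate revocation checks
    'ctldl.windowsupdate.com'            # trusted root list updates
)
foreach ($h in $wdatpHosts) { Add-OMSGatewayAllowedHost -Host $h }

Restart-Service -Name OMSGatewayService  # list changes take effect on restart
Get-OMSGatewayAllowedHost                # review what the gateway will relay

# The gateway is the one host that must reach the service directly.
Test-NetConnection -ComputerName 'winatp-gw-cus.microsoft.com' -Port 443

### Part 2: on each monitored server (no Internet access) ####################

$gatewayHost = 'GW01.corp.example'
$gatewayPort = 8080
$gateway     = "${gatewayHost}:${gatewayPort}"

# Confirm the internal path to the gateway before touching the agent.
if (-not (Test-NetConnection -ComputerName $gatewayHost -Port $gatewayPort).TcpTestSucceeded) {
    throw "Gateway $gateway is not reachable from this server"
}

# Point the Microsoft Monitoring Agent at the gateway. No proxy credentials are
# used in this setup, hence the empty user and password. The URL format with a
# scheme is an assumption; check the agent documentation for your version.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.SetProxyInfo("http://$gateway", '', '')
$mma.ReloadConfiguration()

# End-to-end check: ask the gateway to tunnel a TLS connection to an endpoint.
# Any HTTP status from the far end (even 403/404) shows the tunnel works; a
# connection failure or timeout points at the allow list or routing.
function Test-GatewayTunnel {
    param([string]$TargetHost, [string]$Proxy)
    try {
        $r = Invoke-WebRequest -Uri "https://$TargetHost/" -Proxy "http://$Proxy" `
                               -UseBasicParsing -TimeoutSec 15
        return "HTTP $($r.StatusCode)"
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            return "HTTP $([int]$_.Exception.Response.StatusCode)"
        }
        return "FAILED: $($_.Exception.Status)"
    }
}

foreach ($h in 'winatp-gw-cus.microsoft.com', 'events.data.microsoft.com') {
    '{0,-40} {1}' -f $h, (Test-GatewayTunnel -TargetHost $h -Proxy $gateway)
}
```

Run Part 1 once per gateway and Part 2 on every server you onboard. The tunnel test is deliberately done from the monitored server, because that is the path that actually matters; a gateway that can reach the service while the allow list is missing a name still leaves the sensor silent.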

 

[Figure: WDATP-OMSGW.png - servers without Internet access reporting to the Windows Defender ATP service through the OMS Gateway]

 

See the product guides for more information on how monitored servers can be onboarded and send data to the Windows Defender ATP service when they do not have Internet access:

 

We'd love to hear your feedback and questions!

 

Alon Rosental

 

Principal Program Manager, Windows Defender ATP

24 Comments
Copper Contributor

What license is required to add ATP to Windows Server 2016 Datacenter, or is it included? I cannot find that information anywhere. I know Windows 10 needs Enterprise E5, which we have; I just can't find anything on the server license.

Deleted
Not applicable

Chet,

You don't need any additional server licenses, just the user licenses (EDIT: Just to be clear, Defender ATP licenses. WS2016 Activations/licenses are handled separately and aren't included with Win10 Enterprise E5). For reference, see here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/onboard-con...

 

You can also see instructions in your Windows Defender Security Center portal -> Settings -> Onboarding. That should help you out - it gives you the exact onboarding steps.

Thanks!

Copper Contributor

We just had this conversation with our account team after purchasing Windows E5 to get ATP for our endpoints and it wasn't clear about how to license servers.  It has been explained to us that currently Windows Server ATP is in Azure Security Center and as you see from the link below -- that stuff isn't cheap.

 

https://azure.microsoft.com/en-us/pricing/details/security-center/

Deleted
Not applicable

Hey Shannon,

Yes, Azure Security Center is one option, and includes Defender ATP; however, it looks like there are lighter protection methods using Defender ATP alone with servers, without Security Center. See here.

 

Is that what you're referring to or looking for?

 

 

Copper Contributor
I’ve seen that doc. That is the onboarding doc, but I don’t see where it talks about how to license the product.
Deleted
Not applicable

@Shannon - As long as you are paying for user ATP licenses with Defender ATP for anyone in your org (Microsoft 365 E5, or Windows 10 Enterprise E5), you can onboard as many servers as you want onto Defender ATP (EDIT: Note that I mean ATP onboarding, not Windows Server 2016 activation/licensing. Licenses/activations for WS2016 are handled separately). Defender ATP onboarding for existing WS2016 servers is a complimentary service included with Defender ATP in Win10 Enterprise E5. There is no node-per-month license for putting Defender ATP on servers; it is included with Win10 Enterprise E5.


Since this post, I have begun onboarding our on-prem servers with Defender ATP and everything is going smoothly. No additional server licenses needed.


I hope that helps!

Copper Contributor
Another related but important point worth exploring is operating the product on a closed secure network where the only way to update definition and related files is by manually approving and loading these onto a secure server within the closed network. Does ATP support this?
Microsoft

Windows Servers are not covered under a Microsoft 365 or Windows 10 E5 license for use of Windows Defender ATP.  Please contact your Microsoft representative for more details on licensing for servers.

 

Jason Leznek

Principal Program Manager Lead

Windows Customer Experience Engineering

Microsoft Corporation.

Deleted
Not applicable

Jason,

Please help me understand:

 

from https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-s...:
"Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console"


This is seen in the WDATP portal. I have added servers and they onboard to Defender ATP just fine. Is this because of an additional Azure feature?

[screenshot: wdsc.PNG]

 

Thanks,

 

Nathan

Microsoft

Hi, Nathan.   Windows Defender ATP supports Windows Servers - as you are pointing out, that is where you are onboarding servers into the system.   The licensing of Windows Servers is something that is being finalized and you should speak with your Microsoft account team for more information until it is broadly announced.   

Deleted
Not applicable

Jason,

Thank you for the clarification. All of my responses are addressing "Defender ATP licensing for servers" that Chet and Shannon were asking about, not Windows Server 2016 licensing/activation. I will edit my previous responses to make this more clear.

 

Thanks,

 

Nathan Berger

Copper Contributor

Jason, the problem that I have found is that the Microsoft account team does not know the answer to that question. I have received different answers from them, or they are unable to answer the question. There is no documentation anywhere, and any Microsoft rep I have talked to did not know or told me it was included if we have the 365 E5 licenses.

Iron Contributor

Jason,

 

Lets just make sure we are talking about the same thing using a scenario:

 

Client business:

  • 249 Windows 10 Enterprise desktops on premises, licensed with Microsoft 365 Enterprise E5
  • 10 Windows Servers, all fully licensed with Server and any needed User/Device CALs
      • 5 Windows Server 2012 R2 Standard edition
      • 4 Windows Server 2016 Datacenter edition
      • 1 Hyper-V Server 2016 (the free hypervisor server)

 

So Jason - the question to you and the WDATP team:

Beyond the correct windows server edition license and the Windows User/Device CALs, what is needed to be legal/licensed for onboarding the supported servers into Windows Defender Advanced Threat Protection (WDATP)?

 

I ask because we have no SKU that is a "Server addon license for WDATP". 

 

Microsoft

Licensing information for Windows Servers will be available soon. You should be able to reach out to your account team for more information, and they can email me if they're not familiar. We have not disclosed it publicly yet.

Copper Contributor

Can you be any more specific on when the licensing details will be made public?  I asked our VAR, and they contacted MSFT, but have been unable to get an answer so far.   We're currently evaluating ATP as our current tool's renewal date is coming up this fall, but I can't even propose switching to ATP without the licensing info / cost. 

 

Also, I'm very disappointed that people have been allowed to onboard servers for months and the docs say nothing about forthcoming licensing announcements. Azure puts 'free while in preview, GA pricing TBD' disclaimers on their docs, and ATP should consider adding a similar warning to the 'Onboard servers to the Windows Defender ATP service' page until the details are public and easily obtainable.

Deleted
Not applicable

Joe,

I could be the one with the misunderstanding here, but I think perhaps Jason is talking about something different.

As long as you are paying for Defender ATP user licenses for your organization, you can onboard servers (that are activated with a valid Windows Server 2016 activation key) without additional licensing costs. That's essentially what that docs.microsoft.com guide says.

I would be quite shocked if they added a licensing fee to a production service that people are already using for free in production environments.

Microsoft

Windows Server support is in preview, not production, hence people can try it regardless of licensing.  That does not imply that when it is released that it will be for free.  Yuri Diogenes blogged on May 9th that WDATP usage rights will be included in the Azure Security Center license once WDATP support for Windows Server is released.

 

"At RSA Security Conference this year we announced that Security Center now harnesses the power of WDATP to provide improved threat detection for Windows Servers (this integration is currently in preview)."



Copper Contributor

That blog makes it sound like the integration from Azure is in preview, not all server support for ATP. It is also not clear if that is / will be the only way to acquire licensing for servers to connect to ATP.

 

The ATP docs for "Onboard servers to the Windows Defender ATP service" do not include the words preview or license. This seems very misleading if you're saying support for servers connected to ATP is still in preview, and I am expected to have read a blog to find that out.

 

I think this means ATP will be out of consideration which is unfortunate as we did like the product.

Microsoft

I appreciate the feedback and will work with the documentation team to add clarity.

 

That being said, I'm happy that your organization likes Windows ATP and am concerned about its usage being at risk.   If you have paid for licenses through Windows E5 while thinking that they cover your servers appropriately, please contact me privately and I'll work with you to see if we can get the right licensing resolved for those servers.   My team is here to help you be both successful and happy.

 

 

Deleted
Not applicable

@Jason Leznek- agreed with @Joe Sanders here. It is incredibly unclear that this is in preview, as the docs.microsoft page appears as if the feature is in production.

Now that I know this, we will happily keep using the integration for Windows Server until it is taken out of preview.

Thanks.

Copper Contributor

First, I am an end user trying to make sense of all of this. 

 

Most of the comments on this post regard licensing the product.  I have had this product, in some form or another, for nearly a year.   The product is continually evolving.   Licensing is constantly changing.  Even the "free pre-release / trial" licensing information regarding what these products will cost has been changing frequently.   

 

It is worth noting that there is Microsoft Advanced Threat Protection (Windows Defender ATP), Office 365 Advanced Threat Protection and Azure Advanced Threat Protection.  While these are related, they are different products each with different licensing.   These are available through many varied licensing options.   There is also Microsoft Advanced Threat Analytics as well as Azure Advanced Threat Analytics.   These are similar but different products with different licensing options available.  

 

 

From my Office 365 portal I have the ability to license a number of these products in a number of different ways.   Some of these licenses entitle me to use the Azure and Microsoft branded products as well.   Some do not.    When I log into my Azure portal, I am given different options for licensing these products.   As I have migrated my account from OMS to Log Analytics, I have different pricing available to me than I would have had I not.   As I have created different accounts for different services and then linked them together within Azure, I have more flexible pricing options.   For example, I have Microsoft ATA licensed on a separate account with no payment on file, in trial mode.   The cost of this product for my network would be substantial after the trial expires.   This separation allows integration without any surprise licensing costs.     I have ATP in separate accounts and only installed on a small percentage of workstations.   I have a pay as you go account with a pay-per-client and pay-per Azure usage license in use.   Part of my trial has expired, though many products in this account remain in pre-release.   I am able to put spending limits on this account so that there are no surprises when the pre-release trials begin to go paid-for.    If I am satisfied with these products when they all become licensed products then I would likely add them to my existing EA E3 license.   

 

While the licensing is very confusing, it grants us users a lot of flexibility.    While historically I have not been a proponent of Microsoft security products, nor even the operating systems, times do change.   The current offerings are indicative of Microsoft as a major InfoSec market disruptor.   It appears that in the future, Windows will provide the antivirus (Security Center) which may be extended by 3rd party feature add-ons using a limited set of controlled APIs (versus low level 3rd party system hooks).      

 

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp  

https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp

 

Copper Contributor

Oh, I forgot the entire reason I hit the reply button. The OMSGateway is great. I am running the latest, greatest version released as of 8/2018, which includes multi-home support. The one problem I run into, which I would love it if it were easier to address, is this: the FQDNs that the clients connecting through the OMSGateway utilize continue to change. I must keep an eye on this and manually update each OMSGateway, or communications to the FQDN fail via the OMSGateway. While some products will attempt additional connections and either connect directly or via an FQDN already allowed, some products simply quit communicating for many days.

 

I would like for there to be some sort of aggregated feed of required FQDNs for various products and to be given the option to approve specific feeds.    ATA, ATP, OMS, WER, Telematics.....    Once I give the gateway the go-ahead, I'd prefer it manage itself.   I understand not everyone will agree, thus this should be an optional setting.

 

Thank you for your consideration. 
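The commenter above describes the operational failure mode of an allow-listing gateway: the destination names change, the gateway keeps doing exactly what it was told, and the sensor goes quiet. The following PowerShell is an added example, not code from the commenter, the post, or the product. It reconciles the gateway's allowed-host list against a list the security team approves and maintains by hand from the published endpoint list, so a changed name becomes a reviewable diff and a logged change rather than a silent outage. It is written to run as a scheduled task on the gateway host, and it assumes the approved names live one per line in C:\OMSGateway\approved-hosts.txt (with `#` comments), that `Get-OMSGatewayAllowedHost` returns the names as strings, and that changes are logged to C:\OMSGateway\allowlist.log; all three are assumptions, not product defaults.

```powershell
# Added example, not from the original page. Reconcile the OMS Gateway allow
# list with an approved host list and log every change. Run on the gateway host.
# Assumed paths: C:\OMSGateway\approved-hosts.txt and C:\OMSGateway\allowlist.log.
param(
    [string]$ApprovedFile = 'C:\OMSGateway\approved-hosts.txt',
    [string]$LogFile      = 'C:\OMSGateway\allowlist.log',
    [switch]$RemoveStale                   # prune unlisted hosts only when asked
)

Import-Module OMSGateway

# One host per line; anything after '#' is a comment. Normalised to lower case
# so a changed capitalisation in the source list does not register as a change.
function Read-ApprovedHosts {
    param([string]$Path)
    Get-Content -Path $Path |
        ForEach-Object { ($_ -split '#')[0].Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

# Compute and apply the diff. Additions are always applied (a missing name is an
# outage); removals are opt-in (a stale name is only excess trust, which the
# operator should review before pruning).
function Sync-GatewayAllowList {
    param([string[]]$Approved, [switch]$RemoveStale)

    # Assumption: Get-OMSGatewayAllowedHost yields host names as strings.
    $current  = @(Get-OMSGatewayAllowedHost | ForEach-Object { "$_".ToLowerInvariant() })
    $toAdd    = @($Approved | Where-Object { $current -notcontains $_ })
    $toRemove = @()
    if ($RemoveStale) {
        $toRemove = @($current | Where-Object { $Approved -notcontains $_ })
    }

    foreach ($h in $toAdd)    { Add-OMSGatewayAllowedHost    -Host $h }
    foreach ($h in $toRemove) { Remove-OMSGatewayAllowedHost -Host $h }

    [pscustomobject]@{
        Added   = $toAdd
        Removed = $toRemove
        Changed = ($toAdd.Count + $toRemove.Count) -gt 0
    }
}

$approved = @(Read-ApprovedHosts -Path $ApprovedFile)
if ($approved.Count -eq 0) {
    # An empty or missing file must never translate into "approve nothing".
    throw "Refusing to run: $ApprovedFile yielded no hosts"
}

$result = Sync-GatewayAllowList -Approved $approved -RemoveStale:$RemoveStale
$stamp  = Get-Date -Format 'u'

foreach ($h in $result.Added)   { Add-Content -Path $LogFile -Value "$stamp ADDED   $h" }
foreach ($h in $result.Removed) { Add-Content -Path $LogFile -Value "$stamp REMOVED $h" }

if ($result.Changed) {
    Restart-Service -Name OMSGatewayService        # new list takes effect on restart
    Add-Content -Path $LogFile -Value "$stamp RESTARTED OMSGatewayService"
}
```

Schedule it without `-RemoveStale` for routine runs, and review the log before running it once with `-RemoveStale` after you have confirmed that a dropped name is really gone from the published list. The refusal on an empty file is the important guard: a botched export of the approved list should fail loudly, not strip the gateway of every destination it was allowed to reach.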

Deleted
Not applicable

@Jason Leznek and others - it appears that the WDATP Server documentation has been updated to clarify the above conversation - Server 2019 includes WDATP onboarding just like a normal machine, and Azure Security Center can be added as an optional feature to even better improve security for the machine. WS2016 is untouched in terms of onboarding (still able to freely onboard it now). https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-s...

 

Thanks!

Microsoft

Here's a relatively new blog (I would have put the URL into this thread earlier but I was travelling) that talks about the licensing for Server.  Hope it helps, and thank you for trying Windows Defender ATP!

 

Protecting Windows Server with Windows Defender ATP 

Version history
Last update:
‎Nov 27 2017 12:13 AM