Microsoft Defender for Endpoint Blog

Connecting servers without Internet access to Windows Defender ATP

Alon Rosental
Nov 27, 2017

In the Windows 10 Fall Creators Update, Windows Defender ATP extended its advanced attack detection and investigation capabilities to Windows Server operating systems.

A new Windows Defender ATP sensor for servers monitors activity on the server endpoint and reports it to the Windows Defender ATP cloud service, where it is used to detect attacker activity and to support incident response.

In some cases, though, security policy prevents servers from connecting to the Internet, and therefore from communicating with the service.

If your IT security policy does not allow servers on your network to connect to the Internet, they can still report to the Windows Defender ATP cloud service through the OMS Gateway. The monitored servers themselves need no Internet connectivity, so the policy is preserved. The OMS Gateway works as follows:

  • The OMS Gateway is an HTTP forward proxy: it accepts the sensor's connections and forwards them to the Windows Defender ATP service on behalf of the server
  • Windows Defender ATP data leaves the network only through the one server that has the OMS Gateway installed and is permitted to access the Internet
  • The OMS Gateway relays the traffic without analyzing or altering any of the transferred data, which stays encrypted between the sensor and the service; it forwards only to destination hosts that have been added to its allowed-host list, so the service FQDNs named in the product guides must be allow-listed on the gateway
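The two halves of this setup as an administrator would actually type them, written as an added example for this page (it is not code from the original post or from Microsoft). Part 1 runs on the gateway host and uses the cmdlets of the OMSGateway PowerShell module that ships with the gateway; part 2 runs on a monitored server and assumes the server sensor is delivered through the Microsoft Monitoring Agent, whose COM configuration object is used to set the proxy. The gateway name omsgw01.corp.example, the listen port 8080 and the two host names in $RequiredHosts are assumptions; the real host list must be taken from the current product guides, since a host missing from the gateway's allow-list simply stops that sensor from reporting.

```powershell
# Added example, not from the original post. Assumptions: gateway host
# 'omsgw01.corp.example', listen port 8080, placeholder service host names.

# ---------- Part 1: on the OMS Gateway host ----------
$ListenPort = 8080

# Hosts the gateway is allowed to relay to. Anything not listed is refused,
# which shows up on the server side as a sensor that silently stops reporting.
# PLACEHOLDERS: replace with the FQDNs from the Windows Defender ATP product guides.
$RequiredHosts = @(
    'example-workspace.ods.opinsights.azure.com',
    'example-workspace.oms.opinsights.azure.com'
)

Import-Module OMSGateway                      # module installed with the gateway

Set-OMSGatewayConfig -Name ListenPort -Value $ListenPort

# Idempotent allow-listing: add only the hosts that are not already present,
# so the script can be re-run whenever the required FQDNs change.
$existing = @(Get-OMSGatewayAllowedHost)
foreach ($h in $RequiredHosts) {
    if ($existing -notcontains $h) {
        Add-OMSGatewayAllowedHost -Host $h
        Write-Host "Allow-listed $h"
    }
}

# Gateway configuration changes take effect after a service restart.
Restart-Service -Name OMSGatewayService
Get-OMSGatewayAllowedHost | Sort-Object      # review the final allow-list

# ---------- Part 2: on a monitored server with no Internet access ----------
$GatewayHost = 'omsgw01.corp.example'         # assumption: gateway FQDN
$GatewayPort = 8080

# Check reachability of the gateway before touching the agent configuration;
# a blocked TCP path would otherwise look like a broken agent.
$probe = Test-NetConnection -ComputerName $GatewayHost -Port $GatewayPort
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $GatewayHost on TCP $GatewayPort; check routing and host firewall."
}

# The Microsoft Monitoring Agent exposes its settings through a COM object.
# SetProxyInfo(proxy, user, password): empty credentials mean no proxy auth.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.SetProxyInfo("${GatewayHost}:${GatewayPort}", '', '')
$mma.ReloadConfiguration()

# Show what the agent will now use for outbound connections.
$mma.proxyUrl
```

Part 1 is safe to re-run after every update to the product guides; only newly required hosts are added and the service restart picks them up. Part 2 aborts before changing anything if the gateway is not reachable, which separates a network problem from an agent problem when a server fails to appear in the portal.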


See the product guides for details on how monitored servers without Internet access are onboarded and send data to the Windows Defender ATP service:

We'd love to hear your feedback and questions!

Alon Rosental
Principal Program Manager, Windows Defender ATP

Updated Nov 27, 2017
Version 2.0
  • Edwin Davidson

    First, I am an end user trying to make sense of all of this.

    Most of the comments on this post regard licensing the product. I have had this product, in some form or another, for nearly a year. The product is continually evolving. Licensing is constantly changing. Even the "free pre-release / trial" licensing information regarding what these products will cost has been changing frequently.

    It is worth noting that there is Microsoft Advanced Threat Protection (Windows Defender ATP), Office 365 Advanced Threat Protection and Azure Advanced Threat Protection. While these are related, they are different products each with different licensing. These are available through many varied licensing options. There is also Microsoft Advanced Threat Analytics as well as Azure Advanced Threat Analytics. These are similar but different products with different licensing options available.

    From my Office 365 portal I have the ability to license a number of these products in a number of different ways. Some of these licenses entitle me to use the Azure and Microsoft branded products as well. Some do not. When I log into my Azure portal, I am given different options for licensing these products. As I have migrated my account from OMS to Log Analytics, I have different pricing available to me than I would have had I not. As I have created different accounts for different services and then linked them together within Azure, I have more flexible pricing options. For example, I have Microsoft ATA licensed on a separate account with no payment on file, in trial mode. The cost of this product for my network would be substantial after the trial expires. This separation allows integration without any surprise licensing costs. I have ATP in separate accounts and only installed on a small percentage of workstations. I have a pay as you go account with a pay-per-client and pay-per Azure usage license in use. Part of my trial has expired, though many products in this account remain in pre-release. I am able to put spending limits on this account so that there are no surprises when the pre-release trials begin to go paid-for. If I am satisfied with these products when they all become licensed products then I would likely add them to my existing EA E3 license.

    While the licensing is very confusing, it grants us users a lot of flexibility. While historically I have not been a proponent of Microsoft security products, nor even the operating systems, times do change. The current offerings are indicative of Microsoft as a major InfoSec market disruptor. It appears that in the future, Windows will provide the antivirus (Security Center) which may be extended by 3rd party feature add-ons using a limited set of controlled APIs (versus low level 3rd party system hooks).

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp

    https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp


    • Edwin Davidson

      Oh, I forgot, the entire reason I hit the reply button. The OMSGateway is great. I am running the latest greatest version released as of 8/2018, which includes multi-home support. The one problem I run into which I would love it if it were easier to address is this: the FQDNs that the clients connecting through the OMSGateway utilize continue to change. I must keep an eye on this and manually update each OMSGateway or communications to the FQDN fails via the OMSGateway. While some products will attempt additional connections and either connect directly or via a FQDN already allowed, some products simply quit communicating for many days.

      I would like for there to be some sort of aggregated feed of required FQDNs for various products and to be given the option to approve specific feeds. ATA, ATP, OMS, WER, Telematics... Once I give the gateway the go-ahead, I'd prefer it manage itself. I understand not everyone will agree, thus this should be an optional setting.

      Thank you for your consideration.

  • Chet Filanowski

    What license is required to add ATP to Windows Server 2016 Datacenter, or is it included? I cannot find that information anywhere. I know Windows 10 needs Enterprise E5, which we have; I just can't find anything on the server license.

  • Andy Lockhart
    Another related but important point worth exploring is operating the product on a closed secure network where the only way to update definition and related files is by manually approving and loading these onto a secure server within the closed network. Does ATP support this?