2024-06-27: Blog updated to keep it current with latest improvements in Defender for Servers.
Introduction
This article is part of our Microsoft Defender for Cloud PoC Series which provides you with guidelines on how to perform a successful proof of concept for a specific Defender for Cloud plan. For a more holistic approach where you need to validate Defender for Cloud please read How to Effectively Perform a Microsoft Defender for Cloud PoC.
Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP), providing end-to-end security for hybrid and multi-cloud platforms with Defender for Servers being Microsoft's server protection offering under this CNAPP umbrella.
Planning
As part of your Defender for Servers PoC, you need to identify the use case scenarios you want to validate. While Defender for Servers Plan 1 mainly focuses on integration with Microsoft Defender for Endpoint, Defender for Servers Plan 2 offers all capabilities of Plan 1 plus enhanced scenarios for multi-cloud machines. Therefore, we will focus on Defender for Servers Plan 2 use cases in this article. Please also see this documentation to learn more about the differences between the Defender for Servers plans.
If you decide to make your on-premises servers or machines hosted on other clouds, e.g. AWS or GCP, part of the PoC, you need to choose how you are going to connect them to Azure so that Defender for Cloud can discover them and start protecting them. For multi-cloud machines, you can refer to our multi-cloud onboarding guide. For on-premises machines, using Azure Arc is the recommended option. Please keep in mind that certain Defender for Servers capabilities such as agentless machine scanning or Just-In-Time (JIT) VM Access are not available for on-premises machines.
Remember that you have a 30-day free trial to test Defender for Servers. Any usage beyond 30 days will be automatically charged as per the pricing scheme here.
Preparation and Implementation
In order to enable Defender for Servers in your environment, you need a user account that has at least the Security Admin role. For more information about roles and privileges, read this article.
Your first step is to enable Microsoft Defender for Cloud on the subscription(s) you are conducting the PoC in and make sure that Defender for Servers plan is selected.
By enabling Defender for Servers on your subscription, all relevant settings for server protection on your subscription will automatically be enabled. However, by selecting the "Settings" link, you can also disable individual components depending on your scenario.
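The enablement step above can also be scripted, which is useful when the PoC covers several subscriptions. The block below is an added example and not code from the blog post: it checks that the signed-in account holds a role that can change Defender plans, enables Defender for Servers Plan 2 through the Az.Security module, and verifies the result. It assumes the Az.Accounts, Az.Resources and Az.Security modules are installed, that the caller is a user account (Get-AzRoleAssignment -SignInName does not resolve service principals), and that the subscription ID placeholder is replaced with your own.

```powershell
# Added example (not from the original blog post): enable Defender for Servers Plan 2
# on the PoC subscription and confirm it took effect.
# Assumptions: Az.Accounts, Az.Resources and Az.Security modules are installed; the
# signed-in identity is a user account; $SubscriptionId is a placeholder.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with your PoC subscription
Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Check the caller's role assignments at subscription scope before changing plans.
#    The post names Security Admin as the minimum; subscription Owner also suffices.
$me    = (Get-AzContext).Account.Id
$roles = Get-AzRoleAssignment -SignInName $me -Scope "/subscriptions/$SubscriptionId" |
         Select-Object -ExpandProperty RoleDefinitionName
if ($roles -notcontains 'Security Admin' -and $roles -notcontains 'Owner') {
    throw "Account $me holds [$($roles -join ', ')] here; Security Admin (or Owner) is required to enable Defender plans."
}

# 2. Enable Defender for Servers Plan 2. 'VirtualMachines' is the pricing name of the
#    Defender for Servers plan; -SubPlan 'P1' would select Plan 1 instead.
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2' | Out-Null

# 3. Verify: the tier must be Standard and the sub-plan P2. The 30-day trial clock
#    starts from this point, so record the date for the PoC report.
$plan = Get-AzSecurityPricing -Name 'VirtualMachines'
'Defender for Servers on {0}: tier={1} subplan={2} enabled={3:u}' -f `
    $SubscriptionId, $plan.PricingTier, $plan.SubPlan, (Get-Date).ToUniversalTime()
if ($plan.PricingTier -ne 'Standard' -or $plan.SubPlan -ne 'P2') {
    throw 'Defender for Servers Plan 2 is not enabled on the selected subscription.'
}
```

Run it once per PoC subscription. The portal "Settings" link remains the place to switch individual components (for example agentless scanning) off for a given scenario; the script only sets the plan itself.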
Validation
Since Defender for Servers has many capabilities, we are going to group them based on different use case scenarios.
Scenario 1: Attack Surface Reduction
Threat actors actively look for accessible machines with open management ports, like RDP or SSH. As a matter of fact, leaving your VM with such ports open to the Internet for a day or two (sometimes even a couple of hours) is enough to become a victim of a brute-force or password spray attack and to receive a security alert like the one below (make sure you use strong passwords):
Note: Do not forget to configure email notifications to get a notification when Defender for Cloud detects new suspicious activities or attacks.
JIT VM access locks down the inbound traffic to your Azure VMs or AWS EC2 instances, reducing exposure to attacks while providing easy access to connect to VMs when needed. To configure and validate JIT VM access feature please follow this guidance.
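For readers who want to configure and validate JIT from a script rather than the portal, the following is an added example (not code from the blog post or from Microsoft's guidance page). It first sets the security contact so that alerts like the brute-force one above are emailed, then creates a JIT policy for one Azure VM that keeps SSH and RDP closed except for approved requests of at most three hours, requests SSH access for one hour from a single source address, and finally reads the policy back. It assumes the Az.Compute and Az.Security modules, an account with Security Admin, and that every subscription, resource group, VM name, region, e-mail address and source IP below is a placeholder to be replaced.

```powershell
# Added example (not from the original blog post): email notifications plus a JIT VM
# access policy and an access request for a single Azure VM, all placeholders.
# Assumptions: Az.Compute and Az.Security installed; caller is Security Admin on the subscription.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-dfc-poc'                              # placeholder
$VmName         = 'vm-poc-01'                               # placeholder
$Location       = 'westeurope'                              # placeholder, must be the VM's own region
$OperatorIp     = '203.0.113.10'                            # placeholder: your current public IP (RFC 5737 range)
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# 0. Make sure someone is notified when Defender for Cloud raises an alert.
Set-AzSecurityContact -Name 'default1' -Email 'secops@example.com' -AlertAdmin -NotifyOnAlert | Out-Null

# Fail early if the VM does not exist; JIT policies are scoped per location and VM.
$null = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -ErrorAction Stop

# 1. Policy: which ports may be opened on request, from where, and for how long.
#    allowedSourceAddressPrefix '*' here means the requester names the source at request time;
#    maxRequestAccessDuration is an ISO 8601 duration (PT3H = 3 hours).
$ports = @(
    @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
    @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
)
$policyVm = @{ id = $VmId; ports = $ports }
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $Location -Name 'default' `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($policyVm) | Out-Null

# 2. Request SSH only, from the operator's address, for one hour. The request is what
#    adds the temporary allow rule to the NSG; the policy by itself keeps both ports closed.
$endTime  = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request  = @{ id = $VmId; ports = @( @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @($OperatorIp) } ) }
$policyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# 3. Verify: the policy exists and the request is recorded against it.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name 'default'
```

To validate the scenario, compare the VM's NSG before the request (no inbound rule for 22 or 3389 from the Internet), right after it (a rule scoped to the operator address with the one-hour expiry) and after expiry (rule removed again). An SSH attempt from any other address should fail throughout.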
Scenario 2: Integration with an EDR solution
If you have properly enabled and configured the integration with Microsoft Defender for Endpoint (MDE), all new servers connected to Defender for Cloud will automatically be onboarded to MDE.
Scenario 3: Vulnerability Assessment
Once you have deployed Microsoft Defender for Endpoint to your servers, Microsoft Defender Vulnerability Management, the VA scanner used as part of the integration, will automatically start scanning your machines every 4 hours and report findings to Defender for Cloud and Defender XDR. Learn more about how to analyze and remediate vulnerabilities.
As an alternative to using MDVM through the MDE agent, you can also use agentless machine scanning to surface vulnerability findings.
Scenario 4: Agentless Scanning
Agentless machine scanning is enabled by default when enabling Defender for Servers Plan 2 on a subscription. For all machines running on Azure, AWS, and GCP, agentless scanning will provide vulnerability, secret and malware findings once a day. Please note that deallocated machines are not scanned; the machine needs to be up and running for agentless scanning to create corresponding findings.
Malware that is detected will be shown as a security alert, similar to the ones shown below:
In order to simulate a malware alert, you can use an EICAR test file.
You can learn more about agentless secret scanning and malware detection in our documentation.
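The two practical points in this scenario, that only running machines are scanned and that the EICAR test file is the safe way to trigger a malware finding, can be validated without opening any management port at all. The block below is an added example and not code from the blog post: it confirms the VM's power state, then writes the EICAR test file to the VM's disk through Azure VM Run Command. It assumes the Az.Compute module, a Windows VM, and placeholder resource names.

```powershell
# Added example (not from the original blog post): validate agentless malware scanning
# on an Azure VM by checking it is running and dropping the EICAR test file via Run Command.
# Assumptions: Az.Compute installed; Windows VM (for Linux use -CommandId 'RunShellScript'
# with an equivalent shell script); $ResourceGroup and $VmName are placeholders.

$ResourceGroup = 'rg-dfc-poc'   # placeholder
$VmName        = 'vm-poc-01'    # placeholder

# 1. Agentless scanning produces findings only for machines that are up; a deallocated
#    VM would silently yield nothing, so stop here rather than wait a day for no result.
$power = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status).Statuses |
         Where-Object { $_.Code -like 'PowerState/*' } | Select-Object -ExpandProperty DisplayStatus
if ($power -ne 'VM running') {
    throw "$VmName is '$power'; start it before expecting agentless findings."
}

# 2. Script executed inside the VM. The 68-byte EICAR string is the industry-standard,
#    harmless anti-malware test file. Single quotes keep PowerShell from expanding the '$'.
$inner = @'
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$dir   = 'C:\PoC'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'eicar.com') -Value $eicar -NoNewline -Encoding ascii
Get-Item (Join-Path $dir 'eicar.com') | Select-Object FullName, Length
'@
$scriptPath = Join-Path $env:TEMP 'drop-eicar.ps1'
Set-Content -Path $scriptPath -Value $inner

# 3. Run it on the VM and show its output; a Length of 68 confirms the file was written.
$result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroup -VMName $VmName `
            -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath
$result.Value | ForEach-Object { $_.Message }
```

Two things to expect when reading the result: the agentless scan runs once a day, so the malware alert may take up to 24 hours to appear; and if Microsoft Defender Antivirus with real-time protection is active on the VM (as it is after MDE onboarding), the file will usually be quarantined the moment it is written and the alert will come from MDE instead. Both outcomes show that detection works; to exercise the agentless path specifically, use a test VM where MDE has not yet been onboarded. The antivirus on your own workstation may likewise quarantine the temporary script file because it contains the test string, which is the expected behaviour of EICAR.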
Conclusion
By the end of this PoC, you should be able to determine the value of this solution and the importance of having this level of threat detection for your servers.
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Microsoft Cloud Security experts.