This article is part of a group of articles regarding Defender for Endpoint and disconnected environments. The first two articles can be found here and here.
The objective of this article, along with the two previous articles, is to provide you with a better understanding of Defender for Endpoint and how it works in a disconnected environment. This requires a mental shift in our understanding of what “risk” means with a cloud-first product.
Looking at how Defender for Endpoint is designed we can make a few observations:
As you’re planning your Defender for Endpoint deployment, consider the following points as a loose guideline to help you avoid common pitfalls.
The aim here is not to intimidate you, but rather to ensure that you grasp the "mental shift" and comprehend how various Microsoft 365 products work together to secure your disconnected devices. Let's begin by focusing on the essential aspect: the "mental shift."
Historically, specific server workloads are likely to have been protected behind a firewall within a physical datacenter location. These were generally not allowed to have any external connectivity unless there was a specific application or business case that required this (The traditional model).
Fast forward a few years. Now most companies take a security first approach and need to introduce modern security services to mitigate both internal and external threats (Today’s model). These modern security services are likely to be cloud services that will require some level of connectivity to ensure that protection is implemented.
Organizations are often wary of configuring outbound connectivity for these servers, because regulations or existing security controls may need to be reviewed as part of the change. That review is necessary, but the complexity of modern networks also demands stronger and more comprehensive security solutions than a perimeter firewall alone can provide.
It is essential for an organization to have a comprehensive understanding of its network configuration, including how devices access internet services and the overall flow of traffic in and out of the environment. Here are some questions to consider when deploying Defender for Endpoint in any environment, with a particular focus on semi-disconnected or fully disconnected environments:
Below is an example of a complex networking schema featuring Defender for Endpoint. Although this deployment resembles a typical customer setup, it was conducted in a lab environment and served as a basis for simulating traffic in the two previous articles.
The diagrams below illustrate various proxy configurations that can be used with Defender for Endpoint, along with their implications for the other products a Windows endpoint needs in order to operate properly. The diagrams are intended to highlight the differences between system-level (WinHTTP), user-level (WinINET), and static (registry or Group Policy based, sensor-only) proxy configurations. More information on these configurations can be found in the following articles:
The above diagram assumes that all traffic through the proxy is approved for various endpoint requirements, such as Windows Update, Intune, Azure AD, and Defender for Endpoint traffic. However, this may not be the case for all organizations.
The diagram above highlights that the user-level (WinINET) proxy configuration only permits certain Defender for Endpoint traffic, while every other service on the endpoint is blocked. This approach may suffice if you do not intend to use Live Response on your endpoints, or if the endpoints handle Windows Update differently and do not require Intune or Hybrid Azure AD. Keep in mind, however, that a user-level proxy is only available while a user is logged on, so the endpoint will have to cache Defender for Endpoint signals until a user connects. It is recommended to review the "Plan deployment" section of the Defender for Endpoint documentation to gain a deeper understanding of the implications of this decision.
The diagram above illustrates the impact of a static proxy configuration using either group policy or a registry edit. As shown, only Defender for Endpoint traffic is allowed to cross the proxy. This option is beneficial in cases where you have an existing infrastructure configuration that already handles Windows Updates, endpoint configuration policies, and compliance policies, and you are not planning to move to a hybrid Azure AD joined state. However, please note that this configuration assumes that the other services required for the proper functioning of the endpoint are managed through an alternate mechanism, such as Microsoft Endpoint Configuration Manager.
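The three proxy layers the diagrams contrast can be inspected from a single elevated PowerShell session. The script below is an added example and is not part of the original article or of Microsoft's documentation; the proxy host, port and bypass list are placeholders, and the registry locations are the ones the Defender for Endpoint proxy documentation describes for the sensor's static proxy.

```powershell
# Added example (not from the original article): inspect the three proxy layers
# that matter on a Windows endpoint running the Defender for Endpoint sensor and
# show how to set the sensor-only static proxy from the third diagram.
# Run in an elevated Windows PowerShell session. Values below are placeholders.

$ProxyHost  = 'proxy.contoso.local'      # assumed, replace with your proxy
$ProxyPort  = 8080
$BypassList = '<local>;*.contoso.local'  # assumed bypass list

# 1. System-level (WinHTTP) proxy: what services running as SYSTEM use, including
#    the Defender for Endpoint sensor (SENSE) and Windows Update scans.
function Get-WinHttpProxy {
    # netsh prints either "Direct access (no proxy server)." or
    # "Proxy Server(s) :  host:port". The text is localized; adjust if needed.
    $m = (& netsh.exe winhttp show proxy) | Select-String 'Proxy Server\(s\)\s*:\s*(.+)$'
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return $null   # direct access
}

function Set-WinHttpProxy {
    param([string]$Server, [string]$Bypass)
    & netsh.exe winhttp set proxy proxy-server="$Server" bypass-list="$Bypass" | Out-Null
}

# 2. User-level (WinINET) proxy: per user, stored under HKCU. Nothing running as
#    SYSTEM sees this, which is why the sensor cannot rely on it.
function Get-WinInetProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) { return $p.ProxyServer }
    return $null
}

# 3. Static proxy for the Defender for Endpoint sensor only. The same setting is
#    exposed in Group Policy as "Configure connected user experiences and telemetry"
#    under Windows Components > Data Collection and Preview Builds. It does not
#    change what Windows Update, Intune or Defender Antivirus cloud protection use.
$SenseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

function Get-SenseStaticProxy {
    (Get-ItemProperty -Path $SenseKey -Name TelemetryProxyServer `
        -ErrorAction SilentlyContinue).TelemetryProxyServer
}

function Set-SenseStaticProxy {
    param([string]$Server)   # "host:port", no scheme
    if (-not (Test-Path $SenseKey)) { New-Item -Path $SenseKey -Force | Out-Null }
    New-ItemProperty -Path $SenseKey -Name TelemetryProxyServer -PropertyType String `
        -Value $Server -Force | Out-Null
    # The sensor runs as SYSTEM and cannot answer a proxy authentication challenge;
    # this is the registry form of "Disable Authenticated Proxy usage".
    $dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    if (-not (Test-Path $dc)) { New-Item -Path $dc -Force | Out-Null }
    New-ItemProperty -Path $dc -Name DisableEnterpriseAuthProxy -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

# Report what each layer currently resolves to. A gap between the SYSTEM view and
# the user view is exactly the situation the diagrams above describe.
[pscustomobject]@{
    'WinHTTP (SYSTEM)'       = Get-WinHttpProxy
    'WinINET (current user)' = Get-WinInetProxy
    'Sense static proxy'     = Get-SenseStaticProxy
} | Format-List

# To apply the static-proxy layout (only the sensor crosses the proxy), uncomment:
# Set-SenseStaticProxy -Server "${ProxyHost}:${ProxyPort}"
# To apply the system-level layout instead (everything running as SYSTEM crosses it):
# Set-WinHttpProxy -Server "${ProxyHost}:${ProxyPort}" -Bypass $BypassList
```

Run the report before and after any change and keep the output with the change record: when only the WinINET line shows a proxy, the sensor and every other SYSTEM service are effectively direct-connected, whatever the user's browser sees.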
In the subsequent sections, we have highlighted key considerations when deploying Defender for Endpoint. These sections specifically address related products and how they may be adversely affected in a disconnected environment. Keep in mind that Defender for Endpoint is a cloud-first product, and it is part of a larger suite of products within Microsoft 365. Therefore, it is important to consider these products, as well as standard services like Windows Update and certificate updates, when planning your deployment.
Allow the following hostnames through your firewall to support Security Management for Defender for Endpoint. For communication between clients and the cloud service:
If you’re planning on using Microsoft Intune to manage policies on these disconnected devices, there are further considerations. A Hybrid Azure AD joined device sitting behind a proxy has its own networking requirements: the following URLs must be reachable from the devices inside your organization.
The above URLs must be reachable by the SYSTEM account, in the machine context. Make sure your proxy server supports machine-context authentication; otherwise allow unauthenticated traffic to these destinations, just as you would for Defender for Endpoint. A WinHTTP proxy configuration is also required for this scenario, because the SYSTEM account does not see user-level (WinINET) proxy settings. If, however, you manage your endpoints with Microsoft Endpoint Configuration Manager (SCCM), policies are handled on-premises, none of this is necessary, and you can still onboard the devices to Defender for Endpoint. Ultimately it depends entirely on your end management objective and how cloud-centric your organization intends to be.
Use the Test Device Registration Connectivity script to validate that your devices can reach the required Microsoft resources under the SYSTEM account.
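The reason the check has to run as SYSTEM is that a test from your own logged-on session goes through your WinINET proxy and your credentials, neither of which the device registration service ever gets. The script below is an added example, not the article's and not Microsoft's Test Device Registration Connectivity script: it probes each endpoint through the WinHTTP proxy with no proxy credentials, and with `-AsSystem` re-launches itself under the SYSTEM account through a one-off scheduled task. The endpoint list is an assumed example taken from the hybrid Azure AD join documentation; replace it with the current list from Microsoft Learn.

```powershell
# Added example, not from the original article or from Microsoft's scripts.
# Usage:  .\Test-MachineContext.ps1            (as your user, through the WinHTTP proxy)
#         .\Test-MachineContext.ps1 -AsSystem  (elevated; re-runs itself as SYSTEM)
param([switch]$AsSystem)

# Assumed example list; use the current hybrid Azure AD join endpoint list.
$Endpoints = @(
    'https://enterpriseregistration.windows.net'
    'https://login.microsoftonline.com'
    'https://device.login.microsoftonline.com'
)

function Get-WinHttpProxyUri {
    # The proxy that SYSTEM services use. netsh output is localized; adjust the pattern if needed.
    $m = (& netsh.exe winhttp show proxy) | Select-String 'Proxy Server\(s\)\s*:\s*(\S+)'
    if (-not $m) { return $null }                               # "Direct access (no proxy server)."
    $first = $m.Matches[0].Groups[1].Value.Split(';')[0]        # first entry if several are listed
    if ($first -notmatch '^https?://') { $first = 'http://' + $first }
    return $first
}

function Test-MachineContextEndpoint {
    param([string]$Uri, [string]$ProxyUri)
    $request = @{ Uri = $Uri; Method = 'Head'; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($ProxyUri) { $request.Proxy = $ProxyUri }   # deliberately no -ProxyCredential
    $status = -1; $detail = ''
    try {
        $status = [int](Invoke-WebRequest @request).StatusCode
    } catch {
        $resp = $_.Exception.Response   # WebException (5.1) or HttpResponseException (7+)
        if ($resp) { $status = [int]$resp.StatusCode } else { $detail = $_.Exception.Message }
    }
    # Any response below 500 proves the proxy let the request reach the service;
    # the registration service itself is not being exercised here, only the path to it.
    if     ($status -eq 407) { $result = 'BLOCKED: proxy demanded credentials the machine context cannot present' }
    elseif ($status -eq -1)  { $result = "FAILED: $detail" }
    elseif ($status -lt 500) { $result = 'OK: request reached the service' }
    else                     { $result = 'FAILED: server error' }
    [pscustomobject]@{ Uri = $Uri; Status = $status; Result = $result }
}

function Invoke-AsSystem {
    # Re-run this script file as SYSTEM through a temporary scheduled task and print its output.
    param([string]$ScriptPath, [string]$LogPath = (Join-Path $env:ProgramData 'mde-connectivity.log'))
    $taskName = 'MDE-ConnectivityCheck'
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"& '$ScriptPath' *> '$LogPath'`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $taskName
    # Give the task a moment to enter Running, then wait until it leaves that state.
    do { Start-Sleep -Seconds 2 } while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running')
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    Get-Content -Path $LogPath
}

if ($AsSystem) { Invoke-AsSystem -ScriptPath $PSCommandPath; return }

$proxy = Get-WinHttpProxyUri
"Running as $env:USERDOMAIN\$env:USERNAME; WinHTTP proxy: $(if ($proxy) { $proxy } else { 'direct' })"
$Endpoints | ForEach-Object { Test-MachineContextEndpoint -Uri $_ -ProxyUri $proxy } | Format-Table -AutoSize
```

A 407 in the SYSTEM run with a clean run as your own user is the classic signature of a proxy that authenticates users but not machines; the fix is on the proxy side (machine-context authentication or an unauthenticated allow rule for these destinations), not on the endpoint.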
Microsoft Defender for Endpoint, being a cloud-centric security product, necessitates that your devices remain up to date. Many customers typically have a robust maintenance solution in place for their isolated environments. Implementing Defender for Endpoint presents an opportune moment to review and assess the efficiency of your update process, ensuring its smooth operation or identifying the need for adjustments or supplementary configurations. Key considerations for Windows Update when operating behind a proxy include:
The above is referenced in the following documentation: Windows Update issues troubleshooting - Windows Client | Microsoft Learn
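One proxy property worth testing explicitly, because a plain browse through the proxy does not exercise it, is support for HTTP range requests (RFC 7233), which Windows Update and BITS use to download update content in pieces. The following is an added example, not part of the original article: it issues a partial GET through the proxy and reports whether the range survived the round trip. The download URL and proxy address are placeholders; point them at a file you know the origin serves in ranges (a package on your WSUS server, for instance) and at your own proxy.

```powershell
# Added example, not from the original article. Checks whether a proxy honours
# HTTP range requests (RFC 7233). Uses HttpWebRequest rather than Invoke-WebRequest
# because Windows PowerShell 5.1 refuses a Range entry in -Headers.

function Test-ProxyRangeSupport {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$ProxyUri     # e.g. http://proxy.contoso.local:8080 ; omit for a direct baseline
    )
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    $req.AddRange(0, 1023)                # ask for the first 1 KiB only
    if ($ProxyUri) { $req.Proxy = New-Object System.Net.WebProxy($ProxyUri) }
    else           { $req.Proxy = $null } # bypass any default proxy for the baseline
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx still carry a response we can inspect; anything else is a transport failure.
        if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw }
    }
    try {
        $code  = [int]$resp.StatusCode
        $range = $resp.Headers['Content-Range']
        # 206 plus Content-Range: the range reached the origin and came back intact.
        # 200 with the full Content-Length: something on the path (usually the proxy)
        # dropped the Range header and served the whole object, which is what breaks
        # Windows Update downloads.
        [pscustomobject]@{
            Url            = $Url
            Proxy          = if ($ProxyUri) { $ProxyUri } else { 'direct' }
            StatusCode     = $code
            ContentRange   = $range
            ContentLength  = $resp.ContentLength
            RangeSupported = ($code -eq 206 -and [bool]$range)
        }
    } finally {
        $resp.Close()
    }
}

# Placeholders: substitute a real update package URL and your proxy.
Test-ProxyRangeSupport -Url 'https://download.example.com/update.cab'
Test-ProxyRangeSupport -Url 'https://download.example.com/update.cab' -ProxyUri 'http://proxy.contoso.local:8080'
```

Run the direct call first from a host that is allowed out, so that a 200 in the proxied call can be attributed to the proxy rather than to an origin that never supported ranges in the first place.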
This article provides guidance on understanding the functionality of Defender for Endpoint, a cloud-first product, and the need for a mental shift towards modern security services. The article outlines planning and deployment recommendations, such as involving stakeholders, understanding networking requirements, and reviewing the documentation. Additionally, the article covers considerations for other Microsoft products like Intune, Azure Active Directory, and Windows Updates in relation to Defender for Endpoint. Overall, this article offers an approach to deploying Defender for Endpoint and discusses the requirements of other Microsoft products in a disconnected environment.
Disconnected environments, proxies, and Microsoft Defender for Endpoint
Defender for Endpoint and disconnected environments. Which proxy configuration wins?
RFC 7233: Hypertext Transfer Protocol (HTTP/1.1): Range Requests (rfc-editor.org)
Windows Update issues troubleshooting - Windows Client | Microsoft Learn
Network endpoints for Microsoft Intune | Microsoft Learn
Test Device Registration Connectivity - Code Samples | Microsoft Learn
Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Learn
Microsoft Defender for Endpoint - Proxy Service URLs (Commercial) (live.com)
Microsoft FastTrack for Microsoft 365
Prepare Microsoft Defender for Endpoint deployment