Defender for Endpoint - Blocking Unsanctioned VPN Connections

Contributor

Good day community,

 

Is there a way to prevent users from connecting to unsanctioned VPN services using Defender?

 

We have a Palo Alto solution that needs to be used, but we are seeing a heck of a lot of Impossible Travel activities in Cloud App Security suggesting that VPN services are used.

 

Would adding these connections to a custom indicator/detection list do the trick? Or is there a better/more preferred way to achieve this?

 

Thanks

3 Replies
Hi

An indicator or custom detection would be able to block these programs yes.

IMO, taking away local admin from these users would be a lot easier and a better solution in the long run

@SebastiaanR 

Interesting question, would be great to know how you get on mitigating that risk. thanks

@Thijs Lecomte 

Thanks. I agree, the long-term solution would be to actually limit the installation of these programs to begin with.

 

I think we will end up creating the indicator to do the initial detection of these connections, and then transitions the devices across to be managed through policy.

 

It's definitely a pain in the backside!