Defender for Endpoint - Blocking Unsanctioned VPN Connections


Good day community,

Is there a way to prevent users from connecting to unsanctioned VPN services using Defender?

We have a Palo Alto solution that needs to be used, but we are seeing a heck of a lot of Impossible Travel activities in Cloud App Security suggesting that VPN services are used.

Would adding these connections to a custom indicator/detection list do the trick? Or is there a better/more preferred way to achieve this?

Thanks

3 Replies
Hi

An indicator or custom detection would be able to block these programs, yes.

IMO, taking away local admin from these users would be a lot easier and a better solution in the long run.

@SebastiaanR 

Interesting question, it would be great to know how you get on mitigating that risk. Thanks.

@Thijs Lecomte 

Thanks. I agree, the long-term solution would be to actually limit the installation of these programs to begin with.

I think we will end up creating the indicator to do the initial detection of these connections, and then transition the devices across to be managed through policy.

It's definitely a pain in the backside!
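The reply above says an indicator or custom detection can cover these programs, and the original poster plans to start with detection before moving devices onto policy. The advanced-hunting query below is an added example, not code from the thread or from Microsoft: it is the kind of query that can be saved as a Defender for Endpoint custom detection rule to surface outbound connections made by VPN clients other than the sanctioned one. The executable names are placeholders (nothing in the thread names the actual binaries), and the `Timestamp`, `DeviceId` and `ReportId` columns are kept because custom detection rules require them in the output.

```kql
// Added example, not part of the thread. Intended to be saved as a custom detection
// rule in Defender for Endpoint. Client executable names are PLACEHOLDERS; replace
// them with the binaries actually observed in the environment.
let unsanctionedVpnClients = dynamic(["example-vpn-client.exe", "example-tunnel.exe"]); // placeholders
let sanctionedClient = "example-sanctioned-client.exe"; // placeholder for the approved Palo Alto client
DeviceNetworkEvents
| where Timestamp > ago(1h)                              // align with the rule's run frequency
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName in~ (unsanctionedVpnClients)
| where InitiatingProcessFileName !~ sanctionedClient     // guard so the sanctioned client is never flagged
| where not(ipv4_is_private(RemoteIP))                   // only connections leaving the local network
// One row per device and client binary per run. arg_max keeps every column of the
// winning row, so Timestamp, DeviceId and ReportId survive for the detection rule.
| summarize arg_max(Timestamp, *) by DeviceId, InitiatingProcessFileName
| project Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256,
          RemoteIP, RemotePort
```

Run it first as a plain hunting query to confirm the placeholder names match real activity before saving it as a rule. The `InitiatingProcessSHA256` column is what you would feed into a file indicator if you later move from alerting to blocking; the hash ties the block to the binary rather than to a name a user can rename, which is also why the reply's point about removing local admin is the more durable control.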