In today's threat landscape, protecting all your servers is critical, particularly as human-operated and sophisticated ransomware attacks become more prevalent. Our mission for endpoint protection is to cover all endpoints regardless of platform: clients and servers, as well as mobile, IoT and network devices.
Today, we are adding a broad set of prevention, detection and response capabilities, previously only available on Windows Server 2019 and later, to Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016 using a modernized, completely revamped solution stack.
Introducing our modernized, unified solution for Windows Server 2012 R2 and 2016!
We are proud to introduce the public preview of a completely revamped Microsoft Defender for Endpoint solution stack for Windows Server 2012 R2 and Windows Server 2016. Whilst keeping systems up to date and upholding security hygiene is arguably still the best way to increase resilience and reduce attack surface, we believe this modern, unified solution brings the best of the Microsoft Defender for Endpoint capabilities for prevention, detection, and response together in a single package.
Server onboarding steps.
This new unified solution package reduces complexity by removing dependencies and installation steps. It also standardizes capabilities and functionality as it brings a very high level of parity with Microsoft Defender for Endpoint on Windows Server 2019:
Overview of Microsoft Defender for Endpoint capabilities per operating system
Aside from having no specific client prerequisites or dependencies, the solution is functionally equivalent to Microsoft Defender for Endpoint on Windows Server 2019; meaning that all environment requirements around connectivity are the same, and you can use the same Group Policy, PowerShell commands and Microsoft Endpoint Configuration Manager* to manage configuration. The solution does not use or require the installation of the Microsoft Monitoring Agent (MMA).
Depending on the server that you're onboarding, the unified solution installs Microsoft Defender Antivirus and/or the EDR sensor. The following table indicates what component is installed and what is built in by default (Windows Server 2019 added for comparison only):
Improving resiliency against human-operated ransomware attacks
We have often seen attackers target machines running older operating systems inside our customers' environments in order to evade security controls. As such, the endpoint visibility required to detect and prevent modern-day ransomware attacks was at the center of many of our design decisions for this release.
Specifically, we modeled across the MITRE tactics which we felt provide the best chance of early alerting, and emphasized capturing actionable telemetry across these. Some areas include:
Initial Access: Servers are often the first point of entry for motivated attackers. The ability to monitor for signs of entry via publicly facing, vulnerable services is critical.
Credential Access: Servers often hold sensitive credentials in memory from administrator maintenance or other activities. Enhanced memory protections help identify potential credential theft activity.
Lateral Movement: Improved visibility into user logon activity allows better mapping of attempted movement across the network to or from servers.
Defense Evasion: Improved hardening via tamper protection gives security controls the best chance of preventing ransomware's most harmful effects on high-value assets such as servers.
You can start testing today by simply visiting the Microsoft 365 Defender portal. If you have enabled preview features, you can download the installation and onboarding packages from the new onboarding page:
A screenshot of the new onboarding page option
A screenshot of the new installer
Before installation, please ensure your machines are fully updated and continue to apply the latest component updates (including those for Defender Antivirus) containing important security improvements and bug fixes.
For the EDR sensor on Windows Server 2012 R2 and 2016, we now have a new update package available: KB5005292. This update is only applicable after initial installation. Note that the latest update may already be included in the installer package you obtain from the onboarding page, as this package is updated continuously.
On Windows Server 2016, verify that Microsoft Defender Antivirus is installed, active and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the Microsoft Update Catalog or from the Antimalware and cyber security portal.
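To carry out the pre-installation check described above (Defender Antivirus installed, active and up to date on Windows Server 2016) and to confirm the EDR sensor after onboarding, here is an added PowerShell example; it is not part of the original post or of the installer package. The three-day signature-age threshold is an assumption to adjust to your own policy; the Windows-Defender feature name and the OnboardingState registry value are the ones Microsoft documents for Server 2016 and for Defender for Endpoint onboarding troubleshooting.

```powershell
# Added example: pre-flight checks for the unified Defender for Endpoint package
# on Windows Server 2016, plus a post-onboarding sensor check. Run as administrator.
$maxSignatureAgeDays = 3   # assumed freshness threshold; adjust to your policy

function Test-DefenderAvReady {
    # The Windows Defender feature must be installed on Server 2016
    $feature = Get-WindowsFeature -Name Windows-Defender
    if (-not $feature.Installed) {
        Write-Warning 'Windows Defender feature is not installed (Install-WindowsFeature Windows-Defender)'
        return $false
    }

    # The antimalware service must be running ...
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning 'WinDefend service is not running'
        return $false
    }

    # ... and the engine must actually be active, not just installed
    $status = Get-MpComputerStatus
    if (-not ($status.AMServiceEnabled -and $status.AntivirusEnabled)) {
        Write-Warning 'Defender Antivirus is installed but not active'
        return $false
    }

    # "Up to date": report platform/engine versions and fail on stale signatures
    Write-Host ("Platform {0}, engine {1}, signatures {2} ({3} days old)" -f $status.AMProductVersion, $status.AMEngineVersion, $status.AntivirusSignatureVersion, $status.AntivirusSignatureAge)
    if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
        Write-Warning "Signatures are older than $maxSignatureAgeDays days; run Update-MpSignature or apply the platform update"
        return $false
    }
    return $true
}

function Test-SenseOnboarded {
    # After the installer and onboarding script have run, the EDR sensor service
    # ('Sense') should be running and OnboardingState should be 1.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $key -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    return [bool]($sense -and $sense.Status -eq 'Running' -and $state -eq 1)
}

"Defender AV ready:   $(Test-DefenderAvReady)"
"EDR sensor onboarded: $(Test-SenseOnboarded)"
```

Run the first check before installing the unified package and the second after onboarding; a `$false` from either points at the specific warning printed above it.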
Microsoft Endpoint Configuration Manager 2107 with the hotfix rollup or later is required to support configuration of the preview solution, including through Microsoft Endpoint Configuration Manager tenant attach. Fully automated deployment and onboarding will come in a later version*.
*If you have previously onboarded your servers using the Microsoft Monitoring Agent (MMA), either manually or through Microsoft Endpoint Configuration Manager, follow the guidance in Server migration for the steps to migrate to the new solution.