How to harden MDATP against ransomware (Good, Better and Best Configurations)


Just wanted to share some information on how to fine-tune Defender to block ransomware.

We used an open source Ransomware simulator from Github against three configurations of Defender:

  • Windows Defender (FREE)
  • MDATP (Defaults)
  • MDATP (Hardened Config)

RESULTS

Defender (Free) blocked 39% of ransomware activities

MDATP with defaults blocked 50% of ransomware activities

MDATP with Hardened Configuration blocked the ransomware executable at first sight.

The MDATP hardened configuration consisted of 7 components:

- Attack Surface Reduction Rules
- Block at First Sight
- Tamper Protection
- Automatic Sample Sharing
- SmartScreen
- Network Protection
- Automatic Investigation and Remediation

To help the community, I documented the exact steps to enable these configurations on my blog site here:

https://www.thecloudtechnologist.com/mdatp-best-practices/


Stay safe!

-Joe
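
Added example, not code from the original post or from the linked blog: a PowerShell fragment that maps the scriptable parts of the seven components onto the Defender cmdlets, plus a check function for confirming that an endpoint actually has them switched on. The ASR rule subset, the audit-first switch and the SmartScreen registry values are my assumptions.

```powershell
# Added example (not from the original post or the linked blog). Assumes an elevated
# PowerShell on Windows 10 with the Defender module present; the ASR rule subset and
# the audit-first staging are my choices, not the blog's.

# ASR rules most relevant to the ransomware scenario described in the post.
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
}

function Set-HardenedDefender {
    param([switch]$AuditOnly)   # stage in AuditMode first, review events, then re-run without it
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }

    # 1. Attack Surface Reduction rules
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
    }
    # 2. Block at First Sight depends on cloud-delivered protection and sample submission (4.)
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples `
                     -DisableBlockAtFirstSeen $false -CloudBlockLevel High -CloudExtendedTimeout 50
    # 5. SmartScreen for Explorer via the policy keys the SmartScreen GPO writes
    $ss = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    New-Item -Path $ss -Force | Out-Null
    Set-ItemProperty -Path $ss -Name EnableSmartScreen -Value 1 -Type DWord
    Set-ItemProperty -Path $ss -Name ShellSmartScreenLevel -Value 'Block' -Type String
    # 6. Network Protection
    Set-MpPreference -EnableNetworkProtection $action
    # 3. Tamper Protection and 7. Automated Investigation are not scriptable here: they are
    #    turned on in the Microsoft Defender Security Center / Intune, not via Set-MpPreference.
}

function Test-HardenedDefender {
    # Settings to verify after rollout, or when triaging an endpoint that failed to block a sample.
    $p = Get-MpPreference
    [pscustomobject]@{
        AsrRulesConfigured = @($p.AttackSurfaceReductionRules_Ids).Count
        BlockAtFirstSight  = (-not $p.DisableBlockAtFirstSeen) -and ($p.MAPSReporting -eq 2)
        SampleSubmission   = $p.SubmitSamplesConsent
        CloudBlockLevel    = $p.CloudBlockLevel
        NetworkProtection  = $p.EnableNetworkProtection
        TamperProtection   = (Get-MpComputerStatus).IsTamperProtected
    }
}
```

Run Set-HardenedDefender -AuditOnly first and review the ASR and Network Protection events in Event Viewer before enforcing, since a blocked line-of-business app looks like a false positive only after the fact.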

3 Replies

@Joe Stocker just checking, as at the bottom of your article it's stated that

(ASR is not available in the free edition of Defender)

So while that is true, my understanding is that you can run ASR on any Windows 10 Enterprise; it's just that you don't get the advanced tools until you have the E5 license:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-su...


To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in Microsoft Defender Advanced Threat Protection, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.


The main point of the post above is to distinguish the efficacy of Windows Defender that ships inside *all versions of Windows 10* not just Enterprise, and then compare that to a hardened Windows 10 E5 edition of Microsoft Defender ATP (good, better, best).

There were already other blog articles written on how to harden the Windows 10 native/free edition, but at the time I wrote the article, there were no clear articles offering step-by-step guidance on a hardened Windows 10 E5 MDATP configuration. So that was my gift to the community to help out.

@Joe Stocker Thanks for the gift as it's sometimes difficult to navigate on our own :hearteyes:


I was just calling out that for some who might not be able to stretch to E5 that they can still use some parts of this protection if they are prepared to do some of the manual/scripting, etc...