Forum Discussion
How to harden MDATP against ransomware (Good, Better and Best Configurations)
Just wanted to share some information on how to fine tune Defender to block ransomware.
We used an open source Ransomware simulator from Github against three configurations of Defender:
- Windows Defender (FREE)
- MDATP (Defaults)
- MDATP (Hardened Config)
RESULTS
Defender (Free) blocked 39% of ransomware activities
MDATP with defaults blocked 50% of ransomware activities
MDATP with Hardened Configuration blocked the ransomware executable at first site.
The MDATP hardened configuration consisted of 7 components:
- Attack Surface Reduction Rules
- Block at First Site
- Tamper Protection
- Automatic Sample Sharing
- SmartScreen
- Network Protection
- Automatic Investigation and Remediation
To help the community, I documented the exact steps to enable these configurations on my blog site here:
https://www.thecloudtechnologist.com/mdatp-best-practices/
Stay safe!
-Joe
- David CaddickIron Contributor
Joe Stocker just checking as at the bottom of your article it's stated that
(ASR is not available in the free edition of Defender)
So while that is true - my understanding is that you can run ASR on any Windows 10 Enterprise - it's just that you don't get the advanced tools until you have the E5 license:
To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in Microsoft Defender Advanced Threat Protection, as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
- Joe StockerBronze ContributorThe main point of the post above is to distinguish the efficacy of Windows Defender that ships inside *all versions of Windows 10* not just Enterprise, and then compare that to a hardened Windows 10 E5 edition of Microsoft Defender ATP (good, better, best).
There were already other blog articles written on how to harden the Windows 10 native/free edition, but at the time I wrote the article, there were no clear articles offering step-by-step guidance on a hardened Windows 10 E5 MDATP configuration. So that was my gift to the community to help out.- David CaddickIron Contributor
Joe Stocker Thanks for the gift as it's sometimes difficult to navigate on our own
I was just calling out that for some who might not be able to stretch to E5 that they can still use some parts of this protection if they are prepared to do some of the manual/scripting, etc...