Defender for Business brings EDR and threat monitoring features found in more expensive Windows licenses to smaller organizations.

At its recent Ignite conference, Microsoft announced a new product targeted at businesses with fewer than 300 users or seats, called Microsoft Defender for Business. Any small business that does not have an automated way to investigate intrusions and other security issues, or any endpoint detection and response (EDR) technology in place, should evaluate it. So should managed service providers that support small businesses, and firms that rely on a small business as a supplier.

Defender for Business lets you monitor and control the native antivirus protection and pulls in the cloud protections and detections that Microsoft derives from security telemetry across its cloud properties. For small businesses that have not invested in EDR, the console points out anomalies and identifies when unusual events have occurred. The timeline function lets you review the processes that ran on a system to determine what happened, and keeps a cloud-stored forensic copy of the workstation's process history so that you can review it later.

Microsoft is also building overview platforms for managed service providers that let them monitor and proactively manage many customers at once. Called Microsoft 365 Lighthouse, it gives a view of security incidents and alerts across all customers onboarded into Lighthouse. An upcoming Microsoft seminar will provide more information on Microsoft Defender for Business.

If your business has access to Microsoft 365 E5 licenses and the Microsoft Defender Security Center, you are already familiar with the technologies bundled into this new offering. Any firm with a Microsoft 365 Business Premium license gets the new offering included; otherwise it can be added for a $3 per user fee.
Microsoft Defender for Business includes the Threat and Vulnerability Management console, which highlights weaknesses in the network so that firms can prioritize the actions to take. The dashboard provides an overall exposure score for the issues in your network. It also provides a device risk score that breaks the risk down across your applications, operating system, network, accounts and security controls. This gives small businesses actionable information to ensure they do not become entry points into larger enterprises.

Microsoft Defender for Business security recommendations

Defender for Business’s consoles provide actionable security choices that make a network less susceptible to attack. Security recommendations for applications include:

- Disable running or installing downloaded software with invalid signature
- Block outdated ActiveX controls for Internet Explorer
- Disable ‘Password Manager’

Recommendations for operating system protections include ‘Enable Local Security Authority (LSA) protection’. This recommends setting a policy that forces LSA to run as a protected process light (PPL). According to MITRE ATT&CK, this mitigation “protects processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.”

Network recommendations include:

- Set LAN Manager authentication level to ‘Send NTLMv2 response only. Refuse LM & NTLM’
- Disable SMBv1 client driver

Moving away from SMBv1 greatly hardens your network against ransomware attacks.

Recommendations for accounts include:

- Disable the local storage of passwords and credentials
- Set ‘Account lockout threshold’ to 1-10 invalid login attempts

Recommendations for security controls include attack surface reduction (ASR) rules such as:

- Block all Office applications from creating child processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion

Monitor attack surface reduction rules

Defender for Business lets you easily monitor ASR rules. Windows 10 Professional machines can enable the rules through Group Policy, but they are not monitored and reported on unless you have an Enterprise license. Attackers often use Office as an entry point into networks, and reviewing the ASR rules can better protect you from Office-based entry. ASR rules are also a key method of protecting against ransomware attacks. For example, one rule you should deploy as soon as possible is “Block all Office applications from creating child processes”. This Palantir blog post showcased many of these settings that can easily be deployed to better protect networks, and which ones are easier to deploy. Normally you need a Windows Enterprise license to enable and track all ASR rules; Microsoft Defender for Business enables full tracking even without one.
ASR rules include:

- Block abuse of exploited vulnerable signed drivers
- Block executable content from email client and webmail
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
- Block Office applications from injecting code into other processes
- Block JavaScript or VBScript from launching downloaded executable content
- Block execution of potentially obfuscated scripts
- Block Win32 API calls from Office macros
- Use advanced protection against ransomware
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block process creations originating from PSExec and WMI commands
- Block untrusted and unsigned processes that run from USB
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block Office communication applications from creating child processes
- Block Adobe Reader from creating child processes
- Block persistence through WMI event subscription

Test these rules before deploying widely.

Microsoft Defender for Business for primary antivirus protection

I recommend using Defender as your primary antivirus protection, especially if you stay current with feature releases. Over the years I’ve tracked the side effects of service packs and feature releases and their interaction with third-party antivirus software. If you plan to deploy Windows 11 or roll out Windows 10 feature releases faster in the future, I recommend standardizing on Windows Defender. Microsoft tests Defender when it tests feature releases, so side effects are either non-existent or identified quickly and silently fixed. Some key features and protections require Defender as your default antivirus; for example, Defender must be your default antivirus to use ASR rules.
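As an added example (not code from the article, Microsoft or Defender for Business), the following PowerShell script checks a single Windows 10/11 machine against several of the operating system, network and account recommendations listed above and reports the configured state (Block, Audit, Warn, Disabled or not configured) of three of the ASR rules. It assumes an elevated session with Defender as the active antivirus; the registry values are the standard policy locations, and the ASR GUIDs are Microsoft's published rule IDs, which you should confirm against the current ASR rule reference before relying on them.

```powershell
# Added example (not the article's or Microsoft's code): read-only local check of
# several recommendations above plus the state of three listed ASR rules.
# Run elevated on Windows 10/11 with Defender as the active antivirus.
# Registry paths are the standard policy locations; ASR GUIDs are Microsoft's
# published rule IDs (assumed; confirm against the current ASR reference).

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function New-Check([string]$Name, $Value, [bool]$Ok) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Compliant = $Ok }
}

function Test-Recommendations {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # RunAsPPL 1 = LSA runs as protected process light (2 = PPL without UEFI lock on newer builds)
    $ppl = Get-RegValue $lsa 'RunAsPPL'
    New-Check 'LSA protection (RunAsPPL)' $ppl ($ppl -eq 1 -or $ppl -eq 2)
    # LmCompatibilityLevel 5 = Send NTLMv2 response only. Refuse LM & NTLM
    $lm = Get-RegValue $lsa 'LmCompatibilityLevel'
    New-Check 'LAN Manager authentication level' $lm ($lm -eq 5)
    # DisableDomainCreds 1 = do not store network passwords and credentials locally
    $dc = Get-RegValue $lsa 'DisableDomainCreds'
    New-Check 'Local credential storage disabled' $dc ($dc -eq 1)
    # SMBv1 client driver (MRxSmb10): Start 4 = disabled; no key = feature not installed
    $smb1 = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb10' 'Start'
    New-Check 'SMBv1 client driver disabled' $smb1 ($null -eq $smb1 -or $smb1 -eq 4)
    # Lockout threshold lives in local security policy; "net accounts" prints a number or "Never"
    $line = net accounts | Select-String 'Lockout threshold' | Select-Object -First 1
    $thr = if ($line) { ($line.Line -split ':')[-1].Trim() } else { 'unknown' }
    New-Check 'Account lockout threshold 1-10' $thr ($thr -match '^\d+$' -and [int]$thr -ge 1 -and [int]$thr -le 10)
    # ASR state: Ids and Actions are parallel arrays in Get-MpPreference; a missing Id means not configured
    $pref = Get-MpPreference
    $ids = @(foreach ($x in $pref.AttackSurfaceReductionRules_Ids) { "$x".ToUpper() })
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        $state = if ($i -ge 0) { $AsrActions[[int]$pref.AttackSurfaceReductionRules_Actions[$i]] } else { 'Not configured' }
        New-Check "ASR: $($AsrRules[$id])" $state ($state -eq 'Block')
    }
}

Test-Recommendations | Format-Table -AutoSize
```

To test a rule before enforcing it, configure it with `Add-MpPreference -AttackSurfaceReductionRules_Ids <guid> -AttackSurfaceReductionRules_Actions AuditMode` and review event ID 1122 (audit) and 1121 (block) in the Microsoft-Windows-Windows Defender/Operational event log, which records what each rule would have blocked.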