Running a small business with on-premises servers?
Chances are you’re relying on technology that includes servers, whether Windows or Linux-based. With that in mind, Microsoft recently announced that it was previewing “server protection for small businesses” – bundling the offering with Microsoft Defender for Business.
This is notable because until now, most endpoint detection and response (EDR) solutions have been expensive and typically only deployed by large enterprises. (EDR is an integrated, multi-layered approach to endpoint protection that combines continuous, real-time monitoring and analysis of endpoint data with automated policy-based response.)
As Microsoft notes in the blog post announcing the move:
“The Microsoft Defender for Business server experience provides the same level of protection for clients and servers in a single management experience inside Defender for Business, helping you protect all your endpoints in one go. one place.”
Currently, users can enable a trial for each server through the Microsoft 365 Defender Security Portal (which also recommends security settings to make your servers more secure). When Microsoft officially releases the product, it will cost you $3 per server per month. If you’re a Microsoft 365 Enterprise customer, you can start a trial and see what impact it will have when deployed to your servers.
There are several ways to integrate servers; you can use local scripts, group policy or configuration manager. One of the easiest ways to try out the new offering is to use the scripting process. First, enable preview offers by going to https://security.microsoft.com, go to Settings > Endpoints > General > Advanced Features > Preview Features. (Here’s a more direct link.)
In the navigation pane, choose Settings > Endpoints, then under Device Management, choose Onboarding. Now select an operating system, such as Windows Server 1803, 2019, and 2022, and in the Deployment Method section, choose Local Script. Note: For these newer systems, you only need to run this script; no other installation steps are required. Just run the command line as an elevated command. (If you don’t provide the embed script with the proper permissions, it will warn you to do so.
For older software such as Windows Server 2012 R2 and 2016, you will have two packages to download and run: an installation package and an integration package. The installation package specifically contains a file that installs the Defender for Business agent. Once you run the setup file, you run the script just like on any of the newer server platforms. Newer servers (and workstation operating systems) automatically include the defender embed code.
The command file specific to onboarding servers is named WindowsDefenderATPLocalOnboardingScript.cmd. Your server should appear in the Defender Console, although it’s not instantaneous. It may take a while to appear.
Now is the time to review the recommendations and alerts.
First, Defender gives you a timeline view of your systems – think of it as a cloud forensic system. You will soon discover that your servers (and for that matter your workstations) are very active objects, constantly sending commands and activity.
For example, in the screen above, “MpCmdRun.exe” is the Microsoft Malware Protection command line utility and it performs activities on the server. In the right column, it indicates the potential security technique used. Note that in this case the activity is not malicious, the console is just following normal server actions. In this case, it is a MITER “credentials from password stores” activity.
Next, in the security recommendations section, you’ll see suggested tweaks you can use to better secure your small business servers.
Many of these recommendations relate to attack surface reduction rules that we often forget to enable on server installations.
Linux servers can also be integrated with the Defender for Servers console, although I’m not sure if Linux-based network attached storage units would be fully supported. Contact your NAS vendors to determine if they will support using Defender for Servers on your Linux devices. To integrate a Linux device into your console, you will follow similar installation procedures. You can use a manual deployment script or Puppet, Ansible, or Chef configuration management tools.
Supported Linux server distributions include:
- Red Hat Enterprise Linux 6.7 or higher (preview).
- Red Hat Enterprise Linux 7.2 or higher.
- Red Hat Enterprise Linux 8.x.
- CentOS 6.7 or higher (Preview).
- CentOS 7.2 or higher.
- Ubuntu 16.04 LTS or higher LTS.
- Debian 9 or higher.
- SUSE Linux Enterprise Server 12 or higher.
- Oracle Linux 7.2 or higher.
- OracleLinux 8.x.
- AmazonLinux 2.
- Fedora 33 or higher.
Be aware that this list does not include specific Linux distros that I often see in small businesses. For example, I regularly see NAS devices such as Synology in small businesses, and I don’t know if they will be supported by Defender for Servers. (I’ll give Microsoft any feedback it needs to add these types of NAS devices to the support matrix.)
The exact licensing structure required to use Defender for Servers is also unclear at this time. Currently, the Defender for Endpoint for Server license imposes a certain minimum number of users (50). It is unclear how many Microsoft Defender for Business licenses can be held to qualify for Defender for Servers or if a minimum number of licenses is required. We will have to wait for the official release of the product to find out how the license works.
Bottom line: If you’re running a small business, I urge you to take a look at Defender for Servers. It will provide additional protection for your small business network.
Copyright © 2022 IDG Communications, Inc.