Microsoft Advanced Security on Windows Server
Windows Defender is the built-in AV (Anti-Virus) solution from Microsoft for Windows Server 2016 and above (automatic exclusions are applied based on the installed role). Windows Server 2012 R2 (the latest supported version) requires the SCEP (System Center Endpoint Protection) client on-premises, or the Microsoft Antimalware extension for Azure IaaS (Infrastructure as a Service).
Microsoft Defender ATP is one of the best EDR (Endpoint Detection & Response) solutions (source: Gartner).
Onboarding is automatic for Azure IaaS servers running 2012 R2 and above (except Windows Server 2019, where this is ‘still’ a manual task). On-premises servers can be onboarded via the Microsoft Defender Security Center or Azure Security Center (Microsoft Monitoring Agent installation).
Microsoft Server Advanced Security
Microsoft can protect Windows servers via different solutions: Azure Security Center as the IaaS/PaaS security solution, Microsoft Defender ATP as the EDR solution and Azure Sentinel as the cloud native SIEM solution.
Azure Security Center
Azure Security Center is the Microsoft solution for Azure cloud security, from IaaS & PaaS to IoT (Internet of Things). Security data is written to an Azure Log Analytics workspace. A default Log Analytics workspace is created, but the advice is to create a new Log Analytics workspace for Azure Security Center (see Azure Sentinel for more details).
Azure VMs (IaaS) are protected (e.g. security recommendations) under the free license, but advanced security requires the Azure Security Center Standard Tier license, which provides advanced security features such as:
- Just-in-Time (JIT) access to protect remote access protocols (e.g. RDP & SSH)
- File Integrity Monitoring to protect sensitive files on servers (monitor file hash)
- Adaptive Application Controls to protect sensitive applications (application whitelist)
- Adaptive Network Hardening to protect (harden) the network infrastructure in Azure (e.g. NSG)
Microsoft Defender ATP is also part of the license and is automatically ‘installed’ on Azure VMs when the Standard Tier license is enabled (except Windows Server 2019, which requires a manual task).
Microsoft Defender ATP writes its raw data and alerts to the Microsoft Defender Security Center workspace (the data region is set when the product is initially enabled). By enabling the integration in Azure Security Center (Threat detection settings), Microsoft Defender ATP data from these servers is also written to the Microsoft Defender Security Center, which combines all Microsoft Defender ATP clients (Windows 10, Android, iOS, Windows Server and Linux).
If a server is not part of Azure Security Center, Microsoft Defender can be installed (add-on license) and the workspace of the Microsoft Defender Security Center can be set via the ‘Workspace ID’ and ‘Workspace key’ as part of the installation.
If the Microsoft Monitoring Agent is already installed (verify via the Control Panel), a second workspace can be added in the Azure Log Analytics (OMS) tab of the Microsoft Monitoring Agent settings in the Control Panel.
Azure Sentinel
Azure Sentinel is the cloud native SIEM (Security Information and Event Management) solution from Microsoft.
Azure Sentinel can connect different data sources (security solutions, Microsoft and non-Microsoft) and writes the data to a Log Analytics workspace. Sharing a workspace with Azure Security Center is supported with a new workspace only; the default workspace cannot be used by Azure Sentinel.
Pro-tip: use a dedicated workspace for Azure Sentinel (more cost effective).
The Data Connectors in Azure Sentinel for Windows Server protection are:
To use the Security Events data from the Windows Server operating system, the events have to be written to the Azure Sentinel workspace. If the server reports to another Log Analytics workspace, this can be done by adding a second workspace in the Microsoft Monitoring Agent (see the last paragraph on the Microsoft Defender Security Center above).
Security event data can be used, for example, to detect a ‘brute force RDP’ attack on the server (EventID 4625) or the use of a honeytoken account (EventID 4624).
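As an added illustration of the two Security Events detections just mentioned (example code, not from the original post), the following Python runs both checks over a handful of constructed SecurityEvent-style records: repeated EventID 4625 failures from one source address inside a time window, and any EventID 4624 logon with a hypothetical honeytoken account. All hosts, accounts and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like the Log Analytics SecurityEvent table
# (hypothetical accounts and addresses; not from any real workspace).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2020-01-10T08:00:01", "EventID": 4625, "Account": "administrator", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:00:03", "EventID": 4625, "Account": "admin", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:00:05", "EventID": 4625, "Account": "backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:00:08", "EventID": 4625, "Account": "sql", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:00:10", "EventID": 4625, "Account": "test", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:00:12", "EventID": 4625, "Account": "guest", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2020-01-10T08:30:00", "EventID": 4625, "Account": "jdoe", "IpAddress": "198.51.100.9"},
    {"TimeGenerated": "2020-01-10T08:31:00", "EventID": 4624, "Account": "jdoe", "IpAddress": "198.51.100.9"},
    {"TimeGenerated": "2020-01-10T09:05:00", "EventID": 4624, "Account": "svc_backup_old", "IpAddress": "203.0.113.7"},
]

# Hypothetical decoy account that exists in the directory but is never used
# legitimately, so any successful logon (4624) with it is an alert on its own.
HONEYTOKEN_ACCOUNTS = {"svc_backup_old"}


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: failures} for sources with >= threshold failed logons
    (4625) inside any sliding window. RDP failures carry LogonType 10, or 3 when
    NLA is in use, so the check keys on the source address, not the logon type."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(datetime.fromisoformat(e["TimeGenerated"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def detect_honeytoken_logon(events, honeytokens=HONEYTOKEN_ACCOUNTS):
    """Return every successful logon (4624) that used a honeytoken account."""
    return [e for e in events
            if e["EventID"] == 4624 and e["Account"].lower() in honeytokens]
```

With the sample data, `detect_rdp_brute_force(SAMPLE_EVENTS)` flags only 203.0.113.7 (six failures in twelve seconds) and `detect_honeytoken_logon(SAMPLE_EVENTS)` returns the single decoy-account logon; the same logic maps directly onto a scheduled analytics rule over the SecurityEvent table in the Sentinel workspace.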
Summary
Microsoft provides different security solutions to protect servers, and these solutions can be integrated into one holistic security solution.
If you have any questions about Azure Security Center, Microsoft Defender ATP or Azure Sentinel, please contact me or the InSpark Cybersecurity team.