Unlocking Microsoft Defender: A Guide to Windows Security

tags: microsoft

Published 3/26/2024

Microsoft Defender. Those words are usually associated with Microsoft’s free antivirus software built into the Windows operating system. But did you know the antivirus tool is just the tip of the Microsoft Defender iceberg? Microsoft has many tools that, when combined, provide a comprehensive security protection solution. This post will highlight some of the features of Defender in Windows and Defender for Endpoint that can be used to secure Windows workstations and servers.

Microsoft Defender Antivirus

The Defender Antivirus technology is built into modern Windows workstation and server operating systems. It is a major pillar of the Defender security solution for protecting endpoints. The modern version of Defender Antivirus utilizes behavior analysis, heuristics, and cloud-based intelligence to detect and remediate ever-evolving threats.
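As an added example (not code from the original post), the following PowerShell checks that the behavior-monitoring and cloud-delivered protection the paragraph mentions are actually switched on, and raises the cloud settings where they are not. The function names and the three-day signature threshold are this example's own choices; the cmdlets are the built-in Defender module and need an elevated session.

```powershell
# Added example (not from the original post): verify Defender Antivirus is
# running with real-time, behavior and cloud-delivered protection, and raise
# the cloud protection level if it is not. Run from an elevated session.
# Function names and the 3-day threshold are this example's own choices.

function Test-DefenderAvPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $checks = [ordered]@{
        'Antimalware service running'     = $status.AMServiceEnabled
        'Real-time protection'            = $status.RealTimeProtectionEnabled
        'Behavior monitoring'             = $status.BehaviorMonitorEnabled
        'Scan downloads and attachments'  = $status.IoavProtectionEnabled
        'Cloud (MAPS) reporting on'       = ($pref.MAPSReporting -ne 0)      # 0 = Disabled
        'Cloud block level at least High' = ($pref.CloudBlockLevel -ge 2)    # 2 = High
        'Signatures younger than 3 days'  = ($status.AntivirusSignatureAge -le 3)
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $state, $name)
    }
    # $true only when every check passed, so a deployment script can gate on it.
    return -not ($checks.Values -contains $false)
}

function Enable-DefenderCloudProtection {
    # Send detection telemetry to the cloud (Advanced = richer data), let the
    # cloud block at the High level, and give it more time to decide on
    # suspicious files (up to 50 s on top of the default 10 s).
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -CloudBlockLevel High
    Set-MpPreference -CloudExtendedTimeout 50
    # Automatically submit samples that contain no personal data.
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
}

if (-not (Test-DefenderAvPosture)) { Enable-DefenderCloudProtection }
```

The check reads the effective state from `Get-MpComputerStatus` rather than only the configured preference, which is what matters when a tamper or a failed service leaves the two out of sync.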

Windows Firewall

The Windows Firewall is included in all modern versions of Windows workstation and server operating systems. It is enabled by default and can be configured to monitor and protect all incoming and outgoing network traffic on a Windows device.
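As an added example (not code from the original post), this PowerShell puts all three firewall profiles into a default-deny inbound posture with logging of dropped packets, then adds a single explicitly scoped allow rule. The 10.0.10.0/24 management subnet, the rule name and the function names are values constructed for this example; the cmdlets are the built-in NetSecurity module and need an elevated session.

```powershell
# Added example (not from the original post): baseline the Windows Firewall
# to block unsolicited inbound traffic on every profile, log what it drops,
# and allow one inbound service only from a defined subnet.
# 10.0.10.0/24 and the rule name are constructed values for this example.

function Set-BaselineFirewallPosture {
    # Default-deny inbound, allow outbound, and log blocked packets so the log
    # file can be collected by a SIEM agent.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -DefaultOutboundAction Allow `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 32767
}

function Add-ManagementRdpRule {
    param([string]$ManagementSubnet = '10.0.10.0/24')   # constructed value
    $name = 'Allow RDP from management subnet'
    # Scope the rule to the admin subnet and the Domain profile only, so RDP is
    # not reachable from whatever network a laptop happens to join.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress $ManagementSubnet -Profile Domain -Action Allow | Out-Null
    }
}

function Get-FirewallPostureReport {
    # Per-profile summary for a compliance check.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
}

Set-BaselineFirewallPosture
Add-ManagementRdpRule
Get-FirewallPostureReport | Format-Table -AutoSize
```

Scoping allow rules by `-RemoteAddress` and `-Profile` is the part most often skipped; an unscoped RDP rule on the Public profile undoes the default-deny posture the first time the device sits on an untrusted network.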

Windows Defender Application Control

Defender Application Control is a tool that is used to restrict the execution of untrusted applications, drivers, and processes on endpoints. A Defender Application Control policy can allow applications to run on an endpoint if they meet certain criteria. Some examples include:

  • File and Folder locations
  • File reputation (Microsoft Intelligent Security Graph)
  • Managed Installer (Configuration Manager, Intune)
  • Code-signing certificates
  • File attributes / hash information
  • And more…

If an application meets the defined criteria, it is allowed to run on the device, otherwise it is blocked.
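As an added example (not code from the original post), this PowerShell builds a Defender Application Control policy from a reference machine, switches on the rule options that correspond to two of the criteria listed above (Managed Installer and Intelligent Security Graph reputation), and compiles it in audit mode so that would-be blocks are logged before anything is enforced. The `C:\WDAC` paths are constructed for this example; the cmdlets come from the ConfigCI module that ships with Windows and need an elevated session.

```powershell
# Added example (not from the original post): generate a WDAC policy in audit
# mode from the software installed on a reference machine, enable the Managed
# Installer and Intelligent Security Graph options, and compile it.
# The C:\WDAC paths are constructed for this example.

$PolicyXml = 'C:\WDAC\AuditPolicy.xml'
$PolicyBin = 'C:\WDAC\AuditPolicy.bin'
New-Item -ItemType Directory -Path 'C:\WDAC' -Force | Out-Null

# Allow scanned binaries by their signing publisher, falling back to a file
# hash for anything unsigned. -UserPEs includes user-mode executables, not
# only drivers. (Scanning a narrower path keeps the run time reasonable.)
New-CIPolicy -FilePath $PolicyXml `
    -ScanPath 'C:\Program Files' `
    -Level Publisher -Fallback Hash `
    -UserPEs

# Rule options are numbered. The ones enabled here:
#   3  Enabled:Audit Mode                        log instead of block
#  13  Enabled:Managed Installer                 trust files placed by Intune/ConfigMgr
#  14  Enabled:Intelligent Security Graph Authorization   allow good-reputation files
#  16  Enabled:Update Policy No Reboot
foreach ($option in 3, 13, 14, 16) {
    Set-RuleOption -FilePath $PolicyXml -Option $option
}

# Compile to the binary form the kernel consumes. Deployment is then done via
# Intune, Group Policy, or by copying the binary into the CodeIntegrity
# directory as described in Microsoft's WDAC deployment documentation.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After deployment, audit-mode decisions land in the Code Integrity log.
# Event 3076 = "would have blocked" (audit); 3077 = blocked (enforced).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Reviewing the 3076 events for a few weeks, then removing option 3 and recompiling, is the usual path from audit to enforcement; anything legitimate that shows up there needs a publisher or hash rule before the policy is enforced.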

Device Control

Device Control policies are a component of Microsoft Defender for Endpoint. These policies provide control over the installation and use of the following types of devices:

  • Removable Storage (USB drives, SD cards, DVDs, etc.)
  • Printers
  • Bluetooth Connections

Device Control could be used to block all access to removable devices on endpoints or be used to allow only specific pre-approved devices.

Microsoft Defender SmartScreen

Defender SmartScreen is a tool that is used to protect endpoints against untrustworthy and unsafe websites and files. If a user attempts to navigate to an unsafe website or download an unsafe file, SmartScreen will warn the user about the potential risk. SmartScreen can be configured to allow users to acknowledge the risk and continue, or to fully block the action. SmartScreen on Windows 11 also includes extra protection against phishing by warning users of unsafe password practices.

Microsoft Network Protection

Network Protection expands upon the protection of Defender SmartScreen. Network Protection works at the operating system level, which allows it to protect users from untrustworthy web connections even in third-party browsers such as Google Chrome. In fact, Network Protection can scan and block any outbound HTTP(S) traffic from an endpoint to an untrustworthy source.
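As an added example (not code from the original post) covering both the SmartScreen and Network Protection sections above, this PowerShell sets Explorer SmartScreen to block rather than warn, turns Network Protection on in audit mode first, and reads back the connections it would have stopped. The registry path and value names are the documented SmartScreen policy keys; the function names are this example's own. Requires an elevated session.

```powershell
# Added example (not from the original post): SmartScreen in block mode,
# Network Protection in audit mode, and a query for what audit mode logged.
# Function names are this example's own choices.

function Set-SmartScreenBlockMode {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # EnableSmartScreen = 1 turns the feature on for Explorer; ShellSmartScreenLevel
    # decides whether the user may click through ('Warn') or not ('Block').
    Set-ItemProperty -Path $key -Name 'EnableSmartScreen'     -Value 1       -Type DWord
    Set-ItemProperty -Path $key -Name 'ShellSmartScreenLevel' -Value 'Block' -Type String
}

function Set-NetworkProtectionMode {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string]$Mode = 'AuditMode')
    # Audit first: connections to low-reputation hosts are logged, not cut,
    # so legitimate destinations that trip it can be found before enforcing.
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-NetworkProtectionEvents {
    # Defender operational log: 1125 = audit (would have blocked), 1126 = blocked.
    # The message names the destination and the process that opened the connection.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1125, 1126
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-SmartScreenBlockMode
Set-NetworkProtectionMode -Mode AuditMode
# Confirm the effective setting: 2 = AuditMode, 1 = Enabled, 0 = Disabled
(Get-MpPreference).EnableNetworkProtection
Get-NetworkProtectionEvents | Format-List
```

Because Network Protection runs in the OS rather than the browser, the 1125/1126 events also capture connections from scripts, Office add-ins and third-party browsers, which is what makes the audit log a useful view of outbound traffic SmartScreen alone never sees.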

Attack Surface Reduction Rules

Microsoft’s Attack Surface Reduction Rules are intended to protect against unusual or risky behaviors that attackers may use to compromise an endpoint. Examples of some of these protections include:

  • Blocking suspicious and obfuscated scripts from running
  • Blocking Office applications from creating child processes
  • Blocking process creation from WMI commands and PsExec
  • Blocking untrusted processes from removable storage
  • Enabling advanced protection against ransomware
  • And more…

Enabling all the rules in block mode greatly hardens the security posture of an endpoint by protecting against many common attack vectors.

Controlled Folder Access

Controlled Folder Access is a tool that only allows trusted applications to access protected folders. This greatly increases the protection against ransomware on endpoints. With Controlled Folder Access enabled, only applications that have been deemed trustworthy, or applications that have been specifically allowed, are able to access protected folders (users’ files, operating system files, etc.). An untrustworthy application, like a ransomware executable, would be blocked from accessing or modifying any of the protected folders.
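As an added example (not code from the original post) covering both the Attack Surface Reduction Rules and Controlled Folder Access sections above, this PowerShell rolls out the five ASR rules the post lists together with Controlled Folder Access in audit mode, reviews what they would have blocked, and leaves the switch to block mode as the final step. The rule GUIDs are Microsoft's published identifiers for those rules (confirm them against the current ASR rules reference before use); the `D:\Finance` folder, the `ContosoLedger` application path and the function names are constructed for this example. Requires an elevated session.

```powershell
# Added example (not from the original post): ASR rules and Controlled Folder
# Access in audit mode first, then block mode once the audit log is clean.
# GUIDs are from Microsoft's ASR reference; paths below are constructed.

# The rules this post lists, mapped to their rule GUIDs.
$AsrRules = [ordered]@{
    'Block execution of potentially obfuscated scripts'         = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Office applications from creating child processes'   = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block process creations from PsExec and WMI commands'      = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block untrusted and unsigned processes that run from USB'  = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Use advanced protection against ransomware'                = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

function Set-AsrRulesMode {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string]$Mode)
    foreach ($name in $AsrRules.Keys) {
        # Add-MpPreference merges with rules already configured instead of replacing them.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Set-ControlledFolderAccessMode {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string]$Mode)
    Set-MpPreference -EnableControlledFolderAccess $Mode
    # Protect an additional data folder and allow one line-of-business app
    # that Defender does not already treat as trusted (constructed paths).
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ContosoLedger\ledger.exe'
}

function Get-DefenderAuditEvents {
    # Defender operational log: 1122 = ASR audit, 1121 = ASR block,
    #                           1124 = CFA audit, 1123 = CFA block.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122, 1123, 1124
    } -MaxEvents 100 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Phase 1: audit, review the events, and add exclusions for legitimate
# software that trips a rule.
Set-AsrRulesMode -Mode AuditMode
Set-ControlledFolderAccessMode -Mode AuditMode
Get-DefenderAuditEvents | Format-List

# Phase 2: enforce once the audit log no longer shows legitimate activity.
# Set-AsrRulesMode -Mode Enabled
# Set-ControlledFolderAccessMode -Mode Enabled
```

The 1122 and 1124 audit events carry the process and target path, so a week of them is usually enough to see which in-house tools (installers that spawn from Office, backup agents writing to Documents) need an allow entry before block mode goes live.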

Credential Guard

Credential Guard works to protect credentials (password hashes, Kerberos tickets, etc.) from attackers using techniques such as pass-the-hash. Credentials are isolated using virtualization-based security so only trusted system processes and applications can access them. Starting with Windows 11 version 22H2, Credential Guard is enabled by default on supported devices.
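As an added example (not code from the original post), this PowerShell reports whether Credential Guard is merely configured or actually running, using the `Win32_DeviceGuard` WMI class, and enables it through the documented registry values where it is not. The function names are this example's own. Requires an elevated session, and a reboot for the enable step to take effect.

```powershell
# Added example (not from the original post): check Credential Guard state
# (configured vs. running) and enable it where it is off. Function names are
# this example's own choices; a reboot is needed after enabling.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard,
    # 2 = HVCI. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but
    # not running, 2 = running.
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

function Enable-CredentialGuard {
    param([switch]$UefiLock)
    # Turn on virtualization-based security, then ask LSA to isolate credentials.
    # LsaCfgFlags: 1 = enabled with UEFI lock (cannot be disabled remotely),
    #              2 = enabled without lock (can be reverted by policy).
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    Set-ItemProperty -Path $dgKey  -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name 'RequirePlatformSecurityFeatures'   -Value 1 -Type DWord  # 1 = Secure Boot
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $flags -Type DWord
}

$state = Get-CredentialGuardState
$state
if (-not $state.CredentialGuardRunning) {
    Enable-CredentialGuard    # no UEFI lock, so it stays manageable by policy
    Write-Output 'Credential Guard configured; reboot required for it to start.'
}
```

The distinction between `CredentialGuardConfigured` and `CredentialGuardRunning` is the one worth auditing fleet-wide: a device with the policy applied but VBS not running (no Secure Boot, virtualization disabled in firmware) still keeps its secrets in an unprotected LSASS.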
