Microsoft Defender for Endpoint Settings Checklist

Consider boosting security posture by enabling and tuning a wide variety of Microsoft Defender for Endpoint settings for Windows workstations and servers. Additionally, a set of more advanced security controls and policies should be enabled for privileged users like the information security team (and, possibly, IT operations teams) as soon as possible, and then later for most systems after extensive testing.

Recommended Core Baseline Settings

• Enable attack surface reduction (ASR) rules in the following locations:
• Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
• Endpoint security > Attack surface reduction policy > Attack surface reduction rules
• Set the following ASR rules as a starting policy:
• Block Office communication apps from creating child processes (set to Enable)
• Block Adobe Reader from creating child processes (set to Enable)
• Block Office applications from injecting code into other processes (set to Block)
• Block Office applications creating executable content (set to Block)
• Block JavaScript or VBScript from launching downloaded executable content (set to Block)
• Enable network protection (set to Enable)
• Block untrusted and unsigned processes that run from USB (set to Block)
• Block credential stealing from the Windows local security authority subsystem (lsass.exe) (set to Enable)
• Block executable content downloads from email and webmail clients (set to Block)
• Block Win32 API calls from Office macro (set to Block)
• Block execution of potentially obfuscated scripts (js/vbs/ps) (set to Block)
• Block all Office applications from creating child processes (set to Block)

• Turn on the Bitlocker system drive policy, if possible:
• Enable full disk encryption for OS and fixed data drives
• Block write access to fixed data drives not protected by BitLocker
• Configure all encryption methods to 128-bit AES

• Turn on the device guard credential guard, if possible:
• Turn on credential guard (set to Enable with UEFI Lock)

• Turn on protection of direct memory access (DMA), if possible:
• Enumeration of external devices incompatible with Kernel DMA Protection (set to Block all)

• Windows Firewall: Enabling a variety of settings for the Windows firewall in Defender for Endpoint. The following arerecommended starting policies, but this is somewhat subjective depending on the types of systems and where they’re located (also, some differences between clients and servers is to be expected).
• Stateful File Transfer Protocol (set to Disabled)
• Number of seconds a security association can be idle before it’s deleted (set to 300)
• Firewall profile: set to Private
• Inbound connections blocked (set to Yes)
• Unicast responses to multicast broadcasts required (set to Yes)
• Outbound connections required (set to Yes)
• Inbound notifications blocked (set to Yes)
• Global port rules from group policy merged (set to Yes)
• Firewall enabled (set to Allowed)
• Authorized application rules from group policy not merged (set to Yes)
• Connection security rules from group policy not merged (set to Yes)
• Incoming traffic required (set to Yes)
• Policy rules from group policy not merged (set to Yes)
• Firewall profile: set to Public
• Inbound connections blocked (set to Yes)
• Unicast responses to multicast broadcasts required (set to Yes)
• Outbound connections required (set to Yes)
• Inbound notifications blocked (set to Yes)
• Global port rules from group policy merged (set to Yes)
• Firewall enabled (set to Allowed)
• Authorized application rules from group policy not merged (set to Yes)
• Connection security rules from group policy not merged (set to Yes)
• Incoming traffic required (set to Yes)
• Policy rules from group policy not merged (set to Yes)
• Firewall profile: Domain
• Inbound connections blocked (set to Yes)
• Unicast responses to multicast broadcasts required (set to Yes)
• Outbound connections required (set to Yes)
• Inbound notifications blocked (set to Yes)
• Global port rules from group policy merged (set to Yes)
• Firewall enabled (set to Allowed)
• Authorized application rules from group policy not merged (set to Yes)
• Connection security rules from group policy not merged (set to Yes)
• Incoming traffic required (set to Yes)
• Policy rules from group policy not merged (set to Yes)

• Turn on the following core Defender for Endpoint policies:
• Enable turn on real-time protection (set to Yes)
• Enable on access protection (set to Yes)
• Monitor for incoming and outgoing files (set to Yes)
• Additional amount of time (0–50 seconds) to extend cloud protection timeout (set to 0)
• Scan all downloaded files and attachments (set to Yes)
• Scan type (set to Quick scan)
• Defender schedule scan day (set to Every day)
• Defender sample submission consent (set to Send safe samples automatically)
• Cloud-delivered protection level (set to High)
• Scan removable drives during full scan (set to Yes)
• Defender potentially unwanted app action (set to Block)
• Turn on cloud-delivered protection (set to Yes)

• Set the following settings for SmartScreen within windows defender for endpoint:
• Enable Block users from ignoring SmartScreen warnings (set to Yes)
• Turn on Windows SmartScreen (set to Yes)
• Require SmartScreen for Microsoft Edge (set to Yes)
• Block malicious site access (set to Yes)
• Block unverified file download (set to Yes)
• Configure Microsoft Defender SmartScreen (set to Yes)
• Prevent bypassing Microsoft Defender SmartScreen prompts for sites (set to Enabled)
• Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (set to Enabled)
• Configure Microsoft Defender SmartScreen to block potentially unwanted apps (set to Enabled)

Recommended Additional Settings

• Turn on the following core Defender for Endpoint policies:
• Turn on behavior monitoring (set to Yes)
• Turn on intrusion prevention (set to Yes)
• Enable network protection (set to Enable)
• Scan scripts used in browsers (set to Yes)
• Scan network files (set to Yes)
• Scan emails (set to Yes)

• Enable the following additional ASR policy elements:
• Block process creations originating from PSExec and WMI command

 

DOWNLOAD: Harden M365 Identities and Exchange Online

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.