Microsoft Windows Defender ATP Protection Step by Step implementation and Configuration - Part 1

Posted by Ahmed Nabil
Before the close of 2016 I would like to share with you a very cool new security service offered recently by Microsoft to detect and respond to advanced targeted attacks. Information security attacks are getting more complex and need several layers of protection and, more importantly, a different way of analyzing and detecting such threats.

Windows Defender Advanced Threat Protection is based on Windows 10 clients and serves as post-breach protection for investigating and responding to threats, while the Windows 10 client itself is already fully packed with pre-breach protection such as Credential Guard, Device Guard, information protection, etc.

For some reason Microsoft is using the term Advanced Threat Protection widely in several products which is causing confusion for the users. Basically there are three services/tools sharing the same name as follows:

  1. Office365 Advanced Threat Protection (ATP). This service is mainly concerned with protecting your email from advanced threats in real time, for example by inspecting all Internet links arriving in your email. You need an Office365 E5 license for it to work.
  2. Microsoft Advanced Threat Analytics (ATA). This tool uses user behavior and machine learning to detect attacks, with the main focus on credential attacks such as Pass the Hash and Pass the Ticket, as well as common and known threats to your network. Please check my earlier blog series on ATA.
  3. Windows Defender Advanced Threat Protection. This is the service this blog post targets, and it is mainly concerned with your endpoint device (Windows 10 device). You need a Windows E5 license to run it.

So what are the requirements to get enrolled and run Windows Defender ATP?

  1. This will run only on Windows 10 Update 1 and later (Windows 10 RTM won't work). Also, not all Windows 10 editions are approved (Home Edition won't work).
  2. This service is in the cloud, so the Windows 10 client needs access to the Internet to contact it.
  3. Windows Defender ATP is not the same as the local Windows Defender AV installed by default on Windows 10; however, it needs some components from it, such as the ELAM (Early Launch Anti-Malware) driver. The ideal situation is that you have the default Windows Defender as your main real-time protection against viruses, in which case you don't have to worry about anything. However, if you are using another AV product such as Symantec or McAfee as the main real-time protection, ATP still needs the ELAM driver to be running. By default, when you install a 3rd-party AV such as Symantec or Kaspersky, the local Windows Defender AV enters passive mode, where ELAM keeps running and the engine keeps being updated, but it does not act as your real-time protection. So if you have a 3rd-party AV, don't block or disable Windows Defender on your local machine, as this will cause ATP to stop functioning.

For more details on Windows Defender ATP requirements, please check below

So the normal process is that you contact your Microsoft Account Manager and ask for the Windows Volume License E5, and after getting/purchasing the needed licenses you will get a notification that it is activated. The process of configuring and implementing ATP once it is purchased is as follows:

  1. Open the Windows Defender ATP Portal, log in using your corporate credentials, and on the Welcome screen click Next as shown below.
  2. The next step is a very crucial decision because it cannot be reverted after you are up and running. It deals with the storage location of your data and whether you prefer to store it in the US or Europe (some organizations have policies to store their data in Europe, for example). If you want to change it later you will need to offboard all your clients, reset the whole subscription (this needs Microsoft Support) and create everything from scratch again.
  3. Choose the period of time you want to keep your data in the cloud (you can change this later if needed).
  4. Pick your organization size and anticipate any planned growth (this preference cannot be changed later on).
  5. Choose your industry and your organization's main scope of work. This setting can be changed later and will provide insights on any alerts or threats that are targeted at a specific industry.
  6. You will get a warning that some changes cannot be reverted, as we mentioned earlier: the storage location and the organization size. Click Continue to create your cloud instance.
  7. The final step after the ATP cloud instance is created is to onboard your clients (point them to the ATP instance) and activate this protection on their machines. To do so you need to install a very simple package on your client machines. In this step you are offered all kinds of distribution types, such as SCCM for your domain machines with the SCCM client, an Intune package for your BYOD devices, Group Policy, etc. In our test case I used the local script, which just installs the needed files, and I placed it manually on the client. You need to run this script file from an elevated Command Prompt.

  8. In our case I installed ATP on 3 machines, and the ATP portal dashboard is shown below.
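
The client requirements listed earlier and the elevated onboarding in step 7 can be checked on each machine with a short script. This is an added example, not part of the original post or Microsoft's onboarding package; the reachability target `www.microsoft.com` is an assumed stand-in for the ATP cloud endpoints, and the `Sense` service name and `DisableAntiSpyware` policy value are standard Windows names that the post itself does not mention.

```powershell
# Added example: readiness and post-onboarding check for a Windows Defender ATP client.
# Run from an elevated PowerShell session on the Windows 10 machine.

function Test-AtpClientReadiness {
    $r = [ordered]@{}

    # Step 7: the onboarding script must be run elevated.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    $r['Elevated'] = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Requirement 1: later than Windows 10 RTM (build 10240) and not Home edition.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r['OsBuildAfterRtm'] = ([int]$os.BuildNumber -gt 10240)
    $r['EditionNotHome']  = ($os.Caption -notmatch 'Home')

    # Requirement 2: the client needs Internet access to reach the cloud service.
    # Assumed generic HTTPS target; behind a proxy this raw TCP test may fail.
    $r['InternetReachable'] = Test-NetConnection -ComputerName 'www.microsoft.com' `
        -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue

    # Requirement 3: Windows Defender must not be blocked or disabled,
    # even when a 3rd-party AV is the real-time protection (passive mode is fine).
    $wd = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $r['DefenderServiceNotDisabled'] = ($null -ne $wd -and $wd.StartType -ne 'Disabled')

    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    $r['DefenderNotDisabledByPolicy'] = -not ($pol -and $pol.DisableAntiSpyware -eq 1)

    # After onboarding: the ATP sensor service should be running.
    # Expected to be False on a machine that has not been onboarded yet.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $r['AtpSensorRunning'] = ($null -ne $sense -and $sense.Status -eq 'Running')

    [pscustomobject]$r
}

$report = Test-AtpClientReadiness
$report | Format-List

# List every check that came back False so it can be fixed before or after onboarding.
$failed = $report.PSObject.Properties | Where-Object { $_.Value -ne $true }
if ($failed) {
    Write-Warning ("Checks needing attention: " + (($failed | ForEach-Object Name) -join ', '))
}
```
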
This concludes Part 1, which mainly dealt with the installation and configuration. In Part 2 I will start simulating an attack and show how to analyze it in ATP. Happy new year everyone and see you in 2017 :)