Categories
mdatp security web windows 10

Free Web Content Filtering With Microsoft Defender ATP

Well free as in you need an MDATP licence first, but as this used to be an add on feature on top of MDATP with an additional cost, this is now effectively free once you are licensed for MDATP. The feature enables your organisation to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.

So how do you set it up from scratch.

Visit the MDATP admin portal at https://securitycenter.microsoft.com/ and click the cog icon to change to the settings view.

Under General, Advanced Features enable Preview Features (whilst this feature is in preview, once it stops being a preview feature this step is no longer required).

On the same list of Advanced Features toggle the option for Web Content Filtering to enable the feature and click Save Preferences.

Enabling Web Content Filtering in MDATP Settings

In the option where you enable Web Content Filtering click the link to create a web content filtering policy to take you to the settings for this feature.

This opens a second tab but all it does it takes you to the Web Content Filtering node of the Settings page! Click + Add Item to start adding content filtering categories.

First, give the policy a name and click Next. Then choose a category or parent category. For example you could select the parent category Adult Content which will turn on seven categories, or you could select just a category such as Nudity. The parent categories are, in addition to Adult Content, High Bandwidth (with peer to peer, and streaming media sites included), Legal Liability (with categories such as child abuse, hacking, and criminal activity included), Leisure (including chat, games, and social networking as categories) and the blanket Uncategorized.

Blocked Categories page in MDATP Web Content Filtering policy creation

Click Next and then enable for all devices in your admin scope (so if you are Global Admin, that’s all devices!) or pick one or more device groups.

Roll Out Web Content Filtering To A Device Group

You need to have made the device groups in advance of setting up the policy, and this is available from the Settings page as well. In the above screenshot I have selected the UK device group which is a MDATP Tag set by the registry on all our UK machines. Create a pilot group tag and roll out this feature to a limited number of devices to test.

Click Next to get to the Summary page and then finish the policy creation.

Web Content Filtering Policies in MDATP

The policy you created and others if you have more than one are then shown.

There are no client agents to install for this feature to work – the MDATP sensor built into Windows 10 (1609 and later) does all the work. The website categories that are blocked are blocked in the browser with a warning. Blocks are performed by SmartScreen (Edge) and Network Protection (Chrome and Firefox). Network Protection is not a message in the browser though – it is a popup at the Operating System level. The Web Content Filter interrupts network traffic to the blocked sites, so Chrome and Firefox will show a network level error, and the OS popup will give the reason. Edge Browser integrates with the OS to show a proper error message (unless SmartScreen is disabled, in which case Network Protection will be the experience here in Edge as well).

Edge SmartScreen Block

In addition to the browser “requirement” for a nice error message, you also need to have the latest updates for Windows Defender signatures and platform, known as MoCAMP. An Advanced Hunting query on GitHub allows you to check the versions across your MDATP estate.

All viewed categories, blocked or not blocked, are reported back to MDATP via the telemetry – so you can create reports on the visited site categories even without blocking users. These reports are available from the MDATP portal and Reports > Web Protection:

Web Protection Report in MDATP

The above screenshot shows the only activity at the moment was Custom Indicators (see Blocking Apps With A Low Reputation) but as categories of web content and browsed they will appear on this report.

Web Categories As Shown On Day Web Content Filtering Was Turned On!

You can access the Report details for each card by selecting a table row or coloured bar from the chart in the card. The report details page for each card contains data about web content categories, website domains, and device groups.

If you create a Web Content Filtering Policy that has no blocked items in it, but apply this to all devices, you will get a report within a few days of the scope of all your users across all your devices (in MDATP that is) and the categories of URL they are visiting. Therefore, if you need to know what to block before you block it – create a policy that does not include any categories to block.

Categories
2007 certificates exchange iis microsoft pkcs powershell web

Creating Subject Alternative Name Certificates with Microsoft Certificate Server

A new feature in digital certificates is the Subject Alternative Name property. This allows you to have a certificate for more than one URI (i.e. www.c7solutions.com and www.c7solutions.co.uk) in the same certificate. It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.

A number of commercial companies now sell certificates with the Subject Alternative Name field set, but this article describes how to use the Exchange Server 2007 command line to create certificate requests for other web sites that can be uploaded to Microsoft Certificate Server (which does not support this property in its own web pages) to create certificates for web servers such as IIS (which also do not support this property in the requests that they make).

The command that you need to run is via PowerShell, and specifically via the Microsoft Exchange Server 2007 extensions to PowerShell. So start up the Microsoft Management Shell and enter the following (replacing your domain names as indicated:

New-ExchangeCertificate -GenerateRequest:$true -Path c:\newCert.req -DomainName www.domain.com,sales.domain.com,support.domain.com -PrivateKeyExportable:$true -FriendlyName “My New Certificate” -IncludeAcceptedDomains:$false -Force:$true

The DomainName property is set to each URL that you want the certificate to be valid for, with the first value in the string being the value for the Subject field and all the values each being used in the Subject Alternative Name field.

Once you have executed the command above you will have a file with the name set in the Path property. This file can be opened in Notepad and used in Microsoft Certificate Services:

  1. Browse to your Microsoft Certificate Services URL and click Request a certificate
  2. Click advanced certificate request
  3. Click submit a certificate…
  4. Copy and paste the entire text of the certificate request from notepad into the Saved Request field on this page and select Web Server as the Certificate Template. Click Submit.
  • With a default installation the Web Server template value will not be present and that needs to be enabled by your Certificate Services administrator for your user account
  • With the default installation of Certificate Services, the certificate will now be ready to download. Click Download certificate (or Download Certificate Chain if the end server does not trust your issuer) to save your certificate to the computer.
  • Install the certificate on to the same computer that you issued the request from (this is a very important step), and then you can export the certificate and import it on your web server or firewalls.

To install the certificate, run the Import-ExchangeCertificate powershell command on the same computer as the request was issued from (this is a very important, it must be on the same computer). This is a simpler command to run that the creation of the request above.

The syntax of this command is (where the filename is the name of the file downloaded above):

Import-ExchangeCertificate c:\newCert.cer

To export the certificate to your web server or firewall you need to open the local computer certificate store in the Microsoft Management Console – run mmc, add a snap-in and choose Certificates, Computer account. You will find your certificates under the Personal store. You can right-click these certificates and export them (with the private key) to a .pfx file. This file can then be imported using the MMC tool on the web server or firewall ready for importing using an mmc with the certificates/computer account snap-in load into it.