Working on some security stuff over the next few weeks and decided to write up a blog post on all the Microsoft Security features. Aka, what they are and what uses them and how you actually find them! You will also realize that the same name is used a couple of times (“Advanced Threat Protection”) and some things aren’t really products but a marketing term for a “set of products”. In some cases, the names have changed so Google/Bing search results are crazy!
Someone needs to manage product names with SEO in mind at Microsoft!
- Azure Key Vault
- What is it and what does it do?
- Allows you to store keys used for encryption activities across various systems and platforms
- What uses it?
- Virtual Machines, Resource Manager template deployments, and Azure Disk Encryption
- Used to store your Office 365 bring your own encryption key
- How do you get to it?
- Advanced Threat Analytics (ATA)
- What is it and what does it do?
- A proprietary network parsing engine that captures authentication and authorization data.
- ATA will discover a well known set of attack types such as Pass-the-ticket, Pass-the-hash, Overpass-the-hash, and many more!
- What uses it?
- It uses other systems (like a SPAN port on a switch).
- How do you get to it?
- ATA is an on-premises software solution (download it here – amazingly not in the MSDN download center). You must install it and configure it to monitor the traffic on your network.
- ATA has to be configured to receive data from your SIEM, Windows Event Forwarding and Windows Event Collectors
- Office 365 Advanced Threat Protection
- What is it and what does it do?
- Protects your email from various different attack vectors including “possible” zero-day protection. Provides the following:
- Safe Links, Safe Attachments, spoof intelligence, quarantine, anti-phishing
- What uses it?
- Exchange Online and if enabled, your Hybrid setup of your on-premises Exchange
- How do you get to it?
- You have to add a subscription that contains this feature; once enabled, you will have reports in your Exchange Online portal to view all security events
- Windows Defender Advanced Threat Protection (aka Windows Defender Security Center)
- What is it and what does it do?
- An agent-less, built-in feature of the Windows 10 OS that utilizes “sensors” to analyze user and app behavior to detect anomalies.
- What uses it?
- Windows 10 (v1703+)
- How do you get to it?
- Do a search for “Windows Defender Security Center” on your Windows 10 device.
- Compliance Manager
- What is it and what does it do?
- A new tool that will be released later this year that will score your environment on its compliance with common laws and regulations.
- What uses it?
- Office 365 services
- How do you get to it?
- TBD
- Azure Conditional Access
- What is it and what does it do?
- Allows you to prevent a user or app from logging in based on policies and threat analytics
- What uses it?
- Azure Active Directory
- How do you get to it?
- Open your Azure Portal
- Find the Azure Active Directory you want to configure, select it
- Click “Conditional Access”
- Office 365 Conditional Access
- What is it and what does it do?
- Allows you to drill down into the sites in SharePoint Online that you’d like to lock down based on a limited set of policies (Modern Auth, IP)
- What uses it?
- SharePoint Online
- How do you get to it?
- Open your Office 365 Portal
- Click “SharePoint”
- Click “Access Control”
- Windows Hello
- What is it and what does it do?
- Allows you to use biometric-based factors for authentication
- What uses it?
- Windows 10+
- How do you get to it?
- It is a part of the Windows 10 Operating System. You can enable it with these steps:
- Open “Settings”
- Click “Accounts”
- Click “Sign in options”
- Multi-Factor Authentication
- What is it and what does it do?
- Using only a password has become bad practice. Requiring both a password and a token is commonplace (even though many people have not protected their Azure admin account with MFA!)
- What uses it?
- Anything and everything that utilizes authentication via Azure AD or even Hotmail\Passport
- How do you get to it?
- Cloud App Security (used to be called “Office 365 Advanced Security Management”)
- What is it and what does it do?
- This tool will monitor your employees’ application usage (including cloud-based apps) and give you an idea of what rogue IT solutions may be lingering on your network.
- A Cloud App catalog can be constructed that would allow you to trust or untrust applications. For example, if you have chosen OneDrive as your personal file solution, then all instances of Box and Dropbox should be disallowed (after migration, of course).
- What uses it?
- It runs behind the scenes gathering data and information on the apps that are running on your users’ computers. The data that is gathered is anonymous so that you abide by various new laws (such as our friends in the EU have enacted).
- How do you get to it?
- Data Loss Prevention
- What is it and what does it do?
- Allows you to control the type of data that is being sent from your Office 365 environments
- What uses it?
- Exchange, SharePoint, Skype
- How do you get to it?
- Login to the Security and Compliance center
- Click “Data Loss Prevention”
- Customer Lockbox
- What is it and what does it do?
- It prevents Microsoft engineers from accessing your content in Office 365.
- What uses it?
- Office 365 systems
- How do you get to it?
- Open your O365 admin portal
- Expand the “SERVICE SETTINGS” node
- Click “Customer Lockbox”
- Toggle the switch to “On”
- NOTE: When a Microsoft Engineer needs to access your environment to fix an issue, be aware that the Customer Lockbox requests have a default lifetime of 12 hours, after which they expire.
- Windows Information Protection
- What is it and what does it do?
- An extension to the Information Rights Management (IRM) conversation. WIP is designed to be seamless. The idea is that data that starts on your network should stay on your network. If it needs to go somewhere else, then policy should define the rules. WIP does this.
- What uses it?
- Windows 10 (v1607+) with all Microsoft Office products and Microsoft Edge. Universal Windows Apps support WIP but have to be enabled to do so (Microsoft is working with 3rd parties).
- Azure Rights Management (cloud-based IRM) will kick in if you have to share data outside your network (such as with business partners).
- How do you get to it?
- You can enable WIP by configuring a policy in your Intune portal or utilize System Center Configuration Manager (SCCM) – steps here.
- Azure Storage Service Encryption
- What is it and what does it do?
- Encrypts all the blobs in your storage account using an encryption key
- What uses it?
- Azure Storage Accounts
- How do you get to it?
- Go to your Azure Portal and select “Storage Accounts”
- Select a Storage Account
- In the properties window, select “Encryption”, click “Enabled”
- NOTE: If you are missing the “Encryption” node, then it could be:
- The storage account is “classic”
- The storage account is not “Blob Storage”
- NOTE: You cannot utilize your own key with this service (aka, no BYOK)
- NOTE: If you enable it after you have created an account, only new blobs are encrypted!
- NOTE: It is also possible that the Azure Security Center may “recommend” you enable encryption for your older storage accounts
- Device Guard
- What is it and what does it do?
- A group of features. Combined they lock down a system such that only trusted applications are allowed to execute, thereby preventing malware from ever running on your computer.
- What uses it?
- Windows 10 and Windows Server 2016 operating systems
- How do you get to it?
- You have to have UEFI running in Native Mode on 64-bit Windows, Second Level Address Translation (SLAT) and virtualization extensions (Intel VT or AMD-V), and preferably a Trusted Platform Module (TPM)
- Install the “Hyper-V Hypervisor” feature
- You have to create a Code Integrity Policy and then deploy it to the targeted systems. This file is called SIPolicy.p7b and lives in the C:\Windows\System32\CodeIntegrity or <EFI System Partition>\Microsoft\Boot for UEFI computers
- NOTE: These policies can get very complex very fast, check out all the stuff you can do here
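As an added example (not from the original post), the policy-creation step above as a PowerShell sequence using the ConfigCI cmdlets that ship with Windows 10 and Server 2016; the C:\CIPolicy paths are assumptions, and the policy is started in audit mode so blocked-would-be binaries show up in the event log before anything is enforced:

```powershell
# Added example, not from the original post: build a Device Guard code integrity
# policy on a reference machine and stage it as SIPolicy.p7b, the file the post
# names. The C:\CIPolicy paths are assumptions; adjust for your environment.
# Requires the ConfigCI module (Windows 10 / Server 2016) and an elevated session.

$PolicyXml = 'C:\CIPolicy\AuditPolicy.xml'   # assumed working path (editable XML)
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'      # binary form the kernel/boot loader reads

# 1. Scan the reference system and trust files by publisher certificate, falling
#    back to a file hash where a binary is unsigned. -UserPEs includes user-mode
#    executables, not only drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs

# 2. Keep the policy in audit mode first (rule option 3 = "Enabled:Audit Mode").
#    Violations are written to Microsoft-Windows-CodeIntegrity/Operational instead
#    of being blocked, so you can review what would have stopped before enforcing.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy to the binary format Windows loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Stage it in the location the post names; a reboot activates it.
Copy-Item -Path $PolicyBin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# Later, once the audit log is clean, remove option 3 (Set-RuleOption -Option 3 -Delete),
# re-run steps 3 and 4, and the policy switches to enforcement.
```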
- Windows Defender Credential Guard
- What is it and what does it do?
- Prevents credential theft attacks such as Pass-the-Hash or Pass-the-Ticket.
- Uses a virtualization-based isolation approach so that only the system software that should be able to reach credentials can access them
- Uses the new Virtual Secure Mode (VSM) to secure data in memory, also called Virtualization Based Security (VBS)
- What uses it?
- Any software that has to do NTLM or Kerberos authentication
- How do you get to it?
- This is a part of the operating system in Windows 10 and Server 2016
- UEFI Secure Boot
- What is it and what does it do?
- Ensures that all software loaded at boot time is trusted. No “Bootkits” can be loaded.
- What uses it?
- Pretty much all of the latest hardware (laptops, servers) has a UEFI BIOS now, so you get this by default. You can turn it off, but you would only do so if your operating system was not part of the trusted set of software
- How do you get to it?
- When your computer boots, enter the UEFI BIOS settings; from there you can turn it on or off. Unless you have a really special Linux distro (or your own) you should probably leave it on!
- NOTE: Secure Boot does not require a TPM
- Trusted Boot Process
- What is it and what does it do?
- It is the steps after the Secure Boot process ends. It makes sure that all the Windows OS level items are secure and trusted. No “Rootkits” can be loaded.
- These include:
- OS Loader, Kernel, System drivers, System Files, ELAM Driver
- What uses it?
- Windows 8.1+ and Server OSes
- How do you get to it?
- Nothing to “see” here
- Enterprise Mobility + Security
- What is it and what does it do?
- It is a subscription in Office 365. It is not “technically” a product, but a set of services that will light up in your tenant if you purchase it
- What uses it?
- Office 365 and Azure (in terms of “lighting up” available services)
- How do you get to it?
- Open your Office 365 portal
- Click “Billing”
- Click “Subscriptions”
- Click “Add subscription”
- Search for “Enterprise Mobility + Security”
- Select it, Buy It!
- MDM for Office 365
- What is it and what does it do?
- It allows you to do some really basic mobile device policy enforcement such as password requirements, data encryption, and no jailbroken phones.
- You can also enforce things like blocking cloud backup, screen capture, the app store, and Bluetooth.
- What uses it?
- Policies are enforced by the applications you download such as Outlook for iPhone, etc
- How do you get to it?
- Open the Security and Compliance page
- Expand “Data loss prevention”
- Click “Device security policies”
- Microsoft Intune
- What is it and what does it do?
- Microsoft’s hard core MDM solution. It goes waaay past the basic MDM you get with Office 365.
- Intune adds many more features and functionality around device management such as Windows updates and software push, aka Mobile Application Management (MAM).
- What uses it?
- Any registered or unregistered devices that want to access your cloud services
- How do you get to it?
- Open your Office 365 portal, in the “Admin Centers”, select “Intune” or just go to the Intune Portal
- Intelligent Security Graph
- What is it and what does it do?
- Marketing term mainly…not really a product
- It is a network of security related systems and events that are continually analyzed to determine what attackers are trying to do against the Microsoft Cloud Infrastructure.
- What uses it?
- Nothing you are directly exposed to. This is a behind-the-scenes system of systems that uses various algorithms to find attack patterns.
- How do you get to it?
- It’s abstracted away from you, nothing to see here…literally.
- Azure Monitor
- What is it and what does it do?
- It is the log aggregator for all Azure services. Any future products will also send their data here.
- What uses it?
- All Azure services are monitored by Azure Monitor
- How do you get to it?
- It has many entry points to gain access to the monitoring data. Azure Portal, PowerShell, CLI, REST and a .NET SDK
- Azure Advisor
- What is it and what does it do?
- Evaluates your Azure subscriptions across several categories: High Availability, Security, Performance, and Cost
- What uses it?
- Nothing technically uses this feature, but it does provide you with recommendations on how to best use Azure and its many features in an optimal manner
- How do you get to it?
- Database Threat Protection
- What is it and what does it do?
- Protects your Azure Databases from potential internet based threats. This can be super helpful for when you want to ensure that your developers have actually followed best practices when designing the applications that make calls into your database.
- What uses it?
- Azure SQL Databases, possibly other db platforms in the future
- How do you get to it?
- Open your Azure Portal
- Navigate to the “” category
- Select your SQL Database
- Click the “Auditing and Threat Detection” node
- Toggle the buttons to enable “Auditing” and “Threat Detection”
- NOTE: It costs $15/server/month
- Azure Network Monitor (aka Network Watcher, aka Network Performance Monitor)
- What is it and what does it do?
- Similar to the SolarWinds Traffic Analyzer and Network Performance Monitor, Azure Network Monitor allows you to set up monitors between services and servers in your Azure instance. You can also monitor your ExpressRoute traffic if you have that set up.
- What uses it?
- Nothing really uses it other than you.
- How do you get to it?
- Office 365 Secure Score
- What is it and what does it do?
- This tool will evaluate your Office 365 tenant and compare your settings and service configurations to over 364 different reference points
- What uses it?
- Nothing uses it; it’s another recommendation tool like Azure Advisor
- How do you get to it?
- Operation Management Suite (OMS)
- What is it and what does it do?
- It’s your SCOM server in the cloud, only much cooler! You can utilize events to fire off configuration tasks, similar to how SolarWinds uses its NCM product to push configurations to Cisco devices
- OMS is not really a single product but a set of services; these include:
- Log Analytics
- Automation
- Backup
- Site Recovery
- What uses it?
- OMS uses everything else. It can make changes to your infrastructure based on the data it is receiving.
- How do you get to it?
- Open your Azure Portal
- The OMS services are under the “MONITORING + MANAGEMENT” category