Historically, one of the big features missing “out of the box” with MDATP was web content filtering.  Customers typically look at MDATP as an option when their existing endpoint security is due for license renewal, and compare their existing solution against it.  They would be moving from one of the big security vendors such as Sophos, Norton, and McAfee, which all supported web content filtering.  Higher-level stakeholders often listed the ability to block websites as essential, and as Microsoft did not maintain such a categorisation database, if you wanted it with Defender ATP, you’d be looking at other solutions too.  This took away from Defender ATP’s “single pane of glass” selling point.

The solution was rolled out earlier this year via an integrated third party, Cyren.  In this blog, I will detail what Cyren offers within MDATP including limitations, what we know about the roadmap ahead, and how to configure it, including exceptions and manual additions.

About Cyren Web Content Filtering

Web content filtering is reasonably intuitive.  You specify a list of categories you want to prohibit users from accessing, and the web content filtering engine enforces this across all browsers and applications on the endpoint.  Thinking about how you would do this in an on-premises world, we are lifting the responsibility and ability to filter traffic from the firewall or web proxy appliance/software and putting it on the endpoint.  In a work-from-home world, this is essential.

The categories offered by Cyren are what you’d expect, but it isn’t as comprehensive as some solutions I’ve seen.  For example, you cannot filter on politics or job searches, even though these are categories maintained by Cyren, and often found in other solutions.

On desktop operating systems, Microsoft support MDATP on Windows 10, Windows 7, Windows 8.1, macOS, and even Linux.  Cyren web content filtering, however, is reliant on the Windows Defender feature Network Protection which only works on Windows 10 1709+.  Network Protection is really just SmartScreen but applied to outbound, rather than inbound, web traffic. Before deploying web content filtering, you should confirm that you have enabled Network Protection via your MDATP management tool (manually per-device, ConfigMgr, or Intune).

Furthermore, because of the dependence on Network Protection (SmartScreen), you will only see an explanation of the blocked web page in Edge (Chromium and Legacy).  Other browsers will report a generic error.  For example, Firefox reports SSL_ERROR_NO_CYPHER_OVERLAP.

The Roadmap

Licensing

A key difficulty many customers have faced with Cyren is licensing.  As a third-party integration, you had to license it separately, even though it’s onboarded and managed from the normal MDATP web interface.  Cyren did not publish the pricing online, and there are a lot of reports that getting any information from them regarding it is difficult.  The good news is that this month (June 2020), Microsoft announced that Cyren licensing will be included, i.e. available at no extra charge.  A full announcement is expected next month (July 2020), but already the onboarding experience for web filtering has no requirement to sign up for Cyren – you can hit the ground running.  If rolling out to production, I would still confirm all licensing information before deployment, at least until the full announcement is published.

Platform Support

Although web content filtering only works on Windows 10 1709+ at the moment, Microsoft confirmed that macOS support is in the pipeline, but we don’t have a date.  Downlevel platforms such as Windows 7 and Windows 8.1 are not on the roadmap, but we shouldn’t expect them to be.

Administering and Using Web Content Filtering

Now I’ll take you through the administration of Cyren and how users experience blocks on Windows 10.  The steps in the Microsoft Defender Security Centre are best taken with (you guessed it) a Global Administrator account, though Microsoft advises an Application Administrator, with sufficient Security Centre permissions, should also be able to enable the integration (untested by me).

Set Up

1. In securitycenter.windows.com, navigate to Settings > General > Advanced features.

2. You need to enable two settings: Web content filtering and Custom network indicators (the latter lets us make inclusions and exclusions – technically not part of Cyren, but it complements it).

3. Navigate to Settings > Rules > Web content filtering.

4. You create web content filtering policies using the + Add item button.

Note: Previously, we would have had to go through the Cyren onboarding/trial setup here.  Though that was straightforward and instant (no credit card details needed, for example), the new licensing structure makes it that little bit easier.

5. Give the policy a name and choose the blocked categories.

The uncategorised option is a catch-all for any site that Cyren has not assigned a category to, and would only be used in the most secure environments.

6. Finally, you scope the policy.  It can be assigned to one or several device/machine groups, or the entire scope your current user has permission to.

Note: If a device has multiple policies assigned, it will apply all of them, so the result is the most restrictive combination.  For example, Policy 1 blocks only peer-to-peer websites and Policy 2 blocks only violent websites.  If both are scoped to the device, the user won’t get on either.

Note: If you add any process exclusions to the Defender engine, they will bypass any filter rules (including inclusions and exclusions).  For example, if you add a Defender exclusion for firefox.exe, web content filtering will not apply under any circumstances for Firefox users.
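Two of the prerequisites above are easy to get wrong silently: Network Protection must be in block mode (web content filtering rides on it), and any Defender process exclusion for a browser bypasses filtering entirely.  The following pre-flight check is an added example of mine, not code from the original post or from Microsoft; it assumes an elevated PowerShell session on a Windows 10 device with the Defender module present, and the list of browser binaries it checks against is a constructed sample you would extend for your own estate.

```powershell
# Added example: pre-flight check before deploying Cyren web content filtering.
# Assumes an elevated session on Windows 10 with the Defender PowerShell module.

$mp = Get-MpPreference

# Web content filtering needs Windows 10 1709 (build 16299) or later.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 16299) {
    Write-Warning "Windows 10 1709 (build 16299) or later is required; this device reports build $build."
}

# EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
# Filtering only enforces when the value is 1; audit mode just logs.
$npState = switch ($mp.EnableNetworkProtection) {
    0       { 'Disabled' }
    1       { 'Enabled' }
    2       { 'AuditMode' }
    default { "Unknown ($($mp.EnableNetworkProtection))" }
}
Write-Host "Network Protection: $npState"

if ($mp.EnableNetworkProtection -ne 1) {
    Write-Warning 'Network Protection is not in block mode; web content filtering will not enforce here.'
    # For a local test device only (use Intune/ConfigMgr for production):
    #   Set-MpPreference -EnableNetworkProtection Enabled
}

# Process exclusions bypass web content filtering and indicators for that process.
# Constructed sample of common browser binaries to look for in the exclusion list.
$browsers = @('msedge.exe', 'chrome.exe', 'firefox.exe', 'iexplore.exe', 'opera.exe', 'brave.exe')
$excludedBrowsers = @($mp.ExclusionProcess | Where-Object {
    $browsers -contains ([System.IO.Path]::GetFileName($_)).ToLower()
})

if ($excludedBrowsers.Count -gt 0) {
    Write-Warning 'These browser process exclusions will bypass web content filtering:'
    $excludedBrowsers | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'No browser process exclusions found.'
}
```

Run it on a pilot device before scoping the policy; if it reports audit mode or a browser exclusion, the block page you expect in Edge will never appear and the rollout will look like it "did nothing".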

Inclusions and exclusions

MDATP has the concept of Indicators of Compromise (IOCs or just Indicators).  Indicators are about as fine-grained as you can get in allowing or denying files (by hash), IPs, URLs/domains, or certificates within your MDATP environment.  In the context of web content filtering, indicators win against any of the categorisation rules.  Therefore, we can set up exclusions using indicators, or add any sites manually.  There is a limit of 15000 indicators (combined total of all kinds) and you can also import a CSV of indicators.  This is very useful when migrating from an existing security solution, assuming it lets you export too (which MDATP does).

Note: If you integrate MDATP with Microsoft Cloud App Security (MCAS), and specify a website as unsanctioned within MCAS, it automatically populates that website’s known addresses as indicators.

The process for including or excluding a website is the same with the only difference being the action.  This guide focuses on manual additions rather than CSV import.

1. Navigate to Settings > Rules > Indicators > URLs/Domains.

2. Click + Add item.

3. If you want to block a domain and all pages within it, you would use the format of www.website.com.  If you want to block a specific page of a website, you would use https://www.website.com/page.  You can choose an expiry date and also review the statistics MDATP has collected about this website from telemetry, to see the effects of what you’re about to do.

4. The response action is what MDATP does with what you’ve just entered.  Allow adds the URL/domain to an exception list, Alert creates an entry in the MDATP alerts queue if a user goes to it, and Alert and Block prohibits access and logs it to MDATP.  If you choose Alert or Alert and Block, you must give the alert a title and severity (informational, low, medium, high).

5. Finish the indicator setup by scoping it to a device group or all the devices in the current admin’s scope.
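When migrating a block/allow list from another product, the CSV import route mentioned earlier is far quicker than steps 1 to 5 per site, but the same rules apply: bare hostnames for whole domains, full URLs for single pages, and a title plus severity whenever the action alerts.  The script below is an added example of mine, not from the original post or from Microsoft, that applies those rules while building the CSV.  The column names and the Action values are assumptions based on the template the Import dialog offers; download the current template from the portal and compare before importing.  The three entries are constructed sample data (example.com/.net are reserved documentation names), and "Pilot Devices" is a hypothetical device group.

```powershell
# Added example: build a URL/domain indicator CSV for bulk import.
# ASSUMPTION: column headers and Action values mirror the portal's import template;
# verify against the template you download from Settings > Rules > Indicators.

# Constructed sample entries (Severity/Title left empty for Allowed).
$entries = @(
    @{ Value = 'intranet.example.com';         Action = 'Allowed';       Title = '';                          Severity = '' }
    @{ Value = 'https://www.example.com/page'; Action = 'Alert';         Title = 'Visit to monitored page';   Severity = 'Informational' }
    @{ Value = 'files.example.net';            Action = 'AlertAndBlock'; Title = 'Blocked unsanctioned site'; Severity = 'Medium' }
)

function ConvertTo-IndicatorRow {
    param([hashtable]$Entry, [string]$Group)

    # Whole domain = bare hostname; single page = full URL (step 3 above).
    $type = if ($Entry.Value -match '^https?://') { 'Url' } else { 'DomainName' }
    if ($type -eq 'DomainName' -and $Entry.Value -match '[/:?#]') {
        throw "'$($Entry.Value)' looks like a URL but has no scheme; use https://... or a bare hostname."
    }

    # Alert and AlertAndBlock need a title and severity (step 4); Allowed does not.
    if ($Entry.Action -ne 'Allowed' -and
        ([string]::IsNullOrWhiteSpace($Entry.Title) -or
         $Entry.Severity -notin @('Informational', 'Low', 'Medium', 'High'))) {
        throw "'$($Entry.Value)': $($Entry.Action) needs a Title and a Severity of Informational/Low/Medium/High."
    }

    [pscustomobject]@{
        IndicatorType      = $type
        IndicatorValue     = $Entry.Value
        ExpirationTime     = (Get-Date).AddDays(90).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        Action             = $Entry.Action
        Severity           = $Entry.Severity
        Title              = $Entry.Title
        Description        = "Imported by script on $(Get-Date -Format 'yyyy-MM-dd')"
        RecommendedActions = ''
        RbacGroups         = $Group   # hypothetical device group name
    }
}

$rows = @($entries | ForEach-Object { ConvertTo-IndicatorRow -Entry $_ -Group 'Pilot Devices' })

# The tenant-wide cap is 15000 indicators of all kinds combined; count existing ones too.
if ($rows.Count -gt 15000) { throw "Too many indicators ($($rows.Count)); the combined limit is 15000." }

$rows | Export-Csv -Path .\indicators.csv -NoTypeInformation -Encoding UTF8
$rows | Format-Table IndicatorType, IndicatorValue, Action, Severity
```

The validation throws on the first bad entry rather than writing a partial file, which is deliberate: a malformed row that slips through becomes an indicator that either never matches or matches far more than intended, and with indicators overriding the category rules that is the worst place to be lax.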

User Experience

An Edge user will see a SmartScreen red warning notification on any page that is blocked by either web content filtering or an indicator.  The message is the same in both circumstances.

A Google Chrome user will get a generic forbidden error.