One of the features of Defender Exploit Guard is network protection. It blocks communication with dangerous domains or IP addresses at the system level. Network protection can be configured via group policies, PowerShell, or Intune.
Avatar

Microsoft's Exploit Guard (not to be confused with exploit protection) comprises several techniques to defend against phishing attacks and malware. These include controlled folder access, attack surface reduction, and network protection.

The latter is a close cousin of SmartScreen, which can also prevent access to malicious websites or at least warn against them. However, this feature is limited to Microsoft's web browser.

System-wide blocking of malicious sites

Network protection, on the other hand, operates as a filter driver at the kernel level and therefore affects all applications on the entire network stack. To assess the reputation of a domain or IP address, it uses the same Intelligent Security Graph as SmartScreen.

Like SmartScreen, network protection can be operated in two ways. In monitoring mode, it is limited to warning users of potential threats and logging such events. Alternatively, the feature can be configured to block connections to potentially malicious hosts.

Configure network protection

The protection mechanism is not enabled by default and cannot be configured from the Settings app or any other local GUI. To use it, the following requirements must be met:

  • Windows 10/11 (Pro or Enterprise), Windows Server 1803 or later
  • Defender Antivirus real-time protection and cloud-based protection must be enabled
  • Clients must be able to contact .smartscreen.microsoft.com and .smartscreen-prod.microsoft.com
Network protection requires real time protection and cloud based protection to be enabled

Network protection requires real time protection and cloud based protection to be enabled

PowerShell

The only way to interactively configure network protection is through PowerShell. The Get-MpPreference cmdlet can be used to view the current status of the feature:

Get-MpPreference | Select *NetworkProtection* | Format-List

Available network protection settings

Available network protection settings

The output of the command contains four settings. Network protection can be switched on via EnableNetwork Protection, optionally with the values Enabled or AuditMode:

Set-MpPreference -EnableNetworkProtection Enabled

With AllowNetworkProtectionOnWinServer, you can allow the feature to be activated on a Windows Server. By default, this is not possible, so you first have to execute the following:

Set-MpPreference -AllowNetworkProtectionOnWinServer $true

Network protection sends anonymized performance data about the monitored connections to Microsoft. You can prevent this using the following:

Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true

The setting AllowNetworkProtectionDownLevel was used to enable network protection for versions of Windows 10 older than 1709. However, this is now obsolete.

Group Policy

Group Policy offers two settings under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection:

  • Prevent users and apps from accessing dangerous websites
  • This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server
Enable network protection via group policies select mode

Enable network protection via group policies select mode

If you enable the first, then you can choose between monitoring and blocking mode. The second is the counterpart of the AllowNetworkProtectionOnWinServer property in PowerShell, described above.

Summary

Network protection is another mechanism in Exploit Guard. It extends protection against malicious websites and dubious domains known from SmartScreen from the web browser to all applications.

Subscribe to 4sysops newsletter!

By default, the feature is disabled and can be configured in several ways. In addition to PowerShell and the group policies discussed here, Intune and SCCM can also be used.

avataravatar
0 Comments

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account