Get started with web content filtering in MDATP

Update 7-7-2020: Microsoft announced that you no longer need a Cyren subscription. Web content filtering will be offered as part of Microsoft Defender ATP without any additional partner licensing. Now you get the benefits of web content filtering without the need for additional agents, hardware, and costs.

From the article:

If you joined in on the public preview, you might be in one of the following scenarios: 

  • If your 60-day trial for the partner license has already expired, all your policies are now active and protecting your enterprise.  
  • If you have an active 60-day trial for a partner license, all your policies will continue to work even after 60 days.  

You can un-register any partner integration that you have previously signed up for in the Azure portal: 

  • Go to Azure Active Directory > App Registrations 
  • Search for the name you have registered the partner app (Cyren)  
  • Select the partner application and delete it. 

Web content filtering is part of Web protection in Microsoft Defender ATP. This gives you the ability to audit or even block websites based on a specific category.


Network protection

Web content filtering uses Network protection to cover third-party browsers and uses SmartScreen to protect Edge. Before you start, be sure that Network protection is enabled. You can do this using the ATP baseline settings in Intune, or through GPO or registry settings. If you want to enable Network protection manually on a device, the easiest way is to do it with PowerShell.

Set-MpPreference -EnableNetworkProtection Enabled

Machine Groups

Next, make sure that you have at least one machine group created, with test devices included. Otherwise, the policy will affect all of the devices that you have onboarded with ATP.

Other prerequisites

Before you can try out this feature you’ll need a couple of things in place:

  • Windows 10 Enterprise E5 license (or trial)
  • You need access to the Microsoft Defender Security Center portal in order to enable this feature and configure the policies
  • Devices running Windows 10 Anniversary Update (version 1607) or later with the latest Defender update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
  • Devices must run Windows 10 May 2019 (1903) or later (for a better user experience from SmartScreen on Edge)
  • A Cyren (trial) license
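
The check below is an added example, not part of the original post: it reports on a test device whether Network protection is in block mode and whether the Windows builds listed above are met. It assumes build 14393 for version 1607 and build 18362 for version 1903; the function name Test-WebFilterPrereq is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on a test device. Test-WebFilterPrereq is a hypothetical helper name.
function Test-WebFilterPrereq {
    # Meaning of the EnableNetworkProtection values
    $states = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }

    # Effective setting as reported by Defender (an unset value counts as 0)
    $np = [int](Get-MpPreference).EnableNetworkProtection

    # Group Policy writes the same value under the Policies hive; when present,
    # it takes precedence over a local Set-MpPreference change.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
    $pol = Get-ItemProperty -Path $polKey -Name EnableNetworkProtection -ErrorAction SilentlyContinue

    $status = Get-MpComputerStatus
    $build  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    [pscustomobject]@{
        NetworkProtection  = $states[$np]
        SetByGroupPolicy   = if ($pol) { $states[[int]$pol.EnableNetworkProtection] } else { 'Not configured' }
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        OsBuild            = $build
        Meets1607          = $build -ge 14393   # assumption: 1607 = build 14393
        Meets1903          = $build -ge 18362   # assumption: 1903 = build 18362
        ReadyToBlock       = ($np -eq 1) -and ($build -ge 14393)
    }
}

Test-WebFilterPrereq | Format-List
```

If NetworkProtection shows Audit mode, category matches are logged but not blocked on that device.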

Let’s get started

To enable web content filtering, you’ll need to sign up for a trial with Cyren. In your Microsoft Defender Security Center portal, go to Reports > Web protection from the side navigation. Select the Connect to a partner button and follow the instructions in the wizard.

You’ll be redirected to the Cyren setup page. Follow the steps to enable the trial and accept the consent pop-up.

Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers

Cyren needs some permissions in order to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license. Learn more about this consent.

Next, you can continue and enable Web content filtering. Go to Settings > Advanced features.

After enabling this feature, we can continue and create our first policy. Navigate to Settings > Web content filtering and choose + Add policy.

Enter a name for your policy, and choose Next. In this example, I'd like to test out the Social Media category. Expand the Leisure section and select Social networking. Next, choose the right scope for this policy. Select the machine group(s) and choose Next.

Finish the wizard to apply the policy. It takes around 15 minutes before the policy takes effect.

End-user experience

Next, move over to your test device and see if you can still access the blocked websites. If you want to do a category check you can use this URL: https://www.cyren.com/security-center/url-category-check

For the best user experience use Edge. The action is blocked by SmartScreen. If SmartScreen is turned off, it will fall back to Network protection.

End-user experience using Edge browser

In other browsers, Network protection blocks the action and the browsers will display an error page. A toast notification is shown to the user.

Reports and logging

Administrators can see reports on web content using the Web protection dashboard. Go to Reports > Web protection to see an overview.

You can look deeper and apply filters if needed. It can take a while for data to show up.

If you want to see what’s going on at the device level, check the Timeline tab on the machine page and filter for Smart Screen events.

Create exclusions / whitelisting

Most organizations need some flexibility and might want to allow some websites, even when they are categorized in certain blocked categories. You can allow specific websites by using the Indicators feature. First, make sure that you enabled custom network indicators in the settings pane.

After that, you can add URLs in the indicator section. For example, you can allow Facebook, while the social media category remains blocked.

Conclusion

Using web content filtering through ATP gives you the ability to regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. While this feature will get better in the future, organizations can move away from third-party web content filtering and can fully integrate this with Defender ATP.

While testing this feature, it is good to take note of a few things:

  • Users can still access blocked websites by using proxy websites. According to Cyren, proxy websites are categorized as Anonymizers, but this category is not available in ATP.
  • I tested Firefox, Google Chrome, Edge, and IE. They all blocked the websites properly.
  • You cannot whitelist any website.
  • You can report misclassified URLs to Cyren directly.

8 thoughts on “Get started with web content filtering in MDATP”

    1. I’m very much interested in adding specific exclusions to predefined web filter categories. Any info regarding that would be greatly appreciated.

      1. 1> Wonder if you can alert / create an incident if a website is blocked (rather just in reports)
        2> Can you block all websites other than few been allowed (rather groups i.e. Social networking) – I don't see a blanket block all but allow in indicators
