Mastering Web Content Filtering Policy: Enhancing Security with Microsoft Defender for Endpoint
Securing your organization's network and keeping it compliant is essential. Web content filtering is a key element of that strategy: it lets you regulate and manage access to websites based on their content categories. This post explains web content filtering and shows how Microsoft Defender for Endpoint can help you implement an effective web content filtering policy.
What is Web Content Filtering?
Web content filtering, offered through Microsoft Defender for Endpoint and Microsoft Defender for Business, enables organizations to control and monitor access to websites based on their content. This control is vital for various reasons, including compliance with regulations, managing bandwidth usage, and enhancing security.
Key Features of Web Content Filtering:
Category-Based Filtering: You can configure policies to block specific website categories, preventing users within defined device groups from accessing them. Unblocked categories are automatically audited.
Auditing: For categories that are not blocked, the URLs are audited, providing valuable insights into user behavior and website access patterns.
Browser Support: Web content filtering is compatible with major web browsers, with blocking capabilities integrated into Windows Defender SmartScreen for Microsoft Edge and Network Protection for other browsers.
Benefits of Web Content Filtering
Implementing web content filtering in your organization offers several significant advantages:
Improved Security: Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or remotely. This enhances your network's security posture.
Centralized Reporting: Security teams can access web reports from a central location, gaining visibility into actual blocks and web usage patterns.
Flexible Policy Deployment: In Defender for Endpoint, you can conveniently deploy policies to specific groups of users using device groups defined in role-based access control settings. For Defender for Business, a single policy applies to all users.
Before setting up web content filtering in Microsoft Defender for Endpoint, ensure that you meet the following prerequisites:
Subscription: Your subscription must include the necessary licenses, such as Windows 10/11 Enterprise E5, Microsoft 365 E5, Microsoft 365 A5, Microsoft 365 E5 Security, Microsoft 365 E3, Microsoft Defender for Endpoint Plan 1 or Plan 2, Microsoft Defender for Business, or Microsoft 365 Business Premium.
Portal Access: You need access to the Microsoft 365 Defender portal.
Operating System: Ensure that your organization's devices are running compatible operating systems with the latest antivirus and antimalware updates.
Browser Compatibility: Your organization's devices should run compatible browsers, including Microsoft Edge, Google Chrome, Mozilla Firefox, Brave, and Opera.
Related Protection: Windows Defender SmartScreen and network protection must be enabled on your organization's devices.
Data Handling: Data is stored in the region selected as part of your Microsoft Defender for Endpoint data handling settings. It remains within the data center in that region and is not shared with third parties.
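A read-only way to check the operating-system and related-protection prerequisites on a device, as an added example that is not from the original post. `Test-WcfPrerequisite` and the 7-day signature threshold are assumptions made here; `Get-MpPreference` and `Get-MpComputerStatus` are the built-in Defender cmdlets.

```powershell
# Added example, not from the original post. Reads Defender state only; changes nothing.
function Test-WcfPrerequisite {
    param(
        # Defaults query the live device; pass objects instead to test offline.
        $Preference = (Get-MpPreference),
        $Status     = (Get-MpComputerStatus),
        [int]$MaxSignatureAgeDays = 7   # assumption: choose your own threshold
    )
    # EnableNetworkProtection: 0 = disabled, 1 = enabled (block), 2 = audit.
    $np = [int]$Preference.EnableNetworkProtection
    $npState = switch ($np) {
        1       { 'Enabled (block)' }
        2       { 'Audit only' }
        default { 'Disabled' }
    }
    $sigAge = ((Get-Date) - $Status.AntivirusSignatureLastUpdated).Days
    [pscustomobject]@{
        NetworkProtection  = $npState
        # Non-Edge browsers rely on network protection, so only block mode enforces.
        BlocksEnforced     = ($np -eq 1)
        RealTimeProtection = [bool]$Status.RealTimeProtectionEnabled
        SignatureAgeDays   = $sigAge
        SignaturesCurrent  = ($sigAge -le $MaxSignatureAgeDays)
    }
}

# Constructed sample: network protection in audit mode, signatures 12 days old.
$samplePref   = [pscustomobject]@{ EnableNetworkProtection = 2 }
$sampleStatus = [pscustomobject]@{
    RealTimeProtectionEnabled     = $true
    AntivirusSignatureLastUpdated = (Get-Date).AddDays(-12)
}
Test-WcfPrerequisite -Preference $samplePref -Status $sampleStatus
```

On a real device, call `Test-WcfPrerequisite` with no arguments. A device reporting `Disabled` or `Audit only` can be switched with `Set-MpPreference -EnableNetworkProtection Enabled`.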
Implementing Web Content Filtering
To enable and configure web content filtering policies, follow the steps below:
1. Turn on web content filtering
Go to the Microsoft 365 Defender portal and sign in.
In the navigation pane, select Settings > Endpoints > General > Advanced Features.
Scroll down until you see Web content filtering.
Switch the toggle to On, and then select Save preferences.
2. Configure Web Content Filtering Policies:
Policies specify which site categories are blocked on specific device groups. To manage policies, go to Settings > Endpoints > Web content filtering (under Rules).
3. Create a new Policy:
In the Microsoft 365 Defender portal, choose Settings > Endpoints > Web content filtering > + Add policy.
Specify a name for the policy.
Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. Remember, for Microsoft 365 Business Premium and Defender for Business, the web content filtering policy applies to all users by default.
Review the summary and save the policy.
There might be up to 2 hours of latency between the time a policy is created and when it's enforced on the device.
You can deploy a policy without selecting any category on a device group. This action creates an audit-only policy to help you understand user behavior before creating a block policy.
If you are removing a policy or changing device groups at the same time, there could be a delay in policy deployment.
Blocking the "Uncategorized" category could lead to unexpected and undesired results.
The experience for end-users may vary depending on the browser used. Microsoft Edge provides a user-friendly in-browser experience, while third-party supported browsers receive system-level messages notifying users of blocked connections.
Allowing Specific Websites
If you need to override a blocked category to allow access to a specific site, you can create a custom indicator policy. This policy takes precedence over the web content filtering policy.
To define a custom indicator, follow these steps:
In the Microsoft 365 Defender portal, go to Settings > Endpoints > Indicators > URL/Domain > Add Item.
Enter the domain of the site.
Set the policy action to Allow.
In cases where a domain has been incorrectly categorized, you can dispute the category directly from the Microsoft 365 Defender portal. This allows you to request a category reclassification, ensuring accurate filtering.
To dispute the category of a domain, navigate to Reports > Web protection > Web Content Filtering Details > Domains. On the domains tab of the Web Content Filtering reports, you will see an ellipsis beside each of the domains. Hover over this ellipsis and select Dispute Category.
A panel opens where you can select the priority and add more details such as the suggested category for recategorization. Once you complete the form, select Submit. Microsoft Defender's team will review the request within one business day.
Web Content Filtering Reports
Microsoft Defender for Endpoint provides various reports to help you monitor web content filtering and web threat protection. These reports offer insights into web activity patterns, category distribution, and blocked access attempts.
Known Issues and Limitations
Network protection does not currently support SSL inspection, which might result in some sites being allowed by web content filtering that would normally be blocked. Sites would be allowed due to a lack of visibility into encrypted traffic after the TLS handshake has taken place and an inability to parse certain redirects. This includes redirections from some web-based mail login pages to the mailbox page. As an accepted workaround, you can create a custom block indicator for the login page to ensure no users are able to access the site. Keep in mind, this might block their access to other services associated with the same website.
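The custom indicators used in "Allowing Specific Websites" and in the workaround above can also be created through the Defender for Endpoint Indicators API; the following is an added example, not part of the original post. The function names and the `example.com` hosts are constructed, blocking a whole login host rather than a single page is an assumption, and obtaining a token for an app with the `Ti.ReadWrite` permission is assumed to happen elsewhere.

```powershell
# Added example, not from the original post. Builds an Indicators API request
# body and sends it only when an access token is supplied (otherwise dry run).
function New-DomainIndicatorBody {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][ValidateSet('Allowed', 'Block')][string]$Action,
        [Parameter(Mandatory)][string]$Reason,
        [int]$ExpireInDays = 90   # assumption: force periodic review of overrides
    )
    # A domain indicator takes a bare host name: reject schemes, paths, wildcards.
    if ($Domain -notmatch '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$') {
        throw "Not a bare domain name: $Domain"
    }
    $expires = (Get-Date).ToUniversalTime().AddDays($ExpireInDays)
    [ordered]@{
        indicatorValue = $Domain.ToLowerInvariant()
        indicatorType  = 'DomainName'
        action         = $Action
        title          = "WCF override: $Action $Domain"
        description    = $Reason
        expirationTime = $expires.ToString('yyyy-MM-ddTHH:mm:ssZ')
    }
}

function Submit-Indicator {
    param([Parameter(Mandatory)]$Body, [string]$AccessToken)
    $json = $Body | ConvertTo-Json
    if (-not $AccessToken) { return $json }   # dry run: return what would be sent
    $request = @{
        Method      = 'Post'
        Uri         = 'https://api.securitycenter.microsoft.com/api/indicators'
        Headers     = @{ Authorization = "Bearer $AccessToken" }
        ContentType = 'application/json'
        Body        = $json
    }
    Invoke-RestMethod @request
}

# Allow one site inside a blocked category (constructed host, dry run).
Submit-Indicator -Body (New-DomainIndicatorBody -Domain 'intranet.example.com' `
    -Action Allowed -Reason 'Approved business exception')
# Known-issue workaround: block a webmail login host (constructed host, dry run).
# This also blocks any other service served from the same host.
Submit-Indicator -Body (New-DomainIndicatorBody -Domain 'mail.example.com' `
    -Action Block -Reason 'Redirect not visible to network protection')
```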
If you are using Microsoft 365 Business Premium or Microsoft Defender for Business, you can define one web content filtering policy for your environment. That policy will apply to all users by default.
In conclusion, web content filtering is a crucial component of your organization's cybersecurity strategy. It helps you regulate website access, improve security, and ensure compliance. Microsoft Defender for Endpoint simplifies the implementation of web content filtering, providing you with the tools and insights needed to protect your network effectively. By understanding and implementing web content filtering, you can enhance your organization's security posture in today's digital landscape.