Plan a Defender for Servers deployment to protect on-premises and multicloud servers - Microsoft Defender for Cloud (2024)


Microsoft Defender for Servers extends protection to your Windows and Linux machines that run in Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises. Defender for Servers integrates with Microsoft Defender for Endpoint to provide endpoint detection and response (EDR) and other threat protection features.

This guide helps you design and plan an effective Defender for Servers deployment. Microsoft Defender for Cloud offers two paid plans for Defender for Servers.

About this guide

The intended audience of this guide is cloud solution and infrastructure architects, security architects and analysts, and anyone who's involved in protecting cloud and hybrid servers and workloads.

The guide answers these questions:

  • What does Defender for Servers do and how is it deployed?
  • Where is my data stored and what Log Analytics workspaces do I need?
  • Who needs access to my Defender for Servers resources?
  • Which Defender for Servers plan should I choose and which vulnerability assessment solution should I use?
  • When do I need to use Azure Arc and which agents and extensions are required?
  • How do I scale a deployment?

Before you begin

Before you review the series of articles in the Defender for Servers planning guide:

Deployment overview

The following overview shows the stages of the Defender for Servers deployment process:

Stage: Start protecting resources
  • When you open Defender for Cloud in the portal, it starts protecting resources with free foundational CSPM assessments and recommendations.
  • Defender for Cloud creates a default Log Analytics workspace with the SecurityCenterFree solution enabled.
  • Recommendations start appearing in the portal.

Stage: Enable Defender for Servers
  • When you enable a paid plan, Defender for Cloud enables the Security solution on its default workspace.
  • Enable Defender for Servers Plan 1 (subscription only) or Plan 2 (subscription and workspace).
  • After enabling a plan, decide how you want to install agents and extensions on Azure VMs in the subscription or workgroup.
  • By default, auto-provisioning is enabled for some extensions.

Stage: Protect AWS/GCP machines
  • For a Defender for Servers deployment, you set up a connector, turn off plans you don't need, configure auto-provisioning settings, authenticate to AWS/GCP, and deploy the settings.
  • Auto-provisioning includes the agents used by Defender for Cloud and the Azure Connected Machine agent for onboarding to Azure with Azure Arc.
  • AWS uses a CloudFormation template.
  • GCP uses a Cloud Shell template.
  • Recommendations start appearing in the portal.

Stage: Protect on-premises servers
  • Onboard them as Azure Arc machines and deploy agents with auto-provisioning.

Stage: Foundational CSPM
  • There are no charges when you use foundational CSPM with no plans enabled.
  • AWS/GCP machines don't need to be set up with Azure Arc for foundational CSPM. On-premises machines do.
  • Some foundational recommendations rely only on agents:
    • Antimalware / endpoint protection: Log Analytics agent or Azure Monitor agent
    • OS baselines recommendations: Log Analytics agent or Azure Monitor agent and Guest Configuration extension

When you enable Microsoft Defender for Servers on an Azure subscription or a connected AWS account, all of the connected machines are protected by Defender for Servers. You can also enable Microsoft Defender for Servers at the Log Analytics workspace level, but then only servers reporting to that workspace are protected and billed, and those servers won't receive some benefits, such as Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.
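The stages above and the scope note that follows them come down to one resource: the subscription-level Defender plan setting. The script below is an added example, not Microsoft's code or anything from this guide; it audits whether Defender for Servers is enabled on a subscription (and at which sub-plan, Plan 1 or Plan 2) from a pricings list response, and builds the request that enables a sub-plan at subscription scope. It assumes the `Microsoft.Security/pricings` ARM resource with api-version `2023-01-01`, the plan name `VirtualMachines`, and the `subPlan` values `P1`/`P2`; the subscription id and the API responses are constructed placeholders. The workspace-level Plan 2 path mentioned in the guide is a different setting and is not covered here. The `az rest` command the script renders is the real Azure CLI generic REST command; the script itself never calls Azure, so it runs offline.

```python
from __future__ import annotations

import json
import shlex

# Assumed: the Microsoft.Security/pricings resource and its 2023-01-01 API version.
ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2023-01-01"
SERVERS_PLAN = "VirtualMachines"  # pricings resource name used for Defender for Servers


def pricings_url(subscription_id: str, plan: str | None = None) -> str:
    """Build the ARM URL for listing all pricings, or for one named plan."""
    base = f"{ARM_ENDPOINT}/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings"
    if plan:
        base += f"/{plan}"
    return f"{base}?api-version={API_VERSION}"


def build_enable_request(subscription_id: str, subplan: str) -> tuple[str, dict]:
    """Return the (url, body) pair for a PUT that turns on Plan 1 or Plan 2 at subscription scope."""
    if subplan not in ("P1", "P2"):
        raise ValueError("subplan must be 'P1' (Plan 1) or 'P2' (Plan 2)")
    body = {"properties": {"pricingTier": "Standard", "subPlan": subplan}}
    return pricings_url(subscription_id, SERVERS_PLAN), body


def summarize_pricings(response: dict) -> dict[str, dict]:
    """Reduce a GET pricings list response to {plan_name: {'tier': ..., 'subplan': ...}}."""
    summary: dict[str, dict] = {}
    for item in response.get("value", []):
        props = item.get("properties", {})
        summary[item["name"]] = {
            "tier": props.get("pricingTier", "Free"),
            "subplan": props.get("subPlan"),
        }
    return summary


def servers_plan_status(summary: dict[str, dict]) -> str:
    """Return 'Free', 'P1', 'P2', or 'Standard' (tier on but no sub-plan reported)."""
    vm = summary.get(SERVERS_PLAN)
    if vm is None or vm["tier"] != "Standard":
        return "Free"
    return vm["subplan"] or "Standard"


def az_rest_command(url: str, body: dict) -> str:
    """Render the equivalent `az rest` call so the change can be reviewed before it is applied."""
    return f"az rest --method put --url {shlex.quote(url)} --body {shlex.quote(json.dumps(body))}"


# Constructed sample responses (not captured from a real tenant).
SAMPLE_P2 = {"value": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "subPlan": "P2"}},
    {"name": "SqlServers", "properties": {"pricingTier": "Free"}},
]}
SAMPLE_FREE = {"value": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Free"}},
]}


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id
    for label, resp in (("sample-p2", SAMPLE_P2), ("sample-free", SAMPLE_FREE)):
        status = servers_plan_status(summarize_pricings(resp))
        print(f"{label}: Defender for Servers = {status}")
        if status == "Free":
            url, body = build_enable_request(sub, "P2")
            print("  to enable Plan 2, review and run:", az_rest_command(url, body))
```

To audit a real subscription, feed the script the output of `az rest --method get --url "$(python -c 'import audit; print(audit.pricings_url("<subscription-id>"))')"` (or paste the JSON into a file) instead of the constructed samples; the subscription-level PUT is the setting the guide describes as protecting every connected machine, unlike the workspace-level option.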

Next steps

After kicking off the planning process, review the second article in this planning series to understand how your data is stored and which Log Analytics workspace requirements apply.

I'm an expert in cloud security, particularly in the realm of Microsoft Defender for Servers. My knowledge is deeply rooted in hands-on experience and a comprehensive understanding of the concepts involved. Now, let's delve into the information related to the article you provided, dated May 29, 2023.

Key Concepts:

  1. Microsoft Defender for Servers:

    • Scope: Provides protection to Windows and Linux machines on Azure, AWS, GCP, and on-premises.
    • Integration: Integrates with Microsoft Defender for Endpoint for endpoint detection and response (EDR) and other threat protection features.
  2. Defender for Cloud Plans:

    • Offerings: Two paid plans for Defender for Servers within Microsoft Defender for Cloud.
    • Audience: Targeted at cloud solution and infrastructure architects, security architects, analysts, and those involved in protecting cloud and hybrid servers.
  3. Guide's Focus:

    • Audience: Cloud solution and infrastructure architects, security architects and analysts.
    • Questions Answered: Covers various aspects, including deployment, data storage, Log Analytics workspaces, access control, plan selection, vulnerability assessment solutions, use of Azure Arc, agent deployment, and scaling.
  4. Deployment Overview:

    • Start: Defender for Cloud initiates protection with free foundational Cloud Security Posture Management (CSPM) assessments and recommendations.
    • Enablement: Paid plans (Plan 1 or Plan 2) trigger the Security solution, and Defender for Servers is enabled.
    • Protection Process: Involves setting up connectors, configuring auto-provisioning settings, and deploying settings for AWS, GCP, and on-premises servers.
    • Foundational CSPM: Foundational recommendations are available without charges, and on-premises machines require Azure Arc for foundational CSPM.
  5. Protection Steps for Different Environments:

    • AWS/GCP Machines: Set up connectors, configure auto-provisioning settings, authenticate, and deploy settings using CloudFormation or Cloud Shell templates.
    • On-Premises Servers: Onboard as Azure Arc machines, and deploy agents with automation provisioning.
  6. Foundational CSPM:

    • Charges: No charges for foundational CSPM with no plans enabled.
    • Requirements: On-premises machines need Azure Arc for foundational CSPM.
    • Agent Dependence: Foundational recommendations rely on agents like Antimalware/endpoint protection (Log Analytics agent or Azure Monitor agent) and others.
  7. Enabling Defender for Servers:

    • Scope: Enables at the Log Analytics workspace level.
    • Considerations: Only servers reporting to that workspace are protected and billed, with some limitations in benefits like Microsoft Defender for Endpoint, vulnerability assessment, and just-in-time VM access.
  8. Next Steps:

    • Review: The second article in the planning series to understand data storage and Log Analytics workspace requirements.

This guide is a valuable resource for cloud security professionals, providing a comprehensive approach to deploying and managing Microsoft Defender for Servers across various environments. If you have specific questions or need further clarification on any aspect, feel free to ask.

Article information

Author: Duncan Muller
