update wording

Beth Levin 2020-01-08 16:13:14 -08:00
parent 6b5e4db65b
commit 12ef63d839

@ -1,6 +1,6 @@
---
title: Monitoring web browsing security in Microsoft Defender ATP
description: Use web protection in Microsoft Defender ATP to monitor web browsing security
title: Web content filtering
description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories.
keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
search.product: eADQiWindows 10XVcnh
search.appverid: met150
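Review bot: The `keywords` line is left untouched while the title and description now describe web content filtering, so the metadata still lists only web protection and threat terms (phishing, malware, exploit) and nothing about content categories or filtering policies. Suggest updating it in the same change, for example by adding "web content filtering" and "content categories", so the search metadata matches the new title.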
@ -8,140 +8,130 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 08/30/2019
---
# Web content filtering configuration & reporting
# Web content filtering
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web content filtering enables you to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
Web content filtering enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns.
You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption, but web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions.
Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support.
To summarize the benefits:
- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the Microsoft Defender ATP role-based access control settings
- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
- You can access web reports in the same central location, with visibility over actual blocks and web usage
## User experience
The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
For a more user-friendly experience, consider user SmartScreen on Edge
## Prerequisites
Before trying out this feature, make sure you have the following:
- Windows E5 license
- Windows 10 Enterprise E5 license
- Access to Microsoft Defender Security Center portal
- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox)
- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking.
- A valid license with a partner data provider. For details on how to acquire a license, please read the section below.
## Partner licensing
In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. Weve chosen Cyren as our first partner, who weve worked with closely to build an integrated solution. Heres a brief description of what they do:
### About Cyren
More than 1.3 billion users around the world rely on Cyren's 100% cloud security solutions to protect them against cyberattacks and data loss every day. Powered by the world's largest security cloud, Cyren (NASDAQ: CYRN) delivers fast time-to-protection with award-winning email security, cloud sandboxing and DNS filtering services for business, and threat intelligence solutions for service providers and security vendors like Microsoft, Google and Check Point.
### About Cyren and Threat Intelligence Service for Microsoft Defender ATP
CYRENS URL FILTERING (URLF) INCLUDES 70 CATEGORIES, PROVIDING PARTNERS WITH THE ABILITY TO BUILD POWERFUL AND ADVANCED WEB SECURITY APPLICATIONS.
The broad range of categories enables numerous applications: Protecting users browsing the web from threats such as malware and phishing sites; Ensuring employee productivity; Consumer services such as parental control. Cyrens comprehensive categories provide the necessary flexibility for any implementation requirement.
Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities.
Learn more at https://www.cyren.com/oem
### Signing up for a Cyren License
Cyren is offering a 60-day free trial for all MDATP customers. To sign up, please follow the steps below from the portal.
1. Go to Reports > Web protection from the side nav
2. Click the "connect to a partner" button
3. Go through the flow from the flyout to register and connect your Cyren account. Note: a user with AAD app admin/global admin permissions is required to complete these steps
- A valid license with a partner data provider.
## Data handling
For this feature, we will follow whichever region you have elected to use as part of your Microsoft Defender ATP data handling settings. Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
For this feature, we will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
## Partner licensing
In order to give customers access to various sources of web content categorization data, we are very excited to partner with data providers for this feature. Weve chosen [Cyren](https://www.cyren.com/threat-intelligence) as our first partner, who weve worked with closely to build an integrated solution.
### About Cyren and Threat Intelligence Service for Microsoft Defender ATP
Cyrens URL filtering includes 70 categories, providing partners with the ability to build powerful and advanced web security applications. Cyrens comprehensive categories provide the necessary flexibility for any implementation requirement.
The broad range of categories enables numerous applications:
- Protecting users browsing the web from threats such as malware and phishing sites
- Ensuring employee productivity
- Consumer services such as parental control
Cyren's web content classification technology is integrated by design into Microsoft Defender ATP to enable web filtering and auditing capabilities.
Learn more at https://www.cyren.com/products/url-filtering.
### Signing up for a Cyren License
Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
>[!NOTE]
>A user with AAD app admin/global admin permissions is required to complete these steps.
1. Go to **Reports > Web protection** from the side navigation
2. Select the **Connect to a partner** button
3. Go through the flow from the flyout to register and connect your Cyren account
## Turn on web content filtering
From the left-hand navigation menu, select Settings. Under the section General, choose Advanced Features. Scroll down until you see the entry for Web content filtering. Switch the toggle to On, then hit the Save preferences button.
From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
## Configure web content filtering policies
### Configure web content filtering policies
Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to Settings > Rules > Web content filtering.
Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups. For more information on categories, see the appendix.
Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups.
### Create a policy
To add a new policy:
1. Click **Add policy** on the **Web content filtering** page in **Settings**.
2. Specify a name.
3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines.
1. Select **Add policy** on the **Web content filtering** page in **Settings**.
2. Specify a name.
3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories.
5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines.
Note: If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment.
## Information worker UX
The standard blocking experience is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
For a more user-friendly experience, consider user SmartScreen on Edge, which will show the following page when blocked:
>[!NOTE]
>If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment.
## Web content filtering cards and details
Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
### Web activity by category card
### Web activity by category
This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months.
This card lists the parent web content categories with the largest percentage change in the number of access attempts, whether they have increased or decreased. You can use this card to understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information about that particular category.
Click a category name to view more information about that particular category.
Note: In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
In the first 30 days of using this feature, your organization might not have sufficient data to display in this card.
### Web content filtering summary card
This card displays the distribution of blocked access attempts across the different parent web content categories. Click a colored slice to view more information about a specific parent web category.
This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
### View card details
You can access the Report details for each card by selecting a rowThe Report details page contains reports in separate tabs providing extensive statistical data about web content categories, website domains, and machine groups.
Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and machine groups.
- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
This report
- **Machine groups**: Lists all the machine groups that have generated web activity in your organization
#### Machine groups
This report lists all the machine groups that have generated web activity in your organization.
Clicking on a specific machine group will open a summary flyout. In the flyout, you will see:
• A graph showing the change in access attempts over your chosen time period
• Top ten domains accessed by the selected machine group. Click a domain to view more information about that domain.
• Top ten machines in that machine group in terms of total access attempts. Click a machine to view more information about that machine.
• Top ten web content categories accessed by machines in the selected group.
Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
## FAQ
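Review bot: Under "User experience", the sentence "For a more user-friendly experience, consider user SmartScreen on Edge" carries over the typo from the old "Information worker UX" text ("user" should be "using"), and with the trailing clause about the block page dropped it now ends without a period. Suggest "consider using SmartScreen on Edge." In the front matter, `ms.date: 08/30/2019` is left as is even though the author fields and most of the body are rewritten in this commit; it is worth updating in the same edit.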
@ -150,63 +140,20 @@ Clicking on a specific machine group will open a summary flyout. In the flyout,
You need to be logged in to an AAD account with either App administrator or Global Administrator privileges. Your IT admin would most likely either have these permissions and/or be able to grant them to you.
### What exactly are the permissions the app is asking for?
Sign in and read user profile allows Cyren to read your tenant info from your MDATP account, such as your tenant ID, which will be tied to your Cyren license.
Read and Write Integration settings exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the MDATP portal.
"Sign in and read user profile" allows Cyren to read your tenant info from your MDATP account, such as your tenant ID, which will be tied to your Cyren license.
## Categories
We have grouped individual web content categories from the data provider into parent categories, making it easier for you to block and monitor closely related categories. Below is a list of categories we currently support, with their descriptions provided by Cyren.
### Adult content
- Cults - Sites relating to non-traditional religious practice typically known as "cults," that is, considered to be false, unorthodox, extremist, or coercive, with members often living under the direction of a charismatic leader.
- Gambling - Sites that offer or are related to online gambling, lottery, casinos and betting agencies involving chance.
- Nudity - Sites that contain full or partial nudity that are not necessarily overtly sexual in intent. Includes sites that advertise or sell lingerie, intimate apparel, or swimwear.
- Pornography/Sexually Explicit - Sites that contain explicit sexual content. Includes adult products such as sex toys, CD-ROMs, and videos, adult services such as videoconferencing, escort services, and strip clubs, erotic stories and textual descriptions of sexual acts.
- Sex Education - Sites relating to sex education, including subjects such as respect for partner, abortion, gay and lesbian lifestyle, contraceptives, sexually transmitted diseases, and pregnancy.
- Tasteless - Sites with offensive or tasteless content, including profanity.
- Violence - Sites that contain images or text depicting or advocating physical assault against humans, animals, or institutions. Sites of a particularly gruesome nature. Sites that contain profanity.
### High bandwidth
- Download Sites - Sites that contain downloadable software, whether shareware, freeware, or for a charge. Includes some peer-to-peer sites.
- Image Sharing - Sites that host digital photographs and images, online photo albums and digital photo exchanges.
- Peer-to-Peer - Sites that enable direct exchange of files between users without dependence on a central server.
- Streaming Media & Downloads - Sites that deliver streaming content, such as Internet radio, Internet TV or MP3 and live or archived media download sites. Includes fan sites, or official sites run by musicians, bands, or record labels.
### Legal liability
- Child Abuse Images - Sites that portray or discuss children in sexual or other abusive acts.
- Criminal Activity - Sites that offer advice on how to commit illegal or criminal activities, or to avoid detection. These can include how to commit murder, build bombs, pick locks, etc. Also includes sites with information about illegal manipulation of electronic devices, hacking, fraud and illegal distribution of software.
- Hacking - Sites that promote or give advice about how to gain unauthorized access to proprietary computer systems, for the purpose of stealing information, perpetrating fraud, creating viruses, or committing other illegal activity related to theft of digital inform.
- Hate & Intolerance - Sites that promote a supremacist political agenda, encouraging oppression of people or groups of people based on their race, religion, gender, age, disability, sexual orientation or nationality.
- Illegal Drugs - Sites with information on the purchase, manufacture, and use of illegal or recreational drugs and their paraphernalia, and misuse of prescription drugs and other compounds.
- Illegal Software - Sites that illegally distribute software or copyrighted materials such as movies or music, software cracks, illicit serial numbers, illegal license key generators.
- School Cheating - Sites that promote unethical practices such as cheating or plagiarism by providing test answers, written essays, research papers, or term papers.
- Self-Harm Sites that promote actions that are relating to harming oneself, such as suicide, anorexia, bulimia, etc.
- Weapons - Sites that depict, sell, review or describe guns and weapons, including for sport.
Leisure
- Chat - Sites that enable web-based exchange of real-time messages through chat services or chat rooms.
- Games - Sites relating to computer or other games, information about game producers, or how to obtain cheat codes. Game-related publication sites.
- Instant Messaging - Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like.
- Professional Networking - Sites that enable professional networking for online communities.
- Social Networking - Sites that enable social networking for online communities of various topics, for friendship, or/and dating.
- Web-based Email - Sites that enables users to send and receive email through a web-accessible email account.
### Uncategorized
- Unknown Sites that are not yet assigned a category
"Read and Write Integration settings" exists under the WindowsDefenderATP scope within permissions. This line allows Cyren to add/modify/revoke Cyren license status on the Microsoft Defender ATP portal.
## Limitations and known issues in this preview
1. Unassigned machines will have incorrect data shown within the report
- Unassigned machines will have incorrect data shown within the report
In the Report details > Machine groups pivot, you may see a row with a blank Machine Group field. This group contains your unassigned machines in the interim before they get put into your specified group. The report for this row may not contain an accurate count of machines or access counts.
2. The data in our reports may not be congruent with other data on the site
- The data in our reports may not be congruent with other data on the site
We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page.
## Related topics
- [Web protection overview](web-protection-overview.md)
- [Respond to web threats](web-protection-response.md)
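Review bot: The FAQ answer for "Sign in and read user profile" still says "from your MDATP account", while the answer for "Read and Write Integration settings" was changed to "Microsoft Defender ATP portal", so the two adjacent permission descriptions now name the product differently. Suggest spelling out "Microsoft Defender ATP" in both. With the Categories list no longer in this part of the page, the "Select the categories to block" step in "Create a policy" has nothing describing what each category covers; consider linking to the data provider's category descriptions from that step.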