{"id":233,"date":"2026-05-01T08:40:27","date_gmt":"2026-05-01T16:40:27","guid":{"rendered":"https:\/\/rainier-it.com\/blog\/?p=233"},"modified":"2026-05-01T08:40:27","modified_gmt":"2026-05-01T16:40:27","slug":"defender-is-free-configuring-it-correctly-is-the-work","status":"publish","type":"post","link":"https:\/\/rainier-it.com\/blog\/defender-is-free-configuring-it-correctly-is-the-work\/","title":{"rendered":"Defender Is Free. Configuring It Correctly Is the Work."},"content":{"rendered":"\n

Walk into any small business in Pierce County and ask the owner what’s protecting their computers. They’ll usually say “we have antivirus.” Press a little: which<\/em> antivirus? “I think it’s the Microsoft one.” Yes \u2014 that’s Microsoft Defender<\/strong>, and it’s been built into every Windows machine since Windows 10. It’s free. It’s already running on every PC they own.<\/p>\n\n\n\n

And yet small business breach rates keep climbing. 88% of SMB breaches in 2025 involved ransomware<\/a> \u2014 versus just 39% at large enterprises. So what’s going wrong?<\/p>\n\n\n\n

The short version: Microsoft Defender ships with permissive defaults.<\/strong> Microsoft built it to be polite \u2014 to not break legacy software, to not pop alerts that confuse users, to play nicely with whatever weird apps a business might still be running from 2014. The defaults are tuned for “first, do no harm.” That’s a reasonable choice for a product that has to ship to a billion machines. It’s a terrible choice for a security baseline.<\/p>\n\n\n\n

Out of the box, Defender catches roughly half of what it could<\/em> catch. The product isn’t the weak link. The configuration is.<\/strong><\/p>\n\n\n\n

What “good configuration” actually means<\/h2>\n\n\n\n

This is the gap that matters: anyone can install antivirus. The work \u2014 the part you’re paying a managed IT provider for \u2014 is making sure it’s actually configured to do its job. There are two layers to that work:<\/p>\n\n\n\n

    \n
  1. The CIS Level 1 baseline<\/strong> \u2014 turning every Defender knob to the security industry’s recommended setting.<\/li>\n\n\n\n
  2. 16 Attack Surface Reduction (ASR) rules<\/strong> \u2014 Microsoft’s specific “block this attack pattern” toggles, deployed in Block mode (not just Audit).<\/li>\n<\/ol>\n\n\n\n

    Let’s walk through both.<\/p>\n\n\n\n

    Microsoft Defender \u2014 what the product actually is<\/h2>\n\n\n\n

    Defender is Microsoft’s built-in endpoint protection. It ships with Windows 10 and Windows 11 at no additional cost. Under the hood, it includes:<\/p>\n\n\n\n

      \n
    • Antivirus + anti-malware (signature + heuristic)<\/li>\n\n\n\n
    • Behavior monitoring (catches malicious patterns even with no signature match)<\/li>\n\n\n\n
    • Network protection (blocks connections to known-malicious destinations)<\/li>\n\n\n\n
    • Exploit protection (mitigates memory-corruption attacks)<\/li>\n\n\n\n
    • EDR sensor capability (telemetry suitable for managed-detection layering)<\/li>\n\n\n\n
    • Cloud-delivered protection (samples submitted to Microsoft for behavioral analysis)<\/li>\n<\/ul>\n\n\n\n

      Defender consistently ranks in the top quadrant of independent endpoint-protection tests (AV-Comparatives, AV-TEST, MITRE ATT&CK evaluations). It’s a serious enterprise product. The same Microsoft that runs LinkedIn, GitHub, half the world’s cloud infrastructure, and the largest threat-intelligence telemetry on the planet built it.<\/p>\n\n\n\n

      The product is not the problem. Configuration is.<\/p>\n\n\n\n

      CIS Level 1 hardening \u2014 the configuration recipe<\/h2>\n\n\n\n

      CIS<\/strong> = Center for Internet Security. A US-based nonprofit. They publish the most-cited security configuration baselines in the industry. Used by:<\/p>\n\n\n\n

        \n
      • The federal government (FedRAMP, NIST 800-53)<\/li>\n\n\n\n
      • The Department of Defense (DISA STIGs reference CIS)<\/li>\n\n\n\n
      • Cyber-insurance underwriters (the questionnaire you fill out at renewal)<\/li>\n\n\n\n
      • Every major compliance framework \u2014 HIPAA, PCI-DSS, SOC 2, CMMC<\/li>\n<\/ul>\n\n\n\n

        CIS publishes Benchmarks<\/strong> \u2014 versioned recipe books that say “here is how to configure X securely, with the exact settings, in plain language, with rationale for each one.” There’s a benchmark for Microsoft Windows, one for Microsoft 365, one for Linux distros, one for AWS, one for Microsoft Defender specifically.<\/p>\n\n\n\n

        The Windows benchmark has two levels:<\/p>\n\n\n\n

          \n
        • Level 1 (L1)<\/strong> \u2014 “every business should have this on. No compatibility tradeoffs. No good reason not to.”<\/li>\n\n\n\n
        • Level 2 (L2)<\/strong> \u2014 “more aggressive. May break some legacy software. For compliance-driven environments.”<\/li>\n<\/ul>\n\n\n\n

          We deploy L1<\/strong> by default for every client. L2 we layer on for clients with regulated data (HIPAA-adjacent practices, contractors with CMMC obligations, etc.).<\/p>\n\n\n\n

          For Defender specifically, the L1 benchmark enforces things like:<\/p>\n\n\n\n

            \n
          • Real-time protection ON<\/li>\n\n\n\n
          • Cloud-delivered protection ON (samples submitted for behavioral analysis)<\/li>\n\n\n\n
          • Tamper protection ON<\/strong> \u2014 prevents users or<\/em> malware from disabling Defender<\/li>\n\n\n\n
          • Network protection in Block<\/strong> mode (not Audit \u2014 actually blocking, not just logging)<\/li>\n\n\n\n
          • Controlled Folder Access ON (ransomware mitigation)<\/li>\n\n\n\n
          • Scan removable drives, scan archive files<\/li>\n\n\n\n
          • PUA (potentially unwanted application) protection ON<\/li>\n\n\n\n
          • SmartScreen for Microsoft Edge ON<\/li>\n\n\n\n
          • Specific scan schedules, signature update intervals, sample submission policies<\/li>\n<\/ul>\n\n\n\n

            None of this is exotic. None of it costs extra. It’s all already in Defender. The question is whether anyone has actually flipped the switches.<\/p>\n\n\n\n

            The 16 Attack Surface Reduction (ASR) rules<\/h2>\n\n\n\n

            ASR is a specific Defender feature \u2014 a set of rules where each one blocks one specific attacker technique. Microsoft maintains them, updates them, and ships them with Windows. They have to be explicitly enabled, and each rule has three modes: Off, Audit (log but don’t block), and Block<\/strong> (actually stop the behavior).<\/p>\n\n\n\n

            We deploy 16 ASR rules in Block mode<\/strong> on every endpoint we manage. Here’s what each one does, in plain English:<\/p>\n\n\n\n

            Rule (plain English)<\/th>What it blocks<\/th><\/tr><\/thead>
            Block executables from email\/webmail<\/td>The classic “open this attachment” malware vector<\/td><\/tr>
            Block Office apps from creating child processes<\/td>Word\/Excel can’t spawn cmd.exe \/ powershell.exe \u2014 kills macro-based attacks<\/td><\/tr>
            Block Office apps from creating executable content<\/td>Stops Office from writing .exe files to disk<\/td><\/tr>
            Block Office apps from injecting code into other processes<\/td>Process injection \u2014 common malware persistence<\/td><\/tr>
            Block JS\/VBScript from launching downloaded executables<\/td>Drive-by download protection<\/td><\/tr>
            Block execution of obfuscated scripts<\/td>Obfuscation = “I’m trying to hide what I’m doing”<\/td><\/tr>
            Block Win32 API calls from Office macros<\/td>The technique behind 90% of “open the doc, get pwned” attacks<\/td><\/tr>
            Block credential stealing from LSASS<\/td>Defends against Mimikatz-style password dumping<\/td><\/tr>
            Block process creation from PSExec \/ WMI commands<\/td>Lateral movement (how attackers spread between PCs after first foothold)<\/td><\/tr>
            Block untrusted\/unsigned processes from USB<\/td>“Found a USB stick in the parking lot” attack<\/td><\/tr>
            Block Outlook\/communication apps from creating child processes<\/td>Outlook can’t be tricked into launching attached payloads<\/td><\/tr>
            Block Adobe Reader from creating child processes<\/td>PDF-borne malware<\/td><\/tr>
            Block persistence through WMI event subscription<\/td>Persistent malware that survives reboots<\/td><\/tr>
            Use advanced ransomware protection<\/td>Behavioral heuristics on file-mass-encryption patterns<\/td><\/tr>
            Block exploited vulnerable signed drivers<\/td>The “Bring Your Own Vulnerable Driver” technique<\/td><\/tr>
            Block rebooting machine in Safe Mode (newest addition)<\/td>Prevents attackers from booting around your security<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

            Inside one rule: what enabling “Block Office apps from creating child processes” actually looks like<\/h2>\n\n\n\n

            For the technically inclined \u2014 here’s the actual PowerShell one of our TacticalRMM scripts runs to enable that rule on a managed endpoint:<\/p>\n\n\n\n

            <\/circle><\/circle><\/circle><\/g><\/svg><\/span>