Plan Defender for Servers deployment

The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk by providing actionable recommendations to improve and remediate machine security posture. Defender for Servers also helps to protect machines against real-time security threats and attacks.

This guide helps you design and plan an effective Defender for Servers deployment.

About this guide

The intended audience of this guide is cloud solution and infrastructure architects, security architects and analysts, and anyone who's involved in protecting cloud and hybrid servers and workloads.

The guide answers these questions:

  • What does Defender for Servers do and how is it deployed?
  • Where is my data stored and when do I need a Log Analytics workspace?
  • How do I control access to Defender for Servers resources?
  • Which Defender for Servers plan should I choose, and where should I deploy the plan?
  • What agents and extensions are needed in my deployment?
  • How do I scale a deployment?

Before you begin

Before you begin deployment planning:

Deployment steps

The following table summarizes Defender for Servers deployment steps.

| Step | Details | Outcome |
|---|---|---|
| Connect on-premises machines | To protect on-premises machines, we recommend onboarding on-premises machines as Azure Arc VMs. However, with direct onboarding you won't have full access to Defender for Servers Plan features. | On-premises machines are successfully onboarded to Defender for Cloud. |
| Enable Defender for Servers | Deploy a Defender for Servers plan. | Defender for Cloud starts protecting supported machines within the deployment scope. |
| Take advantage of free data ingestion | To take advantage of 500 MB of free daily ingestion for specific data types, machines must be running the Azure Monitor Agent (AMA), and be connected to a Log Analytics workspace. The benefit is granted for the supported data types on the Log Analytics workspace to which machines report. | Free daily ingestion is configured for supported data types. |
| Prepare for OS assessment | For Defender for Servers Plan to assess operating system configuration settings against compute security baselines in Microsoft Cloud Security Benchmark, machines must be running the Azure Policy machine configuration extension. | Defender for Servers Plan collects OS configuration information for assessment. |
| Set up file integrity monitoring | After enabling Defender for Servers Plan, you set up file integrity monitoring. You need a Log Analytics workspace for file integrity monitoring. You can use an existing workspace, or create a new workspace when you configure the feature. | Defender for Servers monitors critical file changes. |
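
One way to check a machine inventory against the prerequisites in the table above. This is an added example, not part of the original article or Microsoft's tooling; the record fields (name, onboarding, extensions, workspace) and the sample inventory are assumptions, while the extension type names are the Azure VM extension types for AMA and machine configuration.

```python
# Added example, not Microsoft's code. Field names (onboarding, extensions,
# workspace) are hypothetical; the inventory below is constructed sample data.

# Azure VM extension type names for the agents the table requires.
AMA_TYPES = {"azuremonitorwindowsagent", "azuremonitorlinuxagent"}
MACHINE_CONFIG_TYPES = {"configurationforwindows", "configurationforlinux"}


def assess(machine):
    """Return the planning gaps for one machine record."""
    exts = {e.lower() for e in machine.get("extensions", [])}
    gaps = []
    if machine.get("onboarding") == "direct":
        gaps.append("direct onboarding: no full access to plan features")
    if not (exts & AMA_TYPES and machine.get("workspace")):
        gaps.append("free ingestion: needs AMA and a Log Analytics workspace")
    if not exts & MACHINE_CONFIG_TYPES:
        gaps.append("OS assessment: machine configuration extension missing")
    return gaps


def report(machines, fim_workspace=None):
    """Map each machine name to its gaps; add a deployment-wide FIM check."""
    result = {m["name"]: assess(m) for m in machines}
    if not fim_workspace:
        result["(deployment)"] = ["file integrity monitoring: no workspace chosen"]
    return result


SAMPLE_INVENTORY = [  # constructed
    {"name": "arc-db01", "onboarding": "arc", "workspace": "law-example",
     "extensions": ["AzureMonitorLinuxAgent", "ConfigurationForLinux"]},
    {"name": "onprem-app02", "onboarding": "direct", "extensions": []},
    {"name": "az-web03", "onboarding": "azure", "workspace": None,
     "extensions": ["AzureMonitorWindowsAgent", "ConfigurationforWindows"]},
]

if __name__ == "__main__":
    for name, gaps in report(SAMPLE_INVENTORY, "law-example").items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The extension lists can be populated from whatever inventory export you already have; only the extension type strings need to match.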

Next steps

After kicking off the planning process, review the second article in this planning series to understand how to control access to Defender for Servers.