
Protect your Active Directory with Defender for Identity (MDI)

By Vlad Johansen

Today's blog post is about Defender for Identity (MDI), previously known as Azure Advanced Threat Protection (Azure ATP).


Many customers still operate a hybrid environment with AD DS, and some also run AD CS and AD FS. They have Microsoft Entra Connect (formerly Azure AD Connect) up and running, synchronizing identities, groups, and devices to Entra ID. Their focus is on moving to the CLOUD (we need to go to the CLOUD). But what about their on-premises infrastructure? What about their AD, which still runs many services, roles, highly privileged accounts, certificates, and so on? How do you monitor and secure these on-premises assets?


This is where Defender for Identity comes into play, especially through its integration with Defender XDR and Microsoft Sentinel.


What is Defender for Identity?


Microsoft Defender for Identity is a cloud-based security solution designed to enhance identity monitoring across your organization.

Fully integrated with Microsoft Defender XDR, Defender for Identity utilizes signals from both on-premises Active Directory and cloud identities to help you more effectively identify, detect, and investigate advanced threats targeting your organization.


Key features include:


  • Preventing breaches through proactive identity security posture assessments

  • Detecting threats using real-time analytics and data intelligence

  • Investigating suspicious activities with clear, actionable incident information

  • Responding to attacks with automatic responses to compromised identities



Prerequisites


  • Microsoft 365 E5/F5 or G5

  • Microsoft 365 E3/F1/F3 + E5/F5/A5/G5 Security add-ons

  • Office 365 F3 + E3 Security

  • Standalone Defender for Identity license


Requirements


  • At least one Windows Server 2016 (or later) with the AD DS, AD CS or AD FS role installed and configured


PS: If you are using Windows Server 2019, ensure that KB4487044 is installed.


How to start?


  1. The easiest way is to run the MDI readiness script in your environment to test whether it meets the necessary requirements.



You can also find it in the Defender portal (security.microsoft.com) under Identities -> Tools, but only after the onboarding process has finished, not before.

I'll skip this in my post; I have a Windows Server 2019 test environment with AD DS running on my local Hyper-V host. Yeah, this one really needs the cloud :-)



Now, if your environment fulfills all the requirements, let's go forward with the setup and configuration on the server.


  1. Sign in to security.microsoft.com with at least the Security Administrator role.

  2. Go to Settings -> Identities.

    Let the onboarding process finish; it can take some minutes. In my case it took about 1 minute.

  3. Press +Add sensor.

  4. Press Download installer.

  5. Copy the downloaded .zip file to your domain controller, unzip it and run Azure ATP Sensor Setup as administrator.

  6. Press Next, Next.

  7. Press Next again, paste the Access key from the Defender portal and press Install.

  8. After the install is complete, go back to the Defender portal: security.microsoft.com -> Settings -> Identities.

    In my case I got some errors in the health status and needed to install the required KB. The health status changed to Healthy after I completed all the required steps, installed the updates and rebooted the server.


    Take a look at the health issues page if you need a full overview of how to resolve the different issues: Microsoft Defender for Identity health issues - Microsoft Defender for Identity | Microsoft Learn

    You should also be able to see the resolutions in the Sensor health issues tab by pressing on the error message, or under Sensors in Settings by pressing on your sensor.

    Here you can see the health issues I resolved and closed. If I press on one of them, I get recommendations with a link to how to fix that issue. Some of them need to be fixed manually, some with PowerShell scripts.

    You can close fixed issues; if something is still not OK, MDI will notify you about it again in the portal under Sensors.


  9. Now that the issues are fixed and the sensor is healthy, let's start configuring our Defender for Identity workspace. Go back to Settings -> Identities and press Sensitive -> Tag users.

    Here you can tag all the sensitive (critical) identities in your Active Directory, such as Global admins, Enterprise admins, etc., or just accounts with highly privileged access. Defender for Identity will then pay extra attention to those accounts.

    I just tagged some critical accounts from my environment in this case. Yes, my brother in crime Magnus Mikkelsen got a nice short username: mami. Sometimes he is my mami and I'm his papi.

    You can also tag critical devices, for example privileged workstations, DHCP servers, DNS servers, etc. I don't have any devices, so we will skip this step and look at the Groups tab.

  10. In Groups you can add groups from your Active Directory as well. This one is very important: if you get new domain admins or enterprise admins, they are scoped automatically without any gaps, unlike when you only add individual users. I just added some of my groups as an example, but it should of course be more than that.


    Now let's take a look at the Honeytoken tab.

    Here we can add honeytoken accounts and devices if you have any. I just added two of my honeytoken accounts.

    We can also add your Exchange servers, if you have any on-prem Exchange servers, by pressing the Exchange server tab below.
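Before tagging sensitive users and groups, it helps to have an inventory of who actually holds privilege in the domain. The following is an added example (not from the original post or from Microsoft): it expands the built-in privileged groups recursively and also lists accounts that still carry AdminCount=1 without any current membership, which are easy to overlook. It assumes the RSAT ActiveDirectory module and read access to the domain; add your own custom admin groups to the list.

```powershell
# Added example: build the candidate list of accounts to tag as Sensitive in MDI.
# Assumes the ActiveDirectory module is available and the caller can read the domain.
Import-Module ActiveDirectory

# Built-in groups that grant domain-wide privilege; extend with your own admin groups
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'Group Policy Creator Owners', 'DnsAdmins'
)

function Get-MdiSensitiveCandidates {
    param([string[]]$Groups = $PrivilegedGroups)
    $membership = @{}   # SamAccountName -> list of groups that grant the privilege
    foreach ($name in $Groups) {
        # Some groups (e.g. DnsAdmins) only exist when the matching role is installed
        $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups, so members inherited through group chains are found
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            if ($m.objectClass -ne 'user') { continue }
            if (-not $membership.ContainsKey($m.SamAccountName)) { $membership[$m.SamAccountName] = @() }
            $membership[$m.SamAccountName] += $name
        }
    }
    # AdminSDHolder leaves AdminCount=1 behind after an account is removed from a
    # privileged group; such accounts keep a protected ACL and should be reviewed too
    foreach ($u in Get-ADUser -Filter 'AdminCount -eq 1' -Properties AdminCount) {
        if (-not $membership.ContainsKey($u.SamAccountName)) {
            $membership[$u.SamAccountName] = @('(AdminCount=1, no current privileged membership)')
        }
    }
    foreach ($sam in $membership.Keys) {
        $u = Get-ADUser -Identity $sam -Properties Enabled, LastLogonDate
        [pscustomobject]@{
            SamAccountName = $sam
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Source         = ($membership[$sam] -join '; ')
        }
    }
}

Get-MdiSensitiveCandidates | Sort-Object SamAccountName | Format-Table -AutoSize
```

Disabled or long-dormant accounts in the output are candidates for cleanup rather than tagging, while the groups themselves belong in the Groups tab so that future members are covered automatically.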

There is also the possibility to exclude users, domains, devices or IP addresses under Actions and exclusions -> Global excluded entities,

or to exclude users, groups, IPs and devices per detection rule under Exclusions by detection rule.

Under Notifications we can set up health issue, alert and syslog notifications sent to our e-mail address(es).

PS: Alert notifications are being deprecated and are now managed in Settings -> Microsoft Defender XDR -> Email notifications -> Incidents.


Under General -> Adjust alert thresholds we can also select the threshold level for our alerts.

In the VPN section we can enable RADIUS accounting to integrate with your VPN solution: the Defender for Identity sensors listen for forwarded RADIUS accounting events, such as the IP addresses and locations that connections originate from. VPN accounting data helps investigations by providing more information about user activity, such as the locations from which computers connect to the network, and it adds an extra detection for abnormal VPN connections.


In Directory services accounts we can set up our DSA (Directory Service Account), which the sensor uses to connect to the domain controller at startup. A DSA is also used to query the domain controller for data on entities seen in network traffic, monitored events, and monitored ETW activities. It is optional for the sensor setup itself and required in some scenarios (AD FS, AD CS), but it is of course recommended to set it up for AD DS as well. I skipped this for the demo, but do it in the production environment.
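For production, a group Managed Service Account (gMSA) is the usual choice for the DSA because its password is rotated automatically and only the designated hosts can retrieve it. The following is an added example (not from the original post or from Microsoft): it creates a gMSA whose password can be retrieved only by the domain controllers that run the sensor. It assumes Domain Admin rights, the ActiveDirectory module, and that the sensors run on the DCs; the account and group names are hypothetical.

```powershell
# Added example: create a least-privilege gMSA to use as the MDI Directory Service Account.
# Assumes Domain Admin rights and the ActiveDirectory module; names below are hypothetical.
Import-Module ActiveDirectory

$DsaName    = 'mdiSvc01'           # gMSA name (hypothetical)
$DsaGroup   = 'MDI-Sensor-Hosts'   # group allowed to retrieve the gMSA password (hypothetical)
$DomainFqdn = (Get-ADDomain).DNSRoot

# A KDS root key must exist before any gMSA can be created. With -EffectiveImmediately the
# key still needs ~10 hours to replicate before every DC will honor it.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Group of computers that may use the gMSA: every DC running a sensor
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$DsaGroup'")) {
    New-ADGroup -Name $DsaGroup -GroupScope DomainLocal -Description 'Hosts running the MDI sensor'
}
$dcs = Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN }
Add-ADGroupMember -Identity $DsaGroup -Members $dcs

# The DSA only needs to read directory data, so it is deliberately kept out of any
# privileged group and gets no rights beyond those of an ordinary domain user.
New-ADServiceAccount -Name $DsaName -DNSHostName "$DsaName.$DomainFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $DsaGroup `
    -KerberosEncryptionType AES256 -Description 'MDI Directory Service Account'

# Run on each sensor host once the group membership has replicated (a reboot refreshes the
# computer's Kerberos ticket) to confirm the host can retrieve the managed password
Test-ADServiceAccount -Identity $DsaName
```

After the account exists, enter it in Settings -> Identities -> Directory services accounts with the gMSA option selected; Microsoft's DSA documentation additionally lists read access on the domain's Deleted Objects container, which this example does not grant.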

In Manage action accounts we can manually add another account that will be used to perform remediation actions in on-prem AD. This is optional and not recommended; use the local system account for this instead.

Now that we have covered all the settings, we can take a look at our dashboard in

Defender portal -> Identities -> Dashboard


Here we get a great ITDR (Identity Threat Detection and Response) overview of all our identities: on-prem, cloud and hybrid. In my case I don't have any hybrid identities synchronized yet. It's important to note that Defender for Identity monitors all our identities, not only the on-prem ones. Based on those signals it generates alerts and incidents and sends them to our unified Defender XDR portal.

It's fully integrated with Defender XDR, and its data can be ingested into Microsoft Sentinel, which makes it a powerful Identity Protection tool.


We can also see a separate Identity score here, which is part of the overall Secure Score in the Defender portal.


By pressing the Improve your score button, we are redirected to Microsoft Secure Score.

Here we can filter the recommendations by Category: Identity to get insight into only our identity recommendations.

I hope I covered most of the functions and setup here. As I mentioned before, this is a powerful tool from Microsoft to help customers detect and respond to identity-related attacks, threats and breaches.


Thanks for reading and have a nice day. See you soon!



