Protect Active Directory with Microsoft Defender for Identity

• Author
• Recent Posts

Brandon Lee

Brandon Lee has been in the IT industry 15+ years and focuses on networking and virtualization. He contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Latest posts by Brandon Lee (see all)

• ManageEngine OpManager: Comprehensive monitoring for on-prem, cloud, and containers - Thu, Mar 23 2023
• Install K3s, a lightweight, production-grade Kubernetes distro - Mon, Mar 20 2023
• VMware NSX Advanced Load Balancer: Installation and configuration - Fri, Mar 10 2023

Microsoft Defender for Identity has its roots in Azure, as well as in the former Advanced Threat Protection (Azure ATP). Therefore, organizations do not have to house the security solution on-premises aside from the sensor installed on the domain controllers. It is helpful to provide clear steps to resolve misconfigurations.

Microsoft Defender for Identity helps boost cybersecurity posture in the following four security pillars:

• Prevent—From the moment it's installed, it starts monitoring the Active Directory environment. This includes assessing the security configuration and AD schema. It provides recommendations on how to best protect the environment to prevent security from being compromised in the first place.
• Detect—It provides real-time analytics and data intelligence. This includes monitoring network activity, Windows events, and other metrics to provide real-time alerts to SecOps to provide the evidence needed to understand the threat and mitigate it effectively.
• Investigate—Provide user investigation priority scoring, activity events, and other contextual events to help SecOps understand what is happening in the environment to best respond.
• Respond—Automatic response to compromised identities. Automatically or semi automatically respond to threat alerts.

Microsoft Defender for Identity security pillars

One of the benefits of this cloud service is lifecycle management, and security intelligence is handled automatically by Microsoft. Microsoft Defender for Identity is updated weekly with the latest security intel, alerts, and security assessments.

The solution is also evolving in its capabilities and protected platforms. For example, Microsoft has extended the platform to include Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS). Now, organizations can deploy sensors to analyze threat signals related to their AD FS environments.

How does it fit in with other Microsoft cloud-driven products and solutions? Microsoft Defender for Identity is not an "end all be all" solution. However, it fits nicely with the layered approach, including:

• Application protection
• Endpoint protection
• Email and data protection

Layered security approach including Microsoft Defender for Identity

Microsoft Defender for Identity architecture

The Microsoft Defender for Identity architecture comprises the following:

1. Defender for Identity portal—Allows creating the Defender for Identity instance and displays the data received from the remote sensors. It is primarily where you will perform monitoring, management, and investigation activities.
2. Defender for Identity sensor—The remote threat signal collector that monitors network traffic and authentication requests.
3. Defender for Identity cloud service—The cloud service running in Azure infrastructure connected to Microsoft's intelligent security graph.

Microsoft Defender for Identity architecture

Sensor requirements

You can think of the sensor as the Microsoft Defender for Identity "agent." The requirements for it include the following:

• Server support—Windows Server 2008 R2 SP1 and higher
• .Net Framework 4.7
• Recommended hardware—6 GB RAM, 2 Cores
• Network ports—443 (outbound), DNS, NetLogon, RADIUS (internal) and NTLM, NetBIOS, and RDP on devices for Name Resolution
• Service account / Group Managed Service Account (read-only)
• Auditing events—4726, 4728, 4729, 4730, 4732, 4733, 4743, 4753, 4756, 4757, 4758, 4763, 4776, 7045, 8004

Specific capabilities of Microsoft Defender for Identity

What specific capabilities are provided by Microsoft Defender for Identity and integration with Microsoft 365 Security? Note the features below for detecting compromise and preventing lateral movement.

Reconnaissance

• Security principal enumeration (LDAP)
• User's group membership enumeration
• Users and IP address enumeration
• Host and server name enumeration (DNS)
• Resource access and suspicious activities
• Reconnaissance by targeted entity attributes

Credential access

• Brute force attempts (now also detected via AD FS)
• Suspicious VPN connections
• Honeytoken account suspicious activities
• Suspected AS-Rep roasting
• Logon/failed logon, and suspicious activities
• Suspected Kerberos SPN exposure
• Suspicious DC password change using NetLogon (CVE-2020-1472)

Lateral movement

• NTLM Relay and NTLM tampering
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• Suspicious group membership changes
• Suspicious SID history injection
• Suspected Pass-the-Certificate
• Suspicious rogue certificate

Persistence

• Golden ticket attack detection
• DCShadow, DCSync
• Data exfiltration detection
• Code execution/service creation on DC and AD FS
• SMB packet manipulation
• Skeleton key
• Golden ticket leveraging RBCD
• Suspicious print spooler registration
• Remote code execution attempt—Exchange server vulnerability (CVE-2021-26855)
• AD FS DKM read

Below is a screenshot of the user and IP address reconnaissance dashboard in Microsoft Defender for Identity:

User and IP address reconnaissance screen in Microsoft Defender for Identity courtesy of Microsoft

Proactive actioning of threat signals

Alerting and information about a potential attack are great. However, can Microsoft Defender for Identity proactively contain attacks? Yes, it can. Note the following containment actions provided by Microsoft Defender for Identity:

• Disable user—A compromised user account can be proactively disabled, preventing the user from logging into AAD/AD
• Revoke user sessions—The session/access token is automatically voided, and it prevents the user from refreshing the token
• Change/reset a user password—This action can change the user's password and force an account password change at the next login to AAD/AD
• Confirm the user as compromised—The user's risk level is set to "high" in the AAD IP

Licensing

Defender for Identity is available as part of Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft F5 Security & Compliance, and Microsoft Defender for Identity for Users. You can acquire a license directly from the Microsoft 365 portal or through the CSP program.

Wrapping up

As more attacks target Microsoft Active Directory and user credentials, protecting your Active Directory is crucial to the overall security posture of your organization.

Microsoft Defender for Identity provides an interesting security solution for AD DS and AD FS that allows businesses to leverage Microsoft security intelligence to spot potential threats in the environment quickly and contain them.