- Veeam Backup for Microsoft 365—Why you need to back up your M365 data - Tue, Nov 15 2022
- Cloud-based patch management with Action1 - Tue, Nov 8 2022
- Wi-Fi not working? Analyze with free Wi-Fi stumblers - Fri, Nov 4 2022
Microsoft Defender for Identity has its roots in Azure, as well as in the former Advanced Threat Protection (Azure ATP). Therefore, organizations do not have to house the security solution on-premises aside from the sensor installed on the domain controllers. It is helpful to provide clear steps to resolve misconfigurations.
Microsoft Defender for Identity helps boost cybersecurity posture in the following four security pillars:
- Prevent—From the moment it's installed, it starts monitoring the Active Directory environment. This includes assessing the security configuration and AD schema. It provides recommendations on how to best protect the environment to prevent security from being compromised in the first place.
- Detect—It provides real-time analytics and data intelligence. This includes monitoring network activity, Windows events, and other metrics to provide real-time alerts to SecOps to provide the evidence needed to understand the threat and mitigate it effectively.
- Investigate—Provide user investigation priority scoring, activity events, and other contextual events to help SecOps understand what is happening in the environment to best respond.
- Respond—Automatic response to compromised identities. Automatically or semi automatically respond to threat alerts.
One of the benefits of this cloud service is lifecycle management, and security intelligence is handled automatically by Microsoft. Microsoft Defender for Identity is updated weekly with the latest security intel, alerts, and security assessments.
The solution is also evolving in its capabilities and protected platforms. For example, Microsoft has extended the platform to include Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS). Now, organizations can deploy sensors to analyze threat signals related to their AD FS environments.
How does it fit in with other Microsoft cloud-driven products and solutions? Microsoft Defender for Identity is not an "end all be all" solution. However, it fits nicely with the layered approach, including:
- Application protection
- Endpoint protection
- Email and data protection
Microsoft Defender for Identity architecture ^
The Microsoft Defender for Identity architecture comprises the following:
- Defender for Identity portal—Allows creating the Defender for Identity instance and displays the data received from the remote sensors. It is primarily where you will perform monitoring, management, and investigation activities.
- Defender for Identity sensor—The remote threat signal collector that monitors network traffic and authentication requests.
- Defender for Identity cloud service—The cloud service running in Azure infrastructure connected to Microsoft's intelligent security graph.
Sensor requirements ^
You can think of the sensor as the Microsoft Defender for Identity "agent." The requirements for it include the following:
- Server support—Windows Server 2008 R2 SP1 and higher
- .Net Framework 4.7
- Recommended hardware—6 GB RAM, 2 Cores
- Network ports—443 (outbound), DNS, NetLogon, RADIUS (internal) and NTLM, NetBIOS, and RDP on devices for Name Resolution
- Service account / Group Managed Service Account (read-only)
- Auditing events—4726, 4728, 4729, 4730, 4732, 4733, 4743, 4753, 4756, 4757, 4758, 4763, 4776, 7045, 8004
Specific capabilities of Microsoft Defender for Identity ^
What specific capabilities are provided by Microsoft Defender for Identity and integration with Microsoft 365 Security? Note the features below for detecting compromise and preventing lateral movement.
- Security principal enumeration (LDAP)
- User's group membership enumeration
- Users and IP address enumeration
- Host and server name enumeration (DNS)
- Resource access and suspicious activities
- Reconnaissance by targeted entity attributes
- Brute force attempts (now also detected via AD FS)
- Suspicious VPN connections
- Honeytoken account suspicious activities
- Suspected AS-Rep roasting
- Logon/failed logon, and suspicious activities
- Suspected Kerberos SPN exposure
- Suspicious DC password change using NetLogon (CVE-2020-1472)
- NTLM Relay and NTLM tampering
- Suspicious group membership changes
- Suspicious SID history injection
- Suspected Pass-the-Certificate
- Suspicious rogue certificate
- Golden ticket attack detection
- DCShadow, DCSync
- Data exfiltration detection
- Code execution/service creation on DC and AD FS
- SMB packet manipulation
- Skeleton key
- Golden ticket leveraging RBCD
- Suspicious print spooler registration
- Remote code execution attempt—Exchange server vulnerability (CVE-2021-26855)
- AD FS DKM read
Below is a screenshot of the user and IP address reconnaissance dashboard in Microsoft Defender for Identity:
Proactive actioning of threat signals ^
Alerting and information about a potential attack are great. However, can Microsoft Defender for Identity proactively contain attacks? Yes, it can. Note the following containment actions provided by Microsoft Defender for Identity:
- Disable user—A compromised user account can be proactively disabled, preventing the user from logging into AAD/AD
- Revoke user sessions—The session/access token is automatically voided, and it prevents the user from refreshing the token
- Change/reset a user password—This action can change the user's password and force an account password change at the next login to AAD/AD
- Confirm the user as compromised—The user's risk level is set to "high" in the AAD IP
Defender for Identity is available as part of Enterprise Mobility + Security E5/A5, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5/F5 Security, Microsoft F5 Security & Compliance, and Microsoft Defender for Identity for Users. You can acquire a license directly from the Microsoft 365 portal or through the CSP program.
Wrapping up ^
As more attacks target Microsoft Active Directory and user credentials, protecting your Active Directory is crucial to the overall security posture of your organization.
Subscribe to 4sysops newsletter!
Microsoft Defender for Identity provides an interesting security solution for AD DS and AD FS that allows businesses to leverage Microsoft security intelligence to spot potential threats in the environment quickly and contain them.