Defender for Identity
Microsoft Defender for Identity monitors your Azure Active Directory and on-premises Active Directory infrastructure and lets you analyse the collected data for signs of attack. A Defender for Identity sensor is installed on domain controllers or AD FS servers so that it can read those servers' event logs. The sensor analyses the logs and the network traffic locally, and only the information Microsoft Defender for Identity needs is sent to the Defender for Identity cloud service.
Defender for Identity components
The Defender for Identity portal displays the data received from the sensor and lets you monitor, manage and investigate threats. The Defender for Identity sensor monitors domain controller traffic directly; it requires neither a dedicated server nor port mirroring configuration. On an AD FS server, the sensor monitors network traffic and authentication events. The Defender for Identity cloud service runs on Azure infrastructure and is deployed in the US, Europe and Asia regions.
The sensor automatically reads the following events:
- 4776
- 4732
- 4733
- 4728
- 4729
- 4756
- 4757
- 7045
- 8004
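A quick way to confirm that a domain controller is actually producing the events listed above is to count them per log over the last 24 hours. The script below is an added example, not part of the original post; the mapping of event IDs to logs (Security, System and the Microsoft-Windows-NTLM/Operational log for 8004) is my assumption based on where Windows writes them, and it must be run in an elevated session on the domain controller.

```powershell
# Added example: count the events the Defender for Identity sensor reads, per log,
# over the last 24 hours on this domain controller.
# Log assignment is an assumption about where Windows writes each event ID:
#   Security log : 4776, 4732, 4733, 4728, 4729, 4756, 4757
#   System log   : 7045 (new service installed)
#   NTLM log     : 8004 (only generated once NTLM auditing is enabled)
$LogMap = @{
    'Security'                           = 4776, 4732, 4733, 4728, 4729, 4756, 4757
    'System'                             = 7045
    'Microsoft-Windows-NTLM/Operational' = 8004
}
$Since = (Get-Date).AddDays(-1)

foreach ($log in $LogMap.Keys) {
    $ids = @($LogMap[$log])
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $Since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero hits
        $events = @()
    }
    # Group by event ID so each ID can be reported even when it never occurred
    $counts = $events | Group-Object Id -AsHashTable -AsString
    foreach ($id in $ids) {
        $n = if ($counts -and $counts["$id"]) { $counts["$id"].Count } else { 0 }
        $status = if ($n -gt 0) { 'OK' } else { 'none in window (normal if no such activity, otherwise check audit policy)' }
        '{0,-38} {1,5} : {2,6} event(s)  {3}' -f $log, $id, $n, $status
    }
}
```

A zero count for the group-management events (4728, 4729, 4732, 4733, 4756, 4757) is expected on a quiet domain; a zero count for 4776 on a busy domain controller, or for 8004 after NTLM auditing has been turned on, points at an audit policy that has not applied.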
Prerequisites
Microsoft Defender for Identity requires an Enterprise Mobility + Security 5 (EMS E5), Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5/G5 Security or Microsoft Defender for Identity licence.
If your server uses a proxy server to access the Internet, use this link to configure Microsoft Defender for Identity accordingly.
If your server is configured with a NIC Teaming adapter, an installation error appears. Use this link to install the sensor on a server with a NIC Teaming adapter.
The Defender for Identity portal requires a browser that supports TLS 1.2, such as Microsoft Edge, Internet Explorer 11 or Google Chrome 30.0. To communicate with the Defender for Identity cloud service, the following URL must be allowed through the firewall/proxy:
- *.atp.azure.com:443
The Microsoft Defender for Identity sensor can be installed on a domain controller or an RODC (Read Only Domain Controller). If .NET Framework 4.7 is not installed on the server, the setup installs it, which may require a reboot of the server.
The sensor requires two cores and 6 GB of RAM on the domain controller. Be careful! If your domain controller runs Windows Server 2008 R2 with Broadcom Network Adapter Teaming enabled, installing the sensor on that domain controller is not supported.
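The prerequisites above can be checked in one pass before running the installer. The script below is an added example, not part of the original post. It assumes the .NET Framework 4.7 detection rule (a Release value of 460798 or higher under the NDP\v4\Full registry key), uses the built-in LBFO teaming cmdlet only (third-party teaming such as the Broadcom driver is not detected by it), and the `*.atp.azure.com` host name is a placeholder you must replace with your own instance name, since a wildcard cannot be tested.

```powershell
# Added example: pre-flight check of the sensor prerequisites on the domain controller.
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$os    = (Get-CimInstance Win32_OperatingSystem).Caption

# .NET Framework 4.7 or later: Release value 460798 or higher (assumed detection rule)
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
$netOk   = ($release -ge 460798)

# Built-in NIC teaming only; vendor teaming (e.g. Broadcom) must be checked in its own tool
$teams = Get-NetLbfoTeam -ErrorAction SilentlyContinue

# Outbound TCP/443 to the cloud service; replace the placeholder with your instance host name
$atpHost = '<your-instance>.atp.azure.com'
$tcp = Test-NetConnection -ComputerName $atpHost -Port 443 -WarningAction SilentlyContinue

[pscustomobject]@{
    OperatingSystem    = $os
    Cores              = $cores
    CoresOk            = ($cores -ge 2)
    RamGB              = $ramGB
    RamOk              = ($ramGB -ge 6)
    DotNetRelease      = $release
    DotNet47OrLaterOk  = $netOk
    NicTeamsConfigured = @($teams).Count
    AtpEndpoint        = $atpHost
    Tcp443Ok           = ($tcp.TcpTestSucceeded -eq $true)
} | Format-List
```

If `NicTeamsConfigured` is greater than zero, follow the NIC Teaming procedure linked above before installing; if `Tcp443Ok` is false while the host name is correct, the proxy or firewall rule for `*.atp.azure.com:443` is missing.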
Create ATP instance
To create an ATP instance, the user must have a Microsoft Defender for Identity licence (Microsoft 365 E5 or EMS E5). Go to the Microsoft Defender for Identity portal and sign in with a global administrator or security administrator account. Click on Create.
The Microsoft Defender for Identity instance has been created.
Configure Microsoft Defender for Identity
Click on Provide a username and password, then on Add credentials. My user account does not have administrative rights. This credential is used to connect to your Active Directory forest.
You can now download the sensor and install it on your domain controller.
Click on Download Sensor Setup. Download the file with the Download button and copy the Access Key.
Run Azure ATP Sensor Setup on your domain controller.
A wizard appears; select the desired language and click on Next.
If a known issue is detected, a link appears; click on it to resolve the problem. Click on Next once the problem is fixed.
Paste the Access Key and click on Install.
Click on Finish when the installation has completed. The sensor now appears in the configuration.
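When many domain controllers need the sensor, the wizard steps above can be replaced by the documented silent install, followed by a check that the two sensor services are running. The script below is an added example, not part of the original post; the installer path and the access key are placeholders, and the service names `AATPSensor` and `AATPSensorUpdater` are the ones the sensor registers.

```powershell
# Added example: unattended sensor installation on a domain controller plus a post-install check.
$Setup     = 'C:\Temp\Azure ATP sensor Setup.exe'   # placeholder: where you extracted the download
$AccessKey = '<paste-access-key-here>'               # placeholder: copied from the portal, keep it secret

# /quiet runs the wizard unattended; NetFrameworkCommandLineArguments="/q" installs .NET 4.7 silently if it is missing
$proc = Start-Process -FilePath $Setup `
    -ArgumentList '/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$AccessKey`"" `
    -Wait -PassThru
"Installer exit code: $($proc.ExitCode)   (0 = completed; anything else: read the setup log before retrying)"

# The sensor runs as two Windows services; both should be Running once installation completes
$expected = 'AATPSensor', 'AATPSensorUpdater'
$found    = Get-Service -Name $expected -ErrorAction SilentlyContinue
$found | Select-Object Name, Status, StartType | Format-Table -AutoSize

$missing = $expected | Where-Object { $_ -notin $found.Name }
$stopped = $found | Where-Object { $_.Status -ne 'Running' }
if ($missing)  { "Not installed: $($missing -join ', ')" }
if ($stopped)  { "Not running:   $($stopped.Name -join ', ')" }
if (-not $missing -and -not $stopped) { 'Sensor services are installed and running; it should appear under Configuration shortly.' }
```

Treat the access key like a password: do not leave it in a script stored on the domain controller after the installation.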
Manually tagging entities
If you have sensitive accounts or sensitive groups (CIO, CTO, etc.), you can mark them as sensitive so that Defender for Identity treats them as such. I will add my service accounts as sensitive.
From the Defender for Identity portal, click on Configuration.
Click on Entity tags, then add the desired account or group under Sensitive accounts or Sensitive groups.
Click on Save. Reporting can take up to 30 days.
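Before filling in the Entity tags page it helps to have the candidate list in front of you. The script below is an added example, not part of the original post: it uses the ActiveDirectory module to enumerate service accounts (users with a registered SPN or a non-expiring password) and the members of a few built-in privileged groups. The group list is an assumption; extend it with your own admin groups.

```powershell
# Added example: build the list of accounts and groups worth tagging as sensitive.
Import-Module ActiveDirectory

# 1. Service accounts: enabled users with a Kerberos SPN or a password that never expires
$serviceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*" -or PasswordNeverExpires -eq $true' `
    -Properties ServicePrincipalName, PasswordNeverExpires, Enabled |
    Where-Object Enabled |
    Select-Object SamAccountName,
        @{ n = 'HasSPN';          e = { $_.ServicePrincipalName.Count -gt 0 } },
        @{ n = 'PwdNeverExpires'; e = { $_.PasswordNeverExpires } }

# 2. Members of privileged groups (assumed list); -Recursive also returns nested members
$privilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName
}

"`n== Candidate sensitive accounts (service accounts) =="
$serviceAccounts | Sort-Object SamAccountName | Format-Table -AutoSize
"`n== Candidate sensitive groups and their current members =="
$privilegedMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Tag the groups rather than each member where possible: a user who is later added to a tagged group inherits the sensitivity without another portal change.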
Configure SAM-R permissions
To allow Windows clients and servers to answer SAM-R calls from Defender for Identity, a group policy must be modified. The group policy must be applied to all computers except domain controllers. From Group Policy Management, right-click on Group Policy Objects and click on New.
Enter the desired name and click on OK.
Edit the group policy and expand the following nodes:
Computer Configuration / Policies / Windows settings / Security settings / Local policies / Security options
Open the Network access: Restrict clients allowed to make remote calls to SAM parameter.
Tick Define this policy setting and click on Edit Security.
Click the Add button.
Enter the user account used for Directory Services (the credential added in the Defender for Identity configuration).
Link the GPO to all computers and servers except domain controllers.
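The same GPO can be created from PowerShell with the GroupPolicy module. The script below is an added example, not part of the original post. It writes the registry value that the Security Options setting "Network access: Restrict clients allowed to make remote calls to SAM" controls (`RestrictRemoteSAM` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, an SDDL string), so the setting is applied as a registry policy instead of through the Security Options node; the account name, GPO name and target OU are placeholders for your own values.

```powershell
# Added example: create and link the SAM-R GPO from PowerShell.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DsAccount = 'svc-mdi'                                   # placeholder: Directory Services account given to Defender for Identity
$GpoName   = 'MDI - Allow SAM-R for Directory Services'  # assumed GPO name
$TargetOu  = 'OU=Servers,DC=contoso,DC=com'              # placeholder: OU of member servers/workstations, never the Domain Controllers OU

# Security descriptor: local Administrators keep the default Read Control (RC) access,
# and the Directory Services account is granted the same right.
$sid  = (Get-ADUser -Identity $DsAccount).SID.Value
$sddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sid)"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Grants SAM-R access to the Defender for Identity Directory Services account'
}

Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'RestrictRemoteSAM' -Type String -Value $sddl | Out-Null

# Link only where member computers live; domain controllers must not receive this policy
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

"GPO '$GpoName' linked to $TargetOu with RestrictRemoteSAM = $sddl"

# Verification on a member computer after 'gpupdate /force': the value must contain the account's SID
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSAM -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RestrictRemoteSAM
```

Keeping the descriptor limited to Administrators plus this one account preserves the hardening the setting provides: no other remote caller gains SAM access.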
Configure Audit Parameter policy
Audit parameters must be configured for domain controllers. From Group Policy Management, create a new Group Policy. Expand Computer Configuration, Policies, Windows Settings, then Security Settings.
Expand Advanced Audit Policy Configuration, then Audit Policies.
Configure the following parameters:
- Account Logon – Audit Credential Validation : Success and Failure
- Account Management – Audit Computer Account Management : Success and Failure
- Account Management – Audit Distribution Group Management : Success and Failure
- System – Audit Security System Extension : Success and Failure
- Account Management – Audit User Account Management : Success and Failure
From Local Policies, select Security Options.
Double-click on the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers parameter and select Audit all.
Double-click on the Network security: Restrict NTLM: Audit Incoming NTLM Traffic parameter and select Enable auditing for all accounts.
Link the Group Policy to the Domain Controllers OU and restart the domain controller.
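After the restart, the effective audit settings on the domain controller can be compared against the list above. The script below is an added example, not part of the original post. It reads `auditpol` in CSV mode and the NTLM auditing values under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (`RestrictSendingNTLMTraffic` = 1 for "Audit all", `AuditReceivingNTLMTraffic` = 2 for "Enable auditing for all accounts"); it must run elevated, and the subcategory names assume an English installation.

```powershell
# Added example: verify on a domain controller that the audit GPO is in effect.
$Expected = @(
    'Credential Validation',
    'Computer Account Management',
    'Distribution Group Management',
    'User Account Management',
    'Security System Extension'
)

# auditpol /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting
$audit = auditpol /get /category:* /r | ConvertFrom-Csv
'== Advanced audit policy =='
foreach ($name in $Expected) {
    $row     = $audit | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { '(subcategory not found)' }
    $ok      = ($setting -eq 'Success and Failure')
    '{0,-32} {1,-22} {2}' -f $name, $setting, $(if ($ok) { 'OK' } else { 'NOT COMPLIANT' })
}

# NTLM auditing values written by the two Security Options settings
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
$ntlmChecks = [ordered]@{
    'Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit all'        = ($msv.RestrictSendingNTLMTraffic -eq 1)
    'Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts' = ($msv.AuditReceivingNTLMTraffic -eq 2)
}
'== NTLM auditing =='
foreach ($k in $ntlmChecks.Keys) {
    '{0,-78} {1}' -f $k, $(if ($ntlmChecks[$k]) { 'OK' } else { 'NOT COMPLIANT' })
}
```

A "NOT COMPLIANT" line after `gpupdate /force` and a restart usually means the GPO is linked to the wrong OU or is being overridden by a higher-precedence policy; `gpresult /h report.html` shows which GPO won.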