Maximizing security with Microsoft Defender for Identity


What is Microsoft Defender for Identity?

Microsoft Defender for Identity is a robust, cloud-based security solution designed to safeguard your organization’s on-premises Active Directory (AD) and cloud identities. Leveraging signals from both environments, it identifies, detects, and investigates advanced threats, compromised identities, and malicious insider actions. Formerly known as Azure Advanced Threat Protection (Azure ATP), it integrates seamlessly with Microsoft Defender XDR to provide comprehensive identity threat detection and response (ITDR) capabilities.

In today’s cybersecurity landscape, identity-based attacks are increasingly common. Hackers frequently exploit identity vulnerabilities to gain unauthorized access, move laterally within networks, and escalate privileges. These techniques are not only prevalent in real-world attacks but also regularly encountered during red teaming engagements, where security professionals simulate attacks to test an organization’s defenses. Microsoft Defender for Identity is specifically designed to counter these sophisticated threats, providing organizations with the tools they need to protect their identities and maintain robust security postures.

What’s New in Microsoft Defender for Identity?

October 2024: Enhanced threat detection capabilities

In October 2024, Microsoft Defender for Identity introduced enhanced threat detection capabilities. These updates include improved machine learning algorithms for detecting lateral movement and credential theft, as well as new integrations with Microsoft Sentinel for more robust incident response.

August 2024: New Entra Connect Sensor

In August 2024, a new Entra Connect sensor was introduced to enhance coverage in hybrid identity environments. This update also included new hybrid security detections and identity posture recommendations.

July 2024: Identity Posture insights

Released in July 2024, the Identity Posture Insights feature provides detailed assessments of an organization’s identity security posture, including recommendations for improving security configurations and reducing the attack surface.

Detailed overview of Identity Posture recommendations

October 2024

August 2024

  • Rotate password for Entra Connect Connector account: Recommends changing the password of MSOL accounts with the password last set over 90 days ago to prevent unauthorized access.
  • Remove unnecessary replication permissions for Entra Connect account: Advises removing unnecessary permissions to reduce the potential attack surface.
  • Change password for Entra Seamless SSO account configuration: Lists all Entra seamless SSO computer accounts with passwords last set over 90 days ago and recommends changing them to prevent lateral movement attacks.
  • Suspicious interactive logon to the Entra Connect server: Detects unusual and potentially malicious direct logins to Entra Connect servers.
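The two password-age recommendations above can be reproduced locally as a posture check. The following is an added example written for this article, not Defender for Identity code; it uses the ActiveDirectory PowerShell module, takes the 90-day threshold from the recommendations, and assumes the default account names Entra Connect creates (an `MSOL_<id>` connector user and the `AZUREADSSOACC` computer account for Seamless SSO).

```powershell
# Added example (not Defender for Identity code): reproduce the "Rotate password for
# Entra Connect Connector account" and "Change password for Entra Seamless SSO account"
# posture checks with the ActiveDirectory module. Assumptions: connector accounts are
# named MSOL_*, the Seamless SSO computer account is AZUREADSSOACC, threshold is 90 days.
Import-Module ActiveDirectory

function Get-StaleEntraConnectAccount {
    [CmdletBinding()]
    param(
        [int]$MaxAgeDays = 90,   # the page's 90-day rotation threshold
        [string]$Server           # optional: query a specific domain controller
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $common = @{ Properties = 'PasswordLastSet', 'Enabled' }
    if ($Server) { $common['Server'] = $Server }

    # Gather both account kinds into one list, tagging each with its role
    $accounts = @(Get-ADUser -Filter 'Name -like "MSOL_*"' @common |
                  Select-Object *, @{ n = 'Kind'; e = { 'EntraConnectConnector' } })
    $accounts += @(Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' @common |
                   Select-Object *, @{ n = 'Kind'; e = { 'SeamlessSSO' } })

    foreach ($a in $accounts) {
        # PasswordLastSet is $null if the password was never set; treat that as stale
        $age = if ($a.PasswordLastSet) {
            [int]((Get-Date) - $a.PasswordLastSet).TotalDays
        } else { $null }
        [pscustomobject]@{
            Account         = $a.SamAccountName
            Kind            = $a.Kind
            Enabled         = $a.Enabled
            PasswordLastSet = $a.PasswordLastSet
            AgeDays         = $age
            Stale           = (-not $a.PasswordLastSet) -or ($a.PasswordLastSet -lt $cutoff)
        }
    }
}

# Report every connector/SSO account and flag the ones that trip the recommendation
$report = Get-StaleEntraConnectAccount -MaxAgeDays 90
$report | Format-Table Account, Kind, Enabled, PasswordLastSet, AgeDays, Stale -AutoSize
$report | Where-Object Stale | ForEach-Object {
    Write-Warning "$($_.Kind) account $($_.Account): password is $($_.AgeDays) days old, rotate it."
}
```

Rotate the Seamless SSO account through the AzureADSSO module's Update-AzureADSSOForest procedure rather than by resetting the computer account password directly, since the account's password is the Kerberos decryption key that Entra ID holds.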

July 2024

  • Lateral movement path analysis: Identifies potential paths attackers could use to move laterally within the network.
  • Security configuration assessments: Evaluates current security settings and suggests improvements.
  • User Behavior Analytics: Monitors user activities to detect anomalies that could indicate compromised identities.

Updated October 2024 screenshot with the latest recommendations

Prerequisites for Microsoft Defender for Identity

Before deploying Microsoft Defender for Identity, ensure the following prerequisites are met:

  • Licensing requirements: One of the following Microsoft 365 licenses is required:
    • Enterprise Mobility + Security E5 (EMS E5/A5)
    • Microsoft 365 E5 (Microsoft E5/A5/G5)
    • Microsoft 365 E5/A5/G5/F5 Security
    • Microsoft 365 F5 Security + Compliance
    • A standalone Defender for Identity license.
  • Required permissions: The Security Administrator role (at minimum) on your Microsoft Entra ID tenant.
  • Connectivity requirements: The Defender for Identity sensor must communicate with the Defender for Identity cloud service via proxy, ExpressRoute, or firewall configurations.
  • System requirements: Ensure the servers where the sensors will be installed meet the necessary specifications.

How to Deploy the New Features in Microsoft Defender for Identity

Deployment via Entra Connector Sensor

  1. Install the Entra Connector sensor: Download the Entra Connector Sensor installer from the Microsoft Defender for Identity portal, run it, and follow the on-screen instructions to complete the installation.
  2. Configure the sensor: Open the Entra Connector Sensor configuration tool. Enter the required credentials and configuration settings. Save the configuration and start the sensor.
  3. Verify deployment: Log in to the Microsoft Defender for Identity portal. Navigate to the Sensors page and verify that the Entra Connector Sensor is active and reporting data.
  4. Configure logging and event logs: Ensure that the necessary Windows event logs are being collected. Configure Advanced Audit Policy settings to ensure these events are logged correctly.

Deployment via Defender for Identity

  1. Access the Defender for Identity portal: Log in to the Microsoft Defender for Identity portal.
  2. Configure Identity sensors: Navigate to the Sensors page. Click on “Add Sensor” and select the appropriate sensor type. Follow the on-screen instructions to configure the sensor settings.
  3. Monitor and manage sensors: Once configured, monitor the sensor status and data flow from the Sensors page. Ensure that all sensors are active and reporting data correctly.
  4. Configure logging and event logs: Ensure that the necessary Windows event logs are being collected. Configure Advanced Audit Policy settings to ensure these events are logged correctly.
  5. Review and troubleshoot logs: The Defender for Identity sensor logs are located in the installation directory, typically at C:\Program Files\Azure Advanced Threat Protection Sensor\Logs. Key logs include:
    • Microsoft.Tri.Sensor.log: overall sensor status and operations.
    • Microsoft.Tri.Sensor-Errors.log: error entries for troubleshooting.
    • Microsoft.Tri.Sensor.Updater.log: sensor update activity.

Configuration steps for Microsoft Defender for Identity

  1. View and configure sensor settings:
    • Navigate to Settings > Identities > Sensors in the Microsoft Defender XDR portal.
    • Configure sensor details such as domain controllers, network adapters, and update settings.
  2. Set up directory service accounts:
    • Add Directory Service Accounts with read access to all objects in the monitored domains.
  3. Enable advanced features:
    • Enable features like sensitive accounts monitoring, alert notifications, and syslog integration for enhanced security.

Post-Deployment Steps

After deploying Microsoft Defender for Identity, follow these steps to ensure optimal performance and security:

Regularly review security posture: Use the Identity Posture Insights feature to regularly review and improve your organization’s identity security posture.

Verify sensor health: Regularly check the health status of all deployed sensors in the Microsoft Defender for Identity portal.

Configure alerts and notifications: Set up alerts and notifications for suspicious activities and potential threats.

Integrate with other security tools: Integrate Defender for Identity with other Microsoft security tools like Microsoft Sentinel and Microsoft Defender for Endpoint for comprehensive threat detection and response.

Conclusion

Microsoft Defender for Identity is a powerful tool for protecting your organization’s identities and reducing the attack surface. With its advanced threat detection capabilities, proactive security posture assessments, and automated response features, it helps organizations stay ahead of potential threats. By deploying the latest features through the Entra Connector Sensor or directly via Defender for Identity, you can ensure comprehensive protection for your identity infrastructure.

Changelog

  • July 2024 – initial blog post
  • October 2024 – updates to new recommendations