This is part two of the series and now we are concentrating to Active Directory and Defender for Identity.
In Hybrid scenarios your Source of Authority is the on-premises AD and from the the users will flow to the cloud with Azure AD Connect, Google Cloud Directory Sync or AWS Directory Service for Microsoft Active Directory.
So there’s many options for multi-cloud scenarios with Active Directory identity. And like I said wrote in my last article, this is is probably one of the biggest reasons Microsoft is so popular, they have a big market share within on-premises as the competitors don’t have this kind of services to provide and Microsoft keeps their identity solutions usable to different scenarios, so that a big plus.
What about provisioning users to local AD, how you can do it, well there is several ways.
- not the greatest way for larger enterprise companies nor small either. Mistakes can be made and was made in many cases.
- PowerShell with csv or json.
- This is a great way if you have all the attributes in-place and working process to do it. Some smaller IAM solutions use this way to provision users to on-prem AD.
- Better mistakes can be made and also has been. With PowerShell scripted approach there is always the possibility that schedules or triggered tasks can stop running. In those cases not updates don’t happen, users will be left alone, too high privileges, what ever can happen in this scenario. But still it’s much much much recommended than manually handling your users.
- Identity and Access Management Solution
- This is an excellent to create users. When there is joiners, movers and leavers in organizations this will be the efficient way to handle that processes. Nobody gets left behind, rights, group membership will maintained as long as you setup it correctly in the beginning and think the process thru.
- Example Saviynt has their own Identity and Access Management solution and PAM solutions for Azure. Microsoft and Saviynt announced their partnership at Ignite 2020.
“Saviynt Cloud Privileged Access Management (PAM) now integrates with Azure AD Privileged Identity Management and Identity Protection to create an identity led, Zero Trust security service to accelerate an enterprise’s digital transformation journey.”
Read more from Ignite 2020 partnership announcement.
So as you can see there is options to build an sustainable Identity and Access Management solution.
When you build it you have to protect it by all means necessary as Identity is the access key to all your services, especially in a multi-cloud environment. One Identity is all you have.
With these forewords we will see how Microsoft protect your on-premises with Defender for Identity.
What is Defender for Identity
Defender For Identity was in the past know as Azure Advanced Threat Protection or in short Azure ATP.
So it’s the same meal, but with new spices.
Defender for Identity monitors Azure AD and local AD. It install a sensors to your domain controllers and adfs-servers to get collect data to Azure and from there up-to Log Analytics to be used with Sentinel.
First you create an instance for Defender at https://portal.atp.azure.com/
For instance creation you need the following licenses.
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5/G5/F5 Compliance
- Microsoft 365 F5 Security & Compliance
- Microsoft 365 E5/A5/G5 Information Protection and Governance
- Office 365 E5/A5/G5
Defender for Identity features are enabled at the tenant-level for all users within the tenant so every user needs a license.
And when that is done you will be redirected to welcome page.
You can the use the sensor in these platforms.
|Operating system version||Server with Desktop Experience||Server Core||Nano Server||Supported installations|
|Windows Server 2008 R2 SP1||✔||❌||Not applicable||Domain controller|
|Windows Server 2012||✔||✔||Not applicable||Domain controller|
|Windows Server 2012 R2||✔||✔||Not applicable||Domain controller|
|Windows Server 2016||✔||✔||❌||Domain controller, AD FS|
|Windows Server 2019*||✔||✔||❌||Domain controller, AD FS|
And the sensors need the port open to query your network.
- NTLM over RPC (TCP Port 135)
- NetBIOS (UDP port 137)
- RDP (TCP port 3389) – only the first packet of Client hello
- Queries the DNS server using reverse DNS lookup of the IP address (UDP 53)
And it’s preferred to user gMSA service account if you are using Server 2012 or above.
|Account type||Windows Server 2008 R2 SP1||Windows Server 2012 or above|
|Standard AD user account||Yes||Yes|
And the sensor requires a minimum of 2 cores and 6 GB of RAM installed on the domain controller. For optimal performance, set the Power Option of the machine running the Defender for Identity sensor to High Performance.
Defender for Identity sensors can be deployed on domain controller or AD FS servers of various loads and sizes, depending on the amount of network traffic to and from the servers, and the amount of resources installed.
One you install the sensor it will send event log data to Defender and also mirrors the traffic on dc’s or adfs servers.
- Capture and inspect domain controller network traffic (local traffic of the domain controller)
- Receive Windows Events directly from the domain controllers
- Receive RADIUS accounting information from your VPN provider
- Retrieve data about users and computers from the Active Directory domain
- Perform resolution of network entities (users, groups, and computers)
- Transfer relevant data to the Defender for Identity cloud service
Defender for Identity is located in multiple data centers world wide and you can check the status for the services from here.
One of top features for Defender for Identity is it’s ability to predict and follow lateral movement in possible breaches.
These entities will be tracked.
- Sensitive users – potential LMP(s) leading to this user are shown.
- Non-sensitive users and computers – potential LMP(s) the entity is related to are shown.
Really that you can predict what possible breaches Lateral Movement Path could look like. This will give a clear view what should you protect and consider in our Identity and access governance.
Defender for Identity will exmplae discover vulnerabilities like the in-famous Print Nightmare https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Defender for Identity uses Microsoft Intelligent Security Graph for learning from the attack landscapes and protecting your environment.
Alerts from Defender
Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
- Reconnaissance phase alerts
- Compromised credential phase alerts
- Lateral movement phase alerts
- Domain dominance phase alerts
- Exfiltration phase alerts
Defender for Identity can also monitor multiple forest, you can install one sensor to each forest and there is now limitation how many forest can there be.
- After the Defender for Identity sensor is running, it queries the remote Active Directory forests and retrieves a list of users and machine data for profile creation.
- Every 5 minutes, each Defender for Identity sensor queries one domain controller from each domain, from each forest, to map all the forests in the network.
- Each Defender for Identity sensor maps the forests using the “trustedDomain” object in Active Directory, by logging in and checking the trust type.
- You may also see ad-hoc traffic when the Defender for Identity sensor detects cross forest activity. When this occurs, the Defender for Identity sensors will send an LDAP query to the relevant domain controllers in order to retrieve entity information.
Only limitation is that when you login with another forests credentials to the other one that users logins isn’t shown in the Defender for Identity dashboard.
So Defender for Identity is a really good addition to your organizations security posture, it let’s even on-premise admins sleep their nights.
Here you can see whats new.
And here you can check whats coming.