You're reading from Mastering Microsoft 365 Defender

Product typeBook

Published inJul 2023

PublisherPackt

ISBN-139781803241708

Edition1st Edition

Concepts

Cybersecurity

Authors (2):

Ru Campbell

Viktor Hedberg

View More author details

Deploying Microsoft Defender for Identity

This chapter will focus on deploying Microsoft Defender for Identity (MDI) in your organization by digging into what it does, how it will help you detect and respond to identity-based threats on-premises, why it is an important security feature to have in place, and the dos and don’ts when it comes to configuring MDI.

Additionally, the chapter provides insights into best practices for optimizing MDI performance and troubleshooting common issues. By following the instructions in this chapter, organizations can deploy MDI and ensure that their identity infrastructure is effectively protected against advanced cyber threats.

In a nutshell, we will cover the following main topics in this chapter:

Why is MDI is important?
How to deploy MDI

Why is MDI important?

As stated at the beginning of this chapter, MDI is a cloud-based security feature that leverages signals (such as event IDs, traffic, and event trace logs (ETLs) from your on-premises Active Directory (AD) to identify, detect, and investigate threats within your environment.

Internet connectivity

MDI sensors must be able to connect to the internet, and we highlight this right at the start as, historically, and quite rightly, many domain controllers are completely restricted from the internet. Web proxy connections are supported, but Secure Sockets Layer (SSL) inspection is not. Make sure your network appliances and firewalls strictly limit and control any traffic you need to open to only the official requirements, found here: learn.microsoft.com/en-us/defender-for-identity/prerequisites#defender-for-identity-firewall-requirements.

This feature allows us to add another log source into Microsoft 365 Defender that greatly increases our capability for correlation...

Deploying MDI

Now we’ve recapped the significance of MDI for AD defense in depth, let’s discuss how it can be configured on-premises in the following section.

Getting on-premises AD ready for MDI

MDI relies on specific audit event log entries to provide detections and add additional information on who or what performed those actions on your AD Domain Services (ADDS) or AD Federation Services (ADFS) infrastructure.

The following Windows events need to be configured in the Advanced Audit Policy on each domain controller:

4662 – An Operation was Performed on an Object
4726 – User Account Deleted
4728 – Member Added to Global Security Group
4729 – Member Removed from Global Security Group
4730 – Global Security Group Deleted
4732 – Member Added to Local Security Group
4733 – Member Removed from Local Security Group
4741 – Computer Account Added
4743 – Computer Account...

Summary

This chapter has been all about introducing MDI and understanding what it is, how we can deploy it in different ways, and lastly, why it is a feature of utmost importance currently, with cybercrime being an industry on the rise and threat actors actively using the blind spots in our identity infrastructure to gain persistence within our environments.

Following the steps outlined in this chapter helps us to deploy MDI in our environment. MDI, when correctly deployed, will, without a doubt, help us identify identity-based threats in our on-premises AD.

In the next chapter, we will look at how to manage MDI, how to interpret some of the alerts, and how to respond to MDI alerts.

Questions

You can test what you’ve learned about in this chapter by trying the following questions:

True or false: MDI identifies risky cloud-only account sign-ins.
1. True
2. False
Which of these is a primary advantage of using gMSAs instead of standard accounts?
1. You can configure a gMSA using the command line and therefore automate it, which isn’t possible with standard accounts.
2. Passwords are rotated automatically with gMSAs, unlike standard accounts.
3. The MDI DSA doesn’t support standard user accounts, only gMSAs.
Which of the following should be configured to audit for event ID 8004?
1. Recovery console: Allow floppy copy and access to all drives and folders
2. Domain member: Disable machine account password changes
3. Network security: Restrict NTLM: Audit Incoming NTLM Traffic
4. System settings: Optional subsystems
What does Microsoft 365 Defender’s capability to action accounts contribute towards?
1. Session policies
2. Web content filtering
3. Attack disruption
4. Microsoft...

To extend the support of MDI to ADFS, you can find some great support in the official documentation: learn.microsoft.com/en-us/defender-for-identity/active-directory-federation-services
Similarly, you may want to extend auditing to Exchange objects if you have it integrated with AD: learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#enable-auditing-on-an-exchange-object
Few folks in the Microsoft community have as robust an understanding of MDI as Raymond Roethof MVP, and you can check out his excellent blog with a lot of MDI content (including tooling) at thalpius.com
Building on top of a tool developed by Raymond to check MDI audit configuration is in place, William Francillette developed a useful PowerShell script: french365connection.co.uk/post...

The rest of the chapter is locked

You have been reading a chapter from

Mastering Microsoft 365 Defender

Published in: Jul 2023Publisher: PacktISBN-13: 9781803241708

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at €14.99/month. Cancel anytime

Authors (2)

Ru Campbell

Ruairidh (Ru) Campbell is a Microsoft Security MVP and leads Microsoft consultancy at Threatscape. At Threatscape, Ru develops, delivers, and manages offerings and professional services for cybersecurity, compliance, identity, and management. In the cybersecurity community, Ru runs the Microsoft 365 Security & Compliance user group and his blog (campbell.scot), regularly speaks at other user groups and conferences, and contributes to well-known industry publications such as Practical 365. Ru holds 14 Microsoft certifications and a B.Sc. (Distinction) in computer networking from the University of the West of Scotland. Away from cybersecurity, he is a petrolhead who enjoys heavy metal and hiking around Scotland with his wife.
Read more about Ru Campbell

Viktor Hedberg

Viktor Hedberg is a Microsoft Security MVP and senior consultant at Truesec. At Truesec, Viktor works with proactive security measures within the Microsoft sphere of technologies, by delivering workshops on best practices and by his deep technical expertise in these areas. In the cybersecurity community, Viktor runs his blogs at Truesec (Experts – viktor-hedberg). Alongside this, he is one of the hosts of the Swedish Windows Security user group, as well as a co-host of the Swedish podcast The Nerd Herd. He is a frequent speaker at both conferences and user groups around the world, focusing on matters of Microsoft Security. Viktor holds numerous Microsoft certifications, as well as being a Microsoft Certified Trainer. Away from cybersecurity, Viktor is a family man, spending most of his time with his wife and three kids, as well as enjoying football, both as a practitioner and as a fan. Heavy metal has been part of his life since his early teens.
Read more about Viktor Hedberg

Personalised recommendations for you

Based on your interests and search pattern

Attacking and Exploiting Modern Web Applications

Attacking and Exploiting Modern Web Attacks will help you understand how to identify attack surfaces and detect vulnerabilities. This book takes a hands-on approach to implementation and associated methodologies and equips you with the knowledge and skills needed to effectively combat web attacks.

BookAug 2023338 pages

Automotive Cybersecurity Engineering Handbook

This Automotive Cybersecurity Engineering Handbook untangles the complexities of building secure automotive products and helps you to comply with cybersecurity standards. It provides practical tools, tips, and techniques coupled with real-world examples to enable you to create cyber-resilient automotive products with ease.

BookOct 2023392 pages

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

This book will help you to design, develop, and operate security controls on Google Cloud as well as discover best practices for relevant security domains, including identity and access management, network, and data.

BookAug 2023496 pages

Cloud Penetration Testing for Red Teamers

The advent of cloud networks and the AWS, Azure, and GCP platforms has revolutionized how companies of all sizes in all industries do business online. This book will help you meet the emerging demand for pentesting as it guides you through the tools, techniques, and security measures used by pentesters and red teamers in the 2020s and beyond.

BookNov 2023298 pages

ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is an enterprise IT risk management professional’s dream. With its in-depth approach and various self-assessment exercises, this book arms you with knowledge of every single aspect of the certification, and is a fantastic career companion after you’re certified.

BookSep 2023316 pages5

Burp Suite Cookbook

Burp Suite is an immensely powerful and popular tool for web application security testing. This book provides a collection of recipes that address vulnerabilities in web applications and APIs. It offers guidance on how to configure Burp Suite, make the most of its tools, and explore into its extensions.

BookOct 2023450 pages

Building and Automating Penetration Testing Labs in the Cloud

This hands-on guide will help you design and build a variety of penetration testing labs that mimic modern cloud environments running on AWS, Azure, and GCP. In addition to these, you will explore a number of practical strategies on how to manage the complexity, cost, and security risks involved when setting up vulnerable cloud lab environments.

BookOct 2023562 pages

Ethical Hacking Workshop

As cyber-attacks grow and APT groups advance their skillset, you need to be able to protect your enterprise against cyber-attacks. In order to limit your attack surface, you need to ensure that you leverage the same skills and tools that an adversary may use to hack your environment and discover the security gaps. This book will teach you how to think like a hacker, use state-of-the-art hacking tools, and protect yourself and your organizaiton.

BookOct 2023220 pages

Windows Forensics Analyst Field Guide

This book contains step-by-step processes to guide you in any investigation related to Windows OS. You’ll find out how to acquire evidence using multiple tools as well as examine and analyze the collected artifacts, while discovering multiple techniques used in real-world forensic incidents.

BookOct 2023318 pages

Implementing DevSecOps Practices

This book is a comprehensive, hands-on guide for individuals new to DevSecOps who want to implement DevSecOps practices successfully and efficiently. With its help, you’ll be able to shift security toward the left, enabling you to merge security into coding in no time.

BookDec 2023258 pages