Chapter 5. Configuring and Managing Identity Protection
After learning how to configure the monitoring of your identity management infrastructure in the previous chapter, we will now dive into identity protection. Protecting identities is one of the main focuses of security today, because a compromised identity gives an attacker the same access as its legitimate owner, so you should be able to put the right capabilities in place to protect your organization against the most common identity-based attacks.
We will start our identity protection journey with an overview of the Microsoft Cloud services that can help you in this field. We will then dive into a number of these services, starting with the theory before applying it in an example configuration. After working through this chapter, you should be able to identify the correct solution component for your existing or future requirements. To summarize, this chapter covers the following topics:
- Microsoft Identity Protection solutions
- Azure ATP and how to use it
- Azure AD Identity Protection...
Microsoft Identity Protection solutions
Microsoft has developed a broad portfolio of identity protection features, both in Azure and on-premises, to help organizations secure their identities and protect themselves against sensitive data leakage. Today these are many individual services, but a unified identity protection solution is expected in the near future. We already see many integrations between the identity protection services that detect, investigate, and prevent advanced attacks, compromised identities, and insider threats (including data leakage), which together form a broad and deep identity investigation solution that works on-premises and in the cloud. Some of the more common attacks faced by organizations are password spray attacks, leaked or reused credentials, spoofed domains, and malicious links or attachments. The following figure illustrates the services that are typically used to maximize the detection of attacks in their various stages:
Attack vectors and...
Azure ATP and how to use it
Azure ATP is used to detect and investigate advanced attacks, compromised identities, and insider threats. Thanks to behavioral analytics in the backend, it provides fast threat detection and also reduces the fatigue caused by false positives. Furthermore, it focuses on the essential information by presenting detections on the Azure ATP attack timeline. Azure ATP is simple to work with, and the architecture is easy to understand because there are only two components: the cloud service with its portal, and a downloadable sensor that is installed directly on your Domain Controllers and monitors the local network traffic and events. The sensors use dynamic resource limitation based on the domain controller's load, so that detection does not starve the authentication services running on the same host.
There is also a more complex deployment method, which uses a standalone sensor on a dedicated server and requires port mirroring from the Domain Controllers to that server so that it can receive the network traffic. The service integrates directly with the Microsoft Intelligent Security Graph...
Azure AD Identity Protection
Azure AD Identity Protection introduces automatic, risk-based conditional access to help protect users against suspicious sign-ins and compromised credentials. Azure AD Identity Protection also offers insight into, and a consolidated view of, machine learning-based threat detection. Furthermore, the service delivers remediation recommendations and calculates a compromise risk for each user and for each of their sign-in sessions. The service requires Azure AD Premium P2 or equivalent licensing.
You will get the following capabilities from this service:
- Detection: Vulnerabilities and risky accounts are detected by:
  - Highlighting vulnerabilities and providing custom recommendations
  - Calculating sign-in and user risk levels
- Investigation: Risk events are investigated and resolved through:
  - Notifications
  - The provision of relevant and contextual information
  - Basic workflows used in tracking
  - Easy access to remediation actions (for example, a password reset)
- Risk...
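The sign-in and user risk levels described above are only useful if something consumes them. The following is an added example, not configuration from the original chapter, that expresses the two classic Identity Protection risk policies as Conditional Access policies created through Microsoft Graph: MFA on medium or high sign-in risk, and MFA plus password change on high user risk. It assumes the Microsoft.Graph PowerShell module is installed, that the caller has been granted the Policy.ReadWrite.ConditionalAccess permission, and that $BreakGlassId (a placeholder value here) is the object ID of your emergency-access account, which these policies must never lock out.

```powershell
# Added example (not from the original chapter): two risk-based Conditional Access
# policies that consume the sign-in and user risk levels Identity Protection calculates.
# Assumptions: Microsoft.Graph module installed, Policy.ReadWrite.ConditionalAccess granted,
# and $BreakGlassId is the object ID of an emergency-access account (placeholder below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your own

# Sign-in risk: a medium or high risk session must satisfy MFA before a token is issued.
$signInRiskPolicy = @{
    displayName = "Identity Protection - MFA on medium or high sign-in risk"
    # Start in report-only mode to see which sign-ins would be affected before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# User risk: a high-risk user (for example, leaked credentials) must pass MFA and then
# change the password. Both controls are required, hence operator AND.
$userRiskPolicy = @{
    displayName = "Identity Protection - password change on high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
    Write-Output ("Created policy '{0}' ({1}) in state {2}" -f $created.displayName, $created.id, $created.state)
}
```

Both policies are created in report-only state, so the sign-in logs show what they would have done without enforcing anything. Review that output, confirm that the break-glass account really is excluded, and only then switch state to enabled; a risk policy that locks out every administrator is itself an availability incident.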
Using Azure AD PIM to protect administrative privileges
Azure Active Directory Privileged Identity Management (PIM) provides, for Azure AD, functionality similar to what Microsoft Identity Manager (MIM) provides with its Privileged Access Management (PAM) feature in the on-premises infrastructure.
With Azure AD PIM, you can manage, control, and monitor your privileged identities and their access to your directory information and resources in an Azure environment. The main reason for using Azure AD PIM is to reduce the attack surface by granting administrative access just-in-time instead of permanently. Privileged access is often configured as permanent and unmonitored, and every standing administrator account is a target whose compromise immediately yields full privileges. With Azure AD PIM you reduce this risk by making accounts merely eligible for a role and requiring an explicit, audited activation when the role is actually needed.
The service allows you to assign time-bound access to resources using a start and end date, and to require approval...
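To make the eligible-then-activate model concrete, here is an added example that is not part of the original chapter. An administrator grants a principal eligibility for the built-in Security Administrator role for 90 days through the Microsoft Graph PIM API, and the eligible user later activates that role just-in-time for two hours with a justification. It assumes the Microsoft.Graph PowerShell module is installed, that the administrator's session holds RoleManagement.Read.Directory and RoleEligibilitySchedule.ReadWrite.Directory, that the user's session holds RoleAssignmentSchedule.ReadWrite.Directory, and that $PrincipalId is a placeholder for the object ID of the user or group being made eligible.

```powershell
# Added example (not from the original chapter): time-bound eligibility followed by
# just-in-time activation through the Microsoft Graph PIM endpoints.
# Assumptions: Microsoft.Graph module installed; admin session holds
# RoleManagement.Read.Directory + RoleEligibilitySchedule.ReadWrite.Directory; user
# session holds RoleAssignmentSchedule.ReadWrite.Directory; $PrincipalId is a placeholder.
$Graph       = "https://graph.microsoft.com/v1.0"
$PrincipalId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your own

# --- Administrator: eligible for 90 days, no standing assignment ---
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleEligibilitySchedule.ReadWrite.Directory"

# Resolve the built-in role by name instead of hard-coding its template ID.
$filter  = [uri]::EscapeDataString("displayName eq 'Security Administrator'")
$roleDef = (Invoke-MgGraphRequest -Method GET `
    -Uri "$Graph/roleManagement/directory/roleDefinitions?`$filter=$filter").value[0]

$now = (Get-Date).ToUniversalTime()
$eligibility = @{
    action           = "adminAssign"
    justification    = "Security operations on-call rotation"
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/"            # whole directory; narrow to an administrative unit where possible
    principalId      = $PrincipalId
    scheduleInfo     = @{
        startDateTime = $now.ToString("o")
        expiration    = @{ type = "afterDateTime"; endDateTime = $now.AddDays(90).ToString("o") }
    }
}
$eligReq = Invoke-MgGraphRequest -Method POST `
    -Uri "$Graph/roleManagement/directory/roleEligibilityScheduleRequests" `
    -Body ($eligibility | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Output ("Eligibility request {0}: {1}" -f $eligReq.id, $eligReq.status)

# --- Eligible user: activate only when the work is actually needed, for two hours ---
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"   # sign in as the eligible user
$activation = @{
    action           = "selfActivate"
    principalId      = $PrincipalId
    roleDefinitionId = $roleDef.id
    directoryScopeId = "/"
    justification    = "Investigating a reported risky sign-in"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "afterDuration"; duration = "PT2H" }   # ISO 8601 duration
    }
}
$actReq = Invoke-MgGraphRequest -Method POST `
    -Uri "$Graph/roleManagement/directory/roleAssignmentScheduleRequests" `
    -Body ($activation | ConvertTo-Json -Depth 10) -ContentType "application/json"
# A status of Provisioned means the role is active now; PendingApproval means the
# role's settings require an approver to act before the assignment takes effect.
Write-Output ("Activation request {0}: {1}" -f $actReq.id, $actReq.status)
```

Note that whether the activation needs approval, MFA, or a justification is not decided by the request itself but by the role's PIM settings; the request only carries the justification and the requested duration, and the returned status tells the user whether the assignment is live or waiting for an approver. The 90-day eligibility ends automatically, so a forgotten on-call account does not turn into standing privilege.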
After completing this chapter, you should be able to explain the main requirements for protecting identities and why identity protection is part of your security solution. In this chapter, we looked at the core identity protection components, the key issues they address, and how to enable and configure the relevant services for your needs. If you would like more information on the Windows Defender ATP service, check out Chapter 13, Identifying and Detecting Sensitive Data.
In the next chapter, Chapter 6, Managing Authentication Protocols, we will discuss the all-important modern protocols, including OAuth 2.0, OpenID Connect, and SAML 2.0, which help you to establish a suitable authentication design for your organization and customers.