Activate Microsoft Defender for Identity capabilities directly on a domain controller
Microsoft Defender for Endpoint customers, who've already onboarded their domain controllers to Defender for Endpoint, can activate Microsoft Defender for Identity capabilities directly on a domain controller instead of using a Microsoft Defender for Identity sensor.
This article describes how to activate and test Microsoft Defender for Identity capabilities on your domain controller.
Important
Information in this article relates to a feature that is currently in limited availability for a select set of use cases. If you weren't directed to use the Defender for Identity Activation page, use our main deployment guide instead.
Prerequisites
Before activating the Defender for Identity capabilities on your domain controller, make sure that your environment complies with the prerequisites in this section.
Defender for Identity sensor conflicts
The configuration described in this article doesn't support side-by-side installation with an existing Defender for Identity sensor, and isn't recommended as a replacement for the Defender for Identity sensor.
Make sure that the domain controller where you're planning to activate Defender for Identity capabilities doesn't have a Defender for Identity sensor deployed.
System requirements
Direct Defender for Identity capabilities are supported on domain controllers only, running one of the following operating systems:
- Windows Server 2019
- Windows Server 2022
You must also have the March 2024 Cumulative Update installed.
Important
After installing the March 2024 Cumulative Update, LSASS might leak memory on on-premises and cloud-based Active Directory domain controllers while they service Kerberos authentication requests.
This issue is addressed in the out-of-band update KB5037422. Install it together with the cumulative update before activating Defender for Identity capabilities.
Defender for Endpoint onboarding
Your domain controller must be onboarded to Microsoft Defender for Endpoint.
For more information, see Onboard a Windows server.
Required permissions
To access the Defender for Identity Activation page, you must either be a Security Administrator, or have the following Unified RBAC permissions:
Authorization and settings / System settings (Read and manage)
Authorization and settings / Security setting (All permissions)
Connectivity requirements
Defender for Identity capabilities directly on domain controllers use Defender for Endpoint URL endpoints for communication, including simplified URLs.
For more information, see Configure your network environment to ensure connectivity with Defender for Endpoint.
Configure Windows auditing
Defender for Identity detections rely on specific Windows Event Log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
Configure Windows event collection on your domain controller to support Defender for Identity detections. For more information, see Event collection with Microsoft Defender for Identity and Configure audit policies for Windows event logs.
You might want to use the Defender for Identity PowerShell module to configure the required settings.
For example, the following command defines all settings for the domain, creates group policy objects, and links them.
Set-MDIConfiguration -Mode Domain -Configuration All
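After applying the configuration, verify on the domain controller itself that the effective audit policy and NTLM auditing settings are what Defender for Identity expects. The following script is an added example, not part of the original article or of the Defender for Identity PowerShell module. It reads the effective policy with auditpol.exe and the NTLM audit values from the registry. The list of required subcategories and the expected registry values are assumptions drawn from the audit-policy requirements referenced above; check them against that page, and note that auditpol prints localized subcategory names, so the comparison assumes an English system.

```powershell
# Added example (not from the original article): compare a domain controller's
# effective advanced audit policy and NTLM audit settings against the values
# Defender for Identity relies on. Run elevated on the domain controller.

# Assumption: subcategories required by Defender for Identity detections.
$RequiredSubcategories = @(
    'Credential Validation',          # 4776 (NTLM authentication)
    'Security Group Management',      # 4728-4733, 4756, 4757
    'Distribution Group Management',
    'User Account Management',        # 4720, 4722, 4725, 4726, 4738
    'Computer Account Management',    # 4741, 4742, 4743
    'Directory Service Changes',      # 5136 (attribute modifications)
    'Security System Extension'       # 4697 (service installation)
)

# Assumption: registry values behind the "Network security: Restrict NTLM"
# policies that produce event 8004. Paths and values as assumed here.
$RequiredNtlmSettings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'AuditReceivingNTLMTraffic'; Expected = 2 }   # audit all accounts
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Expected = 1 }  # audit outgoing
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AuditNTLMInDomain'; Expected = 7 }           # audit all in domain
)

function Get-EffectiveAuditPolicy {
    # "auditpol /get /category:* /r" emits CSV: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv
}

function Test-MdiAuditPolicy {
    $policy = Get-EffectiveAuditPolicy
    foreach ($name in $RequiredSubcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{
            Check     = "Audit: $name"
            Actual    = $setting
            Expected  = 'Success (or Success and Failure)'
            Compliant = ($setting -match 'Success')
        }
    }
}

function Test-MdiNtlmAuditing {
    foreach ($s in $RequiredNtlmSettings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Check     = "NTLM: $($s.Name)"
            Actual    = if ($null -eq $actual) { 'Not set' } else { $actual }
            Expected  = $s.Expected
            Compliant = ($actual -eq $s.Expected)
        }
    }
}

$results = @(Test-MdiAuditPolicy) + @(Test-MdiNtlmAuditing)
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not $_.Compliant }
if ($failed) {
    Write-Warning "$($failed.Count) setting(s) are not compliant; re-run Set-MDIConfiguration or fix the GPO."
}
```

Group Policy refresh can lag: if the script reports non-compliant settings right after running Set-MDIConfiguration, run gpupdate /force on the domain controller and check again before changing anything by hand.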
Activate Defender for Identity capabilities
After ensuring that your environment is completely configured, activate the Microsoft Defender for Identity capabilities on your domain controller.
In the Defender portal, select Settings > Identities > Activation.
The Activation page lists any detected and eligible domain controllers.
Select the domain controller where you want to activate the Defender for Identity capabilities and then select Activate. Confirm your selection when prompted.
When the activation is complete, a green success banner shows. In the banner, select Click here to see the onboarded servers to jump to the Settings > Identities > Sensors page, where you can check your sensor health.
Test activated capabilities
The first time you activate Defender for Identity capabilities on your domain controller, it may take up to an hour for the first sensor to show as Running on the Sensors page. Subsequent activations show within five minutes.
Defender for Identity capabilities on domain controllers currently support the following Defender for Identity functionality:
- Investigation features on the ITDR dashboard, identity inventory, and identity advanced hunting data
- Specified security posture recommendations
- Specified alert detections
- Remediation actions
- Automatic attack disruption
Use the following procedures to test your environment for Defender for Identity capabilities on a domain controller.
Check the ITDR dashboard
In the Defender portal, select Identities > Dashboard and review the details shown, checking for expected results from your environment.
For more information, see Work with Defender for Identity's ITDR dashboard (Preview).
Confirm entity page details
Confirm that entities, such as domain controllers, users, and groups, are populated as expected.
In the Defender portal, check for the following details:
Device entities: Select Assets > Devices, and select the machine for your new sensor. Defender for Identity events are shown on the device timeline.
User entities: Select Assets > Users and check for users from a newly onboarded domain. Alternately, use the global search option to search for specific users. User details pages should include Overview, Observed in organization, and Timeline data.
Group entities: Use the global search to find a user group, or pivot from a user or device details page where group details are shown. Check for details of group membership, view group users, and group timeline data.
If no event data is found on the group timeline, you may need to generate some manually, for example by adding and removing users from the group in Active Directory.
For more information, see Investigate assets.
Test advanced hunting tables
In the Defender portal's Advanced hunting page, use the following sample queries to check that data appears in relevant tables as expected for your environment:
IdentityDirectoryEvents
| where TargetDeviceName contains "DC_FQDN" // insert domain controller FQDN
IdentityInfo
| where AccountDomain contains "domain" // insert domain
IdentityQueryEvents
| where DeviceName contains "DC_FQDN" // insert domain controller FQDN
For more information, see Advanced hunting in the Microsoft Defender portal.
Test Identity Security Posture Management (ISPM) recommendations
Defender for Identity capabilities on domain controllers support the following ISPM assessments:
- Install Defender for Identity Sensor on all Domain Controllers
- Microsoft LAPS usage
- Resolve unsecure domain configurations
- Set a honeytoken account
- Unsecure account attributes
- Unsecure SID History attributes
We recommend simulating risky behavior in a test environment to trigger supported assessments and verify that they appear as expected. For example:
Trigger a new Resolve unsecure domain configurations recommendation by setting your Active Directory configuration to a non-compliant state, and then returning it to a compliant state. For example, run the following commands:
To set a non-compliant state
Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="10"}
To return it to a compliant state:
Set-ADObject -Identity ((Get-ADDomain).distinguishedname) -Replace @{"ms-DS-MachineAccountQuota"="0"}
To check your local configuration:
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota
In Microsoft Secure Score, select Recommended Actions to check for a new Resolve unsecure domain configurations recommendation. You might want to filter recommendations by the Defender for Identity product.
For more information, see Microsoft Defender for Identity's security posture assessments
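The commands above hard-code 0 as the "compliant" value, which is right for a hardened domain but silently changes any other value you had before. The following script is an added example, not part of the original article; it performs the same ms-DS-MachineAccountQuota drill while capturing and restoring the original value, and also generates the group-membership change suggested earlier for populating the group timeline. The user name, group name, and the ".lab" domain-suffix guard are placeholders and assumptions; replace them with objects from your test domain.

```powershell
# Added example (not from the original article): run the ISPM drill and the
# group-timeline change in a lab domain, restoring state afterwards.
Import-Module ActiveDirectory

$TestUser  = 'mdi-test-user'    # assumption: an existing lab account
$TestGroup = 'MDI-Test-Group'   # assumption: an existing lab security group
$QuotaAttr = 'ms-DS-MachineAccountQuota'

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName

# Assumption: lab domains end in ".lab". Refuse to touch anything else.
if ($Domain.DNSRoot -notlike '*.lab') {
    throw "Refusing to modify $($Domain.DNSRoot): this drill is for a test domain only."
}

function Get-MachineAccountQuota {
    (Get-ADObject -Identity $DomainDN -Properties $QuotaAttr).$QuotaAttr
}

function Set-MachineAccountQuota {
    param([AllowNull()][Nullable[int]]$Value)
    if ($null -eq $Value) {
        # The attribute was absent before; clear it rather than writing 0.
        Set-ADObject -Identity $DomainDN -Clear $QuotaAttr
    } else {
        Set-ADObject -Identity $DomainDN -Replace @{ $QuotaAttr = $Value }
    }
}

function Invoke-GroupTimelineChange {
    # Add then remove the member. Each step logs 4728/4729 (security group
    # member added/removed) and a 5136 directory change, which is what the
    # group timeline in the portal is built from.
    Add-ADGroupMember -Identity $TestGroup -Members $TestUser
    Start-Sleep -Seconds 5
    Remove-ADGroupMember -Identity $TestGroup -Members $TestUser -Confirm:$false
    Get-ADGroupMember -Identity $TestGroup | Select-Object -ExpandProperty SamAccountName
}

function Start-MachineAccountQuotaDrill {
    param([int]$NonCompliantValue = 10)
    $original = Get-MachineAccountQuota
    Set-MachineAccountQuota -Value $NonCompliantValue
    Write-Host "$QuotaAttr is now $(Get-MachineAccountQuota) (was '$original')."
    Write-Host "Wait for the 'Resolve unsecure domain configurations' recommendation, then run:"
    Write-Host "  Set-MachineAccountQuota -Value `$saved   # restore"
    return $original
}

# Usage: capture the original, drill, check Secure Score, then restore.
Invoke-GroupTimelineChange
$saved = Start-MachineAccountQuotaDrill
# ... verify in Microsoft Secure Score ...
# Set-MachineAccountQuota -Value $saved
```

Keep the returned value until the recommendation has appeared; restoring too early may return the domain to a compliant state before the assessment has been evaluated, and you will see nothing in Secure Score.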
Test alert functionality
The following alerts are supported by Defender for Identity capabilities on domain controllers:
- Account enumeration reconnaissance
- Active Directory attributes Reconnaissance using LDAP
- Exchange Server Remote Code Execution (CVE-2021-26855)
- Honeytoken user attributes modified
- Honeytoken was queried via LDAP
- Honeytoken authentication activity
- Honeytoken group membership changed
- Remote code execution attempt
- Security principal reconnaissance (LDAP)
- Suspicious service creation
- Suspected NTLM relay attack (Exchange account)
- Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account
- Suspicious additions to sensitive groups
- Suspicious modification of a dNSHostName attribute (CVE-2022-26923)
- Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287)
- Suspected DCShadow attack (domain controller promotion)
- Suspected DFSCoerce attack using Distributed File System Protocol
- Suspected DCShadow attack (domain controller replication request)
- Suspected account takeover using shadow credentials
- Suspected SID-History injection
- Suspected AD FS DKM key read
Test alert functionality by simulating risky activity in a test environment. For example:
- Tag an account as a honeytoken account, and then try signing in to the honeytoken account against the activated domain controller.
- Create a suspicious service on your domain controller.
- Run a remote command on your domain controller as an administrator signed in from your workstation.
For more information, see Investigate Defender for Identity security alerts in Microsoft Defender XDR.
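The three simulations listed above, as an added example that is not part of the original article, driven from a domain-joined lab workstation. The domain controller FQDN, the honeytoken account, and the throwaway service name are placeholders and assumptions; the honeytoken account must already be tagged in the portal, and the caller needs local administrator rights on the domain controller for the service and remote-command steps. Run this only in a test environment, since the service-creation and remote-execution steps are exactly the activity the alerts exist to flag.

```powershell
# Added example (not from the original article): generate the activity behind
# three supported alerts from a lab workstation, against an activated DC.
$DC             = 'dc01.contoso.lab'    # assumption: activated domain controller
$HoneytokenUser = 'CONTOSO\svc-honey'   # assumption: account tagged as honeytoken
$ServiceName    = 'MdiTestSvc'          # assumption: throwaway service name

function Invoke-HoneytokenLogon {
    # A failed authentication attempt by the honeytoken account is enough;
    # the DC records it and "Honeytoken authentication activity" is raised.
    # net.exe reports the failure on stderr, so capture both streams.
    $output = cmd.exe /c "net use \\$DC\IPC$ /user:$HoneytokenUser NotTheRealPassword 2>&1"
    cmd.exe /c "net use \\$DC\IPC$ /delete /y 2>&1" | Out-Null
    [pscustomobject]@{ Step = 'Honeytoken logon'; Result = ($output -join ' ') }
}

function Invoke-SuspiciousServiceCreation {
    # Installing a service on the DC remotely logs 4697 on the DC and is the
    # trigger for "Suspicious service creation". The service is never started
    # and is deleted immediately.
    $create = sc.exe \\$DC create $ServiceName binPath= "C:\Windows\System32\cmd.exe /c whoami" start= demand 2>&1
    $delete = sc.exe \\$DC delete $ServiceName 2>&1
    [pscustomobject]@{ Step = 'Service creation'; Result = "$create / $delete" }
}

function Invoke-RemoteCommand {
    # PowerShell remoting from an admin workstation to the DC is one of the
    # execution paths behind "Remote code execution attempt".
    $out = Invoke-Command -ComputerName $DC -ScriptBlock { "$(hostname) as $(whoami)" }
    [pscustomobject]@{ Step = 'Remote command'; Result = $out }
}

$results = @(
    Invoke-HoneytokenLogon
    Invoke-SuspiciousServiceCreation
    Invoke-RemoteCommand
)
$results | Format-Table -AutoSize
Write-Host "Now check Incidents & alerts in the Defender portal for the device $DC."
```

If the sc.exe step fails with access denied, the workstation account is not a local administrator on the domain controller; use an account that is, because that is also the only kind of account a real attacker could use for this step, and the alert is tuned accordingly.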
Test remediation actions
Test remediation actions on a test user. For example:
In the Defender portal, go to the user details page for a test user.
From the options menu, select any or all of the following, one at a time:
- Disable user in AD
- Enable user in AD
- Force password reset
Check Active Directory for the expected activity.
Note
The current version doesn't collect the User Account Control (UAC) flags correctly, so disabled users still appear as Enabled in the portal. Verify the account state in Active Directory rather than in the portal.
For more information, see Remediation actions in Microsoft Defender for Identity.
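Because the portal may still show a disabled account as Enabled, confirm each remediation action against the domain controller itself. The following script is an added example, not part of the original article: it reads the user's userAccountControl and pwdLastSet attributes from the activated domain controller, decodes the flag bits that the three actions change, and pulls the matching Security log events from the DC. The test user and domain controller names are placeholders and assumptions; reading the DC's Security log requires administrator rights on the DC.

```powershell
# Added example (not from the original article): verify remediation actions
# directly in Active Directory rather than trusting the portal's Enabled flag.
Import-Module ActiveDirectory

$TestUser = 'mdi-test-user'      # assumption: the account you acted on
$DC       = 'dc01.contoso.lab'   # assumption: the activated domain controller

# userAccountControl flag bits relevant to the three actions.
$ACCOUNTDISABLE       = 0x0002
$DONT_EXPIRE_PASSWORD = 0x10000

function Get-RemediationState {
    param([string]$Identity, [string]$Server)
    $u = Get-ADUser -Identity $Identity -Server $Server `
            -Properties userAccountControl, pwdLastSet, LockedOut
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        userAccountControl   = ('0x{0:X}' -f $u.userAccountControl)
        # "Disable user in AD" sets this bit; "Enable user in AD" clears it.
        DisabledFlagSet      = [bool]($u.userAccountControl -band $ACCOUNTDISABLE)
        # "Force password reset" sets pwdLastSet to 0 (change at next logon).
        MustChangePassword   = ($u.pwdLastSet -eq 0)
        # If this bit is set, the forced reset has no effect at logon time.
        PasswordNeverExpires = [bool]($u.userAccountControl -band $DONT_EXPIRE_PASSWORD)
        LockedOut            = $u.LockedOut
    }
}

function Get-RemediationEvents {
    # 4725 = account disabled, 4722 = account enabled, 4738 = account changed
    # (covers the pwdLastSet change). Read straight from the DC's Security log.
    param([string]$Identity, [string]$Server, [int]$MinutesBack = 60)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4722, 4725, 4738
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Identity) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Action'; e = { switch ($_.Id) { 4722 {'Enabled'} 4725 {'Disabled'} 4738 {'Changed'} } } }
}

Get-RemediationState -Identity $TestUser -Server $DC | Format-List
Get-RemediationEvents -Identity $TestUser -Server $DC | Format-Table -AutoSize
```

Run the state check once before and once after each action; the flag bit and the pwdLastSet value should change even while the portal's user page still shows the old status.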
Deactivate Defender for Identity capabilities on your domain controller
If you want to deactivate Defender for Identity capabilities on your domain controller, delete it from the Sensors page:
- In the Defender portal, select Settings > Identities > Sensors.
- Select the domain controller where you want to deactivate Defender for Identity capabilities, select Delete, and confirm your selection.
Deactivating Defender for Identity capabilities from your domain controller doesn't remove the domain controller from Defender for Endpoint. For more information, see Defender for Endpoint documentation.
Next steps
For more information, see Manage and update Microsoft Defender for Identity sensors.