Want to onboard your domain controllers to Microsoft Defender for Identity?

#MDI #MDE #AD #Security 🛡️

Out of scope: ADFS, actions accounts and remote SAM.

A thread 🧵
First create a new group policy or edit your current security baseline GPO.

Enable the following advanced auditing config settings to success and failure.

Enable NTLM auditing for incoming and outgoing traffic.

Add registry keys for event ID 1644 using GPP.
In Active Directory Administrative Center, open the Advanced Security dialog for the domain root. Select "Auditing" and "Add".

Principal: Everyone
Type: Success
Applies to: Descendant User/Group objects

Scroll to the bottom and click "Clear all". Change as shown in screenshot
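The thread pushes these settings through a GPO/GPP, which is the right way to roll them out. The script below is an added example, not part of the thread, that writes the same advanced audit subcategories, NTLM auditing values and event 1644 registry values directly on one domain controller, for example to verify a lab DC before the GPO is linked, and then reads the audit policy back. The SACL on the domain root from the previous step is not covered here. Run it elevated on a DC; the subcategory list and registry values are those Microsoft documents for MDI, so check the current docs if they differ in your environment.

```powershell
# Added example (not from the thread): apply the MDI audit settings locally on one DC.
# Production rollouts should use the GPO described in the thread; this only mirrors it.

# 1. Advanced audit policy subcategories MDI consumes, success and failure.
$subcategories = @(
    'Credential Validation',          # 4776
    'User Account Management',        # 4726
    'Computer Account Management',    # 4741, 4743
    'Security Group Management',      # 4728-4733, 4756-4758
    'Distribution Group Management',  # 4749-4752, 4759-4761
    'Directory Service Access',       # 4662, needs the SACL on the domain root
    'Directory Service Changes'       # 5136
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. NTLM auditing for incoming and outgoing traffic plus domain-wide NTLM audit (event 8004).
# These are the registry values behind the "Network security: Restrict NTLM: ..." GPO settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic'  -Value 2 -PropertyType DWord -Force | Out-Null  # all accounts
New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -PropertyType DWord -Force | Out-Null  # audit all
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $netlogon -Name 'AuditNTLMInDomain' -Value 7 -PropertyType DWord -Force | Out-Null     # enable all

# 3. Event 1644 (expensive / inefficient LDAP searches): the keys the thread adds via GPP.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
New-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -PropertyType DWord -Force | Out-Null
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($name in 'Expensive Search Results Threshold',
                  'Inefficient Search Results Threshold',
                  'Search Time Threshold (msecs)') {
    # Threshold 1 means practically every search is logged; that is what MDI expects.
    New-ItemProperty -Path $ntdsParams -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
}

# 4. Read back: every subcategory above should show "Success and Failure".
auditpol.exe /get /category:* | Select-String -Pattern ($subcategories -join '|')
```

Once the GPO is in place, the same `auditpol /get` call on each DC is a quick way to confirm the policy actually applied, since a local setting is overwritten by the next Group Policy refresh.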
Create a new gMSA account with Kerberos encryption type AES256 and allow the domain controllers to retrieve the password.

Test if the account can be accessed.
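The two steps above (create the gMSA, then test it) as an added example that is not from the thread. The account name `mdiSvc01` and the KDS root key handling are assumptions; the only principals allowed to retrieve the password are the domain controllers, which is what the sensor needs.

```powershell
# Added example (not from the thread): create the MDI sensor gMSA and test it from a DC.
Import-Module ActiveDirectory

$gmsaName  = 'mdiSvc01'                       # placeholder name
$domainDns = (Get-ADDomain).DNSRoot

# A KDS root key is required before any gMSA can be created. In production create it
# without -EffectiveImmediately and wait ~10 hours for replication; the switch is for labs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null   # lab only
}

# Only domain controllers may retrieve the managed password, and Kerberos is limited to AES256.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domainDns" `
    -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -Description 'Microsoft Defender for Identity sensor account'

# Show what was written, then test: True means this DC can retrieve the password.
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType |
    Select-Object Name, KerberosEncryptionType, PrincipalsAllowedToRetrieveManagedPassword

Test-ADServiceAccount -Identity $gmsaName
```

If the test returns False right after creation, the DC's own Kerberos ticket usually does not yet reflect the new group membership; `klist -li 0x3e7 purge` on the DC and a retry is the first thing to check before touching permissions.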
Switch to the Defender portal: Settings, Identities, Directory services accounts.

Add the newly created credentials

https://security.microsoft.com/settings/identities?tabid=directory
Select Sensors and "Add sensor" to download the installer package and keep note of the access key.
Allow network communication from your domain controllers to the AATP service IPs. See script for current list of IPs.

If you are going to use a proxy server, allow connections to the following and disable TLS inspection for them:

* http://sensorapi.atp.azure.com
* *.atp.azure.com

https://gist.github.com/f-bader/e9a48e1f24df32055d4775b58cb33cdc
Also allow your domain controllers to reach out to your servers and clients on the following ports for name resolution:

🟢 TCP/135 - NTLM over RPC
🟢 UDP/137 - NetBIOS
🟢 TCP/3389 - RDP

As a last resort MDI will use reverse DNS (UDP/53). https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy
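A pre-flight check for the connectivity described above, run from a domain controller, as an added example that is not from the thread. The client and server host names are placeholders; the cloud endpoint is the one the thread lists. `Test-NetConnection -Port` only speaks TCP, so UDP/137 cannot be probed this way; the script instead exercises the reverse-DNS fallback the thread mentions, which is what MDI falls back to when the TCP methods fail.

```powershell
# Added example (not from the thread): verify MDI cloud and NNR reachability from a DC.
$cloudEndpoints = @('sensorapi.atp.azure.com')            # your tenant's *.atp.azure.com host is also needed
$nnrPorts       = [ordered]@{ 'TCP/135 NTLM over RPC' = 135; 'TCP/3389 RDP' = 3389 }
$sampleHosts    = @('client01.contoso.com', 'srv01.contoso.com')   # placeholders

$results = [System.Collections.Generic.List[object]]::new()

# 1. Outbound HTTPS to the sensor API (through the proxy, if one is configured on the DC).
foreach ($ep in $cloudEndpoints) {
    $t = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    $results.Add([pscustomobject]@{ Target = "${ep}:443"; Reachable = $t.TcpTestSucceeded })
}

# 2. NNR TCP ports towards a few representative clients and servers.
foreach ($h in $sampleHosts) {
    foreach ($entry in $nnrPorts.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $h -Port $entry.Value -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{ Target = "$h $($entry.Key)"; Reachable = $t.TcpTestSucceeded })
    }
}

# 3. Reverse DNS (the UDP/53 last resort): resolve A, then look the address back up as PTR.
foreach ($h in $sampleHosts) {
    $ip  = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue | Select-Object -First 1).IPAddress
    $ptr = if ($ip) { Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue }
    $results.Add([pscustomobject]@{ Target = "$h reverse DNS"; Reachable = [bool]$ptr })
}

$results | Format-Table -AutoSize
# Any "False" row for the cloud endpoint blocks onboarding; a "False" NNR row means MDI
# will fall through to the next resolution method for that subnet.
```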
Copy and expand the installer package to your DCs.

1️⃣ Install Npcap with WinPcap mode enabled and loopback disabled
2️⃣ Install the MDI sensor using your access key
🔁 Repeat on all domain controllers in your forest.
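Steps 1 and 2 as one unattended install script, an added example that is not from the thread. The folder path, the access key and the proxy URL are placeholders; the access key comes from the "Add sensor" page. The Npcap switches and the sensor's `AccessKey` / `ProxyUrl` arguments are the ones Microsoft documents for silent installs, and the sensor setup file name is the one shipped in the package at the time of the thread, so confirm it against the expanded folder.

```powershell
# Added example (not from the thread): unattended Npcap + MDI sensor install on one DC.
$pkg       = 'C:\Temp\MDI'                  # placeholder: where the package was expanded
$accessKey = '<paste-access-key-here>'      # placeholder: from the "Add sensor" page
$proxyUrl  = $null                          # e.g. 'http://proxy.contoso.com:8080' when required

# 1. Npcap: WinPcap API-compatible mode on, loopback adapter off.
$npcap = Get-ChildItem -Path $pkg -Filter 'npcap*.exe' | Select-Object -First 1
if (-not $npcap) { throw "Npcap installer not found in $pkg" }
Start-Process -FilePath $npcap.FullName `
    -ArgumentList '/S', '/winpcap_mode=yes', '/loopback_support=no' -Wait

# 2. Sensor, quiet. ProxyUrl is only passed when a proxy is configured.
$setupArgs = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$accessKey`"")
if ($proxyUrl) { $setupArgs += "ProxyUrl=`"$proxyUrl`"" }
$setup = Join-Path $pkg 'Azure ATP sensor Setup.exe'   # file name as shipped; verify in your package
Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait

# 3. Local health check: both services should reach Running within a few minutes.
Get-Service -Name AATPSensor, AATPSensorUpdater | Select-Object Name, Status
```

Running this through your usual deployment tooling on every DC in the forest covers the 🔁 step; the portal's sensor page is still the authoritative view of which DCs have actually checked in.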

Check onboarding status in the MDE portal

https://gist.github.com/f-bader/d0029bdd0c9c55d9f648eb16baf6341a
If you have Exchange in your environment, you have to add additional auditing on your Configuration container. https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#enable-auditing-on-an-exchange-object
Optional: Regenerate access key through the MDE portal. This will not impact already onboarded DCs but makes sure that the used access key cannot be used anymore.

// End of thread 🧵
As @dougsbaker correctly mentioned, please also enable the Recycle Bin feature in your forest and grant the MDI service account read and list permissions on the Deleted Objects container.

https://gist.github.com/f-bader/06fafab0969f44066d4d0d727a8c2552
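The two follow-up steps in PowerShell, as an added example that is not from the thread or the linked gist. The gMSA name is a placeholder and must match the account created for the sensor. Enabling the Recycle Bin is a forest-wide, irreversible change, so the script checks whether it is already on before calling `Enable-ADOptionalFeature`; the Deleted Objects permissions use `dsacls`, which is what Microsoft documents for this container.

```powershell
# Added example (not from the thread): AD Recycle Bin + Deleted Objects rights for the MDI gMSA.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$gmsaName = 'mdiSvc01'   # placeholder: the sensor's gMSA

# 1. Recycle Bin: forest-wide optional feature, cannot be disabled again once enabled.
$rb = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($rb.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $domain.Forest -Confirm:$false
} else {
    Write-Host "Recycle Bin already enabled in $($domain.Forest)"
}

# 2. Deleted Objects container: by default only its owner can read it, so take ownership
#    once, then grant List Children (LC) and Read Property (RP) to the gMSA.
$deletedObjects = "CN=Deleted Objects,$($domain.DistinguishedName)"
$gmsaSam        = "$($domain.NetBIOSName)\$gmsaName`$"     # gMSA SAM names end with $
dsacls.exe $deletedObjects /takeownership
dsacls.exe $deletedObjects /G "${gmsaSam}:LCRP"

# 3. Verify: the ACL output should now contain the gMSA with LIST CHILDREN and READ PROPERTY.
dsacls.exe $deletedObjects | Select-String -Pattern $gmsaName
```

`/takeownership` reassigns the container's owner to the account running the command, which is why this should be done once by an administrator rather than scripted per DC; the `/G` grant is idempotent and safe to re-run.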
You can follow @fabian_bader.