Want to onboard your domain controllers to Microsoft Defender for Identity?
#MDI #MDE #AD #Security
Out of scope: ADFS, actions accounts and remote SAM.
A thread

First create a new group policy or edit your current security baseline GPO.
Set the following advanced audit policy configuration settings to Success and Failure.
Enable NTLM auditing for incoming and outgoing traffic.
Add the registry keys for event ID 1644 using Group Policy Preferences (GPP).
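Added example, not a script from this thread: a read-only check to run on one domain controller after gpupdate /force, to confirm that the audit subcategories, the NTLM auditing values and the event ID 1644 registry values the GPO is meant to deliver are actually in effect. The subcategory list is my reading of Microsoft's MDI event collection documentation, not something the thread lists, so compare it with the current docs; the names assume an English system because auditpol prints localized names.

```powershell
# Added example (not the thread author's script): verify the audit configuration on a DC.
# Read-only; run as an administrator after 'gpupdate /force'.

$subcategories = @(
    'Credential Validation',          # 4776
    'Security Group Management',      # 4728/4729/4732/4733/4756/4757
    'Computer Account Management',    # 4741/4743
    'User Account Management',        # 4726
    'Distribution Group Management',  # 4753/4763
    'Directory Service Changes',      # 5136 (also needs the SACL from the next step)
    'Security System Extension'       # 4697
)

function Test-AuditSubcategory {
    param([string]$Name)
    # auditpol prints a table; the last column is "Success and Failure", "Success", "Failure" or "No Auditing"
    $line = auditpol /get /subcategory:"$Name" |
        Where-Object { $_ -match "^\s+$([regex]::Escape($Name))\s{2,}" }
    if (-not $line) {
        return [pscustomobject]@{ Setting = $Name; Value = 'not found'; Ok = $false }
    }
    $value = ($line -split '\s{2,}')[-1].Trim()
    [pscustomobject]@{ Setting = $Name; Value = $value; Ok = ($value -eq 'Success and Failure') }
}

# Registry values written by the three "Restrict NTLM" audit policies (audit everything) and the
# NTDS diagnostics/threshold values that make the DC log event ID 1644 for LDAP searches.
$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'AuditReceivingNTLMTraffic';            Expected = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'RestrictSendingNTLMTraffic';           Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AuditNTLMInDomain';                    Expected = 7 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics';    Name = '15 Field Engineering';                 Expected = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Expensive Search Results Threshold';   Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Inefficient Search Results Threshold'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Search Time Threshold (msecs)';        Expected = 1 }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Setting = "$Path\$Name"; Value = $actual; Ok = ($actual -eq $Expected) }
}

$results  = @($subcategories | ForEach-Object { Test-AuditSubcategory -Name $_ })
$results += @($registryChecks | ForEach-Object { Test-RegistryValue -Path $_.Path -Name $_.Name -Expected $_.Expected })
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'At least one setting is not in effect; check the GPO link and scope with gpresult /h before installing the sensor.'
}
```

Anything reported with Ok = False is a GPO scoping or replication problem to fix before the sensor goes in; the sensor installs fine without these settings, but the detections that depend on the missing events silently never fire.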
In Active Directory Administrative Center, open the Advanced Security dialog for the domain root. Select "Auditing", then "Add".
Principal: Everyone
Type: Success
Applies to: Descendant User/Group objects
Scroll to the bottom and click "Clear all", then change the permissions as shown in the screenshot.
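Added example, not the thread author's: the same SACL entries applied with PowerShell instead of clicking through ADAC, so the change can be reviewed and repeated per domain. The rights are assumed from Microsoft's MDI object-auditing documentation (Full control minus List contents, Read all properties and Read permissions), because the thread's screenshot is not reproduced here; compare with your screenshot before running. Reading and writing the SACL needs Domain Admin rights (SeSecurityPrivilege). The Add-MdiAuditRule and Get-MdiAuditRule function names are mine.

```powershell
# Added example (not the thread author's code): add and list MDI audit entries on the domain root.
Import-Module ActiveDirectory

# schemaIDGUIDs of the object classes the entries apply to (well-known values)
$classGuids = @{
    user  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    group = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
}

function Add-MdiAuditRule {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$ObjectClasses = @('user', 'group')
    )
    $path     = "AD:\$DistinguishedName"
    $acl      = Get-Acl -Path $path -Audit            # -Audit pulls the SACL, not only the DACL
    $everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

    # Full control with the three read-type rights cleared (assumed from the MDI docs)
    $all    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $skip   = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]($all -band (-bnot $skip))

    foreach ($class in $ObjectClasses) {
        # Success audit, inherited only by descendant objects of this class (not the root itself)
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
            $everyone, $rights,
            [System.Security.AccessControl.AuditFlags]::Success,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $classGuids[$class])
        $acl.AddAuditRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Get-MdiAuditRule {
    # Lists the Success entries for Everyone so the result can be compared with the screenshot
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName" -Audit).Audit |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AuditFlags -eq 'Success' } |
        Select-Object IdentityReference, AuditFlags, InheritanceType, InheritedObjectType, ActiveDirectoryRights
}

$root = (Get-ADDomain).DistinguishedName
Add-MdiAuditRule -DistinguishedName $root
Get-MdiAuditRule -DistinguishedName $root
```

Get-MdiAuditRule is also a quick way to confirm an existing environment already has the entries before you add duplicates. The Exchange Configuration container entry mentioned further down in the thread is scoped differently; take its rights and inheritance from the linked documentation rather than reusing these values.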
Create a new gMSA account with Kerberos encryption type AES256 and allow the domain controllers to retrieve the password.
Test if the account can be accessed.
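Added example, not the thread author's code: creating the gMSA with AES256 only, limiting password retrieval to the Domain Controllers group, and testing it from a DC. 'mdiSvc' is a placeholder name; run it as Domain Admin on a domain controller.

```powershell
# Added example (not the thread author's code): gMSA for the MDI sensor.
Import-Module ActiveDirectory

$accountName = 'mdiSvc'   # placeholder
$domain      = Get-ADDomain

# gMSAs require a KDS root key in the forest. Even with -EffectiveImmediately a new key is only
# usable on all DCs after it has replicated (about 10 hours), so create it well before the account.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

New-ADServiceAccount -Name $accountName `
    -DNSHostName "$accountName.$($domain.DNSRoot)" `
    -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -Description 'Microsoft Defender for Identity sensor account'

# Show what was created: encryption type and who may retrieve the password
Get-ADServiceAccount -Identity $accountName -Properties KerberosEncryptionType, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, KerberosEncryptionType, PrincipalsAllowedToRetrieveManagedPassword

# On each DC: True means this DC can retrieve the managed password, which is what the sensor needs.
# The gMSA also needs the "Log on as a service" right on the DCs; grant it through the same GPO.
Test-ADServiceAccount -Identity $accountName
```

If Test-ADServiceAccount returns False on a DC that is a member of Domain Controllers, the usual causes are a KDS root key that has not replicated yet or a DC that has not refreshed its group membership since the account was created.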
Switch to the Defender portal: Settings, Identities, Directory services accounts.
Add the newly created credentials.
https://security.microsoft.com/settings/identities?tabid=directory
Allow network communication from your domain controllers to the AATP service IPs. See the script for the current list of IPs.
If you are going to use a proxy server, allow connections to the following hosts and disable TLS inspection for them:
*sensorapi.atp.azure.com
*.atp.azure.com
https://gist.github.com/f-bader/e9a48e1f24df32055d4775b58cb33cdc
Also allow your domain controllers to reach your servers and clients on the following ports, which MDI uses for network name resolution (NNR):
TCP/135 - NTLM over RPC
UDP/137 - NetBIOS
TCP/3389 - RDP
As a last resort MDI will use reverse DNS (UDP/53) https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy

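Added example, not the thread author's script: a pre-flight check to run on a domain controller that probes the sensor API endpoint and the NNR ports towards one sample endpoint, including the UDP and reverse-DNS methods that Test-NetConnection cannot cover. 'contoso-corp' (the workspace name) and 'client01' are placeholders.

```powershell
# Added example (not the thread author's script): outbound and NNR connectivity check from a DC.
$sensorApi  = 'contoso-corpsensorapi.atp.azure.com'   # placeholder: <workspace>sensorapi.atp.azure.com
$sampleHost = 'client01.corp.contoso.com'             # placeholder: a client or server you manage

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [string]$Purpose)
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = "${ComputerName}:$Port"; Purpose = $Purpose; Reachable = $r.TcpTestSucceeded }
}

$results = @(
    Test-TcpPort -ComputerName $sensorApi  -Port 443  -Purpose 'Sensor API (TLS; proxy must not inspect)'
    Test-TcpPort -ComputerName $sampleHost -Port 135  -Purpose 'NNR: NTLM over RPC'
    Test-TcpPort -ComputerName $sampleHost -Port 3389 -Purpose 'NNR: RDP'
)

# If the DCs egress through a proxy, the raw TCP test above bypasses it, so also test the proxied
# path. An HTTP error response still counts as reachable (the endpoint only talks to the sensor);
# a connection or TLS failure does not. This uses the current user's proxy settings.
try {
    Invoke-WebRequest -Uri "https://$sensorApi" -UseBasicParsing -TimeoutSec 15 | Out-Null
    $proxied = $true
} catch {
    $proxied = ($null -ne $_.Exception.Response)
}
$results += [pscustomobject]@{ Target = "https://$sensorApi"; Purpose = 'Sensor API via proxy'; Reachable = $proxied }

# UDP/137 cannot be probed with Test-NetConnection; nbtstat -A sends a real NetBIOS name query.
$ip  = (Resolve-DnsName -Name $sampleHost -Type A -ErrorAction Stop |
        Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
$nbt = nbtstat -A $ip
$results += [pscustomobject]@{ Target = "${ip}:137/udp"; Purpose = 'NNR: NetBIOS'; Reachable = [bool]($nbt -match 'UNIQUE') }

# Last-resort NNR method: reverse DNS for the endpoint's IP
$ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Target = "$ip (PTR)"; Purpose = 'NNR fallback: reverse DNS'; Reachable = [bool]$ptr }

$results | Format-Table -AutoSize
```

A sample host that fails all three NNR methods will still show up in MDI, but only by IP address, which makes the resulting alerts much harder to act on; fix the firewall rules or the PTR zone before going live rather than after.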
Copy and expand the installer package to your DCs.
Install Npcap with WinPcap mode enabled and loopback support disabled.
Install the MDI sensor using your access key.
Repeat on all domain controllers in your forest.
Check onboarding status in the MDE portal
https://gist.github.com/f-bader/d0029bdd0c9c55d9f648eb16baf6341a

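Added example, not the gist linked above: an unattended install of Npcap and the sensor on one domain controller, followed by a local service check to complement the portal view. The package directory, the installer file names and the access key are placeholders; the Npcap switches are the ones Microsoft documents for the bundled OEM installer, quoted from memory, so check them against the current docs.

```powershell
# Added example (not the thread author's gist): silent Npcap and MDI sensor install on a DC.
$packageDir = 'C:\Temp\MDI'                            # placeholder: expanded sensor package
$accessKey  = '<paste the access key from the portal>' # placeholder; do not commit this to a repository

# Npcap must go in before the sensor: WinPcap API-compatible mode, no loopback adapter.
$npcap = Get-ChildItem -Path $packageDir -Filter 'npcap-*.exe' | Select-Object -First 1
if (-not $npcap) { throw "No Npcap installer found in $packageDir" }
Start-Process -FilePath $npcap.FullName -ArgumentList '/S', '/loopback_support=no', '/winpcap_mode=yes' -Wait

# Quiet sensor install; the installer bootstraps the .NET Framework if it is missing.
$sensor = Join-Path $packageDir 'Azure ATP sensor Setup.exe'
$p = Start-Process -FilePath $sensor `
        -ArgumentList '/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$accessKey`"" `
        -Wait -PassThru
if ($p.ExitCode -ne 0) {
    throw "Sensor installer exited with code $($p.ExitCode); check the installer log before retrying."
}

# Both services should exist and be running once the sensor has registered with the workspace.
Get-Service -Name AATPSensor, AATPSensorUpdater | Select-Object Name, Status, StartType
```

A DC where AATPSensorUpdater is running but AATPSensor keeps stopping is almost always a connectivity or proxy problem from the earlier step, not an installer problem; the portal's sensor page shows the same state with a delay.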
If you have Exchange in your environment, you have to add additional auditing on your Configuration container. https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#enable-auditing-on-an-exchange-object
Optional: Regenerate the access key through the MDE portal. This does not affect already onboarded DCs, but ensures the old access key can no longer be used.
// End of thread

As @dougsbaker correctly mentioned, please also enable the Recycle Bin Feature in your forest and grant the MDI service account read and list permissions on the Deleted Objects container.
https://gist.github.com/f-bader/06fafab0969f44066d4d0d727a8c2552
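Added example, not the gist linked above: enabling the Recycle Bin for the forest and granting the gMSA List Contents and Read Property on the Deleted Objects container with dsacls. 'mdiSvc' is a placeholder account name; run it as Enterprise Admin on a DC.

```powershell
# Added example (not the thread author's gist): Recycle Bin plus Deleted Objects permissions for the gMSA.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domain  = Get-ADDomain
$gmsa    = "$($domain.NetBIOSName)\mdiSvc$"               # placeholder gMSA, note the trailing $
$deleted = "CN=Deleted Objects,$($domain.DistinguishedName)"

# Enabling the Recycle Bin is a one-way change for the forest; skip it if it is already on.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# The Deleted Objects container is not readable by administrators by default, so take ownership
# first, then grant LC (List Contents) and RP (Read Property) to the gMSA.
dsacls $deleted /takeownership
dsacls $deleted /G "${gmsa}:LCRP"

# Verify: the gMSA should now appear in the container's DACL with LIST CONTENTS and READ PROPERTY
dsacls $deleted | Select-String -Pattern 'mdiSvc'
```

Repeat the dsacls part in every domain of the forest that has a sensor, since each domain has its own Deleted Objects container; the Recycle Bin is enabled once per forest.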