Want to onboard your domain controllers to Microsoft Defender for Identity?

#MDI #MDE #AD #Security 🛡️

Out of scope: ADFS, action accounts and remote SAM.

A thread 🧵
First create a new group policy or edit your current security baseline GPO.

Enable the following advanced auditing config settings to success and failure.

Enable NTLM auditing for incoming and outgoing traffic.

Add registry keys for event ID 1644 using GPP.
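The three GPO steps above are hard to eyeball once the policy has applied, so here is an added verification script (mine, not from the thread) to run on a domain controller after `gpupdate /force`. The audit subcategory list and the registry names/values are my reading of the MDI prerequisites documentation and are assumptions to check against the current docs; the thread itself does not list them.

```powershell
# Added example (not from the thread): verify the audit, NTLM auditing and event 1644
# settings on this DC after the GPO has applied. Subcategory names and registry values
# are assumptions taken from the MDI docs as I recall them; verify against current docs.
#Requires -RunAsAdministrator

# Advanced audit subcategories MDI relies on; each should report "Success and Failure".
$subcategories = @(
    'Credential Validation',
    'Computer Account Management',
    'Distribution Group Management',
    'Security Group Management',
    'User Account Management',
    'Directory Service Access',
    'Directory Service Changes',
    'Security System Extension'
)

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Name)
    # auditpol /r emits CSV with an "Inclusion Setting" column; drop blank lines first.
    $csv = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $csv.'Inclusion Setting'
}

'--- Advanced audit policy ---'
foreach ($sub in $subcategories) {
    $setting = Get-AuditSubcategorySetting -Name $sub
    $state = if ($setting -eq 'Success and Failure') { 'OK' } else { 'FIX' }
    '{0,-32} {1,-20} {2}' -f $sub, $setting, $state
}

# Registry values: NTLM auditing (MSV1_0 / Netlogon) and the event 1644 thresholds (NTDS).
$expected = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'AuditReceivingNTLMTraffic';            Value = 2 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';           Name = 'RestrictSendingNTLMTraffic';           Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'AuditNTLMInDomain';                    Value = 7 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics';    Name = '15 Field Engineering';                 Value = 5 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Expensive Search Results Threshold';   Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Inefficient Search Results Threshold'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'Search Time Threshold (msecs)';        Value = 1 }
)

'--- Registry (NTLM auditing, event 1644) ---'
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $state = if ($null -eq $actual) { 'MISSING' }
             elseif ($actual -eq $e.Value) { 'OK' }
             else { "FIX (is $actual)" }
    '{0,-40} expected {1,-3} {2}' -f $e.Name, $e.Value, $state
}
```

Anything reported as FIX or MISSING means the GPO either did not apply to this DC or the setting was overridden by a policy with higher precedence; `gpresult /h` shows which GPO won.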
In Active Directory Administrative Center, open the Advanced Security dialog for the domain root. Select "Auditing" and "Add".

Principal: Everyone
Type: Success
Applies to: Descendant User/Group objects

Scroll to the bottom and click "Clear all". Change the settings as shown in the screenshot.
Create a new gMSA account with Kerberos encryption type AES256 and allow the domain controllers to retrieve the password.

Test if the account can be accessed.
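The gMSA step as PowerShell, added here as my own example rather than the thread's script. The account name `mdiSvc` is a placeholder; it assumes the ActiveDirectory module is available and that the KDS root key already exists (the lab-only `-EffectiveImmediately` branch is there so the script works in a fresh lab).

```powershell
# Added example (not from the thread): create the MDI gMSA with AES256 only and allow
# only domain controllers to retrieve its password, then test retrieval on this DC.
# 'mdiSvc' is a placeholder name.
Import-Module ActiveDirectory

$accountName = 'mdiSvc'                              # sAMAccountName becomes mdiSvc$
$domain      = Get-ADDomain
$dcGroup     = Get-ADGroup -Identity 'Domain Controllers'

if (-not (Get-KdsRootKey)) {
    # Lab only: in production omit -EffectiveImmediately and wait ~10 hours for replication.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

New-ADServiceAccount -Name $accountName `
    -DNSHostName "$accountName.$($domain.DNSRoot)" `
    -KerberosEncryptionType AES256 `
    -PrincipalsAllowedToRetrieveManagedPassword $dcGroup `
    -Description 'Microsoft Defender for Identity sensor service account'

# Run on each DC: True means this DC can retrieve the managed password.
# If it returns False right after creation, the DC's Kerberos ticket may predate the
# group membership check; try again after replication or after a reboot.
if (Test-ADServiceAccount -Identity $accountName) {
    "gMSA $accountName is usable on $env:COMPUTERNAME"
} else {
    Write-Warning "gMSA $accountName cannot be retrieved on $env:COMPUTERNAME; check membership in $($dcGroup.Name) and replication"
}
```

Scoping `-PrincipalsAllowedToRetrieveManagedPassword` to the Domain Controllers group (not to individual DC computer objects) keeps the account working when DCs are added later. The sensor service also needs the "Log on as a service" right for this account on each DC; check the MDI documentation for how that is granted in your setup.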
Switch to the Defender portal: Settings > Identities > Directory services accounts.

Add the newly created credentials

https://security.microsoft.com/settings/identities?tabid=directory
Select Sensors and "Add sensor" to download the installer package and keep note of the access key.
Allow network communication from your domain controllers to the AATP service IPs. See script for current list of IPs.

If you are going to use a proxy server, allow connections to the following hosts and disable TLS inspection for them:

* http://sensorapi.atp.azure.com
* *.atp.azure.com

Script with the current list of service IPs: https://gist.github.com/f-bader/e9a48e1f24df32055d4775b58cb33cdc
Also allow your domain controllers to reach your servers and clients on the following ports, which are used for name resolution:

🟢TCP/135 - NTLM over RPC
🟢UDP/137 - NetBIOS
🟢TCP/3389 - RDP

As a last resort MDI will use reverse DNS (UDP/53) https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy
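A pre-flight connectivity check for the paths listed above, added here as my own example (not from the thread). It only tests TCP reachability, because `Test-NetConnection` cannot probe UDP/137 or UDP/53; the member hostnames are placeholders, and the certificate-issuer check only catches transparent TLS inspection (an explicit proxy is bypassed by a direct socket).

```powershell
# Added example (not from the thread): run on a DC before installing the sensor.
# Hostnames in $members are placeholders; the cloud endpoint is the one named in the thread.
$cloudEndpoints = @('sensorapi.atp.azure.com')      # add your workspace's *.atp.azure.com host
$members        = @('srv01.contoso.local', 'ws01.contoso.local')   # placeholder servers/clients
$nnrTcpPorts    = @(135, 3389)                      # NTLM over RPC, RDP
$udpNotTested   = @('UDP/137 NetBIOS', 'UDP/53 reverse DNS')

function Test-TcpPath {
    param([string]$Target, [int]$Port)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $Target
        Port      = $Port
        Reachable = $r.TcpTestSucceeded
        RemoteIP  = $r.RemoteAddress
    }
}

$results  = @(foreach ($h in $cloudEndpoints) { Test-TcpPath -Target $h -Port 443 })
$results += @(foreach ($m in $members) { foreach ($p in $nnrTcpPorts) { Test-TcpPath -Target $m -Port $p } })
$results | Format-Table -AutoSize
"Not tested (UDP): $($udpNotTested -join ', ')"

# TLS inspection check (transparent proxies only): the certificate issuer seen on the
# sensor API should be a public CA, not your proxy's internal CA.
$target   = 'sensorapi.atp.azure.com'
$tcp      = New-Object System.Net.Sockets.TcpClient($target, 443)
$callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }  # we only want to read the cert
$ssl      = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($target)
"Issuer presented for ${target}: $($ssl.RemoteCertificate.Issuer)"
$ssl.Dispose(); $tcp.Dispose()
```

A "Reachable: False" on TCP/135 or TCP/3389 toward member machines is not fatal for the sensor itself, but it pushes name resolution down to reverse DNS, which is the "last resort" the thread mentions.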
Copy and expand installer package to your DCs

1️⃣ Install Npcap with WinPCAP mode enabled and loopback disabled
2️⃣ Install the MDI sensor using your access key
🔁Repeat on all domain controllers in your forest.
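Steps 1 and 2 as an unattended script for one DC, added here as my own example (not the thread's script). File names and paths are placeholders, and the installer switches (`/winpcap_mode`, `/loopback_support` for Npcap OEM; `/quiet`, `NetFrameworkCommandLineArguments`, `AccessKey`, `ProxyUrl` for the sensor) are the ones documented by Npcap and the MDI docs as I recall them; treat them as assumptions to verify.

```powershell
# Added example (not from the thread): unattended Npcap + MDI sensor install on one DC.
# $PackageRoot is the folder where the expanded installer package was copied (placeholder).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$PackageRoot,   # folder containing the expanded package
    [Parameter(Mandatory)][string]$AccessKey,     # access key from Settings > Identities > Sensors
    [string]$ProxyUrl                              # optional, e.g. http://proxy.contoso.local:8080 (placeholder)
)

# 1) Npcap: WinPcap-compatible mode on, loopback adapter off, as the thread requires.
$npcap = Join-Path $PackageRoot 'npcap-oem.exe'   # placeholder file name; use the one shipped in the package
$p = Start-Process -FilePath $npcap -ArgumentList '/S', '/winpcap_mode=yes', '/loopback_support=no' -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Npcap install failed with exit code $($p.ExitCode)" }

# 2) MDI sensor, quiet, with the access key (and proxy if given).
$setup     = Join-Path $PackageRoot 'Azure ATP sensor Setup.exe'
$setupArgs = @('/quiet', 'NetFrameworkCommandLineArguments="/q"', "AccessKey=`"$AccessKey`"")
if ($ProxyUrl) { $setupArgs += "ProxyUrl=`"$ProxyUrl`"" }
$p = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "Sensor install failed with exit code $($p.ExitCode)" }

# Local health check: both sensor services should exist and be running after a short wait.
Start-Sleep -Seconds 30
Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' | Select-Object Name, Status
```

Pass the access key on the command line only from a controlled host and clear the shell history afterwards; the key is also what the optional regeneration step at the end of the thread invalidates.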

Check onboarding status in the MDE portal

https://gist.github.com/f-bader/d0029bdd0c9c55d9f648eb16baf6341a
Optional: regenerate the access key in the MDE portal. This does not affect already onboarded DCs, but it ensures the key that was used cannot be reused.

// End of thread 🧵
As @dougsbaker correctly mentioned, please also enable the Recycle Bin feature in your forest and grant the MDI service account read and list permissions on the Deleted Objects container.

https://gist.github.com/f-bader/06fafab0969f44066d4d0d727a8c2552
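The two follow-up steps as PowerShell, added here as my own example (not the linked gist). `mdiSvc$` is the placeholder gMSA name from the earlier step; the `dsacls` ownership-then-grant sequence is the one the MDI documentation uses, with `LCRP` meaning List Children + Read Property.

```powershell
# Added example (not from the thread): enable the AD Recycle Bin (irreversible) and grant
# the MDI gMSA list/read on the Deleted Objects container. 'mdiSvc$' is a placeholder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$gmsa   = 'mdiSvc$'   # placeholder gMSA sAMAccountName

$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $recycleBin.EnabledScopes) {
    # Forest-wide and cannot be disabled again once enabled.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Deleted Objects has no usable DACL entries by default: take ownership first,
# then grant List Children + Read Property (LCRP) to the gMSA.
$deletedObjects = "CN=Deleted Objects,$($domain.DistinguishedName)"
dsacls $deletedObjects /takeownership | Out-Null
dsacls $deletedObjects /G "$($domain.NetBIOSName)\${gmsa}:LCRP" | Out-Null

# Verify: the gMSA should now show up in the container's ACL listing.
dsacls $deletedObjects | Select-String -Pattern ([regex]::Escape($gmsa))
```

Without this permission the sensor cannot read tombstoned objects, so deletions of users and computers are invisible to MDI even though the Recycle Bin keeps them.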
You can follow @fabian_bader.