Microsoft SQL Server is a database server. If I need a database server for a project, I can simply spin up a server, install Microsoft SQL Server on it, and then use it to store data. In this situation, my requirement is static. As long as I am using the software/service, I need a working database server. But when it comes to cybersecurity, the requirements are not static – they change very often. New bugs and security threats are found every day. A security solution we use today may not work well against new threats found in the future. The only possible way to address this challenge is to "continuously improve" the solutions in place. To do this, we can use the following steps as guidelines. These four steps are connected to each other and work as a life cycle rather than a one-time process:
Before we come up with a solution, we first need to "identify" what to protect. The tools and services we can use to protect identities are different from what we can use to protect applications. Also, we need to be mindful when choosing where to make investments. As an example, we need to invest more in protecting sensitive business data than in protecting five-year-old pictures from a marketing campaign. Once we identify what we need to protect, then we can use the relevant tools and services to "protect" it.
One of the pillars of the Zero-Trust security approach is "assume a breach". We can't close all the doors. We need to assume a breach has already happened. But the important thing is that when it happens, there should be a way to "detect" it. If the solution or services in place are not in a healthy state, we need to detect those events as well. Once we detect a breach or issue, then we can "respond" in a timely manner. Each step through this life cycle is critically important. However, "detect" has more weight as we are not only looking to identify a breach, we can also use that information to confirm whether the solution in place is working as expected. This is why auditing and monitoring are important.
Before I use the London Underground service, I always check the Transport for London (TfL) website to see the status of the tube line services. This is a service provided by TfL to make sure its users are planning their journeys properly to avoid delays. The system TfL has in place to monitor line statuses gives us two benefits. As a service provider, TfL can detect problems and start to address them immediately. At the same time, some filtered information is passed to the public that is important for planning their journey.
Similarly, auditing and monitoring are not only there to enable engineers to find problems. They should also provide filtered, structured information that is important to the roles and responsibilities of different parties in the business. As an example, the IT manager would like to know the overall domain service availability over the last month, but it is not important for them to know each and every event that happened in the system during the last 30 days, although this can be important for the IT engineers.
In auditing and monitoring, we also need to identify what to monitor and what should be reported. Knowing each and every thing that happens in the system is good, but unless that data is analyzed and prioritized, it will not help engineers detect issues properly. Therefore, we need systems that audit and monitor the correct things and present them in a useful way.
Active Directory (AD) itself is not a security solution, but in previous chapters, I explained how we can use the features of AD to protect identities. So, it is important for us to monitor the health of AD.
In this chapter, we will look at the following:
Before we look into the other tools and services we can use to monitor AD, let's see what the built-in Windows tools can provide.
Microsoft offers built-in features and tools to monitor and audit AD environments. In this section, we are going to review these features and tools.
As an engineer, I am sure you are well aware of Windows Event Viewer. It is a built-in tool that can be used to view and filter event logs on a local or remote computer. The events shown there are generated by the operating system, services, server roles, and applications. This is the most commonly used tool in Windows systems for auditing and troubleshooting purposes.
We can also write custom events to event logs. This is useful if you plan to run a script or action based on a particular event ID. This can be done by using the Write-EventLog cmdlet.
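As a minimal sketch, the following shows how a custom event could be written. The source name, event ID, and message here are arbitrary placeholders chosen for illustration:

```powershell
# Register a custom event source once (requires administrative privileges).
# "RebelScripts" is a placeholder source name, not a value from this chapter.
if (-not [System.Diagnostics.EventLog]::SourceExists("RebelScripts")) {
    New-EventLog -LogName Application -Source "RebelScripts"
}

# Write a custom informational event. A scheduled task or another script
# can then be triggered based on this event ID.
Write-EventLog -LogName Application -Source "RebelScripts" `
    -EventId 1000 -EntryType Information `
    -Message "Nightly AD health check completed successfully."
```

A scheduled task can then use this event ID as its trigger, which is the scenario described above.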
As shown in the following screenshot, Windows Event Viewer (Local) has four different categories to group event logs:
Figure 19.1: Windows Event Viewer
In the preceding list, Windows Logs and Application and Service Logs both have additional predefined subcategories.
Event Viewer allows the creation of Custom Views based on event level, time, log type, source type, event ID, task category, keywords, users, or computers. Event Viewer captures thousands of different events; using Custom Views, we can filter events and access only the information we need. All these custom-made views will be listed under the Custom Views section, which also includes predefined custom views.
These predefined custom views are based on the server roles. When AD DS roles are added, it also creates a custom view in the event log to group all the AD DS-related events, as shown in the following screenshot:
Figure 19.2: Windows Event Viewer Role logs
The data that appears in these custom views will also be available on other logs such as Windows Logs.
The Windows Logs section includes five Windows log files. These mostly contain OS-related events:
As an example, assume we need to collect events with ID 4321 from three computers. Using the Subscriptions feature, we can collect only those events and forward them to the Forwarded Events log. Forwarded Events is the default location for subscribed events; however, if needed, these events can also be forwarded to other log files.
The Application and Services Logs category was introduced in Windows Server 2008. It stores the events related to applications and their components. Most of the events listed here are more suited for application developers doing debugging and application-level troubleshooting.
This category has four log types:
As mentioned before, we also can see events data from remote locations by using subscriptions. Let's see what subscription data includes.
This category lists the event subscriptions created with remote computers. Here, we can create, edit, and disable event subscriptions, check the runtime status, and forcibly run subscription jobs.
When we open up an event, it gives different levels of information, such as the following:
In the previous section, I explained Applications and Services Logs and the types of data available under it. There are a few different Applications and Services Logs related to the AD service.
Apart from the events under the Windows Logs category, AD DS and related service events can be found under the following logs. These are located under the Applications and Services Logs category:
Apart from events, AD DS and related services have other system log files that record data about service installation/uninstallation, performance, service errors/failures, and so on.
These log files can be used for auditing, troubleshooting, or debugging purposes.
The default location for these log files is %SystemRoot%\Debug:
DCPromo.log: This log file is created during the AD promotion process. It also records events during the demotion process. This log contains events such as the creation of the SYSVOL directory.
DCPromoUI.log: This log file can be considered a progress report for the AD DS promotion/demotion process. It starts the logging process as soon as the AD DS configuration wizard opens, and ends when the installation completes successfully (until the reboot request is accepted) or when it is aborted due to errors. It includes the result of each and every action the system takes during the service installation and removal process.
DFSR.log: This log file includes events related to DFS replication. It can be used for SYSVOL replication troubleshooting and debugging (if SYSVOL uses DFS replication). From Windows Server 2008 onward, AD uses DFS replication for SYSVOL by default, but if domain controllers have been introduced to a Windows Server 2003 environment, it will use FRS by default.
The only way to identify potential security threats and security breaches in infrastructure is through continuous monitoring and auditing. When it comes to auditing, the Windows system itself provides advanced auditing capabilities to identify such security issues. However, by default, only certain types of actions are audited. These auditing settings are handled by Windows audit policies.
Here, we are only going to look at advanced security audit policies, which were first introduced with Windows Server 2008 R2.
There are 10 categories of events we can audit in a Windows system:
Each and every event category also has subcategories.
Legacy Windows auditing provides nine categories, and each category also has subcategories. These are located under Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy. Categories and subcategories can also be listed using the auditpol /get /category:* command. Advanced security audit policies provide 53 options to tune auditing requirements, so we can collect more granular information about infrastructure events than with legacy auditing.
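As a sketch, the current audit settings can be reviewed and individual subcategories enabled from an elevated prompt. The subcategory name used below is one of the standard DS Access subcategories discussed later in this chapter:

```powershell
# List every audit category and subcategory with its current setting
auditpol /get /category:*

# Show only the DS Access category and its subcategories
auditpol /get /category:"DS Access"

# Enable success and failure auditing for one subcategory.
# Note: settings applied directly with auditpol can be overridden
# by group policy, which is the recommended deployment method.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
```

In practice, group policy (shown in the next section) is preferred for domain controllers so the configuration is applied consistently.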
Auditing on these categories can be enabled using group policies. These are located under Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies, as shown in the following screenshot:
Figure 19.3: Advanced audit logs
All these categories can collect a lot of system and service events related to AD infrastructure activities. But in this section, we are only going to focus on the DS Access events category and its subcategories. It audits events related to AD object access and AD object modification. Also, the settings under this category apply only to domain controllers.
The DS Access events category includes four subcategories:
As our next step, let's explore each of the above subcategories in more detail.
This category records events when an AD DS object is accessed. This will only work if the system access control list (SACL) is configured and the relevant objects have been added. This is similar to directory service access in legacy auditing.
SACL allows engineers to log access attempts to secured objects. SACL can generate audit records when an access attempt fails, when it succeeds, or both.
When auditing is enabled under this category, the following event can be found under security logs:
Event ID | Event message
4662 | An operation was performed on an object.
This category records events related to AD DS object changes, such as the following:
When an object value is changed, it records the old value and the new value it was changed to. Again, the event will only be generated for the entries listed under SACL. Once auditing is enabled, the following events can be found under security logs:
Event ID | Event message
5136 | A directory service object was modified.
5137 | A directory service object was created.
5138 | A directory service object was undeleted.
5139 | A directory service object was moved.
5141 | A directory service object was deleted.
This category logs events when replication between two domain controllers begins and ends. When auditing is enabled, we will be able to find the following events in the logs:
Event ID | Event message
4932 | Synchronization of a replica of an AD naming context has begun.
4933 | Synchronization of a replica of an AD naming context has ended.
This category records detailed information about data replicated between domain controllers. Once auditing is enabled, it will generate a high volume of events and will be useful for troubleshooting replication issues. It will log the following types of events:
Event ID | Event message
4928 | An AD replica source naming context was established.
4929 | An AD replica source naming context was removed.
4930 | An AD replica source naming context was modified.
4931 | An AD replica destination naming context was modified.
4934 | Attributes of an AD object were replicated.
4935 | Replication failure start.
4936 | Replication failure end.
4937 | A lingering object was removed from a replica.
In this section, let's go ahead and see how we can use built-in Windows monitoring and audit capabilities. In order to do these configurations, you need to have domain administrator or enterprise administrator privileges.
Event Viewer can simply be opened by running eventvwr.msc. The same MMC can also be used to connect to a remote computer using the Connect to Another Computer... option, as highlighted in the following screenshot:
Figure 19.4: Review events on another computer
We can simplify this by creating server groups in Server Manager. Server groups allow us to group systems running similar server roles or acting as part of a distributed system.
Before we go ahead and create server groups, we need to take note of the following information:
Remote management (WinRM) needs to be enabled on the source servers. This can be verified using the winrm get winrm/config command. If it's not enabled, we can enable it using the winrm quickconfig command.
The collector computer account needs to be a member of the Event Log Readers group. This is a built-in local group. Members of this group can read event logs from the local machine. We can add a computer account to the group using the following command:
Add-ADGroupMember -Identity 'Event Log Readers' -Members REBELNET-PDC01$
REBELNET-PDC01$ can be replaced with the collector computer account.
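Assuming the commands above have been run, a quick sketch to verify both prerequisites might look like the following (REBELNET-PDC01 is the example collector account from the text):

```powershell
# Confirm WinRM is configured and listening on the source server
winrm get winrm/config

# Confirm the collector's computer account is now a member of
# the Event Log Readers group
Get-ADGroupMember -Identity 'Event Log Readers' |
    Where-Object { $_.Name -eq 'REBELNET-PDC01' }
```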
Figure 19.5: Create a server group
Figure 19.6: Add servers
Figure 19.7: Events from the remote server
We can configure the event data and modify it as follows:
Figure 19.8: Configure Event Data option
The following screenshot explains how we can configure event data using different options:
Figure 19.9: Configure Event Data window
We can also filter events and save them as queries for future use. As an example, say I need to list events with ID 129. I can filter them by typing 129 in the filter field. But at the same time, I can create a query for it and save it for future use. So, next time, I can just run the query to filter out the data, as shown in the following screenshot:
Figure 19.10: Save a query
The following screenshot shows that once the query is created, it can be accessed whenever needed:
Figure 19.11: Access a saved query
So far, we have only considered accessing Event Viewer data locally. In the next section, we are going to look into accessing Event Viewer data centrally.
Event Viewer contains lots of different event entries. There can be several thousand events per day. Even if every event provides some useful information, we do not need to go through each and every one when we are troubleshooting a particular application or performing a service audit. There are specific events relevant to each server role, application, service, and system component.
On some occasions, when we're auditing or troubleshooting, we need to review events on multiple computers. Event Viewer only allows us to connect to one computer at a given time. It can be a local or a remote computer. Event subscriptions allow us to collect event logs from remote computers and review them on one console.
Before we configure event subscriptions, we need to perform the following steps: enable Windows Remote Management (WinRM) on the source computers, and add the collector computer account to the Event Log Readers group. Configuration steps for these tasks are explained in the previous section.
Once the prerequisites are fulfilled, follow these steps:
We can select any log file available in the drop-down menu, as shown in the following screenshot:
Figure 19.12: Event subscription
Figure 19.13: Select source computer
In there, the collector should be added in the Server=http://<eventcollector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=10 format.
Figure 19.14: Query events
Figure 19.15: Advanced Subscription Settings
By default, we can't collect security logs from remote domain controllers due to permissions issues. Let's see how we can update the permissions manually to access the relevant data.
In order to collect security logs from remote domain controllers, we need to add a network service account to the channel access permissions of the security event log.
This is because the WinRM service is running under the network service account. This can be done by running the following code:
wevtutil sl security /ca:'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)'
In the preceding SDDL string, the entry (A;;0x1;;;S-1-5-20) grants READ permission (0x1) to the network service account, whose SID is S-1-5-20. The rest of the string, O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573), is the existing channel access value for the security log.
. Once all this is done, after a few minutes, we can see the Forwarded Events.
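To confirm the change, we can read the channel configuration back; the channelAccess value in the output should now include the (A;;0x1;;;S-1-5-20) entry added above:

```powershell
# Display the security log channel configuration, including channelAccess
wevtutil gl security
```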
As we have seen previously, for successful auditing, we need to have a SACL configured for the relevant AD objects. If there is no SACL entry, no events will be generated against that object. In order to configure the SACL, we need Domain Admin or Enterprise Admin privileges. To add a SACL entry, perform the following steps:
Figure 19.16: SACL entry
Once the SACL entries are in place, we can enable advanced audit policy configuration. In order to do that, perform the following steps:
Figure 19.17: Audit Directory Service Access events
I have repeated the same configuration for the rest of the audit categories, as shown in the following screenshot:
Figure 19.18: Audit categories
Once the group policy is applied successfully, it will start to log new events according to the audit policy.
Before Windows Server 2008, there were nine main auditing categories and subcategories. These still appear in Windows Server 2022. It is recommended not to mix the two models, and to use only advanced auditing instead. We can force the system to accept only advanced audit policy settings when legacy audit policy settings are applied to the same category.
This can be done by enabling the Group Policy setting under Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
We can also use PowerShell commands to review event logs or filter events from local and remote computers without any additional service configuration. Get-EventLog is the primary cmdlet we can use for this task, as shown in the following example:
Get-EventLog -List
The previous command will list the details about the log files in your local system, including the log file name, max log file size, and number of entries.
Get-EventLog -LogName 'Directory Service' | fl
The previous command will list all the events in the Directory Service log file. We can also limit the number of events listed. As an example, if we only need the latest 5 events from the Directory Service log file, we can use the following command:
Get-EventLog -Newest 5 -LogName 'Directory Service'
We can further filter it down by listing events according to entry type, as shown in the following example:
Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error
The previous command will list the latest 5 errors in the Directory Service log file. We can also add a time limit to filter events further, as follows:
Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error -After (Get-Date).AddDays(-1)
The previous command will list the Error-type events logged within the last 24 hours under the Directory Service log. We can also get events from remote computers, as follows:
Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'REBEL-SRV01' | fl -Property *
The previous command will list the latest 5 log entries in the Directory Service log file from the REBEL-SRV01 remote server.
We can also extract events from several computers simultaneously, as follows:
Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName "localhost","REBEL-SRV01"
The previous command will list the log entries from the local computer and the REBEL-SRV01 remote computer. When it comes to filtering, we can further filter events using the event source, as follows:
Get-EventLog -LogName 'Directory Service' -Source "NTDS KCC"
The previous command will list the events with the source NTDS KCC. It also allows us to search for specific event IDs, as shown in the following example:
Get-EventLog -LogName 'Directory Service' | where {$_.eventID -eq 1000}
The previous command will list the events with an eventID of 1000.
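Note that Get-EventLog relies on an older API and is not available in PowerShell 7 and later; on newer systems, the same filtering can be done with Get-WinEvent. As a rough equivalent of the last example, a filter hash table keeps the filtering on the provider side rather than piping every event through Where-Object:

```powershell
# List events with ID 1000 from the Directory Service log.
# -FilterHashtable filters at the log provider level, which is
# considerably faster than post-filtering with Where-Object.
Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'
    Id      = 1000
}
```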
There is a recommended list of events that we need to audit periodically to identify potential issues in an AD environment. The complete list is available for review at https://bit.ly/3nKlQK4.
In several places in this book, I have talked about why we need the Zero-Trust approach to security. Zero-Trust is not a product or service; it is a mindset. We need to understand the importance of this approach and implement relevant controls wherever possible. Especially since the COVID-19 pandemic, the term "Zero-Trust" has been resounding in the tech industry, and this completely makes sense due to the following reasons:
Once attackers achieve the initial breach, they don't stop there. Instead, they move laterally to the cloud or other remote networks. The Solorigate attack is a great example of this.
Out of those concerns, if we consider "identities" specifically, we can see that the complexity of enterprise identities is growing, which creates room for attackers to find success. Enterprises are moving more assets to the cloud due to the accelerated pace of digital transformation. This means that enterprise identities are starting to appear in public clouds, SaaS applications, partner systems, BYOD, and mobile devices. When complexity grows, the attack surface grows with it.
Microsoft identified these challenges and came up with Defender for Identity, a cloud-based solution that monitors signals from on-prem AD Domain Controllers and AD FS servers to detect, identify, and investigate identity threats and malicious activities.
In the previous two editions of this book, this section was allocated to Microsoft Advanced Threat Analytics (ATA). ATA is an on-prem platform that helps us protect our identity infrastructure from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal behavior (from users, devices, and resources). Microsoft also had a cloud version of it called Azure Advanced Threat Protection (Azure ATP). This cloud service has since been renamed Defender for Identity. Microsoft ATA mainstream support ended on January 12, 2021, so going forward, users can only use the cloud-based Defender for Identity service.
When we consider a typical attack kill chain, we can identify four main areas to protect:
Microsoft offers security solutions to protect all these areas:
Microsoft has grouped these four products – Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and MCAS – and created a unified pre- and post-breach enterprise defense suite called Microsoft 365 Defender, which can provide integrated protection for all four areas. So, Microsoft Defender for Identity is one pillar of a far greater solution. If you want to achieve unified protection in stages, it is recommended to start with identity protection first and then move on to the other products in the suite, as identity is the key to everything.
Defender for Identity has the following key capabilities that help to streamline SecOps operations:
When it comes to identity protection, Microsoft Defender for Identity focuses on four main deliverables.
Defender for Identity helps SecOps teams to identify hidden vulnerabilities in their environments. These are present mostly due to misconfiguration of services/products and a lack of system updates.
The Defender for Identity security posture assessment can detect vulnerabilities such as:
Defender for Identity not only detects these issues, but also advises on what should be done to fix them. Defender for Identity's reports show how many times these issues have been reported, their impact levels, and their resolution statuses. This rich information helps SecOps teams to improve their security posture and proactively prevent attacks.
In the Zero-Trust security approach, we need to assume a breach. We can't close all the doors. But more importantly, if there is a breach, we need a way to "detect" it quickly so we can prevent further damage and also use that information to further improve our security. Microsoft Defender for Identity can detect identity attacks faster due to its analysis of rich information from a variety of data sources:
A typical identity attack has different stages. First of all, the attacker needs to uncover details about the environment they are attacking. We call this the reconnaissance stage of the attack. Defender for Identity can detect the following types of reconnaissance events:
After reconnaissance, the attacker's next step is to gain some sort of access to the system. The attacker can use many different methods for this. Defender for Identity can detect the following types of credential access events:
If an attacker successfully achieves an initial breach, the next step will be to move laterally within the infrastructure and try to gain more privileges. Most of the time, the initial breach is a typical end user account. To do significant damage, attackers will need higher privileges, so they will continue compromising systems until they have access to the keys of the kingdom, Enterprise/Domain Admin accounts. Defender for Identity can detect the following types of events, helping to identify lateral movement attempts:
If the attacker has access to privileged accounts, they can go further and compromise the remaining systems to get full control over the infrastructure. If the defender uses a hybrid setup, the attacker can try to extend their attack to cloud resources. Defender for Identity can detect the following types of events, helping to detect an attack in progress:
It is important to know whether an attack has progressed to the stage mentioned above, as this means the attacker already has access to most of the system. In such a situation, we need to act fast to minimize the impact.
When there is a security event, SecOps teams can get overwhelmed by the number of events and alerts they are receiving. Prioritization of these events mostly depends on the skills of the engineers. Also, if a large number of alerts have been produced, it's possible for the engineers to miss some critical events.
Defender for Identity not only alerts us to security incidents, but also helps SecOps teams to prioritize their investigation efforts to make them more effective. As an example, the user investigation priority score for a user account helps to shortlist the accounts that require immediate attention. A higher score means more attention is required. This value is calculated based on the alerts connected to the user and any abnormal activities detected from the user account.
Some attacks involve large numbers of users. In such a situation, we can use impact ranking (from Low to High) to easily identify the users requiring immediate attention. Each attack can have multiple incidents. Defender for Identity marks each incident with a severity score (from Low to High), which also helps SecOps teams to identify which incidents to focus on first.
In addition to this, Defender for Identity also allows us to create custom detection rules to help SecOps teams focus on environment-specific security events.
We also can use Microsoft 365 Defender advanced threat hunting to query cross-domain data to investigate security events further. For that, we need to use KQL queries.
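As an illustration only, a hunting query of this kind might look like the following KQL sketch. It assumes the IdentityLogonEvents table from the Microsoft 365 Defender advanced hunting schema; the threshold and time window are arbitrary values chosen for the example:

```kusto
// Accounts with a high number of failed logons in the last day -
// a possible indicator of password spray or brute-force activity.
// The threshold of 20 is an arbitrary example value.
IdentityLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonFailed"
| summarize FailedLogons = count() by AccountUpn, DeviceName
| where FailedLogons > 20
| order by FailedLogons desc
```

In a real investigation, the threshold and window would be tuned to the environment's baseline activity.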
So far, we have seen how Defender for Identity can increase the efficiency of detection and prioritization of incidents. This also helps to reduce the time it takes from the initial detection of an event to its final fix.
Not only that, but when it comes to incident response, we can use Microsoft 365 Defender to automate our incident response process. For more information about automated remediation, please visit https://bit.ly/3l7kZkK.
Figure 19.19: MDI architecture
The preceding diagram explains the components involved in the Microsoft Defender for Identity setup. Let's go ahead and see the roles of each of these components:
Microsoft Defender for Identity portal – This portal allows us to configure our Defender for Identity instance. Using this portal, we can download MDI sensors, check the status of our MDI sensors, configure honeytoken accounts, configure email settings, and so on. We can also view and investigate security incidents in the environment using the Microsoft Defender for Identity portal.
MDI sensors – Microsoft Defender for Identity collects security events, analyzes network traffic, and monitors AD entities via MDI sensors. For best results, these sensors need to be installed on each domain controller and AD FS server in the environment. Defender for Identity also has standalone sensors. Instead of installing a sensor on each domain controller, we can configure a dedicated server as a sensor. We then need to configure port mirroring on our domain controllers to pass traffic through the standalone sensor. However, a standalone sensor can't collect Event Tracing for Windows (ETW) log entries, which are used for multiple detections. Microsoft's recommendation is to install sensors on domain controllers and AD FS servers for best results.
Microsoft 365 Defender portal – Defender for Identity is a product in the Microsoft 365 Defender suite. It uses one portal to collect data from different products and then analyzes the data to identify attacks spread across different domains. Using this portal, SecOps teams can also do advanced threat hunting. If we need to configure automated remediation or custom detection rules, we need to use this portal to do it. The Microsoft Defender for Identity portal also forwards activity data, alerts, and metadata to the Microsoft 365 Defender portal. It is recommended to use the Microsoft 365 Defender portal for investigation as it contains rich data from different sources.
Microsoft Cloud App Security – Prior to the release of the Microsoft 365 Defender portal, the data it now handles was forwarded to Microsoft Cloud App Security, and engineers were able to do their investigations using the Cloud App Security portal.
In the next section, we are going to look into the things we need to consider before deployment of Microsoft Defender for Identity.
Before we deploy Microsoft Defender for Identity, it is important to check for the following prerequisites.
Microsoft Defender for Identity requires Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365 E5 (M365 E5/A5/G5), or standalone licenses. These licenses can be purchased through Microsoft 365 portals or via your Cloud Solution Provider (CSP).
It is a common best practice to block/limit internet access to domain controllers. Unless you are using standalone sensors, all domain controllers with MDI sensors need to be able to communicate with the Defender for Identity cloud service. More info about the links and proxy configuration is available at https://bit.ly/3cM3KkB.
Microsoft Defender for Identity requires a service account to connect to AD. This service account must have read permissions for all objects in the domain.
Microsoft Defender for Identity supports two types of service accounts:
If the sensor machines are running Windows Server 2012 or above, the recommended type of service account is a gMSA. In Chapter 8, I explained gMSAs and how we can set up this type of account. Please check Chapter 8 for more info.
If you are using an older operating system than Windows Server 2012, you will have to use a standalone service account.
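As a quick illustration, a gMSA for the MDI sensors can be created with the Active Directory PowerShell module. This is a sketch only; the group, account, and domain names below are hypothetical examples, and Chapter 8 covers gMSAs in detail.

```powershell
# Create a group containing the computer accounts (here, the domain
# controllers) that are allowed to retrieve the gMSA password.
New-ADGroup -Name "MDI-Sensor-Servers" -GroupScope Global
Get-ADDomainController -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity "MDI-Sensor-Servers" -Members $_.ComputerObjectDN }

# Create the gMSA itself (names are examples only).
New-ADServiceAccount -Name "svc-mdi" `
    -DNSHostName "svc-mdi.contoso.com" `
    -PrincipalsAllowedToRetrieveManagedPassword "MDI-Sensor-Servers"

# On each sensor server, install and verify the account.
Install-ADServiceAccount -Identity "svc-mdi"
Test-ADServiceAccount -Identity "svc-mdi"
```

Test-ADServiceAccount should return True on each sensor server once the gMSA is usable there.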
During the reconnaissance or lateral movement phases of an attack, attackers will try to access different user accounts. A honeytoken account helps MDI detect such activities quickly. This account should look like a standard company account but should never be used to log in. If any activity is detected on the honeytoken account, Microsoft Defender for Identity will flag it immediately.
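A honeytoken account is just a normal, never-used AD account, so it can be created with a one-liner; the user details below are hypothetical, and the account is then tagged as a honeytoken in the Defender for Identity configuration.

```powershell
# Create a convincing-looking but never-used account (names are examples).
New-ADUser -Name "sadams" `
    -GivenName "Sarah" -Surname "Adams" `
    -SamAccountName "sadams" `
    -UserPrincipalName "sadams@contoso.com" `
    -AccountPassword (Read-Host -AsSecureString "Enter password") `
    -Enabled $true

# Note the account SID; some portal versions identify the
# honeytoken account by its SID rather than its name.
(Get-ADUser "sadams").SID.Value
```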
Certain ports need to be open in your firewalls for internal and external communication by Microsoft Defender for Identity, as follows:
Protocol | TCP/UDP | Port | To/From | Direction
SSL | TCP | 443 | Defender for Identity cloud services | Outbound
SSL | TCP | 444 | Sensor service | Both
DNS | TCP and UDP | 53 | Sensors to DNS servers | Outbound
Netlogon | TCP/UDP | 445 | Sensors to all devices | Outbound
RADIUS | UDP | 1813 | RADIUS to sensors | Inbound
NTLM over RPC | TCP | 135 | Sensors to all devices | Outbound
NetBIOS | UDP | 137 | Sensors to all devices | Outbound
TLS to RDP | TCP | 3389 | Sensors to all devices | Outbound
For standalone sensors, the port requirements are different. More info about this is available at https://bit.ly/3l6MVFr.
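Assuming the port requirements above, the TCP paths can be spot-checked from a sensor server with Test-NetConnection. The hostnames here are illustrative placeholders, not values from your environment.

```powershell
# Check outbound HTTPS to the Defender for Identity cloud service
# (replace the hostname with your workspace's sensor API endpoint).
Test-NetConnection -ComputerName "contoso-corpsensorapi.atp.azure.com" -Port 443

# Check DNS (TCP) and SMB reachability from the sensor to a domain device.
Test-NetConnection -ComputerName "dc01.contoso.com" -Port 53
Test-NetConnection -ComputerName "dc01.contoso.com" -Port 445
```

Note that Test-NetConnection only tests TCP, so UDP paths (for example, RADIUS accounting on 1813) need to be verified separately.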
Defender for Identity collects Windows events 4726, 4728, 4729, 4730, 4732, 4733, 4753, 4756, 4757, 4758, 4763, 4776, 7045, and 8004 from domain controllers. Some of these events only appear if advanced audit policies are enabled on the domain controllers. I explained earlier in this chapter how we can enable advanced audit policies.
To capture the above events, we need to enable the following advanced audit policies:
We need to capture Success and Failure events for all the above policies.
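Although these policies should be deployed via GPO (typically the Default Domain Controllers Policy), auditpol.exe is a quick way to verify, or locally set, the effective settings on a domain controller. The subcategory names below are examples related to the account management event IDs listed earlier.

```powershell
# View the current advanced audit settings for account management events.
auditpol /get /category:"Account Management"

# Locally enable Success and Failure auditing for a subcategory
# (in production, configure this through GPO instead).
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
```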
Windows event 8004 contains NTLM authentication data. By enabling NTLM auditing, we can allow Microsoft Defender for Identity to enrich event data by displaying the source user, source device, and accessed resource.
NTLM auditing should be enabled on domain controllers. We can enable this by using GPO settings under Computer configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options.
To collect the relevant data, we need to enable the following policy settings:
Once the settings are in place, MDI will display the NTLM data in Resource Access over NTLM and Failed logon events.
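Once NTLM auditing is enabled, event 8004 entries are written to the NTLM operational log on the domain controllers. A quick way to confirm that data is actually flowing is:

```powershell
# List the most recent NTLM authentication audit events (ID 8004)
# on a domain controller.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'
    Id      = 8004
} -MaxEvents 10 |
    Select-Object TimeCreated, Message
```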
Microsoft Defender for Identity can detect lateral movement paths. To do this, MDI needs to be able to query the local administrators of any computer. This query uses the SAM-R protocol and the Microsoft Defender for Identity service account. By default, the service account can't do this query, so we need to grant the relevant permissions by using GPO. This policy setting should apply to all computers except domain controllers. To update the settings, go to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options and add the service account to the list under the Network access – Restrict clients allowed to make remote calls to SAM policy.
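To verify the policy has applied on a target machine, note that this GPO setting writes an SDDL string to the RestrictRemoteSAM registry value, which can be read directly:

```powershell
# Read the SAM-R restriction policy applied by the GPO. The SDDL
# string returned should include the MDI service account's SID.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'RestrictRemoteSAM' |
    Select-Object -ExpandProperty RestrictRemoteSAM
```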
The Microsoft Defender for Identity sensor requires a minimum of 2 cores and 6 GB of RAM. However, this can be changed based on network traffic, server roles, and the server's current resource usage. Therefore, it is best to run the sensor sizing tool before installation. This tool will automatically analyze the current system and make recommendations for resource upgrades. To download the tool, please go to https://bit.ly/3xh7y6S.
This completes the prerequisites section for Microsoft Defender for Identity. Please note that I didn't mention much here about standalone sensors because they have limitations and are not the recommended method.
After the prerequisites are sorted, the next phase is to set up the Microsoft Defender for Identity service and sensors. This is a very straightforward process and Microsoft has well-structured documentation for it. You can access this at https://bit.ly/30RUc4L. After deployment, I highly recommend doing the testing as specified in the documentation, so we know the service is working as expected.
In the previous chapter, we learned what Azure AD Connect is and how it works in a hybrid Azure AD environment. Azure AD Connect is responsible for synchronization between Azure AD and on-prem AD. Therefore, it is important to monitor the health of the Azure AD Connect service to make sure it is running as expected. In a given infrastructure, only one Azure AD Connect instance can be active at a time, which makes the health of the service even more important. The Azure AD Connect service is a Windows service, so there are many tools on the market that can monitor the status of the service. But even if the service is up and running, it doesn't mean synchronization is healthy.
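The basics can be checked directly on the Azure AD Connect server itself; the ADSync PowerShell module ships with the product, so the following sketch assumes it is run on that server.

```powershell
# Confirm the synchronization service is running.
Get-Service ADSync

# Check the sync scheduler state, including whether the scheduler is
# enabled and when the next sync cycle is due.
Import-Module ADSync
Get-ADSyncScheduler
```

This only confirms the service and scheduler are alive; it won't surface object-level sync errors, which is exactly the gap Azure AD Connect Health fills.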
Azure AD Connect Health is a service that comes with Azure AD Premium to monitor the health of Azure AD Connect. Azure AD Connect Health can monitor the following types of sync errors:
Azure AD Connect Health insights are gathered via health agents.
There are three types of agents used by Azure AD Connect Health:
We need to meet the following prerequisites to use Azure AD Connect Health:
Outbound traffic on ports 443 and 5671 must be allowed to the Azure endpoints from the target servers (for a complete list of URLs, see https://bit.ly/3FK3BdP).
In this section, we are going to look at Azure AD Connect Health in action. In my demonstration environment, I have the latest version of Azure AD Connect installed.
Azure AD Connect Health (sync) comes as a part of it, as shown in the following screenshot:
Figure 19.20: Azure AD Connect health services
But I'd like to install Azure AD Connect Health Agent for AD DS to gather additional insights from my on-prem AD environment. In order to do that, perform the following steps:
Figure 19.21: Azure AD Connect Health access
Figure 19.22: Download Azure AD Connect Health Agent for AD DS
Run ADHealthAddsAgentSetup.exe as administrator.
Figure 19.23: Azure AD login
Figure 19.24: Azure AD Connect Health service registration
If a proxy is in place, we have to import the proxy settings from Internet Explorer by running Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings.
Once registration is completed, it can take a few hours to display the collected data.
Figure 19.25: Sync errors and Sync services
The landing page shows the high-level health status of Azure AD Connect:
Figure 19.26: Overview of Azure AD Connect Health
On the error pages, we can see detailed descriptions of events:
Figure 19.27: Sync errors
Figure 19.28: AD DS services
Figure 19.29: Replication health
Azure AD Connect Health is mainly focused on monitoring the health of directory synchronization. Additional insights collected from AD FS and AD DS agents primarily help to troubleshoot directory synchronization health issues. However, healthy synchronization doesn't mean we are running a healthy Azure AD hybrid environment. This can only be ensured by monitoring identity infrastructure security threats. Microsoft has different services that can monitor identity infrastructure threats. Azure Security Center and Azure Sentinel are good examples of this. I highly recommend that you look into these solutions to further improve the overall health of your identity infrastructure.
Continuous monitoring and auditing are a must for identity infrastructures to identify potential security threats and maintain a healthy environment. There are a lot of tools and methods out there to do this, but the success of these solutions depends on the accuracy of detection, the way they present data, and how they help in identifying the root cause.
In this chapter, we started by looking at Windows' built-in tools and methods that can be used to monitor and audit AD environments. First, we started with GUI tools and then moved to PowerShell-based auditing. Then we looked at Microsoft Defender for Identity and how it can help to identify security threats in the infrastructure that cannot be detected using traditional tools and methods. Last but not least, we also learned how Azure AD Connect Health can help to monitor the synchronization health of the Azure AD hybrid environment.
After a long journey, we are now reaching the end of this book. In the final chapter, we will look at the most common AD-related issues and how we can fix them.