Last Updated on October 7, 2024 by Michael Morten Sonne
Introduction
Here at my blog, I'm committed to keeping you ahead of the newest developments, and also to sharing cool tools that help you against threats and vulnerabilities. I'm excited to announce that Microsoft is now expanding coverage with new identity posture recommendations focusing on Active Directory, as part of Microsoft Secure Score with Defender for Identity installed! 🙌
Last time, we focused on Microsoft Entra Connect, which received some much-deserved attention. You can read about those updates here: Microsoft Defender for Identity – Expands support to servers with Microsoft Entra Connect – Blog – Sonne´s Cloud (sonnes.cloud). Now it's time for our good old on-premises Active Directory to get its share of enhancements, and Microsoft brings these new improvements to help strengthen your identity security posture 🙌
These updates are designed to help you monitor misconfigurations, identify weak spots, and ultimately reduce the risk of potential attacks on your on-premises infrastructure.
What is Microsoft Defender for Identity
Microsoft Defender for Identity is a comprehensive solution designed to help organizations safeguard their Active Directory environments from advanced threats. It provides real-time monitoring and threat detection, helping you identify and respond to potential security risks within your identity infrastructure.
For a deeper dive into how Microsoft Defender for Identity works and its benefits, check out my detailed blog post here, where you can read more and get help installing it in your environment! 😎
The new Defender for Identity posture recommendations
The latest additions to our Defender for Identity posture recommendations include:
- Accounts with non-default Primary Group ID: Identifies accounts with unusual or non-default Primary Group IDs, which may indicate misconfigurations or hidden group memberships that attackers could exploit to escalate privileges without triggering standard audits.
- Domain Controllers with unchanged Computer Account passwords: Flags domain controllers with computer account passwords older than 45 days, as stale credentials increase the risk of compromise. Outdated passwords on domain controllers can allow attackers to exploit weaknesses, potentially gaining prolonged access to critical resources and weakening network security.
- GPO Assigns unprivileged Identities to Elevated Local Groups: Detects when Group Policy Objects (GPOs) incorrectly assign unprivileged identities to local groups with elevated privileges, creating security risks that attackers can exploit to gain higher access or blend into the environment.
- GPO modifiable by unprivileged Accounts: Monitors if GPOs can be modified by unprivileged accounts, posing a risk of unauthorized changes that attackers could exploit to gain higher access, assess security measures, or identify vulnerabilities for future attacks.
  - Attackers may gather details about Group Policy settings to find vulnerabilities for higher access, assess security measures, and spot patterns in domain objects.
- GPO Contains Passwords in Group Policy Preferences Files: Checks for GPOs that store passwords in Group Policy Preferences files, which can be a significant security concern.
  - Group Policy Preferences (GPP) once allowed administrators to embed credentials in domain policies, but this feature was removed in MS14-025 due to security risks. Despite this, files with embedded credentials might still be in the SYSVOL folder, where any domain user can access and decrypt them using a publicly available AES key (for the domain, not “public public” 😂). To avoid potential exploitation, it's crucial to remove any existing preferences with embedded credentials.
- Built-In Active Directory Guest Account Enabled: Identifies if the built-in Active Directory Guest account is enabled, which could pose a security risk if not properly managed.
  - The Guest account is a built-in, non-specific account that allows anonymous access to Active Directory. Enabling it grants domain access without a password, which can be a security risk.
- Unsafe Permissions on the DnsAdmins Group: Highlights unsafe permissions on the DnsAdmins group, which could potentially allow unauthorized access.
- Privileged Accounts Lack configuration Flag: Ensures that all privileged accounts are configured with the flag “this account is sensitive and cannot be delegated,” adding an extra layer of security.
- Change Password of krbtgt Account: Recommends changing the password of the krbtgt account, crucial for maintaining the integrity of Kerberos ticketing.
  - If the KRBTGT password is compromised, an attacker can generate valid Kerberos tickets, leading to Golden Ticket attacks and unauthorized access across the AD domain. Regularly monitoring and updating this password is essential to prevent such risks.
- Change password of built-in Domain Administrator account: Advises changing the built-in domain Administrator account's password if not updated in over 180 days, as this highly privileged account is a prime target for attackers and essential for maintaining domain security.
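As an added example (not code from this blog post or from Microsoft), the following read-only PowerShell script reproduces several of the checks above with the ActiveDirectory RSAT module, so you can compare your own domain against the thresholds the recommendations use before the Secure Score report lands. It assumes a domain-joined host with read access to Active Directory and SYSVOL; the privileged groups and default primaryGroupID values it lists are my own assumptions, not the exact set Defender for Identity evaluates.

```powershell
# Added example, not from the blog post or Microsoft: a read-only audit that
# reproduces several of the new posture checks with the ActiveDirectory RSAT
# module. Assumes a domain-joined host with read access to AD and SYSVOL.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$findings = [System.Collections.Generic.List[string]]::new()
$now      = Get-Date
# 1. Accounts with a non-default primaryGroupID (513 Domain Users, 514 Domain
#    Guests, 515 Domain Computers, 516 Domain Controllers, 521 RODCs).
$defaultPgid = 513, 514, 515, 516, 521
Get-ADObject -LDAPFilter '(objectClass=user)' -Properties primaryGroupID |
    Where-Object { $_.primaryGroupID -notin $defaultPgid } |
    ForEach-Object { $findings.Add("Non-default primaryGroupID $($_.primaryGroupID): $($_.DistinguishedName)") }

# 2. Domain controller computer-account passwords older than 45 days.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = Get-ADComputer -Identity $_.ComputerObjectDN -Properties PasswordLastSet
    if ($dc.PasswordLastSet -lt $now.AddDays(-45)) {
        $findings.Add("DC computer password older than 45 days: $($dc.Name) ($($dc.PasswordLastSet))")
    }
}

# 3. Built-in Guest (RID 501), Administrator (RID 500, 180-day threshold) and
#    krbtgt password age. The post gives no krbtgt threshold, so it is reported only.
$guest = Get-ADUser -Identity "$($domain.DomainSID)-501" -Properties Enabled
if ($guest.Enabled) { $findings.Add("Built-in Guest account is enabled") }
$admin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties PasswordLastSet
if ($admin.PasswordLastSet -lt $now.AddDays(-180)) {
    $findings.Add("Built-in Administrator password older than 180 days ($($admin.PasswordLastSet))")
}
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$findings.Add("krbtgt password age: $([int]($now - $krbtgt.PasswordLastSet).TotalDays) days")

# 4. Privileged users missing "this account is sensitive and cannot be delegated".
#    Group list is an assumption; Enterprise Admins only exists in the forest root.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated
            if (-not $u.AccountNotDelegated) { $findings.Add("Privileged account not marked sensitive: $($u.SamAccountName) [$group]") }
        }
}

# 5. Group Policy Preferences files in SYSVOL that still carry a non-empty cpassword.
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' -List |
    ForEach-Object { $findings.Add("GPP cpassword found: $($_.Path)") }
$findings | Sort-Object -Unique
```

Run it from an elevated PowerShell session on a management host; every finding maps to one of the recommendation titles above, so the output doubles as a remediation checklist.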
Updated recommendations
Microsoft is also updating the existing recommendation “Modify unsecure Kerberos delegations to prevent impersonation.” This update now includes guidance on Kerberos Constrained Delegation with Protocol Transition to a privileged service, further enhancing protection against unauthorized access.
These new identity recommendations provide deeper insights into Active Directory infrastructure and Group Policy Objects (GPOs), offering you more comprehensive security posture reports. They will be available by default to customers who have installed a Defender for Identity sensor.
Stay tuned for more updates and tips on how to keep your identity and infrastructure secure. For more information, feel free to reach out or explore our blog for additional resources.
How to get the update
Keeping your Microsoft Defender for Identity sensors up to date ensures optimal protection for your organization. The service is updated a few times a month with new detections (like these), features, and performance enhancements. These updates often come with minor sensor updates, which only affect sensor detection capabilities and will be installed automatically.
Defender for Identity sensors support two types of updates:
Minor updates:
- Frequent
- No MSI install or registry changes required
- Restarts: Defender for Identity sensor services
Major updates:
- Rare
- Include significant changes
- Restarts: Defender for Identity sensor services
Sensor update process overview
- Frequent Checks: Every few minutes, Defender for Identity sensors check for updates.
- Cloud Service Update: When the Defender for Identity cloud service updates to a new version, the sensor update process begins.
- Update Detection: The Defender for Identity sensor updater service detects the new version.
- Update Process
  - Sensors not set to “Delayed update” start updating individually.
  - The sensor updater pulls the updated version (in CAB file format) from the cloud.
  - The file signature is validated.
  - The CAB file is extracted to a new folder, typically C:\Program Files\Azure Advanced Threat Protection Sensor\<version number>.
  - The sensor service switches to the new files.
  - The sensor service is restarted.
- Update Details
  - Minor updates do not require MSI installs, registry changes, or system file modifications.
  - Pending restarts do not affect the sensor update.
- Post-Update
  - The next sensor begins its update process.
  - Sensors operate with the updated version.
  - Clearance is received from the Azure cloud service.
  - Verify the sensor status on the Sensors page.
Sensors selected for a Delayed update will start their update process 72 hours after the Defender for Identity cloud service is updated. These sensors will then use the same update process as automatically updated sensors.
If an update fails, you can reinstall the sensor without any problems. If you run into issues, check out the script I created with insights from my friends at Microsoft; you can find it here on my blog 😎
Conclusion
Keeping your Defender for Identity sensors updated is crucial for maintaining robust security and performance. This latest update is a welcome improvement, offering enhanced detections, new features, and valuable security posture recommendations, helping to ensure your organization stays ahead of emerging threats.
By following the outlined update process, you can ensure your sensors remain current with minimal disruption. The automated checks and seamless installation further simplify the process, maintaining your system’s security posture without extensive manual intervention.
Staying on top of these updates not only strengthens your protection but also ensures your defenses are aligned with the latest advancements and best practices. With this new update, you’re gaining even more tools to safeguard your environment.
For additional support, don’t hesitate to use the available resources and scripts, and feel free to reach out if you encounter any issues. By keeping your sensors updated, you’re investing in the ongoing security and resilience of your Active Directory environment.
Thank you for taking the time to visit my blog. Kindly share it with others if you find it helpful for them! 😉🔐👍
Remember you can always support me and my development of tools and content via Why donate? – Blog – Sonne´s Cloud (sonnes.cloud)
Stay tuned for the new post about something cool! 🥳