Juan Pablo Orphanos
Defender for Identity (a.k.a Azure ATP) Deployment Best practices

So, you are going to deploy Microsoft Defender for Identity (previously known as Azure ATP)? Check this short summary first, so you don't miss any important point and get the best use out of the product!

Best Practice #1 - Don't rush into installation, read and plan!

Defender for Identity (MDI for short) deployment seems pretty straightforward, right? Just download the tool and install it on all Domain Controllers... Well, it's not that easy. As with any product or service, understanding the product and planning correctly is key to success. I recommend reading these articles before rushing into downloading and installing stuff:

  • Defender for Identity Architecture
  • Defender for Identity Prerequisites

Best Practice #2 - Check your DCs meet some minimums

Validate that your Domain Controllers meet at least these minimum specs:

| Cores   | RAM  |
|---------|------|
| 2 cores | 6 GB |

Best Practice #3 - No Dynamic Memory
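The script below is an added example, not code from the original post or from Microsoft: it checks a Domain Controller against the minimums in the table above (2 cores, 6 GB) and, when run on a Hyper-V host, reports whether the DC virtual machines still have dynamic memory enabled. The VM names and the `$MinCores`/`$MinMemoryGB` thresholds are the only assumptions; the thresholds mirror the table.

```powershell
# Added example (not from the original post): hardware sanity check for MDI sensor hosts.
# Thresholds come from the table above; VM names are placeholders supplied by the operator.
$MinCores    = 2
$MinMemoryGB = 6

function Test-MdiDcHardware {
    # Run on the Domain Controller itself, or point it at a DC with -ComputerName.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $cpu = Get-CimInstance -ClassName Win32_Processor -ComputerName $ComputerName
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName

    # NumberOfCores is reported per socket; sum it for multi-socket machines.
    $cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    # TotalVisibleMemorySize is in KB, so dividing by 1MB (1048576) yields GB.
    $memoryGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)

    [pscustomobject]@{
        ComputerName = $ComputerName
        Cores        = $cores
        MemoryGB     = $memoryGB
        MeetsMinimum = ($cores -ge $MinCores) -and ($memoryGB -ge $MinMemoryGB)
    }
}

function Test-MdiDcDynamicMemory {
    # Run on the Hyper-V host; needs the Hyper-V PowerShell module (Get-VMMemory).
    param([Parameter(Mandatory)][string[]]$VMName)

    foreach ($name in $VMName) {
        $mem = Get-VMMemory -VMName $name
        [pscustomobject]@{
            VMName               = $name
            DynamicMemoryEnabled = $mem.DynamicMemoryEnabled
            StartupGB            = [math]::Round($mem.Startup / 1GB, 1)
            # The sensor needs a fixed allocation: dynamic memory off and startup RAM at the minimum.
            Compliant            = (-not $mem.DynamicMemoryEnabled) -and ($mem.Startup -ge ($MinMemoryGB * 1GB))
        }
    }
}

# Usage on a DC:
Test-MdiDcHardware | Format-Table -AutoSize
# Usage on the Hyper-V host (VM names are placeholders):
# Test-MdiDcDynamicMemory -VMName 'DC01', 'DC02' | Format-Table -AutoSize
```

A VM that shows `MeetsMinimum` true from inside the guest can still fail `Compliant` on the host: with dynamic memory the guest sees its current balloon size, not a guaranteed allocation, which is why both checks are worth running.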

Best Practice #4 - Configure Domain Controllers Audit Policy

MDI uses AD event logs (as well as ETW traces and network monitoring) to gather its data, so be sure the Domain Controllers' audit policy actually generates the events for key AD activity (account, group and service changes, credential validation).
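The following is an added example, not part of the original post: it reads the effective advanced audit policy on a Domain Controller with `auditpol` and reports which of the subcategories feeding MDI are set to "Success and Failure". The subcategory list is an assumption taken from the MDI prerequisites documentation as I remember it; verify it against the current Microsoft documentation before using it as a gate.

```powershell
# Added example (not from the original post): audit-policy readiness check for an MDI sensor.
# Assumption: the subcategory list below reflects the MDI prerequisite docs; confirm it is current.
$RequiredSubcategories = @(
    'Credential Validation',         # 4776
    'Security Group Management',     # 4728/4729/4732/4733/4756/4757
    'User Account Management',       # 4726
    'Computer Account Management',   # 4741/4742/4743
    'Distribution Group Management', # 4753/4763
    'Security System Extension'      # 7045 (service installation)
)

function Get-MdiAuditPolicyStatus {
    # "auditpol /r" emits CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting); drop blank lines before parsing.
    $csv = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

    foreach ($name in $RequiredSubcategories) {
        $row     = $csv | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            # MDI consumes both success and failure events, so anything less is flagged.
            OK          = ($setting -eq 'Success and Failure')
        }
    }
}

function Set-MdiAuditPolicy {
    # Local fix suitable for a lab. In production, configure the same subcategories in a GPO
    # linked to the Domain Controllers OU (Advanced Audit Policy Configuration) so every DC agrees.
    foreach ($name in $RequiredSubcategories) {
        auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
    }
}

Get-MdiAuditPolicyStatus | Format-Table -AutoSize
```

Run the status function before and after the GPO refresh (`gpupdate /force`) on each DC; a subcategory that stays at "No Auditing" usually means the legacy audit policy is overriding the advanced one, which is controlled by the "Audit: Force audit policy subcategory settings" security option.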

Best Practice #5 - Make sure you collect NTLM audit logs

In order to maximize MDI resolution and accuracy, it is important to collect NTLM auditing logs (Event ID 8002).
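As an added example (not from the original post), the script below checks on a Domain Controller that the "Network security: Restrict NTLM" audit settings behind Event ID 8002 are applied, and counts recent 8002 events so you can confirm the log is actually being written. The registry names and values are the documented backing values of those Group Policy settings; the 24-hour window is an arbitrary choice for this check.

```powershell
# Added example (not from the original post): verify NTLM auditing feeding MDI (event 8002).
# Registry values are the backing store of the "Network security: Restrict NTLM: ..." GPO settings.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

$Expected = @{
    AuditReceivingNTLMTraffic  = 2  # "Audit Incoming NTLM Traffic" = Enable auditing for all accounts
    AuditNTLMInDomain          = 7  # "Audit NTLM authentication in this domain" = Enable all
    RestrictSendingNTLMTraffic = 1  # "Outgoing NTLM traffic to remote servers" = Audit all
}

function Test-MdiNtlmAuditConfig {
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($null -ne $props -and $null -ne $props.$name) { $props.$name } else { 'Not set' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            OK       = ($actual -eq $Expected[$name])
        }
    }
}

function Get-MdiNtlmAuditEventCount {
    param([int]$Hours = 24)
    # 8002 is written to Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8002
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    # Zero on a busy DC almost always means auditing is off, not that nobody uses NTLM.
    @($events).Count
}

Test-MdiNtlmAuditConfig | Format-Table -AutoSize
"8002 events in the last 24h: $(Get-MdiNtlmAuditEventCount)"
```

Note that the incoming-traffic setting is the one that produces 8002 on the DC; the other two widen coverage (domain-wide auditing and outgoing audit) and are worth enabling at the same time, but auditing alone changes no authentication behaviour, so it is safe to turn on before any "deny" policy is considered.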

Best Practice #6 - Consider your proxy requirements

Azure ATP needs to talk to the internet to send its data to the cloud analysis service. Domain Controllers should never have direct Internet access, so you will probably need to set up a proxy that allows only the required destinations. Consider reading this article to check the proxy requirements:

Best Practice #7 - Enable SAM-R for full Lateral Movement Path detection

Defender for Identity builds its lateral movement path graph from AD group membership and also from local group membership on member machines.
To let Azure ATP discover local groups, the Azure ATP AD account must be able to query the machines' SAM databases. There is a Group Policy setting for that (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Access: Restrict clients allowed to make remote calls to SAM); make sure your Azure ATP account is added there:
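The script below is an added example, not code from the original post: on a machine where the policy above applies, it reads the effective "Restrict clients allowed to make remote calls to SAM" value (stored as an SDDL string under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM`), checks whether the MDI account is granted remote SAM access, and prints the SDDL you would put in the GPO if it is not. The account name `CONTOSO\svc-mdi` is a placeholder.

```powershell
# Added example (not from the original post): verify the SAM-R policy grants the MDI account access.
# Assumption: $MdiAccount is a placeholder for your Defender for Identity directory service account.
$MdiAccount = 'CONTOSO\svc-mdi'
$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'RestrictRemoteSAM'

function Get-AccountSid {
    param([string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-MdiRemoteSamAccess {
    param([string]$Account = $MdiAccount)
    $sid  = Get-AccountSid -Account $Account
    $sddl = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    # An absent value means the OS default applies, which limits remote SAM calls to local Administrators.
    $grantedSids = @()
    if ($sddl) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            # 'RC' in SDDL is READ_CONTROL (0x20000); that is the right the policy checks.
            if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band 0x20000)) {
                $grantedSids += $ace.SecurityIdentifier.Value
            }
        }
    }

    [pscustomobject]@{
        Account       = $Account
        Sid           = $sid
        CurrentSddl   = if ($sddl) { $sddl } else { '(not set - OS default)' }
        Granted       = ($grantedSids -contains $sid)
        # GPO value to use: keep BUILTIN\Administrators and add the MDI account with RC.
        SuggestedSddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sid)"
    }
}

Test-MdiRemoteSamAccess | Format-List
```

Run it on a member server or workstation that received the GPO, not only on a DC: the policy is enforced by the machine being queried, so that is where `Granted` has to be true for the lateral movement path graph to include local group membership.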


Conclusion - Read read read before adopting the solution

Any security solution (or any IT solution in general) requires proper planning. This article just enumerates a couple of points that are often overlooked when adopting the solution; we insist on reading as much documentation as possible before deploying anything. See you!
