Forum Discussion

Kailashj
Copper Contributor
Oct 21, 2024

MDI sensor best recommendations


I am in the middle of setting up MDI in my environment. I have one Server 2019 and five additional domain controllers running unsupported versions like 2012 R2.

My question is:

I have already installed the MDI sensor on the 2019 DC. Will my environment benefit from MDI protection?

Please share your best recommendations.

Additionally, I am using the local system account as my action account instead of GMSA, as Microsoft states it’s optional. Is there a way to configure remediation actions manually, or are they automated?

  • Alikoc
    Iron Contributor
    Hi,
    Since you have installed the MDI sensor on the Server 2019 DC, you’ll gain protection and detection capabilities on that particular domain controller. However, for full protection, it's ideal to have sensors on all DCs in your environment.

    MDI will only monitor activities and generate alerts based on the data from the 2019 DC where the sensor is installed. Activities occurring on the unsupported 2012 R2 DCs will not be captured by MDI, potentially creating blind spots in your detection capabilities.

    Although MDI doesn’t support direct sensor installation on Windows Server 2012 R2, you can use a strategy called Port Mirroring to capture traffic from unsupported DCs. Set up port mirroring to send traffic from the unsupported DCs to the 2019 DC where MDI is installed. This can allow MDI to analyze authentication and other relevant traffic, providing better coverage.

    Microsoft allows using the local system account as the action account for MDI, but I thought gMSA is recommended for enhanced security and ease of management.

    Lastly, I agree with micheleariis. Manual response is necessary, but integration with SIEM solutions can help automate responses.
  • micheleariis
    Steel Contributor

    Kailashj Hi, extending log retention for a single entity, such as a user or device, is not supported in the default configurations.

    However, you can export entity data to external systems such as Azure Log Analytics or SIEM for longer retention. Or, you can use Azure Monitor Logs to set custom retention policies for specific data.

    Any remediation actions based on the alerts and findings from MDI must be manually executed unless you integrate with other tools that provide automation capabilities.
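As an added example (not code from this thread or from Microsoft), here is a PowerShell inventory that follows Alikoc's point about blind spots: it lists every domain controller, marks the ones whose OS is too old to host the MDI sensor, and queries the remaining ones for the sensor service so you can see which DCs are actually covered. It assumes the ActiveDirectory RSAT module, CIM/WinRM access to each DC, and that the sensor registers a Windows service named AATPSensor; the version cut-off (anything below kernel 10.0, i.e. older than Windows Server 2016) is an assumption derived from the thread's statement that 2012 R2 is unsupported, so check it against Microsoft's current sensor prerequisites.

```powershell
# Added example, not from the thread: inventory DCs and report MDI sensor coverage.
# Assumptions: ActiveDirectory RSAT module is available, CIM/WinRM access to each DC,
# and the MDI sensor registers a service named 'AATPSensor' (verify on a DC that has it).
Import-Module ActiveDirectory

# Assumed cut-off: kernel 10.0 and above (Server 2016+) can host the sensor;
# the thread says 2012 R2 (kernel 6.3) cannot.
$MinSupportedVersion = [version]'10.0'
$SensorServiceName   = 'AATPSensor'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # OperatingSystemVersion looks like '10.0 (17763)'; keep only the major.minor part.
    $osVersion = [version](($dc.OperatingSystemVersion -split '\s')[0])
    $hostable  = $osVersion -ge $MinSupportedVersion
    $sensor    = 'n/a (OS cannot host sensor)'

    if ($hostable) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                                   -Filter "Name='$SensorServiceName'" -ErrorAction Stop
            $sensor = if ($svc) { $svc.State } else { 'not installed' }
        } catch {
            # Query failure is itself a finding: you cannot confirm coverage remotely.
            $sensor = "query failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DC            = $dc.HostName
        OS            = $dc.OperatingSystem
        OSVersion     = $osVersion
        SensorHostable = $hostable
        SensorService = $sensor
    }
}

$report | Sort-Object SensorHostable, DC | Format-Table -AutoSize

# Anything not backed by a running sensor is a detection gap (the blind spot Alikoc describes).
$gaps = @($report | Where-Object { -not $_.SensorHostable -or $_.SensorService -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers are not covered by a running MDI sensor." -f $gaps.Count, @($report).Count)
    $gaps | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.DC, $_.SensorService) }
}
```

Run it from a management host as an account that can read AD and query CIM on the DCs. DCs reported as unable to host the sensor are the ones that would need port mirroring to a sensor-equipped DC (or an upgrade) before their authentication traffic is visible to MDI; a DC that can host the sensor but shows "not installed" or a stopped service is a gap you can close directly.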