Forum Discussion
Kailashj
Oct 21, 2024 (Copper Contributor)
MDI sensor best recommendations
Here’s a corrected version of your text: I am in the middle of setting up MDI in my environment. I have one Server 2019 and five additional domain controllers running unsupported versions like 20...
Alikoc
Nov 02, 2024 (MCT)
Hi,
Since you have installed the MDI sensor on the Server 2019 DC, you’ll gain protection and detection capabilities on that particular domain controller. However, for full protection, it's ideal to have sensors on all DCs in your environment.
MDI will only monitor activities and generate alerts based on the data from the 2019 DC where the sensor is installed. Activities occurring on the unsupported 2012 R2 DCs will not be captured by MDI, potentially creating blind spots in your detection capabilities.
Although MDI doesn’t support direct sensor installation on Windows Server 2012 R2, you can use a strategy called Port Mirroring to capture traffic from unsupported DCs. Set up port mirroring to send traffic from the unsupported DCs to the 2019 DC where MDI is installed. This can allow MDI to analyze authentication and other relevant traffic, providing better coverage.
Microsoft allows using the local system account as the action account for MDI, but I thought gMSA is recommended for enhanced security and ease of management.
Lastly, I agree with micheleariis. Manual response is necessary, but integration with SIEM solutions can help automate responses.
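As an added example (not code from the reply above or from Microsoft's MDI documentation), here is a PowerShell walkthrough of the two points the reply raises: finding which DCs can and cannot host a sensor, and creating a gMSA for the sensor to use instead of a regular account. The gMSA name `mdiSvc01`, the group name `MDI-Sensor-Hosts` and the supported-OS pattern are assumptions for the example.

```powershell
# Added example, not the post's own code. Assumed names: gMSA "mdiSvc01",
# group "MDI-Sensor-Hosts". Run from an elevated PowerShell session on a
# domain-joined admin host that has the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumption: sensor-capable DC OS versions; adjust to the current MDI
# sensor prerequisites. Anything else (e.g. 2012 R2) is a blind spot that
# only port mirroring to a sensor-equipped DC can cover.
$supportedOs = '2016|2019|2022'

# 1. Inventory domain controllers and flag the ones that cannot host a sensor.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, OperatingSystem,
        @{ n = 'SensorSupported'; e = { $_.OperatingSystem -match $supportedOs } } |
    Sort-Object SensorSupported, HostName | Format-Table -AutoSize

# 2. A gMSA needs a KDS root key in the forest; create one if none exists.
#    -EffectiveImmediately still waits ~10 hours for replication before the
#    key is usable in a multi-DC forest.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 3. Only hosts that run a sensor may retrieve the managed password. Grant
#    that through a group so adding a DC later is a membership change, not
#    a change to the account itself.
$hostGroup = 'MDI-Sensor-Hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
$dcs | Where-Object { $_.OperatingSystem -match $supportedOs } |
    ForEach-Object { Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer $_.Name) }

# 4. Create the gMSA. Its password is machine-generated and rotated
#    automatically, which is the security gain over a normal service
#    account. MDI only needs read access to the directory, so the account
#    is deliberately left out of every privileged group.
$domain = (Get-ADDomain).DNSRoot
New-ADServiceAccount -Name 'mdiSvc01' `
    -DNSHostName "mdiSvc01.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -KerberosEncryptionType AES256

# 5. On each sensor host, check that the host can retrieve the account before
#    installing the sensor. A False result usually means the host has not yet
#    obtained a Kerberos ticket reflecting its new group membership (reboot or
#    klist purge) or the KDS key has not replicated yet.
# Test-ADServiceAccount -Identity 'mdiSvc01'
```

Step 5 is run on the sensor host itself rather than the admin host, which is why it is commented out here.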