Hi IT Pros,
Recently, I searched the internet and could not find the document for Microsoft Defender for Identity (Azure ATP) Setup and Troubleshooting. So, I prepared this document for our convenient reference and deployment in the future.
Please check it out and give your feedback.
If you need to trace all kinds of Identity attacks using the MD for Identity tool, please view this blog article, "Microsoft Defender for Identity Daily Operation".
____
Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Identity includes the following features:
The setup procedure for Microsoft Defender for Identity, includes the following steps:
In a Windows Server 2012 or later domain, service administrators do not need to manage password synchronization between service instances when using group Managed Service Accounts (gMSA).
You provision the gMSA in AD and then configure the service that supports Managed Service Accounts.
You can provision a gMSA using the *-ADServiceAccount cmdlets, which are part of the Active Directory module. Service identity configuration on the host is supported by:
gMSA prerequisite:
Add-KdsRootKey -EffectiveImmediately
Allow time for the key to replicate to all other DCs.
On a Windows Server 2012 or later domain controller, run the following in AD PowerShell:
New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.donlearning.com -PrincipalsAllowedToRetrieveManagedPassword DC01$ -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.donlearning.com/donlearning.com, http/ITFarm1.donlearning.com/donlearning, http/ITFarm1/donlearning.com, http/ITFarm1/donlearning
Parameter | Value / description
Name | ITFarm1
DNSHostName | DC01.donlearning.com
KerberosEncryptionType | None, RC4, AES128, AES256
ManagedPasswordIntervalInDays | Password change interval in days (default is 30 days if not provided)
PrincipalsAllowedToRetrieveManagedPassword | The computer accounts of the member hosts, or the security group that the member hosts are a member of
SamAccountName | NetBIOS name for the service, if not the same as Name
ServicePrincipalNames | Service Principal Names (SPNs) for the service: http/ITFarm1.donlearning.com/donlearning.com, http/ITFarm1.donlearning.com/donlearning, http/ITFarm1/donlearning.com, http/ITFarm1/donlearning, MSSQLSvc/ITFarm1.donlearning.com:1433, MSSQLSvc/ITFarm1.donlearning.com:INST01
Note: The password change interval can only be set during creation and cannot be changed later.
New-ADServiceAccount ITFarm1 -RestrictToOutboundAuthenticationOnly -PrincipalsAllowedToRetrieveManagedPassword DC01$
Or, a better option:
Create an AD security group “SensorDCs” whose members are the sensor DCs, and set the gMSA to allow that group to retrieve the password:
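The group-based option above, written out end to end in PowerShell. This is an added example, not the author's script; the group name SensorDCs, the hosts DC01 and DC02 and the account name ITFarm1 are assumed.

```powershell
# Added example (not from the original post): provision a gMSA for the sensor
# whose password can be retrieved only by members of a group of sensor DCs.
# Assumed names: group SensorDCs, sensor hosts DC01 and DC02, account ITFarm1.
Import-Module ActiveDirectory

# 1. A KDS root key must exist before any gMSA can be created. Even with
#    -EffectiveImmediately the key still has to replicate to the other DCs.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# 2. Security group holding the computer accounts of the sensor DCs. Granting
#    the group instead of naming each DC means new sensors need no gMSA change.
$group = 'SensorDCs'
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'Domain controllers running the Defender for Identity sensor'
}
$sensorHosts = 'DC01', 'DC02' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $group -Members $sensorHosts

# 3. The sensor only authenticates outbound with this account, so no SPNs or
#    DNS host name are needed. AES only: add RC4 only if legacy systems demand
#    it. The password interval can be set here and never changed afterwards.
New-ADServiceAccount -Name 'ITFarm1' `
    -RestrictToOutboundAuthenticationOnly `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256 `
    -ManagedPasswordIntervalInDays 30

# 4. Confirm that only the group may retrieve the managed password.
Get-ADServiceAccount -Identity 'ITFarm1' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# 5. Run on each sensor DC after a reboot (so its new group membership is in
#    its logon token): True means the DC can retrieve the gMSA password.
Test-ADServiceAccount -Identity 'ITFarm1'
```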
Packets per second | CPU (cores)* | Memory** (GB)
0-1k | 0.25 | 2.50
1k-5k | 0.75 | 6.00
5k-10k | 1.00 | 6.50
10k-20k | 2.00 | 9.00
20k-50k | 3.50 | 9.50
50k-75k | 3.50 | 9.50
75k-100k | 3.50 | 9.50
* This includes physical cores, not hyper-threaded cores.
** Random-access memory (RAM)
Sign in to https://portal.atp.azure.com with the Azure account used as the Microsoft Defender for Identity (AATP) administrator.
A new AATP instance will be created:
Your Azure ATP instance is automatically named with the Azure AD initial domain name and created in the data center located closest to your Azure AD.
Click Configuration, Manage role groups, and use the Azure AD Admin Center link to manage your role groups.
The first time you open the Azure ATP portal, the following screen appears:
Download and copy the access key. The access key is required for the Azure ATP sensor to connect to your Azure ATP instance (a one-time password for sensor deployment).
Under Configure the sensor, enter the installation path and the access key that you copied in the previous step, as appropriate for your environment:
The Azure ATP sensor service and the Azure ATP sensor updater service are now available in Windows Services, as shown:
To finish, reboot the sensor DC.
If the domain controller is the first deployed sensor, you will need to wait at least 15 minutes to allow the database backend to finish initial deployment of the necessary microservices.
If you experience any error during the installation process, refer to the Troubleshooting section (section IV).
Sign in to portal.atp.azure.com and check that the sensor is working:
Honeytoken accounts are used as traps for malicious actors: any authentication involving these (normally dormant) accounts triggers an alert.
Honeytokens can exist in many forms, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity. A particular example of a honeytoken is a fake email address used to track whether a mailing list has been stolen.
Sensitive accounts: enter the high-privilege accounts for which you want to monitor lateral movement and modifications.
Sensitive groups: enter the high-privilege administrative groups for which you want to monitor lateral movement and modifications.
Azure Advanced Threat Protection (Azure ATP) detection relies on specific Windows Event log entries to enhance some detections and provide additional information on who performed specific actions such as NTLM logons, security group modifications and others.
You can use the Default Domain Controllers Policy or a dedicated GPO to set the following audit policies:
GPO SETTINGS
Audit policy | Subcategory | Triggers event IDs
Account Logon | Audit Credential Validation | 4776
Account Management | Audit Computer Account Management | 4743
Account Management | Audit Distribution Group Management | 4753, 4763
Account Management | Audit Security Group Management | 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
Account Management | Audit User Account Management | 4726
System | Audit Security System Extension | 7045

NTLM auditing policy | Setting
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Audit all
Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable all
Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts
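A check script for the settings above, run on a domain controller. This is an added example, not part of the original post; it uses the standard auditpol subcategory names and the registry values that back the three Restrict NTLM policies.

```powershell
# Added example (not from the original post): verify on a DC that the audit
# settings in the table above are in effect and actually producing events.
# Run in an elevated PowerShell session on the domain controller.
$subcategories = [ordered]@{
    'Credential Validation'         = 4776
    'Computer Account Management'   = 4743
    'Distribution Group Management' = 4753, 4763
    'Security Group Management'     = 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
    'User Account Management'       = 4726
    'Security System Extension'     = 7045
}

# auditpol /r prints a CSV row whose "Inclusion Setting" column holds the
# effective policy ("Success", "Success and Failure" or "No Auditing").
foreach ($name in $subcategories.Keys) {
    $row     = auditpol /get /subcategory:"$name" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $state   = if ($setting -match 'Success') { 'OK' } else { 'MISSING' }
    '{0,-32} {1,-20} {2}' -f $name, $setting, $state
}

# The three "Restrict NTLM" GPO settings are backed by these registry values
# (1 = Audit all, 2 = Enable auditing for all accounts, 7 = Enable all).
$ntlmChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'RestrictSendingNTLMTraffic'; Want = 1
       Label = 'Outgoing NTLM traffic to remote servers' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name = 'AuditReceivingNTLMTraffic'; Want = 2
       Label = 'Audit Incoming NTLM Traffic' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'AuditNTLMInDomain'; Want = 7
       Label = 'Audit NTLM authentication in this domain' }
)
foreach ($c in $ntlmChecks) {
    $val   = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($val -eq $c.Want) { 'OK' } else { "MISSING (current value: $val)" }
    '{0,-48} {1}' -f $c.Label, $state
}

# Finally confirm events are being written. 7045 lands in the System log and
# the account/group events in Security, so query both logs at once.
$ids = @($subcategories.Values | ForEach-Object { $_ })
Get-WinEvent -FilterHashtable @{ LogName = 'Security', 'System'; Id = $ids; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object { [int]$_.Name } | Select-Object Name, Count
```

An event ID with no row in the last output means the policy is set but nothing has triggered it yet, which is expected for rarely occurring IDs such as 7045.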
To configure the Azure ATP service for SAM-R access
To allow the Defender for Identity service to perform SAM-R enumeration correctly and build lateral movement paths, you need to edit the SAM policy.
You can simulate attacks by following the playbook at the following link:
https://docs.microsoft.com/en-us/defender-for-identity/playbook-lab-overview
View the alerts MDI raised in the MDI/MCAS portal at https://portal.cloudappsecurity.com
AATP log locations:
The Azure ATP deployment logs are located in the temp directory of the user who installed the product: C:\Users\Administrator\AppData\Local\Temp (or one directory above %temp%).
C:\Program Files\Azure Advanced Threat Protection Sensor\version number\Logs.
Solution: A reboot is needed to start the sensor service.
System.Net.Http.HttpRequestException: An error occurred while sending the request. --->
or System.Net.WebException: Unable to connect to the remote server --->
or System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond...
Solution: Make sure that communication to localhost on TCP port 444 is not blocked.
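A first-pass health check that ties together the services, the localhost port and the log locations described in this section. This is an added example, not part of the original post; it assumes the two sensor services can be matched by their display names and that the install directory is the default one quoted above.

```powershell
# Added example (not from the original post): first-pass health check for a
# sensor DC that ties together the services, port and log locations above.
# Assumption: the two sensor services are matched by their display names.

# 1. Both sensor services should exist and be Running.
Get-Service -DisplayName '*Advanced Threat Protection Sensor*' |
    Select-Object DisplayName, Status, StartType

# 2. The sensor's own components talk over TCP 444 on localhost; if this is
#    blocked you get the HttpRequestException / SocketException errors above.
$tcp = Test-NetConnection -ComputerName localhost -Port 444 -WarningAction SilentlyContinue
'TCP 444 on localhost: ' + $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED or not listening' })

# 3. Scan the newest sensor log files (versioned folder under the install dir)
#    for the error signatures listed in this section.
$installDir = 'C:\Program Files\Azure Advanced Threat Protection Sensor'
$logDir = Get-ChildItem $installDir -Directory -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    ForEach-Object { Join-Path $_.FullName 'Logs' }
$patterns = 'HttpRequestException', 'Unable to connect to the remote server',
            'SocketException', 'Key does not exist'
if ($logDir -and (Test-Path $logDir)) {
    Get-ChildItem $logDir -Filter '*.log' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 5 |
        Select-String -Pattern $patterns |
        Select-Object Filename, LineNumber, @{ n = 'Match'; e = { $_.Matches[0].Value } } |
        Format-Table -AutoSize
} else {
    "Sensor log folder not found under $installDir (sensor not installed?)"
}

# 4. Deployment logs: the installing user's %temp% and the folder above it.
Get-ChildItem -Path $env:TEMP, (Split-Path $env:TEMP) -Filter '*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 5 -Property FullName, LastWriteTime

# 5. Processor group check (Server 2008 R2 / 2012 sensors do not support Multi
#    Processor Group mode). More than 64 logical processors always means
#    multiple groups; fewer can too, depending on the NUMA BIOS setting.
$lp = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
"Logical processors: $lp" + $(if ($lp -gt 64) { '  (>64: multiple processor groups)' } else { '' })
```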
NIC teaming with the AATP sensor requires the Npcap driver in WinPcap-compatible mode.
Solution:
- Uninstall the sensor.
- Install the Npcap version 0.9984 installer from https://nmap.org/npcap/
- In the GUI installer, deselect loopback support and select WinPcap mode.
- Reinstall the sensor package.
On Windows Server 2008 R2 and 2012, the Azure ATP sensor is not supported in Multi Processor Group mode.
Suggested possible workarounds:
If hyper-threading is on, turn it off. This may reduce the number of logical cores enough to avoid running in Multi Processor Group mode.
If your machine has fewer than 64 logical cores and is running on an HP host, you may be able to change the NUMA Group Size Optimization BIOS setting from the default of Clustered to Flat.
Solution: If you get the error “Key does not exist”, you need to create the KDS root key (see the gMSA prerequisite above).
Reference:
Azure ATP setup
Server Core setup:
Azure ATP Configuration
Troubleshooting
Thanks for reading this blog. Our next discussion topic is the “Microsoft Defender for Identity - AATP Operation” blog article, which you can access from here.
Happy AATP Monitoring!
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.