New identity security posture assessment: Unsecure domain configurations

Published Jun 23 2022 09:00 AM 5,885 Views
Microsoft

“The tyranny of the default” has been a phrase that has worried many a security professional over the years; the constant struggle to make sure their systems are configured for optimal security, which often requires them to examine each feature individually.

 

To help security teams keep on top of monitoring where these configurations are, we are happy to report that we are adding a new identity-based security assessment called “Unsecure domain configurations” to the growing list of Microsoft Defender for Identity posture assessments.

 

Why are we adding this assessment?

Configuring Active directory optimal security has always been top of mind for the Microsoft Defender for Identity team and its research them, recent attacks, such as KrbRelayUp, had repeatedly shown us how certain, often default, settings can be used against their intended purpose and result in an identity compromise.

 

What configurations are we evaluating first?

We will be evaluating two distinct configurations as part of this assessment

  • Set ms-DS-MachineAccountQuota to "0" - Limiting the ability of non-privileged users to register devices in domain.
    • You can learn more about this particular property and how it affects device registration here
    • This evaluation will be available from launch, today.
  • Enforce LDAP Signing policy to "Require signing" - Unsigned network traffic is susceptible to man-in-the-middle attacks
    • This evaluation will be available in the next two weeks

This new assessment is part of our existing effort to secure your identity infrastructure alongside existing assessments such as the recommendation to disable the print spooler service on domain controllers

 

How do I use this security assessment?

  1. This new security assessment will be part of Microsoft Defender for identity list of improvement actions under Secure Score, you can click on the assessment and evaluate the list of affected domains and their configurations.

If you have the appropriate permissions to view the identity posture assessments, you can directly access this assessment on your tenant using this link.

 

ISPM1.jpg

 

 

  1. Take appropriate action on the affected domain, you can learn more here

 

We are working on adding more configurations to this Defender for Identity security posture assessments to help customers proactively secure their environments from exploitation, stay tuned!

For more information about Identity Security Posture assessments and Microsoft secure score, see

 

Or Tsemah, Senior Product Manager, Microsoft Defender for Identity.

Co-Authors
Version history
Last update:
‎Jun 22 2022 02:10 PM
Updated by: