identity protection
35 Topics

Azure ATP Sensor Setup - service not starting - missing dependency
When installing Azure ATP Sensor Setup it just stalls midway and then rolls back the installation. I've looked into the logs and can see it's unable to start up the service AATPSensorUpdater. I did a dependency check and the WMI Performance Adapter (wmiApSrv) service is missing, which is a dependency. We've got 3 domain controllers, the setup only completed on one (it also got the WMI Performance Adapter (wmiApSrv) service). My question is now, how do I get the WMI Performance Adapter (wmiApSrv) service on the other 2 domain controllers so I can complete the installation? We are running virtual servers with VMware (WS2019).

Remediating - Stop Weak Cipher Usage
Description: Weak ciphers need to be disabled because they are susceptible to cracking and reduce the overall security posture of the organization. With this security assessment, Microsoft Defender for Identity detects network activities that are using weak ciphers as a misconfiguration or as a deliberate security downgrade. Under Exposed Identities it shows Protocol Kerberos and Cipher Rc4HMac.

Attempted resolution: In AD - set "This account supports Kerberos AES 256 bit encryption" (and turned on 128 bit). It has been several days and the vulnerability is not clearing for any accounts. I also applied a GPO to all workstations:

Policy: Network security: Configure encryption types allowed for Kerberos - Setting: Enabled
DES_CBC_CRC - Disabled
DES_CBC_MD5 - Disabled
RC4_HMAC_MD5 - Disabled
AES128_HMAC_SHA1 - Enabled
AES256_HMAC_SHA1 - Enabled
Future encryption types - Enabled

Any other suggestions?

How does MDI monitor DNS Requests?
Hello, the https://learn.microsoft.com/en-us/defender-for-identity/monitored-activities#monitored-user-activities-domain-controller-based-user-operations documentation states that MDI monitors all DNS requests that are performed against the domain controller. I wonder how this is done. Via event logs or DNS log file or ... ? Is there perhaps a blog article on how MDI works under the hood? Cheers, Martin

Password recommendations
Hello DFI community! I'm reviewing some Identity-related recommendations about accounts and passwords. Let's focus on the following:

1. Remove the attribute 'password never expires' from accounts in your domain
2. Manage accounts with passwords more than 180 days old
3. Do not expire passwords

Achieving these 3 recommendations at the same time in a hybrid environment for all types of accounts (user account, service account) seems a bit challenging and counterintuitive. If we disable password rotation policies in AD DS and set passwords to not expire in the 365 org's settings, user accounts will show up in recommendations #1 and #2 after a while... If we don't, then the #3 recommendation pops up. How can we combine features such as Azure Identity Protection/Conditional Access, Password Protection, Managed Identities, s/gMSA accounts to make all this work? I'm a bit confused... What am I missing? Any help would be much appreciated.

Azure Advanced Threat Protection Sensor service terminated
Since applying June patches and Azure automatically updating the Azure Advanced Threat Protection Sensor, the service continues to bomb. Anyone else seeing this behavior?

The Azure Advanced Threat Protection Sensor service terminated unexpectedly. It has done this 31 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.

App event:

Application: Microsoft.Tri.Sensor.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Net.Sockets.SocketException
at System.Net.Sockets.Socket.EndReceive(System.IAsyncResult)
at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
Exception Info: System.IO.IOException
at System.Net.Sockets.NetworkStream.EndRead(System.IAsyncResult)
at Microsoft.Tri.Infrastructure.TaskExtension.UnsafeAsyncCallback[[System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](System.IAsyncResult, System.Func`2<System.IAsyncResult,Int32>, Microsoft.Tri.Infrastructure.TaskCompletionSourceWithCancellation`1<Int32>)
at System.Net.LazyAsyncResult.Complete(IntPtr)
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Net.ContextAwareResult.Complete(IntPtr)
at System.Net.LazyAsyncResult.ProtectedInvokeCallback(System.Object, IntPtr)
at System.Net.Sockets.BaseOverlappedAsyncResult.CompletionPortCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but my understanding was DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.

ATP Sensor service is continuously trying to start but stops itself
Hello Techies, I've installed ATP Sensor across multiple DCs and it was completed successfully. However, the service is continuously trying to start and stop itself on every machine it's been installed on, with the following error message appearing in the Microsoft.Tri.Sensor-Errors log:

Error ExceptionHandler Microsoft.Tri.Infrastructure.ExtendedException: RestrictCpuAsync failed, exiting ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at Stream System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, out TransportContext context)
at void System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at async Task<HttpResponseMessage> System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task<HttpResponseMessage> sendTask, HttpRequestMessage request, CancellationTokenSource cts, bool disposeCts)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task<TResponse> Microsoft.Tri.Common.CommunicationWebClient.SendWithRetryAsync<TResponse>(byte[] requestBytes, int offset, int count)
at async Task Microsoft.Tri.Common.CommunicationWebClient.SendAsync(IVoidRequest request)
at async Task Microsoft.Tri.Sensor.Common.ServiceProxy<TWebClientConfiguration>.SendAsync(IVoidRequest request)
at async Task Microsoft.Tri.Sensor.SensorResourceManager.RestrictCpuAsync()
--- End of inner exception stack trace ---

Has anyone come across this issue? Really appreciate any pointers here. Thank you!

Best practice for Microsoft Defender for Identity
Dear Team, I have installed Azure ATP Sensor for MDI in the domain controller (AD) already, but I don't know the best practice on how to configure it in MDI. Could you help to share best practices to configure MDI? Best Regards, Ravoth

ATP sensor fails to start since yesterday
Hi there, we run the ATP sensor with a gMSA account on all domain controllers. Yesterday we restarted all machines because of January patch day and now the ATP sensor will get stuck while starting. Funny: there are more than 40 DCs. The service is still starting on exactly one (!) DC. It can be restarted on this DC without any issues. All others show this error. Rebooting the machines will not help.

2024-01-24 16:24:50.9788 Info RemoteImpersonationManager CreateImpersonatorInternalAsync started [UserName=mdiuser$ Domain=domain.local IsGroupManagedServiceAccount=True]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager GetGroupManagedServiceAccountTokenAsync finished [UserName=mdiuser$ Domain=domain.local IsSuccess=False]
2024-01-24 16:24:51.4632 Info RemoteImpersonationManager CreateImpersonatorInternalAsync finished [UserName=mdiuser$ Domain=domain.local]
2024-01-24 16:24:51.4632 Warn DirectoryServicesClient CreateLdapConnectionAsync failed to retrieve group managed service account password. [DomainControllerDnsName=dc03.domain.local Domain=domain.local UserName=mdiuser$ ]

We have not changed anything regarding sensors or the gMSA account for months, so this configuration was running without issues until yesterday. Running Test-ADServiceAccount -Identity "mdiuser" on the affected machines gives "True", so the machine can successfully retrieve the gMSA password. I have checked that the mdiuser account is part of the GPO that allows logon as a service on all machines. Now I am running out of ideas. The system tells me it can access the gMSA password, the agent tells me it can't. What's wrong? Best regards, Ingo

ATP Sensor failed upgrade to 2.198.16173.18440 on Win2012
Hi all, I have a customer running multiple AD Domain Controllers on Windows Server 2012, 2016 and 2019. ATP sensor version 2.197.16100.44617 was working fine, but a few days ago it started an automatic upgrade to 2.198.16173.18440, and the new sensor service "Azure Advanced Threat Protection Sensor" cannot start. The Application event log also shows a variety of error messages from source 'Perflib'. This is new, as the 2012 domain controllers were working fine and had no errors in the Application log prior to the ATP Sensor upgrade. Has anybody experienced the same issue? PS1: the new ATP sensor version on Windows 2016 and 2019 domain controllers works fine. PS2: Windows 2012 servers are running January and February patches. -Ruslan