Microsoft

Microsoft Defender for Identity Recommended Actions: Remove dormant accounts from sensitive groups

by thalpius

Microsoft Secure Score helps organizations get insights into security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with fourteen recommended actions. In a series of blog posts, I will go through all fourteen recommended actions of what it means, a plan of approach, their impact, and my security recommendations, hopefully helping others. The third one in the series is the “Remove dormant accounts from sensitive groups” recommended action.

Introduction

If you filter the Secure Score recommended actions for Microsoft Defender for Identity, you have the following fourteen recommendations.

  • Resolve unsecure domain configurations
  • Resolve unsecure account attributes
  • Remove dormant accounts from sensitive groups
  • Protect and manage local admin passwords with Microsoft LAPS
  • Configure VPN integration
  • Reduce lateral movement path risk to sensitive entities
  • Stop clear text credentials exposure
  • Disable Print spooler service on domain controllers
  • Stop legacy protocols communication
  • Stop weak cipher usage
  • Remove unsecure SID history attributes from entities
  • Modify unsecure Kerberos delegations to prevent impersonation
  • Install Defender for Identity Sensor on all Domain Controllers
  • Set a honeytoken account

Some recommended actions are easy to configure, but others take time, proper planning, auditing, and expertise. This short blog post will review the “Remove dormant accounts from sensitive groups” recommended action.

Update: Microsoft updated the recommended actions with an additional six recommendations, which makes it a total of twenty. I will describe the six updated ones after this series.

Remove dormant accounts from sensitive groups

The description of this recommended action is quite clear.

An easy and quiet path deep into your organization is through inactive accounts that are a part of sensitive groups. Removing dormant account access rights or deleting the account will help protect your organization’s sensitive data and prevent further compromise. Accounts become dormant if they are not used for a period of 180 days.

I am unsure if I agree with “an easy and quiet path,” but I agree that you must delete dormant accounts or remove them from sensitive groups. An account gets dormant if no authentication takes place for 180 days. Microsoft provides most of the information you need to see which accounts are dormant at the “exposed entities” tab.

Image 1: Exposed entities tab within Microsoft Defender for Identity

Sensitive Groups

So, how does Microsoft Defender for Identity identify a sensitive group? Luckily, Microsoft documented this in their docs. Any entity of one of these groups, including nested groups and their members, is automatically considered sensitive.

  • Administrators
  • Power Users
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Replicators
  • Network Configuration Operators
  • Incoming Forest Trust Builders
  • Domain Admins
  • Domain Controllers
  • Group Policy Creator Owners
  • Read-only Domain Controllers
  • Enterprise Read-only Domain Controllers
  • Schema Admins
  • Enterprise Admins
  • Microsoft Exchange Servers

You can manually add the sensitive tag to a group, so any group marked as sensitive manually is also considered a sensitive group.

Image 2: Sensitive entities set manually

I recommend deleting dormant accounts as there is no active login for at least 180 days.

Note: The documentation states, “This assessment is updated in near real-time,” but that is not what I experienced. It takes time before an account is not marked as sensitive anymore.

Inactive Accounts

Although Microsoft Defender for Identity helps identify a dormant account part of a sensitive group, do not forget about all inactive accounts within Active Directory. You can use this PowerShell command to identify accounts with no active login for 180 days.

$checkDate = ((Get-Date).AddDays(-180)).Date
Get-ADUser -Filter {LastLogonDate -lt $checkDate} -Properties * | select-object samaccountname,LastLogonDate

Conclusion

Microsoft Defender for Identity helps identify inactive accounts in a sensitive group. However, do not forget about all dormant accounts, especially with accounts synchronized to the cloud using Azure AD Connect or Cloud Sync, which introduces another attack vector in the cloud.