Microsoft Defender for Identity Recommended Actions: Install Defender for Identity Sensor on all Domain Controllers

Microsoft Secure Score helps organizations get insights into their security posture based on security-related measurements. Microsoft Defender for Identity leverages Secure Score with twenty-seven recommended actions. In a series of blog posts, I will go through all twenty-seven recommended actions and explain what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The twelfth one in the series is the “Install Defender for Identity Sensor on all Domain Controllers” recommended action.

Introduction

You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.

Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Install Defender for Identity Sensor on all Domain Controllers.”

Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.

Microsoft Defender for Identity Sensor

This recommended action will probably be the shortest of them all. Microsoft recommends installing the Microsoft Defender for Identity sensor on all Domain Controllers. The reason lies in how the sensor detects malicious activity: it uses events saved in the Windows event log and it captures network packets with Npcap. The events are not the issue, because they can be forwarded; the packet capture is. Forwarding all network packets from all Domain Controllers is not doable. For the same reason, Microsoft does not recommend using the stand-alone version of Microsoft Defender for Identity.

Image 1: Events can be forwarded, but network packets cannot.

Although I mentioned the Domain Controllers, this recommendation is not limited to them; it applies to the other servers the sensor supports as well, including the AD FS servers, AD CS servers, and AD Connect servers.
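To see where this recommended action is still open, the check I use is to enumerate the Domain Controllers from Active Directory and ask each one whether the sensor services are present and running. The script below is an added example written for this post, not code from Microsoft or from the Defender for Identity product. It assumes that the sensor registers the Windows services AATPSensor and AATPSensorUpdater and that Npcap registers a driver service named npcap; the -ExtraServers parameter is my own addition for the AD FS, AD CS, and AD Connect hosts, which cannot be discovered from AD in a generic way.

```powershell
# Added example (not from the blog post or from Microsoft): report which Domain
# Controllers and other identity servers are missing the Defender for Identity sensor.
# Assumptions (labelled): the sensor installs services 'AATPSensor' and
# 'AATPSensorUpdater'; Npcap registers a driver service named 'npcap'.
# Requires the ActiveDirectory RSAT module and WinRM access to the targets.
[CmdletBinding()]
param(
    # Hypothetical parameter: servers not discoverable from AD (AD FS, AD CS, AD Connect)
    [string[]] $ExtraServers = @()
)

Import-Module ActiveDirectory -ErrorAction Stop

# All DCs in the current domain; loop over (Get-ADForest).Domains for a whole forest
$targets = @((Get-ADDomainController -Filter *).HostName) + @($ExtraServers) |
    Sort-Object -Unique

$results = foreach ($server in $targets) {
    try {
        $state = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $sensor  = Get-Service -Name 'AATPSensor'        -ErrorAction SilentlyContinue
            $updater = Get-Service -Name 'AATPSensorUpdater' -ErrorAction SilentlyContinue
            $npcap   = Get-Service -Name 'npcap'             -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SensorInstalled = [bool]$sensor
                SensorStatus    = if ($sensor)  { $sensor.Status.ToString() }  else { 'NotInstalled' }
                UpdaterStatus   = if ($updater) { $updater.Status.ToString() } else { 'NotInstalled' }
                NpcapPresent    = [bool]$npcap
            }
        }
        [pscustomobject]@{
            Server          = $server
            Reachable       = $true
            SensorInstalled = $state.SensorInstalled
            SensorStatus    = $state.SensorStatus
            UpdaterStatus   = $state.UpdaterStatus
            NpcapPresent    = $state.NpcapPresent
        }
    }
    catch {
        # Unreachable hosts are reported too: an unreachable DC is still uncovered
        [pscustomobject]@{
            Server          = $server
            Reachable       = $false
            SensorInstalled = $false
            SensorStatus    = 'Unknown'
            UpdaterStatus   = 'Unknown'
            NpcapPresent    = $false
        }
    }
}

$results | Format-Table -AutoSize

# The action list: servers where the sensor is missing, stopped, or could not be checked
$missing = $results | Where-Object {
    -not $_.Reachable -or -not $_.SensorInstalled -or $_.SensorStatus -ne 'Running'
}
if ($missing) {
    Write-Warning ("{0} of {1} servers still need the Defender for Identity sensor" -f `
        @($missing).Count, @($results).Count)
    $missing | Format-Table -AutoSize
}
```

Run it from a management host with the RSAT AD module, for example `.\Check-MdiSensor.ps1 -ExtraServers adfs01.contoso.local, adcs01.contoso.local` (constructed names). A server that shows the sensor installed but stopped, or with Npcap missing, deserves the same attention as one without the sensor, because the packet capture is what the detections depend on.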

Conclusion

Even for a Proof-of-Concept of Microsoft Defender for Identity, I always recommend installing the Microsoft Defender for Identity sensor on all servers. The sensor is a lightweight agent that does not use many resources and can easily be uninstalled.