Microsoft Secure Score gives organizations insight into their security posture based on security-related measurements. Microsoft Defender for Identity contributes twenty-seven recommended actions to Secure Score. In a series of blog posts, I will go through all twenty-seven recommended actions: what they mean, a plan of approach, their impact, and my security recommendations, hopefully helping others. The fourteenth one in the series is the “Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers” recommended action.
Introduction
You have twenty-seven recommendations if you filter the Secure Score recommended actions for Microsoft Defender for Identity.
- Resolve unsecure domain configurations
- Resolve unsecure account attributes
- Remove dormant accounts from sensitive groups
- Protect and manage local admin passwords with Microsoft LAPS
- Configure VPN integration
- Reduce lateral movement path risk to sensitive entities
- Stop clear text credentials exposure
- Disable Print spooler service on domain controllers
- Stop weak cipher usage
- Remove unsecure SID history attributes from entities
- Modify unsecure Kerberos delegations to prevent impersonation
- Install Defender for Identity Sensor on all Domain Controllers
- Set a honeytoken account
- Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers
- Accounts with non-default Primary Group ID
- Change Domain Controller computer account old password
- Reversible passwords found in GPOs
- Unsafe permissions on the DnsAdmins group
- GPO assigns unprivileged identities to local groups with elevated privileges
- Remove access rights on suspicious accounts with the Admin SDHolder permission
- Remove local admins on identity assets
- Remove non-admin accounts with DCSync permissions
- GPO can be modified by unprivileged accounts
- Built-in Active Directory Guest account is enabled
- Change password for krbtgt account
- Change password of built-in domain Administrator account
- Ensure that all privileged accounts have the configuration flag
Some recommended actions are easy to configure, but others require time, proper planning, auditing, and expertise. This blog post will review the recommended action of “Start your Defender for Identity deployment, installing Sensors on DC’s and other eligible servers.”
Update: Microsoft keeps updating the recommended actions list. I will do my best to keep the list up-to-date.
Installing sensors on Domain Controllers and other eligible servers
In one of my previous blog posts, I explained why the Microsoft Defender for Identity sensor must be installed on all domain controllers: a sensor only sees the network traffic and Windows events of the Domain Controller it runs on, and authentication requests handled by an unmonitored Domain Controller never show up in the sensor on another one. A Domain Controller without a sensor is therefore a blind spot, and an attacker who targets or routes through that Domain Controller is far more likely to go unnoticed. For that reason, Microsoft recommends installing a sensor on every Domain Controller. At first glance, this recommended action looks identical to the one from my previous blog post, but there is a difference. This recommended action is raised for workspaces that have a license but no sensors at all, not for environments where only some Domain Controllers are missing one. “Other eligible servers” covers every server type that can host a sensor: Active Directory Domain Services (AD DS) domain controllers, Active Directory Federation Services (AD FS) servers, Active Directory Certificate Services (AD CS) servers, and Microsoft Entra Connect (formerly Azure AD Connect) servers.
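To find out where you stand before (or after) rolling out sensors, the script below inventories the eligible servers in the forest and reports which of them are not running a sensor. It is an added example, not code from the original post or from Microsoft. It assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module and WMI/WinRM access to the servers, and it relies on the sensor's Windows service name being AATPSensor (the updater runs as AATPSensorUpdater). Domain controllers and enterprise CAs are discovered from Active Directory; AD FS and Entra Connect servers are not reliably discoverable from AD, so they are passed in through the hypothetical -ExtraServers parameter.

```powershell
# Added example (not from the original post): inventory the servers that are eligible
# for a Defender for Identity sensor and report which of them are not running one.
# Assumptions: ActiveDirectory module (RSAT) is available, the account has WMI access to
# the target servers, and the sensor service is named AATPSensor. AD FS and Microsoft
# Entra Connect servers are supplied by the operator via -ExtraServers.
param(
    [string[]]$ExtraServers = @()   # e.g. 'adfs01.corp.contoso.com','aadc01.corp.contoso.com'
)

Import-Module ActiveDirectory

$forest  = Get-ADForest
$targets = [System.Collections.Generic.List[object]]::new()

# 1. Every domain controller in every domain of the forest (AD DS)
foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        $targets.Add([pscustomobject]@{ Role = 'AD DS'; Host = $_.HostName })
    }
}

# 2. Enterprise CAs (AD CS) are published as pKIEnrollmentService objects in the
#    Configuration partition, with the CA host in dNSHostName
$configNC = (Get-ADRootDSE).configurationNamingContext
$caPath   = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $caPath -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties dNSHostName |
    ForEach-Object { $targets.Add([pscustomobject]@{ Role = 'AD CS'; Host = $_.dNSHostName }) }

# 3. AD FS and Entra Connect servers supplied by the operator
foreach ($s in $ExtraServers) {
    $targets.Add([pscustomobject]@{ Role = 'AD FS / Entra Connect'; Host = $s })
}

# Collapse duplicates (a host can carry more than one role) and query the sensor service
$report = $targets | Group-Object Host | ForEach-Object {
    $hostName = $_.Name
    $roles    = ($_.Group.Role | Sort-Object -Unique) -join ', '
    $state    = 'NOT INSTALLED'
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $hostName `
                               -Filter "Name='AATPSensor'" -ErrorAction Stop
        if ($svc) { $state = $svc.State }   # Running / Stopped
    } catch {
        # Host unreachable or access denied: flag it rather than silently skipping it
        $state = "UNREACHABLE ($($_.Exception.Message))"
    }
    [pscustomobject]@{ Role = $roles; Host = $hostName; Sensor = $state }
}

$report | Sort-Object Role, Host | Format-Table -AutoSize

$gaps = @($report | Where-Object { $_.Sensor -ne 'Running' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) eligible server(s) without a running sensor:"
    $gaps | ForEach-Object { Write-Warning "  $($_.Role): $($_.Host) ($($_.Sensor))" }
}
```

Treat a Stopped sensor as seriously as a missing one: the service exists, but the server is still unmonitored. Unreachable hosts are listed explicitly so that a firewall or permission problem does not hide a gap in coverage.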
Conclusion
The description is confusing, as there is already a recommended action about installing sensors on all Domain Controllers. Still, as confirmed by Microsoft, this recommended action covers the case where no sensors are installed at all. Once again, it is crucial to install sensors on all eligible servers. Leaving a server without a sensor is a real security risk: as described in my previous blog post, there are ways for an attacker to detect whether a server is running a sensor, and an unmonitored server is exactly the one they will choose to attack.