Microsoft Defender for Identity Will Check for Insecure Domain Configurations

Microsoft Defender for Identity is getting the ability to detect insecure domain configurations, even when they are Microsoft's defaults.

Two assessments were described in Microsoft's Thursday announcement. Both are related to insecure default Active Directory configurations that are subject to Kerberos resource-based constrained delegation relay attacks, which Microsoft described last month.

Microsoft had described these vulnerabilities after the publication of the "KrbRelayUp" hacking tool created by security researcher Mor Davidovich, demonstrating a way to obtain system privileges. Computing environments using Active Directory, with or without Azure AD synchronization, are potentially vulnerable to such attacks, Microsoft had explained.

Microsoft Defender for Identity is getting the ability to detect two default configurations subject to the Kerberos resource-based constrained delegation relay attacks. One of them concerns "Set ms-DS-MachineAccountQuota," whose default value is "10." That default could allow attackers to create up to 10 accounts on an exploited network. Microsoft last month recommended setting it to "0," which will limit "the ability of non-privileged users to register devices in domain."

The other detection capability concerns the default Lightweight Directory Access Protocol (LDAP) channel binding configuration on Active Directory domain controllers. Microsoft recommended turning on the "Require signing" LDAP policy setting because "unsigned network traffic is susceptible to man-in-the-middle attacks."

The detection for Set ms-DS-MachineAccountQuota is now in effect for Microsoft Defender for Identity users. The LDAP configuration detection "will be available in the next two weeks," the announcement indicated.

The announcement concerned only the detections, which will show up in the Secure Score section of the Microsoft 365 Defender portal. It didn't describe how to make the changes, which apparently IT pros should carry out manually, even though they would be changing Microsoft's default configurations.
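As an added illustration of the manual check an administrator would run (this script is not from the article or from Microsoft), the following PowerShell audits the two defaults discussed above and optionally corrects them. It assumes the ActiveDirectory RSAT module and administrative rights on a domain controller; the `LDAPServerIntegrity` and `LdapEnforceChannelBinding` registry values are the documented LDAP signing and channel binding settings, and the `-Fix` switch is this example's own convention.

```powershell
# Added example: audit (and optionally remediate) the two defaults the article describes.
# Assumes the ActiveDirectory RSAT module and local admin rights on a domain controller.
# The registry values below are the documented LDAP signing / channel binding settings;
# the -Fix switch is this example's own convention, not a Defender for Identity feature.
param([switch]$Fix)

Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. ms-DS-MachineAccountQuota: default 10, recommended 0.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota (recommended: 0)"
    if ($Fix) {
        Set-ADDomain -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = '0'}
        Write-Host "Set ms-DS-MachineAccountQuota to 0"
    }
} else {
    Write-Host "ms-DS-MachineAccountQuota is 0: OK"
}

# 2. LDAP signing and channel binding on this domain controller.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params = Get-ItemProperty -Path $ntds

# LDAPServerIntegrity: 1 = None (default), 2 = Require signing
$signing = if ($null -ne $params.LDAPServerIntegrity) { $params.LDAPServerIntegrity } else { 1 }
if ($signing -ne 2) {
    Write-Warning "LDAPServerIntegrity is $signing (recommended: 2 = Require signing)"
    if ($Fix) {
        Set-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' -Value 2 -Type DWord
    }
} else {
    Write-Host "LDAP signing required: OK"
}

# LdapEnforceChannelBinding: 0 = Never (default), 1 = When supported, 2 = Always
$cbt = if ($null -ne $params.LdapEnforceChannelBinding) { $params.LdapEnforceChannelBinding } else { 0 }
if ($cbt -lt 1) {
    Write-Warning "LdapEnforceChannelBinding is $cbt (recommended: 1 or 2)"
    if ($Fix) {
        Set-ItemProperty -Path $ntds -Name 'LdapEnforceChannelBinding' -Value 1 -Type DWord
    }
} else {
    Write-Host "LDAP channel binding enforced ($cbt): OK"
}
```

In a domain where the "Domain controller: LDAP server signing requirements" group policy is configured, that policy overrides the registry value on the next policy refresh, so the setting should be made there instead of locally.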

However, the good news is that Microsoft will be adding security posture configuration detections more generally to its Microsoft Defender for Identity product.

"We are working on adding more configurations to this Defender for Identity security posture assessments to help customers proactively secure their environments from exploitation, stay tuned!" the announcement indicated.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

