Microsoft Defender for Identity is getting a new update that enables IT admins to identify insecure domain configurations in their environments. These security capabilities aim to protect businesses from Kerberos resource-based constrained delegation relay attacks.
Specifically, Microsoft Defender for Identity provides real-time monitoring to detect two default configurations that are vulnerable to security breaches. These insecure configurations could allow threat actors to gain system privileges by using the Kerberos relaying tool KrbRelayUp.
“Configuring Active Directory optimal security has always been top of mind for the Microsoft Defender for Identity team and its research team. Recent attacks, such as KrbRelayUp, had repeatedly shown us how certain, often default, settings can be used against their intended purpose and result in an identity compromise,” said Or Tsemah, Senior Product Manager for Microsoft Defender for Identity.
Microsoft highlighted that the “Set ms-DS-MachineAccountQuota” configuration lets attackers configure up to 10 accounts on the target network. The evaluation capability for this default configuration is now available for all users.
Additionally, Microsoft advises IT Pros to enforce the “Require signing” LDAP policy setting because “unsigned network traffic” is subject to man-in-the-middle (MITM) attacks. Basically, LDAP is a directory service protocol that lets users access files, servers, apps, and other IT resources. The firm plans to release the LDAP configuration detection capability within the “next two weeks.”
To get started with the new security assessment tool, IT admins can head to the Secure Score section of the Microsoft 365 Defender portal. From there, review the list of improvement actions to find insecure domain configurations. IT Pros can modify or remove the affected configurations as needed.
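The two settings described above can also be read directly from Active Directory and from each domain controller. The PowerShell below is an added example, not code from Microsoft or the original article. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the domain controllers, and its function names are hypothetical.

```powershell
# Added example (not Microsoft's code). Function names are hypothetical.
# Assumes: RSAT ActiveDirectory module, PowerShell remoting enabled on the DCs.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaFinding {
    # The quota is an attribute of the domain head object.
    $domain = Get-ADDomain
    $head   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
    $quota  = $head.'ms-DS-MachineAccountQuota'
    $status = 'OK'
    if ($quota -gt 0) { $status = "A user may create up to $quota computer accounts" }
    [pscustomobject]@{ Check = 'ms-DS-MachineAccountQuota'; Target = $domain.DNSRoot; Value = $quota; Status = $status }
}

function Get-LdapSigningFinding {
    # "Domain controller: LDAP server signing requirements" is stored per DC as
    # the registry value LDAPServerIntegrity: 1 = None, 2 = Require signing.
    $read = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        (Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $value  = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $read -ErrorAction Stop
            $status = 'LDAP signing not required'
            if ($value -eq 2) { $status = 'OK' }
        } catch {
            # An unreachable DC is reported, not silently treated as compliant.
            $value  = $null
            $status = "Could not query: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Check = 'LDAPServerIntegrity'; Target = $dc.HostName; Value = $value; Status = $status }
    }
}

# Run both checks and count the results that need review.
$findings = @(Get-MachineAccountQuotaFinding) + @(Get-LdapSigningFinding)
$findings | Format-Table -AutoSize
$open = @($findings | Where-Object { $_.Status -ne 'OK' })
"Findings needing review: $($open.Count)"
```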
Overall, it’s great to see that Microsoft is improving its security tools to protect enterprise customers from potential exploitation. Meanwhile, the company also plans to add support for more security posture configuration detections to its Microsoft Defender for Identity solution.