As the deployment practices for Microsoft Defender for Identity (MDI) evolve, a critical evaluation of service account management is necessary. Commonly, organizations might opt for the simplicity of a single service account to manage their MDI sensor activities for Active Directory Domain Services (ADDS). Now that MDI supports ADDS, ADFS and ADCS, it is time to rethink the MDI sensor deployments.
However, the landscape of cybersecurity is ever-changing and demands more refined strategies. This blog post argues for a specialized approach—employing individual service accounts for each service plus an additional Action Account. This tailored method offers distinct advantages. By assigning a unique Group Managed Service Account (gMSA) to each service—ADDS, ADFS, and ADCS—we can ensure that the scope and permissions are precisely aligned with the needs and security requirements of each Tier-0 asset. Furthermore, introducing a separate Action Account allows for direct actions from the Defender portal on the on-premises AD, bypassing the need for traditional VPN access to the customer’s environment.
Implementing Multiple Service Accounts in MDI
The diagram above illustrates a key capability in Microsoft Defender for Identity (MDI): the ability to use multiple service accounts for the different identity services it monitors. This matters because it lets organizations scope each sensor's identity narrowly instead of sharing one broadly privileged account. When configuring MDI, assign an individual Group Managed Service Account (gMSA) to each service (ADDS, ADFS, ADCS) plus a separate Action Account.
Why Use Multiple gMSAs?
Each identity service within MDI holds specific roles and responsibilities that are crucial for the security of the entire Active Directory (AD) ecosystem. By segregating these services with dedicated gMSAs, organizations can:
- Minimize Attack Surface: Separate accounts limit the potential damage in case one service is compromised.
- Ease of Management: Individual accounts allow for simpler management and specific security settings adjustments.
- Compliance and Auditing: It simplifies tracking and auditing, as each service activity is isolated.
- Targeted Permissions: It aligns with the principle of least privilege, granting only the required permissions for each service to operate.
Advantages of gMSAs
Group Managed Service Accounts offer automated password management, which means the passwords for these accounts are managed by AD and changed regularly without manual intervention. This reduces the risk of password leaks or misuse. Additionally, gMSAs provide a more secure and manageable approach to service account passwords than traditional user-managed service accounts.
Action Account: A Must-Have
The Action Account is a distinctive addition that serves as a conduit for executing remediation actions directly from the MDI portal. Its integration allows for swift response to identified threats, enabling security teams to act immediately without the delays of traditional remote access methods.
To implement these service accounts in MDI:
- Identify the necessary permissions for each service account based on the roles of ADDS, ADFS, and ADCS.
- Create gMSAs within AD for each service and the Action Account.
- Configure MDI sensors to use the appropriate gMSA.
- Set up monitoring for each gMSA within your security information and event management (SIEM) system, such as Microsoft Sentinel, to ensure activities are logged and audited.
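The steps above, worked through as an added PowerShell example (not code from the original post or from Microsoft): it provisions one gMSA per sensor role plus the Action Account, binds each to its own host group so only that role's sensor servers can retrieve the password, and then verifies the scoping. The domain name, OU, group names and account names are placeholders chosen for this example.

```powershell
# Added example: one gMSA per MDI role, each retrievable only by its own host group.
# Assumptions (placeholders): domain contoso.com, OU "OU=MDI,DC=contoso,DC=com",
# an existing KDS root key, and the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$Domain   = "contoso.com"
$TargetOU = "OU=MDI,DC=contoso,DC=com"

# Four accounts: three sensor DSAs and the Action Account. The Action Account is
# used by the sensors on the domain controllers, so it shares the ADDS host group.
$Accounts = @(
    @{ Name = "mdiSvcADDS";   Group = "MDI-Sensors-ADDS"; Purpose = "MDI ADDS sensor DSA" }
    @{ Name = "mdiSvcADFS";   Group = "MDI-Sensors-ADFS"; Purpose = "MDI ADFS sensor DSA" }
    @{ Name = "mdiSvcADCS";   Group = "MDI-Sensors-ADCS"; Purpose = "MDI ADCS sensor DSA" }
    @{ Name = "mdiActionAcc"; Group = "MDI-Sensors-ADDS"; Purpose = "MDI Action Account" }
)

function New-MdiGmsa {
    param([string]$Name, [string]$Group, [string]$Purpose)

    # Host group allowed to retrieve the managed password. Only the sensor
    # servers for this role are ever made members of it.
    if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
        New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
            -Path $TargetOU -Description "Hosts allowed to retrieve the $Name gMSA password"
    }

    # AES-only Kerberos so the account never issues or accepts RC4 tickets.
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$Domain" -Path $TargetOU `
        -Description $Purpose -PrincipalsAllowedToRetrieveManagedPassword $Group `
        -KerberosEncryptionType AES128,AES256 -Enabled $true
}

function Test-MdiGmsaScope {
    # Verification: each gMSA should list exactly one retrieval principal (its group).
    foreach ($a in $Accounts) {
        $acct = Get-ADServiceAccount -Identity $a.Name -Properties PrincipalsAllowedToRetrieveManagedPassword
        [pscustomobject]@{
            Account    = $a.Name
            Principals = ($acct.PrincipalsAllowedToRetrieveManagedPassword -join ';')
        }
    }
}

foreach ($a in $Accounts) { New-MdiGmsa @a }

# The ADDS sensors run on the domain controllers, so every DC joins that host group.
Get-ADDomainController -Filter * |
    ForEach-Object { Add-ADGroupMember -Identity "MDI-Sensors-ADDS" -Members $_.ComputerObjectDN }

Test-MdiGmsaScope | Format-Table -AutoSize
```

After adding a sensor host to its group, refresh the host's Kerberos ticket (reboot or `klist purge` under the machine context) and run `Test-ADServiceAccount <name>` on it before installing the sensor. The additional directory permissions each DSA needs (for example read access to the Deleted Objects container) are configured separately and are not shown here.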
By embracing the practice of using multiple gMSAs and an Action Account, organizations can step into a new era of security within their AD environments. The next section of our post will delve into best practices for managing these accounts and maintaining a secure MDI deployment.
I made a short video about the same topic. You can watch it below.