Hey everyone, hope you guys had a wonderful day and a good start to the new year 2021. I hope everyone stays healthy and keeps a safe distance from one another or avoids crowded places.
I know that this pandemic has tested us in many ways, both physically and mentally. If you managed to get through the challenges of 2020, then give yourself a pat on the back, you did good.
In this blog post I’m going to write about what Azure ATP is. Before I jump into the topic, I want to say that security is a journey. If you have read the recent news about attacks rising two or three times over in 2020, and the news about the SolarWinds attack, then these are proof enough that hackers have more chances to attack in this situation, because they know the majority of businesses and corporates are still vulnerable or not up to par in securing their environment and providing security training to users. User mistakes that let attackers in are also a risk to the corporate, which is why user training is still important. Losing money/profit to attackers is twice as painful to a corporate as purchasing and implementing security technologies/products in the environment. Let’s take ransomware as an example for this case. Due to this pandemic, I notice quite a number of corporates are now implementing the concept of “Zero-trust“. If you would like to know what “Zero-trust” is, do feel free to Google it.
Anyway, alright, let’s start our topic. The term ATP has been around quite a while in the security industry; if you are still not sure what ATP is, it stands for Advanced Threat Protection. It combines advanced intelligent technology and algorithms to identify and investigate types of malicious behavior, selects the appropriate action to quarantine/block the malicious activity before it does any harm to the environment, and provides deep-dive, detailed reports to administrators.
Azure ATP has been known for quite a while in Microsoft 365, and Microsoft has given it a different name, Microsoft Identity Defender. Its capabilities are to:
Identify compromised accounts
Investigate malicious activities of accounts
Provide best-practice security actions to administrators on how to handle accounts reported by Azure ATP as suspicious or compromised
Provide detailed visibility into authentication attacks
Azure ATP is able to provide details of an attack’s source
Reports are real-time and signal back to the Microsoft Identity Defender portal
This is just a summary of what the entire structure looks like when implementing Azure ATP into an environment with Domain Controllers only.
The Azure ATP agent is only for on-premises servers like Domain Controllers and ADFS, and the agent will send a signal back to Microsoft Identity Defender if it detects malicious activities or compromised accounts. I do recommend that you read more about the requirements of deploying Azure ATP before deploying into your customer’s environment. There is a medium impact involved.
Make sure you have an Enterprise Admin account/permission to run these commands, and run PowerShell as Admin.
If you run into an error that you can’t bring up a new Domain Controller because the Operating System is not at a suitable forest functional level, this solution could help you out. These commands cannot be run on an RODC.
I am not sure whether this requires the FSMO roles to make changes to these functional levels. Hence, I ran these commands on the Primary domain controller.
Log in to your existing domain controller using an enterprise admin account
Run Windows PowerShell as Admin
Type in the following commands to change the forest functional level
#Get Forest level Info
Get-ADForest | Select-Object Name, ForestMode
#To Set the forest level
Set-ADForestMode -ForestMode <Operating System Name>
#Example: Set-ADForestMode -ForestMode Windows2012R2Forest
Type the following commands to change the domain functional level
#Get Domain level Info
Get-ADDomain | Select-Object Name, DomainMode
#To Set the domain level
Set-ADDomainMode -DomainMode <Operating System Name>
#Example: Set-ADDomainMode -DomainMode Windows2012R2Domain
I would recommend that you study the difference between Forest Functional Level and Domain Functional Level. I will write a blog post about it soon!
Both the source and target domain controllers have to hold the PDC role to establish the trust.
Make sure you transfer the FSMO roles
Both domain controllers must be able to ping each other
At the target domain controller, ping <source domain DNS>
Ping the domain controller IP addresses
Firewalls are disabled at both domain controllers
Able to nslookup each other’s domains
You will fail with an error if the prerequisites are not met:
“The secure channel verification on Active Directory Domain Controller <DC name> of domain <source domain> to <target domain> failed with error: The specified domain either does not exist or could not be contacted.”
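As an added example (this is not code from the original post), here is a PowerShell pre-flight script that checks the prerequisites above from the target domain controller before you run the trust wizard. The source domain name, DC IP address and the ports it probes are assumed placeholder values, not something taken from the post.

```powershell
# Added example, not from the original post. Run on the TARGET domain controller
# as an Enterprise Admin. $SourceDomain / $SourceDcIp are placeholders.
param(
    [string]$SourceDomain = 'source.example.local',   # placeholder
    [string]$SourceDcIp   = '10.0.0.10'               # placeholder
)
Import-Module ActiveDirectory

$results = @()

# 1. This DC must hold the PDC Emulator role in its own domain.
$localDomain = Get-ADDomain
$pdc   = $localDomain.PDCEmulator
$isPdc = ($pdc -ieq "$env:COMPUTERNAME.$($localDomain.DNSRoot)")
$results += [pscustomobject]@{ Check = "Local DC holds PDC role ($pdc)"; Pass = $isPdc }

# 2. Name resolution of the source domain (what the post calls "nslookup").
$dns = Resolve-DnsName -Name $SourceDomain -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Resolve $SourceDomain"; Pass = [bool]$dns }

# 3. ICMP reachability of the source domain name and the source DC IP.
foreach ($target in @($SourceDomain, $SourceDcIp)) {
    $ok = Test-Connection -ComputerName $target -Count 2 -Quiet -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "Ping $target"; Pass = $ok }
}

# 4. Report the local firewall profile state so you can see what the post's
#    "firewalls disabled" prerequisite currently looks like on this DC.
foreach ($p in Get-NetFirewallProfile) {
    $results += [pscustomobject]@{ Check = "Firewall profile '$($p.Name)' disabled"; Pass = -not $p.Enabled }
}

# 5. TCP reachability of the AD ports the trust setup relies on (assumed set:
#    Kerberos 88, LDAP 389, SMB 445).
foreach ($port in 88, 389, 445) {
    $tcp = Test-NetConnection -ComputerName $SourceDcIp -Port $port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "TCP $port to $SourceDcIp"; Pass = $tcp.TcpTestSucceeded }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning "One or more prerequisites failed; expect the 'specified domain either does not exist or could not be contacted' error."
}
```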