Dear IT Pros,
We know it is common for Domain Controllers and critical servers to sit in an isolated network with no Internet access.
How, then, can we provide cloud-based Azure log analytics services for these systems? The services could come from different products such as DLP Cloud, MDE Cloud, MDI Cloud, Azure Log Analytics and more. What is the best way to accommodate these needs?
We will discuss the following topics:
The steps below apply only to devices running earlier versions of Windows, such as Windows Server 2016 and earlier or Windows 8.1 and earlier.
Offline devices in the same network, reporting to Azure Log Analytics
In this demo lab, we use a proxy server running on Windows Server 2019 instead of a proxy appliance.
Proxy server on Windows Server 2019 with an Internet connection:
Configure WinGate > Services
> WWW Proxy Server
On a Windows Server 2012 R2 device:
Run the MMA setup
> Run the MMA setup as usual
> Connect the agent to Azure Log Analytics (OMS)
> Click Advanced
> Type in the proxy server IP address and port number (8080)
> Next, Finish.
Result:
The agent connects without problems as long as the system clock is within the allowed skew (15 minutes) of Azure time.
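The same MMA proxy configuration can be applied without the wizard, which is handy when you have a fleet of down-level servers. The script below is an added example, not code from the original post or from Microsoft: it drives the MMA configuration COM object (AgentConfigManager.MgmtSvcCfg) to set the proxy and add the workspace, and first checks the two things that most often break an offline onboarding: whether the proxy answers on its TCP port, and whether the local clock is within the 15-minute skew mentioned above. Assumptions: the proxy is 10.0.0.3:8080 (the lab value used on this page) and needs no authentication; the workspace ID/key are placeholders; the skew check fetches a plain-HTTP page through the proxy (the Windows connectivity-test URL) and trusts its Date header, so the proxy must allow that request.

```powershell
# Added example (not from the original post): configure the MMA proxy from PowerShell and
# verify proxy reachability and clock skew before onboarding an offline server.
param(
    [string]$Proxy          = '10.0.0.3:8080',   # <ip or host>:<port>, lab value from the post
    [string]$WorkspaceId    = '<workspace-id>',  # placeholder, replace
    [string]$WorkspaceKey   = '<workspace-key>', # placeholder, replace
    [int]   $MaxSkewMinutes = 15                 # tolerance quoted in the post
)

function Test-ProxyReachable {
    # Plain TCP connect to the proxy port; proves routing and firewall, not that the proxy forwards.
    param([string]$ProxyAddress)
    $proxyHost, $proxyPort = $ProxyAddress -split ':'
    $r = Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Get-ClockSkewMinutes {
    # An isolated server usually cannot reach an Internet NTP source, so use the HTTP Date header
    # of a response fetched through the proxy as an external time reference (assumption: the
    # proxy allows this URL). Returns absolute skew in minutes.
    param([string]$ProxyAddress, [string]$Url = 'http://www.msftconnecttest.com/connecttest.txt')
    $resp   = Invoke-WebRequest -Uri $Url -Proxy "http://$ProxyAddress" -UseBasicParsing
    $remote = [DateTimeOffset]::Parse("$($resp.Headers['Date'])", [cultureinfo]::InvariantCulture)
    return [math]::Abs(([DateTimeOffset]::UtcNow - $remote).TotalMinutes)
}

function Set-MmaProxy {
    # AgentConfigManager.MgmtSvcCfg is the COM object installed with the Microsoft Monitoring
    # Agent. SetProxyInfo takes (proxy, username, password); empty credentials mean an
    # unauthenticated proxy. ReloadConfiguration makes the agent pick the change up immediately.
    param([string]$ProxyAddress, [string]$Id, [string]$Key)
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $cfg.SetProxyInfo($ProxyAddress, '', '')
    $cfg.AddCloudWorkspace($Id, $Key)
    $cfg.ReloadConfiguration()
    return $cfg.GetCloudWorkspaces()
}

if (-not (Test-ProxyReachable -ProxyAddress $Proxy)) {
    throw "Proxy $Proxy is not reachable on its TCP port; fix routing/firewall first."
}

$skew = Get-ClockSkewMinutes -ProxyAddress $Proxy
if ($skew -gt $MaxSkewMinutes) {
    throw ("Clock skew is {0:N1} minutes (limit {1}); fix time sync before onboarding." -f $skew, $MaxSkewMinutes)
}

Set-MmaProxy -ProxyAddress $Proxy -Id $WorkspaceId -Key $WorkspaceKey | Format-List
```

Run it elevated on the server being onboarded. The skew check is deliberately done before touching the agent: an agent whose clock is outside the window fails TLS/token validation silently in the event log, which is much harder to diagnose after the fact than a failed assertion up front.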
For newer systems, Windows Server 2019 servers and Windows 10 workstations, we need to use the built-in telemetry service of the Windows OS (the Connected User Experiences and Telemetry service) together with a proxy configuration to transport diagnostic logs to cloud analytics services such as MDE.
For endpoint devices that are not permitted to connect to the Internet, you need to configure a proxy connection so the telemetry service can forward its diagnostic data to the Microsoft cloud service.
Let us start with an important notice:
The WinHTTP proxy configuration is independent of the Windows Internet (WinINet) browsing proxy settings, and WinHTTP can only discover a proxy server by using the following auto-discovery methods:
Prerequisite:
When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup installed:
These updates improve the connectivity and reliability of the CnC (command and control) channel between the endpoint and the cloud service.
Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
Download the spreadsheet here.
Configure the proxy server manually using a registry-based static proxy
The static proxy is configurable through Group Policy (GP). The policy can be found under:
Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
The policy sets two registry values, TelemetryProxyServer (REG_SZ) and DisableEnterpriseAuthProxy (REG_DWORD), under the registry key HKLM\Software\Policies\Microsoft\Windows\DataCollection:
- TelemetryProxyServer uses the format <server name or IP>:<port>. For example: 10.0.0.3:8080
- DisableEnterpriseAuthProxy should be set to 1.
This setting applies only to the telemetry service, so the rest of the system keeps its existing proxy behaviour.
Configure the proxy server manually using the "netsh" command
Use netsh to configure a system-wide static proxy.
Note:
- This affects all applications, including Windows services, that use WinHTTP with the default proxy.
- Laptops that change network topology (for example, moving from the office to home) will malfunction with a netsh static proxy. Use the registry-based static proxy configuration if you do not want the whole system to communicate over the Internet through the proxy.
For example: netsh winhttp set proxy 10.0.0.3:8080
To reset the WinHTTP proxy, enter the following command and press Enter: netsh winhttp reset proxy
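Both methods above are easy to get wrong in the same way: the value is written, nothing is verified, and days later the telemetry queue is still growing locally. The script below is an added example, not code from the original post or from Microsoft: it applies either method (registry-scoped to the telemetry service, or system-wide through netsh), can reset the netsh proxy, and then reads both configurations back so a mismatch is visible, finishing with a TCP reachability check of the proxy. Assumptions: the proxy is 10.0.0.3:8080 (the lab value on this page); the script is run elevated; the registry key and value names are the ones named in the policy description above; restarting the DiagTrack service after the registry change is optional and only shortens the time until the new value is read.

```powershell
# Added example (not from the original post): apply one of the two static-proxy methods for
# the telemetry channel and read back what is actually configured.
param(
    [ValidateSet('Registry', 'WinHttp', 'Reset')]
    [string]$Method = 'Registry',
    [ValidatePattern('^[A-Za-z0-9.\-]+:\d{1,5}$')]   # <host or ip>:<port>, the format the policy expects
    [string]$Proxy = '10.0.0.3:8080'                 # lab value from the post
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Set-TelemetryStaticProxy {
    # Registry method: scoped to the Connected User Experiences and Telemetry (DiagTrack) service,
    # so other WinHTTP consumers on the box keep their own proxy behaviour.
    param([string]$ProxyAddress)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'TelemetryProxyServer'       -PropertyType String -Value $ProxyAddress -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'DisableEnterpriseAuthProxy' -PropertyType DWord  -Value 1             -Force | Out-Null
    # Optional: restart so the service re-reads the policy now instead of on its own schedule.
    Restart-Service -Name DiagTrack -ErrorAction SilentlyContinue
}

function Set-WinHttpStaticProxy {
    # netsh method: system-wide. Every WinHTTP consumer using the default proxy is affected,
    # which is why the post warns against it on roaming laptops. <local> keeps intranet traffic direct.
    param([string]$ProxyAddress)
    & netsh.exe winhttp set proxy proxy-server="$ProxyAddress" bypass-list="<local>" | Out-Null
}

function Reset-WinHttpProxy {
    & netsh.exe winhttp reset proxy | Out-Null
}

function Get-ProxyState {
    # Show both sources side by side so you can tell which method is in effect.
    $reg     = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $winhttp = (& netsh.exe winhttp show proxy) -join ' '
    [pscustomobject]@{
        TelemetryProxyServer       = $reg.TelemetryProxyServer
        DisableEnterpriseAuthProxy = $reg.DisableEnterpriseAuthProxy
        WinHttpProxy               = if ($winhttp -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { 'Direct access (no proxy server)' }
    }
}

switch ($Method) {
    'Registry' { Set-TelemetryStaticProxy -ProxyAddress $Proxy }
    'WinHttp'  { Set-WinHttpStaticProxy   -ProxyAddress $Proxy }
    'Reset'    { Reset-WinHttpProxy }
}

Get-ProxyState | Format-List

# The proxy should answer on its TCP port before any service is expected to use it.
$proxyHost, $proxyPort = $Proxy -split ':'
$tcp = Test-NetConnection -ComputerName $proxyHost -Port ([int]$proxyPort) -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Proxy $Proxy is not reachable on TCP/$proxyPort; telemetry will queue locally until it is."
}
```

Use -Method Registry on servers and on anything that roams; reserve -Method WinHttp for fixed hosts where you explicitly want every WinHTTP client, not just telemetry, to go through the proxy. Running the script with -Method Reset after testing leaves the registry values in place, so check the Get-ProxyState output rather than assuming a clean state.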
MDI Mirroring in an Isolated Network
For MDI in an isolated network, you will need to install a standalone sensor, which collects mirrored network traffic from all the Domain Controllers on the LAN.
Defender for Identity standalone sensor requirements:
Setup steps
The Npcap driver allows the network adapter to collect all network traffic packets (Windows capture in promiscuous mode). Download Npcap version 1.0 from https://nmap.org/npcap/
The Defender for Identity standalone sensor requires at least one management adapter and at least one capture adapter:
This adapter should be configured with the following settings:
Ports
The following table lists the minimum ports that the Defender for Identity standalone sensor requires to be open on the management adapter:
MANAGEMENT ADAPTER PORTS

| Protocol | Transport | Port | From | To |
|---|---|---|---|---|
| Internet ports | | | | |
| SSL (*.atp.azure.com) | TCP | 443 | Defender for Identity sensor | Defender for Identity cloud service |
| Internal ports | | | | |
| LDAP | TCP and UDP | 389 | Defender for Identity sensor | Domain controllers |
| Secure LDAP (LDAPS) | TCP | 636 | Defender for Identity sensor | Domain controllers |
| LDAP to Global Catalog | TCP | 3268 | Defender for Identity sensor | Domain controllers |
| LDAPS to Global Catalog | TCP | 3269 | Defender for Identity sensor | Domain controllers |
| Kerberos | TCP and UDP | 88 | Defender for Identity sensor | Domain controllers |
| Netlogon (SMB, CIFS, SAM-R) | TCP and UDP | 445 | Defender for Identity sensor | All devices on network |
| Windows Time | UDP | 123 | Defender for Identity sensor | Domain controllers |
| DNS | TCP and UDP | 53 | Defender for Identity sensor | DNS servers |
| Syslog (optional) | TCP/UDP | 514, depending on configuration | SIEM server | Defender for Identity sensor |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity sensor |
| Localhost ports (required for the Sensor Service updater) | | | | |
| SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NNR ports | | | | |
| NTLM over RPC | TCP | 135 | Defender for Identity sensor | All devices on network |
| NetBIOS | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP | TCP | 3389, only the first packet of Client hello | Defender for Identity sensor | All devices on network |
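A port table is only useful if someone actually tests it from the sensor host before running the installer. The script below is an added example, not code from the original post or from Microsoft: it encodes the internal TCP rows of the table above as data, checks each one against every Domain Controller (DNS rows against the DNS servers) with a TCP connect from the management adapter, lists the UDP-only rows that a TCP connect cannot verify, and confirms the Npcap driver service is present. Assumptions: the Domain Controller and DNS addresses are placeholders you replace; the Npcap driver registers as a Windows service named npcap; for the 445 and 135 rows the table says "all devices on network" and the script treats the DCs as the minimum set to test.

```powershell
# Added example (not from the original post): table-driven check of the management adapter
# ports on a Defender for Identity standalone sensor host.
param(
    [string[]]$DomainControllers = @('10.0.0.10', '10.0.0.11'),   # placeholders, replace
    [string[]]$DnsServers        = @('10.0.0.10')                 # placeholder, replace
)

# Internal rows of the port table that have a TCP transport. 'To' selects the target list.
$TcpRows = @(
    @{ Protocol = 'LDAP';                    Port = 389;  To = 'DC'  }
    @{ Protocol = 'Secure LDAP (LDAPS)';     Port = 636;  To = 'DC'  }
    @{ Protocol = 'LDAP to Global Catalog';  Port = 3268; To = 'DC'  }
    @{ Protocol = 'LDAPS to Global Catalog'; Port = 3269; To = 'DC'  }
    @{ Protocol = 'Kerberos';                Port = 88;   To = 'DC'  }
    @{ Protocol = 'Netlogon (SMB, SAM-R)';   Port = 445;  To = 'DC'  }   # table: all devices; DCs are the minimum
    @{ Protocol = 'DNS';                     Port = 53;   To = 'DNS' }
    @{ Protocol = 'NTLM over RPC (NNR)';     Port = 135;  To = 'DC'  }   # table: all devices; DCs are the minimum
)
# Rows that only exist over UDP; a TCP connect says nothing about them, so they are reported for manual follow-up.
$UdpOnlyRows = 'Kerberos/LDAP over UDP (88, 389)', 'Windows Time (123)', 'NetBIOS (137)', 'RADIUS accounting (1813, inbound)'

function Test-SensorPorts {
    # Returns one object per (row, target) with the TCP connect result.
    param([hashtable[]]$Rows, [string[]]$Dcs, [string[]]$Dns)
    foreach ($row in $Rows) {
        $targets = if ($row.To -eq 'DNS') { $Dns } else { $Dcs }
        foreach ($target in $targets) {
            $r = Test-NetConnection -ComputerName $target -Port $row.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Protocol = $row.Protocol
                Port     = $row.Port
                Target   = $target
                TcpOpen  = [bool]$r.TcpTestSucceeded
            }
        }
    }
}

function Test-NpcapPresent {
    # Assumption: the Npcap driver registers as the 'npcap' service once installed.
    return [bool](Get-Service -Name 'npcap' -ErrorAction SilentlyContinue)
}

$results = Test-SensorPorts -Rows $TcpRows -Dcs $DomainControllers -Dns $DnsServers
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.TcpOpen })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} port/target combination(s) are blocked; fix the management adapter or firewall before installing the sensor." -f $failed.Count)
}
Write-Host "Not tested (UDP only, verify manually): $($UdpOnlyRows -join '; ')"

if (-not (Test-NpcapPresent)) {
    Write-Warning 'Npcap driver service not found; install Npcap 1.0 before running the sensor setup.'
}
```

Run this on the sensor host with the management adapter already configured. Syslog (inbound from the SIEM) and RADIUS accounting (inbound) are listening ports on the sensor and are only meaningful once the sensor service is installed, so they are intentionally left out of the outbound check.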
Capture adapter: used to capture the traffic to and from the domain controllers.
Limitation:
I hope this information is useful for future deployments in isolated environments.
Until next time, cheers.
Reference:
Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.