Exam SC-100
Question 166

HOTSPOT -

You need to recommend a strategy for securing the litware.com forest. The solution must meet the identity requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

    Correct Answer:

    Box 1: Microsoft Defender for Cloud

    Scenario: Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.

    When Microsoft Defender for Cloud detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the 'entities' field of the alert.

    Box 2: An account lockout policy in AD DS

    Scenario:

    Detect brute force attacks that directly target AD DS user accounts.

    Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive.

    Verify on-premises account lockout policy

    To verify your on-premises AD DS account lockout policy, complete the following steps from a domain-joined system with administrator privileges:

    1. Open the Group Policy Management tool.

    2. Edit the group policy that includes your organization's account lockout policy, such as the Default Domain Policy.

    3. Browse to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

    4. Verify your Account lockout threshold and Reset account lockout counter after values.

    Reference:

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/automation-to-block-brute-force-attacked-ip-detected-by/ba-p/1616825

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#verify-on-premises-account-lockout-policy
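One way to script the verification steps above, as an added example (not Microsoft's code and not part of the exam answer): it reads the Default Domain Policy and any fine-grained password policies with the RSAT ActiveDirectory module and compares each AD DS lockout threshold with the Entra ID (Azure AD) smart lockout threshold. The point of the check is the relationship the smart lockout documentation describes: the on-premises threshold must be higher than the cloud one so that smart lockout absorbs a brute-force attempt before the AD DS account is locked. The smart lockout threshold is not read from the tenant here; it is passed in as a parameter (the assumed default of 10 is the Entra smart lockout default), and the function names are this example's own.

```powershell
# Added example: check that AD DS lockout thresholds sit above the Entra ID
# smart lockout threshold. Requires the ActiveDirectory RSAT module on a
# domain-joined host with rights to read password policies.
Import-Module ActiveDirectory

function Get-LockoutPolicyReport {
    # Default Domain Policy values (the same settings the Group Policy
    # steps above show under Account Policies > Account Lockout Policy)
    $dom = Get-ADDefaultDomainPasswordPolicy
    $rows = @([pscustomobject]@{
        Policy           = 'Default Domain Policy'
        LockoutThreshold = $dom.LockoutThreshold
        ResetCounterAfter = $dom.LockoutObservationWindow
        LockoutDuration  = $dom.LockoutDuration
    })
    # Fine-grained password policies (PSOs) override the domain defaults for
    # the users and groups they apply to, so they must be checked as well.
    foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
        $rows += [pscustomobject]@{
            Policy            = "PSO: $($pso.Name)"
            LockoutThreshold  = $pso.LockoutThreshold
            ResetCounterAfter = $pso.LockoutObservationWindow
            LockoutDuration   = $pso.LockoutDuration
        }
    }
    return $rows
}

function Test-LockoutAlignment {
    param(
        [object[]]$Policies,
        # Assumption: the tenant's smart lockout threshold (Entra ID >
        # Authentication methods > Password protection). 10 is the default.
        [int]$SmartLockoutThreshold = 10
    )
    foreach ($p in $Policies) {
        $status = if ($p.LockoutThreshold -eq 0) {
            'OK: AD DS never locks out (threshold 0)'
        } elseif ($p.LockoutThreshold -gt $SmartLockoutThreshold) {
            'OK: smart lockout trips before AD DS lockout'
        } else {
            'RISK: AD DS locks out at or before the smart lockout threshold'
        }
        [pscustomobject]@{
            Policy             = $p.Policy
            ADLockoutThreshold = $p.LockoutThreshold
            SmartLockout       = $SmartLockoutThreshold
            ResetCounterAfter  = $p.ResetCounterAfter
            Status             = $status
        }
    }
}

# Usage: a tenant threshold of 5 and an AD DS threshold of 10 reports OK;
# equal thresholds report RISK because the on-prem account would lock first.
Test-LockoutAlignment -Policies (Get-LockoutPolicyReport) -SmartLockoutThreshold 10 |
    Format-Table -AutoSize
```

A threshold of 0 in AD DS means accounts never lock, which trivially satisfies the "prevent AD DS lockout" requirement but removes on-premises brute-force throttling entirely; the report flags it as OK for alignment only, and the reset counter and lockout duration are listed so they can be reviewed alongside the threshold.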

Discussion
PlumpyTumbler

Box 1: Identity Protection https://docs.microsoft.com/en-us/defender-cloud-apps/aadip-integration#configure-identity-protection-policies

Box 2: Lockout policy

The case study scenario says "Azure AD Connect is used to implement pass-through authentication." The link below explains "Smart lockout can be integrated with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS." https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout#how-smart-lockout-works

Any other solution relies on AD FS. Since the case study doesn't say anything about AD FS, use the lockout policy as described. That's my last comment, I'm taking the exam in 20 minutes. Thank you all and good day.

Brick69

How did you do?

JakeCallham

I agree on both points, 1 cannot be defender as it misses the word apps.

Sam_Gutterson

I am not sure if these are correct choices; however, the case study clearly says 'password hash sync has been disabled' under overview. Also, this specific question of the case study clearly says 'Forest' (AD Forest).

awssecuritynewbie

Box 1: Microsoft AD Identity Protection

Box 2: Microsoft Defender for Identity

To the ones saying it is Lockout policy: that does not provide protection. There are things like Suspected overpass-the-hash attack (Kerberos) 2002 Medium, Account enumeration reconnaissance 2003 Medium, Suspected Brute Force attack (LDAP) 2004 Medium. Those are some of the protections and alerts that Defender for Identity on-prem provides; the password lockout policy will only actually prevent the brute force attack...

JaySapkota

Answers should be:

1. Azure AD Identity Protection. Brute Force Detection: https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

2. Defender for Identity. MDI can detect brute force attacks, ref: https://docs.microsoft.com/en-us/defender-for-identity/compromised-credentials-alerts#suspected-brute-force-attack-ldap-external-id-2004

Bubsator

Box 1: Wrong. Identity protection does not provide AAD account smart lockout. Only the Password Protection service can.

Box 2: Correct

JakeCallham

Box1: Correct, box one doesn't relate to smart lockout? Box 2: Incorrect

lt9898

Answers mapped to Identity Requirements as asked in the question:

> Implement leaked credential detection in the Azure AD tenant of Litware.
> Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.

Box 1. Azure AD Password Protection - offers leaked credential detection and Smart Lockout, which can be combined carefully with a custom AD lockout policy to prevent the AD account from being locked in an Entra ID account attack scenario. https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

> Detect brute force attacks that directly target AD DS user accounts.

Box 2. Defender for Identity - detects and notifies of brute force attacks having happened. https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-brute-force-attack-kerberos-ntlm-external-id-2023

zellck

1. Azure AD Identity Protection

2. Microsoft Defender for Identity

https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts#suspected-brute-force-attack-ldap-external-id-2004

In a brute-force attack, the attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when Defender for Identity detects a massive number of simple bind authentications. This alert detects brute force attacks performed either horizontally with a small set of passwords across many users, vertically with a large set of passwords on just a few users, or any combination of the two options. The alert is based on authentication events from sensors running on domain controller and AD FS servers.
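The horizontal-versus-vertical distinction quoted above is easy to reproduce on raw authentication failures, which is useful when checking what an alert like this would have fired on. The following is an added example written for this page; it is not Defender for Identity's detection logic. The events, the source hosts, the account names and the two thresholds (`MinFailures`, `ManyUsers`) are all constructed for illustration, and the function name is this example's own.

```powershell
# Added example: classify bursts of failed authentications per source host as
# horizontal (few passwords, many accounts), vertical (many attempts, one or two
# accounts) or mixed. Input is a list of objects with Source, User and Result.

# Constructed sample: one host spraying 12 accounts twice each, one host
# hammering a single service account, and one benign host whose user mistypes
# a password three times and then signs in successfully.
$SampleEvents = @()
foreach ($n in 1..12) {
    foreach ($attempt in 1..2) {
        $SampleEvents += [pscustomobject]@{ Source = '10.0.0.5';  User = "user$n";     Result = 'Failure' }
    }
}
foreach ($attempt in 1..30) {
    $SampleEvents += [pscustomobject]@{ Source = '10.0.0.9';  User = 'svc-backup'; Result = 'Failure' }
}
foreach ($attempt in 1..3) {
    $SampleEvents += [pscustomobject]@{ Source = '10.0.0.20'; User = 'bob';        Result = 'Failure' }
}
$SampleEvents += [pscustomobject]@{ Source = '10.0.0.20'; User = 'bob'; Result = 'Success' }

function Find-BruteForcePattern {
    param(
        [object[]]$Events,
        [int]$MinFailures = 20,   # assumed threshold: fewer failures from a source is not reported
        [int]$ManyUsers   = 10    # assumed threshold: this many distinct accounts marks a spray
    )
    $findings = @()
    $failures = $Events | Where-Object { $_.Result -eq 'Failure' }
    foreach ($group in ($failures | Group-Object -Property Source)) {
        if ($group.Count -lt $MinFailures) { continue }
        $users = @($group.Group | Select-Object -ExpandProperty User -Unique)
        $pattern = if ($users.Count -ge $ManyUsers) {
            'horizontal (password spray)'
        } elseif ($users.Count -le 2) {
            'vertical (targeted account)'
        } else {
            'mixed'
        }
        $findings += [pscustomobject]@{
            Source        = $group.Name
            Failures      = $group.Count
            DistinctUsers = $users.Count
            Pattern       = $pattern
            # These are the accounts an AD DS lockout policy would lock,
            # which is the outcome the case study requirement wants to avoid.
            Accounts      = ($users | Select-Object -First 5) -join ','
        }
    }
    return $findings
}

# On the sample: 10.0.0.5 reports horizontal (24 failures, 12 users),
# 10.0.0.9 reports vertical (30 failures, 1 user), 10.0.0.20 is below threshold.
Find-BruteForcePattern -Events $SampleEvents | Format-Table -AutoSize
```

In practice the `Source`/`User`/`Result` objects would come from security event exports (for example failed logon events from domain controllers) rather than the constructed list, and a detection that only counts per source will miss a spray distributed across many source addresses, which is one reason the sensor-based detection quoted above counts bind attempts on the domain controller side.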

zellck

https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#sign-in-risk Password spray - A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been successfully performed. For example, the attacker is successfully authenticated, in the detected instance.

KallMeDan

Box 1 - Microsoft Defender for Cloud. Identity Protection also offers similar protection, but the requirement for this states "Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose." which is disabled in the case study.

Box 2 - Smart lockout - Some premium features of Azure AD, like Identity Protection and Azure AD Domain Services, require password hash synchronization, no matter which authentication method you choose.

KallMeDan

Box 2 - Smart lockout - You can integrate Smart Lockout with hybrid deployments that use password hash sync or pass-through authentication to protect on-premises Active Directory Domain Services (AD DS) accounts from being locked out by attackers. By setting smart lockout policies in Azure AD appropriately, attacks can be filtered out before they reach on-premises AD DS. If you want your Azure AD lockout threshold to be 5, then you want your on-premises AD lockout threshold to be 10. This configuration would ensure smart lockout prevents your on-premises AD accounts from being locked out by brute force attacks on your Azure AD accounts.

Murtuza

Case Study says " Implement leaked credential detection in the Azure AD tenant of Litware" This broad range of signals helps Identity Protection detect risky behaviors like: Password spray attacks Leaked credentials

Kdosec

Box 1: Azure AD Identity Protection

Box 2: Microsoft Defender for Identity (the key point is "Prevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts."; the requirement is not to lock their accounts out because of brute-force attacks)

cybrtrk

One of the requirements was to NOT lock out accounts, so account lockout policy won't work. Defender for Identity will detect the ddos attack and it can be configured to force an account password reset vs locking out the account, by configuring its remediation actions. https://learn.microsoft.com/en-us/defender-for-identity/manage-action-accounts

PeteNZ

This is a tricky one as it does say that password hash sync is disabled... So technically Identity Protection wouldn't work as it requires PHS. Hmm.

besoaus

Box 2 is the Account Lockout Policy, NOT Smart Lockout. This will not help for satisfying the requirements. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/account-lockout-policy

subratasen

Azure AD identity requirement in question: ** Implement leaked credentials detection in the Azure AD tenant of Litware.

Answer: Azure AD Identity Protection. Reference: https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection. Key words: Leaked Credentials; Azure AD (Entra ID)

Azure AD DS identity requirements in question: ** Detect brute force attacks that directly target AD DS user accounts. ** Prevent AD DS user accounts from being locked out by brute force attacks.

Answer: Account lockout policy in AD DS. Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout. Key words/sentence: Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. (Brute force) This configuration would ensure smart lockout prevents your on-premises AD DS accounts from being locked out by brute force attacks on your Microsoft Entra accounts. (Prevent being locked out by brute force)

Cleggs

Box 1: is Password Protection - Using Smart Lockout that only needs PassThrough authentication or PHS... PHS isn't used in this case but PTA is! Box 2: I believe is MDI.

rishiraval007

Box 1: Microsoft AD Identity Protection

Box 2: Microsoft Defender for Identity

slobav

Box 1: Identity Protection

Box 2: Lockout policy

Explanation: https://www.youtube.com/watch?v=YJqZjdzC9xE&list=PLQ2ktTy9rklhzzkSEZvDZT4QSIVUQZD-Y&index=7 SC-100 Question 91

CatoFong

"The solution must meet the identity requirement" Azure AD Identity Protection Defender for Identity

Gurulee

Although the current overview states pwd hash sync is disabled, the identity requirements state: "Implement leaked credential detection in the Azure AD tenant of Litware." Therefore, you need to implement the best controls to meet the requirements. 1: Identity Protection 2: Defender for Identity

AJ2021

Q1: Microsoft AD Identity Protection

Q2: Microsoft Defender for Identity