MC875063 - Microsoft Defender for Identity: New recommendations for Microsoft Secure Score

Service

Microsoft Defender XDR

Published

Aug 27, 2024

Tag

New feature
User impact
Admin impact

Summary

Microsoft Defender for Identity will soon add new recommendations to Microsoft Secure Score, automatically updating scores to better reflect security posture. Public Preview and General Availability rollouts will begin mid-September 2024. Organizations should review Microsoft Secure Score improvement actions to prepare.

More information

Coming soon for Microsoft Defender XDR | Microsoft Defender for Identity: We’re adding new Microsoft Defender for Identity recommendations to the Microsoft Secure Score improvement actions to ensure a more accurate representation of security posture. We will update your score automatically.

When this will happen:

Public Preview: We will begin rolling out mid-September 2024 and expect to complete by late September 2024.

General Availability (Worldwide, GCC, GCC High, DoD, USSec, USNat): We will begin rolling out mid-September 2024 and expect to complete by mid-October 2024.

How this will affect your organization:

After this rollout, the Defender XDR portal will include these new Microsoft Defender for Identity recommendations as Microsoft Secure Score improvement actions:

  • Accounts with non-default Primary Group ID
  • Domain Controllers with computer account password unchanged for more than 45 days
  • GPO assigns unprivileged identities to local groups with elevated privileges
  • GPO can be modified by unprivileged accounts
  • GPO contains passwords in Group Policy Preferences files
  • Built-in Active Directory Guest account is enabled
  • Unsafe permissions on the DnsAdmins group
  • Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated"
  • Change password of krbtgt account
  • Change password of built-in domain Administrator account

Additionally, we are updating the existing recommendation "Modify unsecure Kerberos delegations to prevent impersonation" to include an indication of Kerberos Constrained Delegation with Protocol Transition to a privileged service.

These new identity recommendations are security posture reports related to Active Directory and Group Policy Objects, and they will be available by default to customers who have installed a Defender for Identity sensor.

These recommendations are on by default.
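As an added example (not part of this Message Center post and not Microsoft's code), the following PowerShell reproduces several of the listed checks against a domain with the RSAT ActiveDirectory module, so an admin can see which objects would raise a recommendation before the rollout. The 45-day Domain Controller threshold comes from the list above; the 180-day review threshold for krbtgt and the built-in Administrator, and the SYSVOL path construction, are assumptions.

```powershell
# Added example, not Microsoft's code: local spot-checks mirroring several of the
# new Defender for Identity recommendations. Requires the RSAT ActiveDirectory module
# and a domain account with read access to Active Directory and SYSVOL.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Accounts with a non-default Primary Group ID. Default RIDs: 513 Domain Users,
# 514 Domain Guests, 515 Domain Computers, 516 Domain Controllers, 521 RODCs.
$defaultPgid = 513, 514, 515, 516, 521
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=computer))' -Properties primaryGroupID |
    Where-Object { $_.primaryGroupID -notin $defaultPgid } |
    Select-Object Name, ObjectClass, primaryGroupID

# Domain Controllers whose computer account password is older than 45 days (threshold from the post).
$cutoff = (Get-Date).AddDays(-45)
Get-ADDomainController -Filter * |
    ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN -Properties PasswordLastSet } |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object Name, PasswordLastSet

# Built-in Active Directory Guest account (well-known RID 501) still enabled.
Get-ADUser -Identity "$domainSid-501" -Properties Enabled |
    Where-Object { $_.Enabled } |
    Select-Object Name, Enabled

# Privileged (AdminSDHolder-protected, adminCount=1) accounts that lack the
# "this account is sensitive and cannot be delegated" flag (NOT_DELEGATED in userAccountControl).
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated } |
    Select-Object SamAccountName, AccountNotDelegated

# Password age of krbtgt and the built-in domain Administrator (well-known RID 500).
# The 180-day review threshold is an assumption, not a value from the post.
$staleAfter = (Get-Date).AddDays(-180)
foreach ($id in 'krbtgt', "$domainSid-500") {
    Get-ADUser -Identity $id -Properties PasswordLastSet |
        Where-Object { $_.PasswordLastSet -lt $staleAfter } |
        Select-Object SamAccountName, PasswordLastSet
}

# Group Policy Preferences XML files in SYSVOL that still carry a cpassword attribute,
# i.e. GPOs that store passwords and should be cleaned up.
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -List |
    Select-Object Path
```

Each block emits only the objects that would trip the corresponding recommendation, so an empty result for a block means that check is already clean.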

What you need to do to prepare:

We recommend reviewing the improvement actions listed in Microsoft Secure Score. We will continue to add suggested security improvement actions on an ongoing basis.

Learn more: Security posture assessments - Microsoft Defender for Identity | Microsoft Learn (article will be updated before rollout begins)

This rollout will happen automatically by the specified date with no admin action required before the rollout. You may want to notify your admins about this change and update any relevant documentation.