This is the Part 04 of the Microsoft Defender for Identity blog series and so far in this series, we learned about following,
Part 01 – MDI Overview
Part 02 – Create Directory Service Account
Part 03 – Collect Windows Events
This is the last blog post which covering about MDI prerequisites. The rest of the blog posts in the series will cover the operation side of the MDI.
Microsoft Defender for Identity sensors are responsible for collecting data from devices in network and then reporting back to Microsoft Defender for Identity cloud service. If these sensors are in segmented network, we need to open certain TCP/UDP ports to allow this communication. Following table includes the ports that need to be open to allow the communication.
Microsoft Defender for Identity Connectivity
| Protocol | TCP/UDP | Port | From | To |
| SSL | TCP | 443 | Defender for Identity sensor | Defender for Identity Cloud Service |
| DNS | TCP & UDP | 53 | Defender for Identity sensor | DNS Servers |
| Netlogon | TCP/UDP | 445 | Defender for Identity sensor | All devices on network |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity Sensor |
| SSL(localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NTLM over RPC* | TCP | 135 | Defender for Identity sensor | All devices on network |
| NetBIOS* | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP* | TCP | 3389, only the first packet of client hello | Defender for Identity sensor | All devices on network |
*These ports will use for NNR https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy . Only one of these ports is required for NNR.
Source : https://docs.microsoft.com/en-us/defender-for-identity/prerequisites
If you are going to use Defender for Identity standalone sensor, following ports need to be open.
| Protocol | TCP/UDP | Port | From | To |
| SSL | TCP | 443 | Defender for Identity sensor | Defender for Identity Cloud Service |
| LDAP | TCP and UDP | 389 | Defender for Identity sensor | Domain Controllers |
| Secure LDAP (LDAPS) | TCP and UDP | 636 | Defender for Identity sensor | Domain Controllers |
| LDAP to Global Catalog | TCP | 3268 | Defender for Identity sensor | Domain Controllers |
| LDAPS to Global Catalog | TCP | 3269 | Defender for Identity sensor | Domain Controllers |
| Kerberos | TCP and UDP | 88 | Defender for Identity sensor | Domain Controllers |
| DNS | TCP & UDP | 53 | Defender for Identity sensor | DNS Servers |
| Netlogon | TCP/UDP | 445 | Defender for Identity sensor | All devices on network |
| Windows Time | UDP | 123 | Defender for Identity sensor | Domain Controllers |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity Sensor |
| SSL(localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NTLM over RPC* | TCP | 135 | Defender for Identity sensor | All devices on network |
| NetBIOS* | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP* | TCP | 3389, only the first packet of client hello | Defender for Identity sensor | All devices on network |
*These ports will use for NNR https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy . Only one of these ports is required for NNR.
Source : https://docs.microsoft.com/en-us/defender-for-identity/prerequisites
Stand-alone sensors required high number of ports as those required to communicate with domain controllers.
Stand-alone sensor required at least two network adapters. One of those should be management adapter and other one should work as capture adapter. The above listed rules are for management adapter. This is the adapter MDI will use for communication on the corporate network. Capture adapter’s role is to capture in/out traffic from domain controllers.
******* Updates ***********
- NNR also can query DNS servers using reverse lookup of the IP addresses. This uses UDP 53. For this to work There must be a joined up DNS reverse namespace in place and PTRs must exist.
- If you try to install sensor on a machine with NIC teaming adapter you will receive error. To fix that you need to install Npcap driver Microsoft Defender for Identity frequently asked questions | Microsoft Docs . Also some switches also can create issues with this. Eg- Cisco blades, requiring Npcap OEM v1.0.0
- If you are using WinHTTP for proxy config, you must configure WinInet proxy browser proxy setting to allow communication between browser and MDI cloud service. Moe info about proxy config can be found on https://docs.microsoft.com/en-us/defender-for-identity/configure-proxy
**** Special thanks to Ben Robinson – Microsoft Security Architecture for valuable feedback *****
This marks the end of this blog post. From next blog post let’s look in to MDI implementation. Meantime If you have any questions, feel free to contact me on rebeladm@live.com also follow me on Twitter @rebeladm to get updates about new blog posts.
