Updated: September 25, 2023 (September 17, 2023)
Analyst Report
Certificate Server Support Arrives in Defender for Identity
Active Directory Certificate Services (AD CS) servers can now be monitored by Microsoft Defender for Identity through recently released sensor software. AD CS servers issue digital certificates that identify users and other AD principals in an organization’s public key infrastructure (PKI). AD CS servers are often not secured properly, and a successful attack against AD CS servers can grant administrative privileges to the attacker or allow them to impersonate the organization. The new sensor capabilities can detect common attack tactics, such as disabling AD CS audit logs or deleting the certificate database. Plans include detection of changes in AD CS access control lists (ACLs), a vector often used to take over AD in an attack. Defender for Identity previously monitored domain controllers and AD Federation Services (AD FS) servers, but not AD CS servers. More details about the addition of support for AD CS servers are at https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/microsoft-defender-for-identity-expands-its-coverage-with-new-ad/ba-p/3894215.