Last Updated on March 19, 2023 by Dishan M. Francis

This is Part 04 of the Microsoft Defender for Identity blog series. So far in this series, we have covered the following:

Part 01 – MDI Overview

Part 02 – Create Directory Service Account

Part 03 – Collect Windows Events

This is the last blog post covering MDI prerequisites. The rest of the blog posts in the series will cover the operational side of MDI.

Microsoft Defender for Identity sensors are responsible for collecting data from devices on the network and reporting it back to the Microsoft Defender for Identity cloud service. If these sensors are in a segmented network, we need to open certain TCP/UDP ports to allow this communication. The following table lists the ports that need to be open.

| Protocol | TCP/UDP | Port | From | To |
|---|---|---|---|---|
| SSL | TCP | 443 | Defender for Identity sensor | Defender for Identity Cloud Service |
| DNS | TCP & UDP | 53 | Defender for Identity sensor | DNS Servers |
| Netlogon | TCP/UDP | 445 | Defender for Identity sensor | All devices on network |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity Sensor |
| SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NTLM over RPC* | TCP | 135 | Defender for Identity sensor | All devices on network |
| NetBIOS* | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP* | TCP | 3389, only the first packet of client hello | Defender for Identity sensor | All devices on network |

*These ports are used for NNR (https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy). Only one of these ports is required for NNR.

Source : https://docs.microsoft.com/en-us/defender-for-identity/prerequisites

If you are going to use the Defender for Identity standalone sensor, the following ports need to be open.

| Protocol | TCP/UDP | Port | From | To |
|---|---|---|---|---|
| SSL | TCP | 443 | Defender for Identity sensor | Defender for Identity Cloud Service |
| LDAP | TCP and UDP | 389 | Defender for Identity sensor | Domain Controllers |
| Secure LDAP (LDAPS) | TCP and UDP | 636 | Defender for Identity sensor | Domain Controllers |
| LDAP to Global Catalog | TCP | 3268 | Defender for Identity sensor | Domain Controllers |
| LDAPS to Global Catalog | TCP | 3269 | Defender for Identity sensor | Domain Controllers |
| Kerberos | TCP and UDP | 88 | Defender for Identity sensor | Domain Controllers |
| DNS | TCP & UDP | 53 | Defender for Identity sensor | DNS Servers |
| Netlogon | TCP/UDP | 445 | Defender for Identity sensor | All devices on network |
| Windows Time | UDP | 123 | Defender for Identity sensor | Domain Controllers |
| RADIUS | UDP | 1813 | RADIUS | Defender for Identity Sensor |
| SSL (localhost) | TCP | 444 | Sensor Service | Sensor Updater Service |
| NTLM over RPC* | TCP | 135 | Defender for Identity sensor | All devices on network |
| NetBIOS* | UDP | 137 | Defender for Identity sensor | All devices on network |
| RDP* | TCP | 3389, only the first packet of client hello | Defender for Identity sensor | All devices on network |

*These ports are used for NNR (https://docs.microsoft.com/en-us/defender-for-identity/nnr-policy). Only one of these ports is required for NNR.

Source : https://docs.microsoft.com/en-us/defender-for-identity/prerequisites

Stand-alone sensors require a higher number of ports, as they need to communicate with domain controllers.

A stand-alone sensor requires at least two network adapters. One should be the management adapter and the other should work as the capture adapter. The rules listed above are for the management adapter. This is the adapter MDI will use for communication on the corporate network. The capture adapter’s role is to capture inbound and outbound traffic of the domain controllers.
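Once the firewall rules are in place, the TCP rows of the two tables above can be verified from the sensor machine. The script below is an added example, not part of the original post or Microsoft's tooling; every host name in it is a placeholder, and the UDP-only rows and the localhost 444 row are not covered because `Test-NetConnection` only tests TCP to a remote target.

```powershell
# Added example. Run from the machine that hosts (or will host) the MDI sensor.
# Every host name below is a placeholder (assumption); replace with your own.
param(
    [string]   $CloudService      = 'mdi-cloud-service.example',  # placeholder FQDN
    [string[]] $DnsServers        = @('dns01.corp.example'),
    [string[]] $NetworkDevices    = @('client01.corp.example'),   # sample devices behind the firewall
    [string[]] $DomainControllers = @()                            # set only for a standalone sensor
)

# TCP rows of the port tables. Nnr = $true marks rows where only one method is required.
$checks = @(
    [pscustomobject]@{ Protocol = 'SSL';           Port = 443;  Targets = @($CloudService); Nnr = $false }
    [pscustomobject]@{ Protocol = 'DNS';           Port = 53;   Targets = $DnsServers;      Nnr = $false }
    [pscustomobject]@{ Protocol = 'Netlogon';      Port = 445;  Targets = $NetworkDevices;  Nnr = $false }
    [pscustomobject]@{ Protocol = 'NTLM over RPC'; Port = 135;  Targets = $NetworkDevices;  Nnr = $true }
    [pscustomobject]@{ Protocol = 'RDP';           Port = 3389; Targets = $NetworkDevices;  Nnr = $true }
)

# Extra rows that apply only to the standalone sensor (sensor -> domain controllers).
$dcPorts = [ordered]@{ 'LDAP' = 389; 'LDAPS' = 636; 'LDAP to GC' = 3268; 'LDAPS to GC' = 3269; 'Kerberos' = 88 }
foreach ($name in $dcPorts.Keys) {
    $checks += [pscustomobject]@{ Protocol = $name; Port = $dcPorts[$name]; Targets = $DomainControllers; Nnr = $false }
}

# One TCP connection attempt per (row, target) pair; -InformationLevel Quiet returns a boolean.
$results = foreach ($c in $checks) {
    foreach ($t in $c.Targets) {
        $ok = Test-NetConnection -ComputerName $t -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Protocol = $c.Protocol; Port = $c.Port; Target = $t; Nnr = $c.Nnr; Reachable = $ok }
    }
}
$results | Format-Table Protocol, Port, Target, Reachable -AutoSize | Out-Host

# NNR needs only one working method per device, so evaluate those rows as a group.
$results | Where-Object Nnr | Group-Object Target | ForEach-Object {
    if ($_.Group.Reachable -contains $true) {
        "NNR: $($_.Name) is reachable on at least one TCP NNR port"
    } else {
        "NNR: $($_.Name) is not reachable on TCP 135 or 3389; verify UDP 137 or reverse DNS (PTR) instead"
    }
}
```

If the sensor reaches the cloud service through a proxy, the direct TCP 443 test fails even when the proxy path works, so check that row through the proxy instead.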

******* Updates ***********

  1. NNR can also query DNS servers using a reverse lookup of the IP addresses. This uses UDP 53. For this to work, there must be a joined-up DNS reverse namespace in place and PTR records must exist.
  2. If you try to install the sensor on a machine with a NIC teaming adapter, you will receive an error. To fix that, you need to install the Npcap driver (see Microsoft Defender for Identity frequently asked questions | Microsoft Docs). Some switches can also create issues with this, e.g. Cisco blades, requiring Npcap OEM v1.0.0.
  3. If you are using WinHTTP for proxy config, you must configure the WinInet browser proxy setting to allow communication between the browser and the MDI cloud service. More info about proxy config can be found at https://docs.microsoft.com/en-us/defender-for-identity/configure-proxy

**** Special thanks to Ben Robinson – Microsoft Security Architecture for valuable feedback *****

This marks the end of this blog post. In the next blog post, let’s look into MDI implementation. In the meantime, if you have any questions, feel free to contact me at rebeladm@live.com. Also follow me on Twitter @rebeladm to get updates about new blog posts.