Enterprise 3 Build 3 (E3B3) - SDP and Microsegmentation - Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Microsoft Sentinel, Forescout eyeControl, and Forescout eyeExtend as PEs Product Guides

Enterprise 3 Build 3 (E3B3) - SDP and Microsegmentation - Microsoft Azure AD Conditional Access (later renamed Entra Conditional Access), Microsoft Intune, Microsoft Sentinel, Forescout eyeControl, and Forescout eyeExtend as PEs Product Guides#

Note

This page is supplementary material for the NIST SP 1800-35 publication.

This section of the practice guide contains detailed instructions for installing, configuring, and integrating all the products used to implement E3B3. For additional details on E3B3’s logical and physical architectures, please refer to Architecture and Builds. Build 3 was built on top of Build 2 and all the components in Build 2 were used in this build. For E3B2’s configuration, please refer to Enterprise 3 Build 2. Below are the additional components added to Build 3.

Microsoft Defender for Identity#

Microsoft Defender for Identity is a cloud-based solution that detects identity-based threats in hybrid environments. Using signals collected from AD, it will discover compromised identities and alert on suspicious user actions. To deploy Defender for Identity, use the following steps:

  1. Review the prerequisites before deploying Defender for Identity.

  2. Configure the necessary Windows event logs to enable appropriate detections.

  3. Create a directory service account that will be used by Defender for Identity in the domain.

  4. Download and install the Defender for Identity sensor.

  5. Configure sensor settings and validate installation.

Microsoft Defender for Office#

Microsoft Defender for Office 365 provides protection from malware, phishing, spam, unsafe links and attachments, and other related threats. To configure Defender for Office 365, use the following steps:

  1. Configure the Standard Preset Security Policy for Defender for Office 365.

  2. Configure anti-phishing policies.

  3. Configure anti-malware policies.

  4. Configure safe attachment protections in Microsoft 365.

  5. Set up safe links protections.

Microsoft Purview Information Protection#

Purview Information Protection discovers, labels, classifies, and protects data in the cloud and on-premises. It aims to provide data governance and protection throughout the enterprise.

Discover your sensitive data using the examples shown here. To discover sensitive data on-premises, you will need to deploy the Information Protection Scanner.

Information Protection Scanner#

Information Protection Scanner is used to discover sensitive data in an on-premises environment.

Use the information here to install and configure the Information Protection Scanner.

Purview DLP#

Purview Data Loss Prevention (DLP) reduces the risk of unauthorized information disclosure and reduces the likelihood that sensitive data will be shared inappropriately. Data loss prevention policies specify the category of data to protect and the type of restrictions that are applicable.

Use the information here to create and deploy DLP policies.

Microsoft Entra Permissions Management#

Entra Permissions Management provides visibility and control of an identity’s permissions in Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). It identifies a user’s permissions across all three cloud platforms, determines which permissions are not required based on usage, and can be configured to reduce the permissions to only those being used.

  1. Enable Entra Permissions Management.

  2. Onboard an AWS Account.

  3. Onboard an Azure Subscription.

  4. Onboard a GCP Project.

  5. Add an AWS Account, Azure Subscription, and GCP Project after onboarding is complete.

  6. To view inactive users or users with overprovisioned permissions, click here.

  7. To revoke unused permissions, click here.

Microsoft Azure Virtual Desktop#

Azure Virtual Desktop is a desktop and application virtualization service that delivers the full Windows experience over HTTPS to a connecting client. Use the following steps to set up Azure Virtual Desktop:

  1. Understand prerequisites prior to deployment.

  2. Create and connect to an Azure Virtual Desktop.

Microsoft Intune VPN Tunnel#

The Intune VPN Tunnel is a VPN solution that provides access to internal network resources from iOS/iPad and Android devices using modern authentication and conditional access. Use the following steps to set up the Intune VPN Tunnel:

  1. Understand the prerequisites prior to deployment.

  2. Install and configure Intune VPN Tunnel.

Microsoft Azure Arc#

Azure Arc is an Azure cloud platform that provides governance and management of on-premises servers, containers, and other related infrastructure components using Azure policies and management tools. It essentially extends governance to resources existing in on-premises environments. Use the following steps to set up Azure Arc:

  1. Understand network requirements.

  2. Understand Azure Arc-enabled servers.

  3. Onboard a Windows server.

  4. Onboard a Linux server.

Microsoft Azure Automanage#

Azure Automanage automatically configures onboarded servers with Azure best practices, monitors those servers, and remediates them when any configuration drift occurs. With Automanage, you must create a configuration profile for the server.

Enable Azure Automanage for VMs in Azure portal.

Microsoft Sentinel Playbooks#

Playbooks in SOAR systems enable automated responses to address detected threats in an environment. In this build, a Sentinel playbook was created to revoke or terminate sessions of users when the risk evaluated for that session was deemed high. You can create playbooks with the information found at the create a playbook link.

Microsoft Privileged Access Workstation#

A privileged access workstation is a hardened workstation that includes security controls that lock down local administrative access and tools to only what is required for performing sensitive tasks. Use the information at configure a privileged access workstation to do so.

Microsoft Azure Application Gateway#

Azure Application Gateway is a layer seven load balancer and can be configured to provide Web Application Firewall functionality. Use the instructions at Create and Configure an Application Gateway to setup and configure an Azure Application Gateway. To configure the Web Application Firewall functionality, use the information at Enable Web Application Firewall Feature on an Azure Application Gateway.

Contents