Create a user with no network activities?

  • Question

  • ATA Prerequisites, Before You Start:

    "Optional: A user account of a user who has no network activities. This account will be configured as the ATA Honeytoken user."

    What does this mean exactly? Is there a special way to configure this new user in Active Directory, or is it just referring to a standard User account that no-one ever uses?

    Thursday, May 25, 2017 10:57 AM

Answers

  • Hello,

    A honeytoken account is a non-interactive, or dummy, account. You should create these accounts in Active Directory and grant Domain Admins permissions to these accounts.

    There is no special way to create these accounts; just create them as you normally would in Active Directory.

    Since attackers usually try to hack accounts with administrator permissions, a honeytoken account is helpful for detecting malicious activities.

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by R___B Friday, May 26, 2017 10:51 AM
    Friday, May 26, 2017 10:11 AM

All replies
  • Hi Andy,

    Thanks for the response. Whilst I can see making the honeytoken account attractive to an attacker by giving it Domain Admin permissions, doesn't this mean the attacker would have Domain Admin privileges if they got control of the account? Does ATA detect and then stop the malicious activity, or just detect and report on it?

    Thanks.

    Friday, May 26, 2017 10:51 AM
  • I am very curious about the reasoning for this as well, why assign the honeytoken account the Domain Admin privileges?

    I guess this is to detect if someone is trying to hack an account that has Domain Admin privileges (a special designated account that will NEVER be used by anyone) and the only way to do this is by assigning the "honeytoken" account this level of access?

    Please can you detail the intent on honeytoken accounts.

    • Edited by techy86_ Tuesday, May 30, 2017 1:52 PM
    Monday, May 29, 2017 8:42 PM
  • Hello,

    ATA can detect and report on the malicious activity, but can't stop it.

    Without a honeytoken account, you still have accounts which have Domain Admins permissions. Creating a honeytoken account is not meant to be attractive to an attacker. It's just a method to detect the malicious activity.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 2, 2017 9:55 AM
  • One could also add all their Domain Admin accounts in there to pick up on activity on those accounts, which would be useful as well.
    Friday, June 2, 2017 4:18 PM
  • Here's how I do it:

    1. Create an account in Active Directory where you would normally place your domain admin accounts; call it something enticing, like "Company admin"
    2. Add this user to the domain admin accounts
    3. In the description field, set the password (yes, you are giving everyone the domain admin password!)
    4. Configure logon times so that the account can never log on, like this:

    Note, this whole process is useless UNLESS you can select honeytoken account activity. If you have Azure ATP, configure this account in Configuration > Entity Tags > Honeytoken account. Then try to log on anywhere using this account. You will see it will be denied because of the logon hours you specified. Within a few minutes, ATP should show an alert in your timeline that looks like this:

    Thursday, January 17, 2019 6:07 PM
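The procedure in the last reply (create the account, add it to Domain Admins, deny every logon hour, then verify the denial) can be scripted. The following is an added example for this thread, not code posted by any participant or shipped with ATA/Azure ATP. It assumes the ActiveDirectory RSAT module and a session with rights to create users and edit the Domain Admins group; the account name and OU are placeholders. The reply's step 3 (publishing the password in the description field) is left to the reader's judgement and is not automated here.

```powershell
# Added example: build and verify a honeytoken account as described in the thread.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights; names are placeholders.
Import-Module ActiveDirectory

$Name     = 'companyadmin'                   # placeholder: an enticing name (step 1)
$OU       = 'OU=Admins,DC=example,DC=com'    # placeholder OU where admin accounts live
$Password = Read-Host -AsSecureString 'Password for the honeytoken account'

# Step 1: create the account like any other admin account.
New-ADUser -Name $Name -SamAccountName $Name -Path $OU `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true `
    -Description 'Company admin account'     # placeholder description text

# Step 4: logonHours is a 21-byte bitmap, one bit per hour of the week (UTC).
# Every bit cleared means the DC rejects every logon attempt for this account,
# so the account can exist (and be a member of Domain Admins) but never be used.
$neverAllowed = [byte[]]::new(21)            # 21 zero bytes = 168 cleared bits
Set-ADUser -Identity $Name -Replace @{ logonHours = $neverAllowed }

# Step 2: group membership, as the replies in this thread recommend.
Add-ADGroupMember -Identity 'Domain Admins' -Members $Name

# Verification: confirm the three properties the thread relies on.
function Test-HoneytokenAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties logonHours, LastLogonDate, memberOf

    $hours       = [byte[]]$u.logonHours
    $logonDenied = ($hours.Count -eq 21) -and (($hours | Measure-Object -Sum).Sum -eq 0)

    [pscustomobject]@{
        Name          = $u.SamAccountName
        LogonDenied   = $logonDenied                          # all logon hours cleared
        NeverLoggedOn = -not $u.LastLogonDate                 # "no network activities"
        IsDomainAdmin = [bool]($u.memberOf -match '^CN=Domain Admins,')
    }
}

Test-HoneytokenAccount -SamAccountName $Name
```

Run `Test-HoneytokenAccount` periodically (for example from the same job that audits Domain Admins membership): if `LogonDenied` ever flips to false, someone has changed the logon hours, and if `NeverLoggedOn` flips to false, the account has been used. On the domain controllers, a logon attempt rejected for logon hours shows up as an NTLM failure (event 4625 with sub-status 0xC000006F) or a Kerberos pre-authentication failure (event 4771, failure code 0x12), which is the same attempt that Azure ATP surfaces as honeytoken activity once the account is tagged under Entity Tags.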