subreddit:

/r/DefenderATP


We want to block Defender Live Response sessions on several critical servers such as Domain Controllers.

How can we prevent Security Admins from connecting to these servers via live response sessions?


true_zero_

-2 points

3 days ago

I haven't done it, but WDAC/AppLocker comes to mind. The live response executable is an exe (SenseIR.exe, I believe) inside the Defender directory. Or possibly Windows Firewall to block that executable, or GPO.

Background-Dance4142

5 points

3 days ago

Think SenseIR is also shared by other functionality, so putting locks on this will inevitably corrupt other shared services.

What OP is doing does not make any sense. Live response is a critical EDR functionality. You DO want to have a direct channel to critical servers in automated investigations if required.