Defender for IoT sensor access

Derk van der Woude
3 min read · May 3, 2024


The Microsoft Defender for IoT | OT Sensor is a virtual or physical appliance connected to the OT network via a SPAN port or TAP device to collect information about devices, network communication, vulnerabilities and alerts.

The OT sensor has a web interface for configuration, whether air-gapped or cloud connected. If the sensor is connected to the (Azure) cloud, the most used settings can be configured in the Microsoft Defender for IoT portal in Azure (e.g. VLAN, Subnet, NTP, Active Directory, etc.).

Access to the local web interface of the OT sensor can be configured via different access and authentication methods, each with their own pros and cons.

Stand-alone

Stand-alone access and authentication is the default method: a username (admin, cyber, cyberx or custom) and a (complex) password for the web portal [HTTPS].

[Image: Stand-alone]

By default the deployment is air-gapped, meaning only accessible from the (on-premises) OT network via the network interface.

Active Directory

Stand-alone access with Active Directory authentication provides centralized and ‘secured’ access via the OT Active Directory (security boundary).

[Image: Active Directory]

At least one local account needs to exist on the sensor for local access.

Configure the following settings:

  • Domain Controller FQDN (or IP-address if the sensor DNS cannot resolve the FQDN)
  • Domain Controller port [389 LDAP | 636 LDAPS]
  • Primary Domain
  • Active Directory groups (lowercase only)

Use the username to log on without the NetBIOS prefix or domain suffix.

Entra ID | SSO

Entra ID access and authentication, SSO (Single Sign-On) from an Entra ID joined device, provides seamless (Entra ID device) access to the on-premises portal, protected via the Entra ID | Conditional Access framework.

[Image: Entra ID | SSO]

Configure the following settings:

  • Entra ID | App Registration
  • Redirect URI <>
  • Grant admin consent for <Directory Name>

Requires a public IP address or hostname and inbound port forwarding to the sensor on port 443 [HTTPS].

Outbound access from the sensor can be restricted to the following endpoints:

  • iothub-prodweu-ad4iot.azure-devices.net
  • eventhubprodweueiotNameSpace.servicebus.windows.net
  • storprodweunotif.blob.core.windows.net
  • storprodweusenasts.blob.core.windows.net
  • westeurope.iot.security.azure.com
  • pipe.skype.com
  • api.mdiot.microsoft.com
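As an added example (not code from the article or from Microsoft), a small check that reviews sensor-originated firewall log entries against the outbound endpoint list above: it flags allowed connections to destinations outside the list and denied connections to required endpoints. The sensor address, the log line format and the log lines themselves are constructed assumptions.

```python
import re

# Outbound endpoints the article lists for a West Europe sensor, lowercased for
# case-insensitive matching (DNS names are not case sensitive).
SENSOR_EGRESS_ALLOWLIST = {
    "iothub-prodweu-ad4iot.azure-devices.net",
    "eventhubprodweueiotnamespace.servicebus.windows.net",
    "storprodweunotif.blob.core.windows.net",
    "storprodweusenasts.blob.core.windows.net",
    "westeurope.iot.security.azure.com",
    "pipe.skype.com",
    "api.mdiot.microsoft.com",
}
# Assumed management address of the sensor (placeholder, not from the article).
SENSOR_IP = "10.20.30.40"
# Constructed log format: "<ts> src=<ip> dst=<fqdn> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+action=(allow|deny)")

def parse_line(line):
    """Extract the fields we need; returns {} for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    src, dst, dport, action = m.groups()
    return {"src": src, "dst": dst.rstrip(".").lower(), "dport": int(dport), "action": action}

def review_sensor_egress(lines):
    """Return 'unexpected' (allowed, off-list) and 'blocked_required' (denied, on-list) destinations."""
    result = {"unexpected": [], "blocked_required": []}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["src"] != SENSOR_IP:
            continue  # only traffic originating from the sensor is in scope
        on_list = rec["dst"] in SENSOR_EGRESS_ALLOWLIST
        if on_list and rec["action"] == "deny":
            result["blocked_required"].append(rec["dst"])
        elif not on_list and rec["action"] == "allow":
            result["unexpected"].append(f'{rec["dst"]}:{rec["dport"]}')
    return result

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-03T10:00:01 src=10.20.30.40 dst=api.mdiot.microsoft.com dport=443 action=allow",
    "2024-05-03T10:00:02 src=10.20.30.40 dst=EventHubProdWEUeiotNameSpace.servicebus.windows.net dport=443 action=deny",
    "2024-05-03T10:00:03 src=10.20.30.40 dst=updates.example.net dport=80 action=allow",
    "2024-05-03T10:00:04 src=10.20.30.99 dst=updates.example.net dport=80 action=allow",
]
```

Running `review_sensor_egress(SAMPLE_LOG)` reports the off-list destination on port 80 as unexpected and the denied Event Hub endpoint as a required destination the firewall is blocking.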

Entra | Application Proxy

Microsoft Entra Application Proxy leverages Entra ID authentication and Conditional Access policies to secure access to on-premises web services on port 80/443 [HTTP(S)] without requiring a public IP-address and inbound port forwarding.

[Image: Microsoft Entra Application Proxy]

A public certificate for the OT sensor is required for Application Proxy; all other options above can use the self-signed certificate.

Configure the following settings:

  • Download and deploy the Entra Private Network Connector on a Windows Server (2012 R2 or above) that has network access to the on-premises application.
  • Create an Enterprise Application > Add an on-premises application
  • <AppName>
  • Internal URL (https:// followed by the OT Sensor name included in the public certificate)
  • External URL https://<AppName>-<tenant>.msappproxy.net/

[Image: On-premises applications settings]

Summary

The table below provides an overview of the pros and cons of the different authentication models for access to the OT sensor.

[Table image: OT Sensor Authentication Overview]

Written by Derk van der Woude, Chief Technology Officer @ Nedscaper