Deepnines Active Directory User Services Guide Version 1.0 October 22, 2008
2008 Deepnines, Inc., all rights reserved. Deepnines Technologies, Security Edge Platform, Security Edge System, Sleuth9 Security System, Sleuth9, ForensiX Capture System, Holistic Management Console, and Zero Footprint Technology are trademarks and/or registered trademarks of Deep Nines Inc. All other brands and products are trademarks and/or registered trademarks of their respective owners. Protected by US Patents 6,930,978 and 7,058,976 Deepnines Active Directory User Services ii
Table of Contents

Chapter 1 - Introduction ... 1-1
1.1 Overview ... 1-1
Chapter 2 - Installation Procedures ... 2-1
2.1 Installation Procedures ... 2-1
Chapter 3 - Log Information ... 3-1
3.1 Deepnines AD User Group Poller/User DB Updater Service Log Information ... 3-1
3.2 SEP Log Information ... 3-1
Chapter 4 - Active Directory Logon Script ... 4-1
4.1 Deepnines Active Directory Logon Script ... 4-1
4.2 When to Use the Logon Script ... 4-1
4.2.1 Installation Procedure for Logon Script ... 4-1
4.2.2 Using the LogParser Executable ... 4-7
Chapter 5 - Setting Up MAC OS on Active Directory User Services ... 5-1
5.1 MacOS X Client ... 5-1
5.2 Windows 2003 Server ... 5-3
Chapter 1 - Introduction

1.1 Overview

Microsoft Active Directory (AD) is a service for centrally managing access to network resources. End users authenticate to AD when they need access to a network resource. End users are typically members of one or more groups, which are used to ease access management. Deepnines Active Directory User Services integrates transparently with AD by querying the AD servers for logon information and group membership information and providing this information to Deepnines itrust, enabling user-based reporting and group-based policy controls.

Deepnines Active Directory User Services consists of four Microsoft Windows-based services: the Deepnines Active Directory Group Poller, Deepnines Active Directory Host Poller, Deepnines Active Directory Login Watcher, and Deepnines Active Directory User DB Updater. Each service runs on a Windows-based system in order to access the relevant AD information on behalf of SEP.

The Deepnines Active Directory Login Watcher service periodically queries the AD servers (every minute by default) to determine all of the IPv4 addresses a user has used to log on. The Deepnines Active Directory Group Poller service periodically retrieves user group membership (every 30 minutes by default) from the AD servers. Both polling intervals are configurable with a resolution of up to one second. The Deepnines Active Directory Host Poller service queries the user's PC directly to determine who is logged into it. Its default polling rate is 30 minutes.

The following information is collected from the AD servers:

Active Directory Name of each user: unique identifier of the user (e.g. testdomain.deepnines.com/user1).
Active Directory Name of each group: unique identifier of the group (e.g. testdomain.deepnines.com/group1).
IP address: the IP addresses each user is logged on from.
Group membership: a list of users that are members of each group.

The Deepnines Active Directory User DB Updater periodically reads the files written by the Deepnines AD User Group Poller and uploads this data to SEP over an SSL-protected TCP connection. The update period is configurable to a resolution of up to one second. It can also be configured to upload only deltas of the information, to reduce network traffic and load on SEP.
Chapter 2 - Installation Procedures

2.1 Installation Procedures

Deepnines Active Directory User Services needs to be installed on the Windows domain controllers in the network. Deepnines Active Directory User Services has been certified on Windows 2000, Windows 2003 and Windows XP.

1. Insert the D9BaseOS CD in the CDROM drive and click DeepNines Active Directory User Services - 1.0 - Setup.
2. Select a language (this only affects the language of the installation program) and click <OK>.
3. Click <YES> to continue with the installation of Deepnines Active Directory User Services.
4. The Welcome screen for Deepnines Active Directory User Services appears. Click <NEXT> to continue with the installation.
5. The Choose Destination Location screen appears. Select the folder in which to install Deepnines Active Directory User Services and click <NEXT>.
6. The sleuth9 Security Edge Platform Management IP Address screen appears. Enter the IP address of the management interface of your SEP. If you have more than one SEP, enter all the IP addresses separated by commas. Click <NEXT> to continue.
7. The Start Copying Files screen appears. The program files will be copied to the destination location. Click <NEXT> to begin this process.

The installation process begins and continues until the Deepnines Active Directory User Services have been installed. After the installation is complete, the services are registered on the computer and set to start automatically on reboot.
Chapter 3 - Log Information

3.1 Deepnines AD User Group Poller/Deepnines User DB Updater Service Log Information

After the installation is complete, all the Deepnines services are started and set to start automatically on reboot. To start without rebooting, go to

To modify the polling periods, edit the file <install directory>\ad\config\defaults.cfg and then run <install directory>\ad\bin\d9config -file ..\config\defaults.cfg to import the configuration. The services will then need to be restarted, either using the Services control panel item or by using the scripts stopall.bat and startall.bat in the bin directory.

3.2 SEP Log Information

On the SEP, /var/log/messages will contain the following messages indicating connection status:

D9 User Services Agent (IP of address server) is connected

This message indicates that information is being received from the D9 User Services agent named aname. The name can be set in the defaults.cfg file with the parameter srcname. This message is only shown if no previous connection from the agent was detected or if the connection had failed.

D9 User Services Agent (IP of address server) is not connected

This message indicates that expected information from an agent has not been transmitted. This message is not repeated on successive failures.
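Because SEP logs these two messages only on a state change, anyone watching /var/log/messages has to keep the last message seen per agent rather than grep for "not connected" over a time window. The following is an added example, not part of the Deepnines guide or product: a small Python monitor over constructed syslog lines (the syslog prefix and the agent IP addresses other than 10.9.200.177 are assumptions) that derives each agent's current status and flags domain controllers whose AD data SEP is no longer receiving.

```python
import re
from collections import OrderedDict

# Constructed sample of /var/log/messages lines on the SEP. The syslog prefix
# ("Oct 22 09:00:01 sep d9:") is an assumption; the message text follows the
# wording the guide gives for the agent connection messages.
SAMPLE_LOG = """\
Oct 22 09:00:01 sep d9: D9 User Services Agent (10.9.200.177) is connected
Oct 22 09:00:05 sep d9: D9 User Services Agent (10.9.200.178) is connected
Oct 22 10:15:42 sep d9: D9 User Services Agent (10.9.200.178) is not connected
Oct 22 10:16:00 sep sshd[1234]: Accepted publickey for admin from 10.9.1.5
Oct 22 11:30:10 sep d9: D9 User Services Agent (10.9.200.178) is connected
"""

# Timestamp, then anything, then the agent message; "not connected" is tried
# before "connected" so the state group captures the whole phrase.
AGENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"D9 User Services Agent \((?P<agent>[^)]+)\) is (?P<state>not connected|connected)$"
)


def agent_states(log_text):
    """Return {agent: (state, timestamp)} with the latest state per agent.

    SEP writes a message only when an agent's status changes, so the most
    recent message for an agent is its current status; unrelated syslog
    lines are skipped."""
    states = OrderedDict()
    for line in log_text.splitlines():
        m = AGENT_RE.search(line.strip())
        if m:
            states[m.group("agent")] = (m.group("state"), m.group("ts"))
    return states


def disconnected_agents(log_text):
    """Agents whose latest message is 'is not connected': the Windows hosts
    whose user/group updates SEP is currently not receiving."""
    return sorted(a for a, (s, _) in agent_states(log_text).items()
                  if s == "not connected")


def never_seen(log_text, expected):
    """Expected agents (e.g. every domain controller running the services)
    that have never reported. An agent that never connected produces no
    'not connected' message at all, so it has to be checked against a list."""
    return sorted(set(expected) - set(agent_states(log_text)))
```

Run this over the real file after confirming the syslog prefix SEP actually uses, and keep the expected-agent list in step with the srcname values configured on each domain controller.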
Chapter 4 - Active Directory Logon Script

4.1 Deepnines Active Directory Logon Script

Deepnines Active Directory User Services provides a logon script that can be used to increase the accuracy of logon and logoff detection. The logon script can be added to the domain controller so that every user who authenticates with the domain controller executes the script at logon and logoff. The logon script mounts a network drive, writes the user's name and IP to a file on the network drive, and then unmounts the network drive. The files on the network drive are read by the Deepnines services running on the domain controller. The logon script is located at <install directory>\ad\bin\logon.vbs.

4.2 When to Use the Logon Script

The logon script can be used if all users are allowed to access network drives.

NOTE: If you are using the logon script, you can disable the logon watcher by setting ADPollEnabled to False.

4.2.1 Installation Procedure for Logon Script

1. Set the network log directory. To install the logon script, you must first decide which directory to use for logon/logoff logs and make sure that this directory is mountable. This is done by setting the directory's share properties and giving the directory a share name. Domain Users should be given permission to read from and write to this directory. Once complete, the logon.vbs script must be modified to indicate the share name. Do this by editing the logon.vbs script with a text editor such as Notepad. Change the line:

strremotepath = "\\10.9.200.177\logshare"

to

strremotepath = "<machine name of share>\<share name>"

This directory name should also be set in the defaults.cfg file. Modify the line:

updatedir../updatedir

to

updatedir <directory name>

and import the file using D9Config.bat.

2. Set the logon script in the domain controller. First open the Active Directory Domains and Trusts management tool.
3. Select the domain and perform the action Manage. This brings up Active Directory Users and Computers.
4. Right-click on the domain and select Properties. This brings up the domain properties. Click the Group Policy tab.
5. Click <EDIT> to edit the group policy.
6. Open User Configuration->Windows Settings->Scripts (Logon/Logoff).
7. Double-click on Logon to bring up the Logon Properties dialog box.
8. Click on Show Files. This brings up the files that are accessible by the group policy object. Copy the modified logon.vbs file into the folder that opens, using Windows Explorer to copy the file and paste it into that folder. Note that if you modify logon.vbs later, you will need to copy the script again.
9. Close the Logon folder. On the Logon Properties dialog box, click on Add to add the script. Click on Browse... to select logon.vbs.
10. Click <OK> on the Add a Script dialog box and then click <OK> on the Logon Properties dialog box. In the Group Policy window, double-click on Logoff.
11. Click on <SHOW FILES> and again copy logon.vbs to the folder that opens. Note that if you modify logon.vbs later, you will need to copy the script again.
12. Close the folder and click on Add to add the script. Click on Browse... to select logon.vbs. In the Script Parameters field, enter logoff so that the script knows it is being called during logoff.
13. Click <OK> on the Add a Script dialog box and <OK> on the Logoff Properties dialog box. The logon script has now been installed.

4.2.2 Using the LogParser Executable

DeepNines Active Directory User Services can use the security event log to track logons and logoffs. To enable this feature:

1. Download and install Microsoft's LogParser utility (version 2.2 or later).
2. Copy logparser.exe from the installed directory to <D9 AD install>\ad\bin.
3. Turn on the option to Audit Account Logon Events in the group security policy. Instructions are in the Activating Audit Policy section of the article: http://technet.microsoft/com/en-us/library/bb742436.aspx#eeaa
4. Restart User Services.
Chapter 5 - Setting Up MAC OS on Deepnines Active Directory User Services

For a Mac OS X client to be recognized by the Deepnines Active Directory User Services (DADS), it needs to have a persistent network resource mounted. The user's home directory should be considered. The following configuration changes are needed in order to have the client mount the home directory for a given user; these changes allow the client to be recognized correctly. Ensure that the Mac OS X user logs into the network account.

Note: For SMB sharing of home folders to work correctly, the following steps need to be performed on both the MacOS X client and on the Windows 2003 Server.

5.1 MacOS X Client

On the MacOS X client, perform the following steps:

1. Select Finder.
2. Select Applications.
3. Select Utilities.
4. Select Directory Access. The Directory Access screen appears.
5. Click <Services> on the top menu bar, highlight Active Directory and check it.
6. Click <Configure>. The Authenticate screen appears.
7. Enter your User ID and Password and click <OK>. The Directory Access screen appears.
8. Place a check mark in Use UNC path from Active Directory to derive network home location and click <OK>.

5.2 Windows 2003 Server

You will need to set the home directory in the Active Directory user object on the Windows 2003 Server. Perform the following steps:

1. Click Start>Admin Tools>Active Directory.
2. Highlight and select Users. The Users properties screen appears.
3. Enter the local path in Home Folder and click <OK>.
4. Make changes to the Default Domain Controller Security Settings by highlighting and selecting Domain Security Policy.
5. Highlight and click Local Policies and then Security Options.
6. Highlight and select Microsoft network server: Digitally sign communications (always).
7. To change the security option from Enabled to Disabled, click on Security Policy Setting on the top menu bar, place a check mark in Define the policy setting and select Disabled.
8. Click <OK>.