Sinefa probes can be configured to connect to Active Directory Domain Controllers in order to determine what users are logged in with which IP addresses. This allows user names to be displayed on Sinefa reports.
Once configured, Sinefa probes will connect to Active Directory Domain Controllers using Windows Management Instrumentation (WMI) and query the Windows Security Event Log for information about IP address and username associations.
A domain Administrator account can already run these queries without any additional configuration, but it carries far more rights than the probe needs, and its credentials would have to be stored in the probe configuration. Following the principle of least privilege, System Administrators should instead create a dedicated, non-administrator account whose only extra rights are remote WMI access and read access to the Security Event Log: if the probe's stored credential is ever exposed, it cannot be used for anything more than reading that log. The following steps should be performed on all domains that Sinefa will monitor.
Step 1: Create a new user account
Create a new domain user account on the Domain Controller. The remainder of these steps assume this account is named sinefawmi, but any valid account name can be used. The account only needs its default membership of the 'Domain Users' group (do not add it to the Power Users, Administrators or any other privileged group). Because the probe will store this account's credentials, give it a long, unique password that is not shared with any other account.
Step 2: Allow remote DCOM access
Windows Server 2008 (or later)
Add the sinefawmi user to the built-in 'Distributed COM Users' group. On domain controllers the built-in groups are shared by every DC in the domain, so this only needs to be done once. Skip ahead to step 3.
Windows Server 2003
Give the sinefawmi user DCOM access.
- Open the Component Services console under Administrative Tools.
- In the Component Services dialog box, expand Component Services, expand Computers, then right-click My Computer and click Properties.
- In the My Computer Properties dialog box, click the COM Security tab.
- Under Access Permissions, click Edit Limits. In the Access Permission dialog box, add the sinefawmi account to the list and ensure that the Remote Access checkbox is enabled, then click OK to close the dialog.
- Under Launch and Activation Permissions, click Edit Limits. In the Launch and Activation Permission dialog box, add the sinefawmi account to the list and ensure that both the Remote Launch and Remote Activation checkboxes are enabled, then click OK to close the dialog.
- Click OK on the My Computer Properties dialog to save all the changes.
Step 3: Allow remote WMI access
Give the sinefawmi account permission to read the WMI namespace. WMI namespace permissions are stored on each machine rather than in the domain, so this step must be performed on every domain controller in the domain that Sinefa probes are configured to connect to.
- Open the Computer Management console under Administrative Tools.
- In the Computer Management dialog, expand the Services and Applications item, then right-click on WMI Control and select Properties.
- In the WMI Control Properties dialog, click the Security tab.
- Expand the Root namespace, select the CIMV2 namespace folder, then click Security.
- In the Security for ROOT\CIMV2 dialog, add the sinefawmi account to the list and ensure both the Enable Account and Remote Enable checkboxes are enabled, then click OK to close the dialog.
- In the WMI Control Properties dialog click OK to close the dialog and save all the changes.
Step 4: Allow access to the Security Event Log
Windows Server 2008 (and later)
Add the sinefawmi user to the built-in 'Event Log Readers' group (like 'Distributed COM Users', this group is shared by all DCs in the domain), then skip the rest of this step.
Windows Server 2003
Give the sinefawmi account read-only permission to the Windows Security Event Log.
- Open a command prompt and type: wmic useraccount get name,sid
- Press Enter and locate the sinefawmi account's security identifier (SID). Copy the entire SID for the sinefawmi account into Notepad.
Access to the Windows Event Logs is controlled using the Security Descriptor Definition Language (SDDL). This is the default SDDL for the Windows Security Event Log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)
This translates into the following access:
(D;;0xf0007;;;AN) - (Deny) Anonymous: All Access
(D;;0xf0007;;;BG) - (Deny) Guests: All Access
(A;;0xf0007;;;SY) - (Allow) Local System: Full Access
(A;;0x7;;;BA) - (Allow) Administrators: Read, Write and Clear Access
In order to grant read-only access to a specific user, the following SDDL item needs to be appended to the default SDDL:
(A;;0x1;;;<USER SID>) - (Allow) sinefawmi: Read Access
Replace <USER SID> with the sinefawmi account SID. More information about SDDL and Windows Event Log permissions can be found here: http://support.microsoft.com/kb/323076
To update these permissions, the system registry needs to be updated.
- Open regedit and navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security
- If the CustomSD parameter is present, right-click on it and select Modify. Append (A;;0x1;;;<USER SID>) to the end of the existing value.
- If the CustomSD parameter is not present or it is blank, select Edit from the menu bar, then select New, then select String Value. Give the new value the name CustomSD, then right-click on it and select Modify. In the Value data field, put the following text: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;<USER SID>)
- In both cases, remember to replace <USER SID> with the SID of the sinefawmi account. Click OK to save the changes.
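The same four steps can be scripted. The following PowerShell is an added example and is not part of the Sinefa article or the Sinefa product. It automates steps 1 to 4 for a Windows Server 2008 (or later) domain, keeps the Server 2003 CustomSD edit as a separate function, and finishes with a verification query run as the new account. It assumes the account name sinefawmi, a placeholder domain controller name dc1.example.local, that the script is run in an elevated PowerShell session as a Domain Admin on a machine with the ActiveDirectory module installed, and that 4624 (logon) events are a reasonable stand-in for whatever the probe actually queries; none of these come from the article.

```powershell
<#
  Added example, not from the Sinefa article or product.
  Steps 1-4 for Windows Server 2008+ DCs, plus a verification read as sinefawmi.
  Assumptions: account name 'sinefawmi', placeholder DC 'dc1.example.local',
  ActiveDirectory module present, run as a Domain Admin.
#>
Import-Module ActiveDirectory

$User   = 'sinefawmi'
$Domain = (Get-ADDomain).NetBIOSName
$Dc     = 'dc1.example.local'     # placeholder: one DC the probes will query

function Get-AccountSid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Step 1: an ordinary Domain User. The password is prompted for so it never lands in a script or history.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$User'")) {
    New-ADUser -Name $User -SamAccountName $User `
        -AccountPassword (Read-Host -AsSecureString "Password for $User") `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Sinefa probe: read-only Security log access via WMI'
}

# Steps 2 and 4 (Server 2008+): both groups live in the domain's Builtin container and are
# shared by every DC, so this membership change is made once per domain.
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $User
Add-ADGroupMember -Identity 'Event Log Readers'     -Members $User

# Step 3: grant 'Enable Account' + 'Remote Enable' on ROOT\CIMV2. Namespace security is
# stored per machine, so call this once for every DC the probes will connect to.
function Grant-WmiNamespaceRemoteRead {
    param([string]$Account, [string]$ComputerName, [string]$Namespace = 'root\cimv2')

    $Mask = 0x1 -bor 0x20   # WBEM_ENABLE (Enable Account) | WBEM_REMOTE_ACCESS (Remote Enable)
    $Sid  = Get-AccountSid $Account

    $get = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
               -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Idempotent: do nothing if the account already has an ACE on this namespace.
    if ($sd.DACL | Where-Object { $_.Trustee.SidString -eq $Sid }) { return }

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $Sid
    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceFlags   = 0      # this namespace only, matching the GUI default
    $ace.AceType    = 0      # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject

    $set = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
               -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
               -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }
}
Grant-WmiNamespaceRemoteRead -Account "$Domain\$User" -ComputerName $Dc

# Step 4 (Server 2003 DCs only; run locally on that DC instead of the group change above):
# start from the default SDDL given in the article and append a read-only ACE for the account.
function Add-SecurityLogReadAce([string]$Account) {
    $Sid     = Get-AccountSid $Account
    $Key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    $Default = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
    $Current = (Get-ItemProperty -Path $Key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if ([string]::IsNullOrEmpty($Current)) { $Current = $Default }
    if ($Current -like "*$Sid*") { return }          # already granted
    Set-ItemProperty -Path $Key -Name CustomSD -Value "$Current(A;;0x1;;;$Sid)" -Type String
}

# Verification: run from a machine other than $Dc, authenticating as the new low-privilege account.
# Rows coming back prove DCOM, the CIMV2 namespace and the Security log are all readable; a
# missing piece shows up as "Access denied" (0x80070005) rather than a partial result.
$cred = Get-Credential -UserName "$Domain\$User" -Message 'sinefawmi password'
Get-WmiObject -ComputerName $Dc -Credential $cred -Class Win32_NTLogEvent `
    -Filter "Logfile='Security' AND EventCode=4624" |
    Select-Object -First 5 TimeGenerated, EventCode, ComputerName
```

The namespace function adds the ACE for the SID rather than the account name so that it survives a rename of the account, and checks for an existing ACE first so that re-running the script on a DC does not stack duplicate entries in the DACL. Run Grant-WmiNamespaceRemoteRead once per DC; the group memberships are domain-wide.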
That's it. Sinefa probes should now be able to retrieve username and IP address information from Active Directory Domain Controllers using the sinefawmi account rather than the Administrator account. If a probe reports an access-denied error, recheck all three pieces on the specific domain controller it is connecting to: remote DCOM access (step 2), Enable Account and Remote Enable on ROOT\CIMV2 (step 3), and read access to the Security Event Log (step 4).