Sinefa probes can be configured to connect to Active Directory Domain Controllers in order to determine what users are logged in with which IP addresses. This allows user names to be displayed on Sinefa reports.
Once configured, Since probes will connect to Active Directory Domain Controllers using Windows Management Instrumentation (wmi) and query the Windows Security Event Log for information about IP address and username associations.
By default, the Administrator user can perform these queries without any special permissions. However, for best practice and security reasons System Administrators should create a dedicated read-only, non administrator account for this purpose. The following steps should be performed on all domains that Sinefa will monitor.
Step 1: Create a new user account
Create a new user account on the Domain Controller. We assume in the remainder of these steps that this account is named sinefawmi but any valid account name can be used. By default, this new user should be a member of the 'Domain Users' group (do not place this new user in the Power Users or Administrators groups).
Step 2: Allow remote DCOM access
Windows Server 2008 (or later)
Add the sinefawmi user to the built-in 'Distributed COM Users' group. Skip ahead to step 3.
Windows Server 2003
Give the sinefawmi user DCOM access.
- Open the Component Services console under Administrative Tools.
- In the Component Services dialog box, expand Component Services, expand Computers, then right-click My Computer and click Properties.
- In the My Computer Properties dialog box, click the COM Security tab.
- Under Access Permissions, click Edit Limits. In the Access Permission dialog box, add the sinefawmi account to the list and ensure that the Remote Access checkbox is enabled, then click OK to close the dialog.
- Under Launch and Activation Permissions, click Edit Limits. In the Access Permission dialog box, add the sinefawmi account to the list and ensure that both the Remote Launch and Remote Activation checkboxes are enabled, then click OK to close the dialog.
- Click OK on the My Computer Properties dialog to save all the changes.
Step 3: Allow remote WMI access
Give the sinefawmi account permissions to read the WMI namespace. This step will need to be performed on all domain controllers in the domain (that Sinefa probes are configured to connect to).
- Open the Computer Management console under Administrative Tools.
- In the Computer Management dialog, expand the Services and Applications item, then right-click on WMI Control and select Properties.
- In the WMI Control Properties dialog, click the Security tab.
- Expand the Root namespace, select the CIMV2 namespace folder, then click Security.
- In the Security for ROOT\CIMV2 dialog, add the sinefawmi account to the list and ensure both the Enable Account and Remote Enable checkboxes are enabled, then click OK to close the dialog.
- In the WMI Control Properties dialog click OK to close the dialog and save all the changes.
Step 4: Allow access to the Security Event Log
Windows Server 2008 (and later)
Add the sinefawmi user to the built-in 'Event Log Readers' group, then skip the rest of this step.
Windows Server 2003
Give the sinefawmi account read-only permission to the Windows Security Event Log.
- Open a command prompt and type: wmic useraccount get name,sid
- Press enter and locate the sinefawmi account's security identifier (sid). Copy the entire SID for the sinefawmi account into notepad.
Access to the Windows Event Logs are controlled using the Security Description Definition Language (SDDL). This is the default SDDL for the Windows Security Event Log:
This translates into the following access:
(D;;0xf0007;;;AN) - (Deny) Anonymous: All Access
(D;;0xf0007;;;BG) - (Deny) Guests: All Access
(A;;0xf0007;;;SY) - (Allow) Local System: Full Access
(A;;0x7;;;BA) - (Allow) Administrators: Read, Write and Clear Access
In order to grant read-only access to a specific user, the following SDDL item needs to be appended to the default SDDL:
(A;;0x1;;;<USER SID>) - (Allow) sinefawmi: Read Access
Replace <USER ID> with the sinefawmi account SID. More information about SDDL and Windows Event Log permissions can be found here: http://support.microsoft.com/kb/323076
To update these permissions, the system registry needs to be updated.
- Open regedit and navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security
- If the CustomSD parameter is present, right-click on it and select Modify. Append (A;;0x1;;;<USER SID>) to the end of the existing value.
- If the CustomSD parameter is not present or it is blank, select Edit from the menu bar, then select New, then select String Value. Give the new value the name CustomSD, then right-click on it and select Modify. In the Value data field, put the following text: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;<USER SID>)
- In both cases, remember to replace <USER SID> with the SID of the sinefawmi account. Click OK to save the changes.
That's it... Sinefa probes should now be able to retrieve username and IP address information from Active Directory Domain Controllers using the sinefawmi account, rather than the Administrator account.
Troubleshooting Active Directory Connectivity
Under Settings > Users > Active Directory there is an option to be able to run diagnostics on your setup to see if it's obtaining any logon events from the Security Logs. To complete this, do the following:
- Next to the server you have setup, under the 'Diagnostics' column, select 'Run'
- A pop-up box will appear, select the probe you want to run this connection test against and select 'Run'
- A text file will download with the last 5 query outputs that were ran with their outputs, if successful you should see a list of IP addresses with their respective users and groups (only if Groups are set to On)
If the Diagnostics return with no user output, check the logon events within the Security Logs on that AD server as well as any error message outputs that have been retrieved from the Diagnostics.
Tip: Run the Diagnostics at least 5 minutes post the completion of the Active Directory Setup
Diagnostics Output Explained
|No AD Server found. Check that the URL/ip address is correct.||The AD server that has been set up under Settings > Users > Active Directory is incorrect, double check the IP address entered and ensure this is the correct server with the Active Directory feature installed|
|Could not authenticate with AD Server. Check that the username and password are correct.||Check the credentials that are entered are correct and that the user listed has the correct permissions set as outlined in this document here.|
|No users found. Have any users logged in in the last 60 seconds?||Check that logon events are being captured in the security logs on that Active Directory server or if anyone has logged in within that time period allocated. Check whether the user configured on the probe has read-only access to the security logs as outlined in this document here.|
|No LDAPS Server found. Check that LDAPS is enabled on your AD Server. (Groups only)||Check whether LDAPS has been configured on your AD server to be able to obtain group information of the users within your AD environment|