
Deepnines Active Directory

User Services Guide

Version 1.0


Deepnines Active Directory User Services ii


Table of Contents

Chapter 1 - Introduction
1.1 Overview

Chapter 2 - Installation Procedures
2.1 Installation Procedures

Chapter 3 - Log Information
3.1 Deepnines AD User Group Poller/User DB Updater Service Log Information
3.2 SEP Log Information

Chapter 4 - Active Directory Logon Script
4.1 Deepnines Active Directory Logon Script
4.2 When to Use the Logon Script
4.2.1 Installation Procedure for Logon Script
4.2.2 Using the LogParser Executable

Chapter 5 - Setting Up MAC OS on Active Directory User Services
5.1 MacOS X Client
5.2 Windows 2003 Server


Introduction

1.1 Overview

Microsoft Active Directory (AD) is a service for centrally managing access to network resources. End users authenticate to AD when access is needed to a network resource. End users are typically members of one or more groups, which are used to ease access management. Deepnines Active Directory User Services transparently integrates with AD by querying the AD servers for logon information and group membership information and providing this information to Deepnines iTrust, enabling user-based reporting and group-based policy controls.

Deepnines Active Directory User Services consists of four Microsoft Windows-based services: the Deepnines Active Directory Group Poller, the Deepnines Active Directory Host Poller, the Deepnines Active Directory Login Watcher, and the Deepnines Active Directory User DB Updater. Each service runs on a Windows-based system in order to access the relevant AD information on behalf of SEP.

The Deepnines Active Directory Login Watcher service periodically queries the AD servers (every minute by default) to determine all of the IPv4 addresses a user has logged on from.

The Deepnines Active Directory Group Poller service periodically retrieves user group membership (every 30 minutes by default) from the AD servers. Both polling intervals are configurable down to a resolution of one second.

The Deepnines Active Directory Host Poller service queries the user's PC directly to determine who is logged on to it. The default polling rate is 30 minutes. The following information is collected from the AD servers:

• Active Directory name of each user: the unique identifier of the user (e.g. testdomain.Deepnines.com/user1).

• Active Directory name of each group: the unique identifier of the group (e.g. testdomain.Deepnines.com/group1).

• IP address: the IP addresses each user is logged on from.

• Group membership: a list of the users that are members of each group.

The Deepnines Active Directory User DB Updater periodically reads the files written by the Deepnines AD User Group Poller and uploads this data to SEP over an SSL-protected TCP connection. The update period is configurable down to a resolution of one second. It can also be configured to upload only deltas of the information, to reduce network traffic and load on SEP.


Installation Procedures

2.1 Installation Procedures

Deepnines Active Directory User Services needs to be installed on the Windows domain controllers in the network. It has been certified on Windows 2000, Windows 2003 and Windows XP.

1. Insert the D9BaseOS CD in the CD-ROM drive and click DeepNines Active Directory User Services - 1.0 - Setup.

2. Select a language (this will only affect the language of the installation program) and click <OK>.

3. Click <YES> to continue with installation of Deepnines Active Directory User Services.

4. The Welcome screen for Deepnines Active Directory User Services appears. Click <NEXT> to continue with the installation.

5. The Choose Destination Location screen appears. Select folder to install Deepnines

6. The sleuth9 Security Edge Platform Management IP Address screen appears. Enter the IP address of the management interface of your SEP. If you have more than one SEP, enter all the IP addresses separated by commas. Click <NEXT> to continue.

The installation process begins and continues until Deepnines Active Directory User Services has been installed.


Log Information

3.1 Deepnines AD User Group Poller/Deepnines User DB Updater Service Log Information

After the installation is complete, all the Deepnines services are started and set to start automatically on reboot. To start without rebooting, go to

To modify the polling periods, edit the file <install directory>\ad\config\defaults.cfg, then run <install directory>\ad\bin\d9config -file ..\config\defaults.cfg to import the configuration. The services then need to be restarted, either from the Services control panel item or with the scripts stopall.bat and startall.bat in the bin directory.

3.2 SEP Log Information

/var/log/messages on the SEP will contain the following messages indicating connection status:

D9 User Services Agent (IP address of server) is connected

This message indicates that information is being received from the D9 User Services agent named "aName". The name can be set in the defaults.cfg file with the parameter srcName. This message is only shown if no previous connection from the agent was detected or if the connection had failed.

D9 User Services Agent (IP address of server) is not connected

This message indicates that expected information from an agent has not been transmitted. It is not repeated on successive failures.


Active Directory Logon Script

4.1 Deepnines Active Directory Logon Script

Deepnines Active Directory User Services provides a logon script that can be used to increase the accuracy of logon and logoff detection. The logon script can be assigned on the domain controller so that every user who authenticates with the domain controller executes the script at logon and at logoff. The script mounts a network drive, writes the user's name and IP address to a file on the network drive, then unmounts the network drive. The files on the network drive are read by the Deepnines services running on the domain controller.

The logon script is located in <install directory>\ad\bin\logon.vbs.

4.2 When to Use the Logon Script

The Logon script can be used if all users are allowed to access network drives.

4.2.1 Installation Procedure for Logon Script

1. Set the network log directory.

To install the logon script, you must first decide which directory to use for the logon/logoff logs and make sure that this directory is mountable. This is done by setting the directory's share properties and giving it a share name. Domain Users should be given permission to read from and write to this directory. Once complete, the logon.vbs script must be modified to indicate the share name. Do this by editing logon.vbs with a text editor such as Notepad and changing the line:

strRemotePath = "\\10.9.200.177\logshare"

to

strRemotePath = "\\<machine name of share>\<share name>"


If you are using the logon script, you can disable the Login Watcher service by setting ADPollEnabled to False in defaults.cfg and re-importing the file.


This directory name should also be set in the defaults.cfg file. Modify the line:

updateDir ../updateDir

to

updateDir <directory name>

and import the file using D9Config.bat.

2. Set the logon script on the domain controller. First open the Active Directory Domains and Trusts management tool.

4. Right click on the domain and select "Properties". This brings up the domain properties. Click the "Group Policy" tab.

6. Open User Configuration -> Windows Settings -> Scripts (Logon/Logoff).

8. Click on "Show Files". This will bring up the files that are accessible by the group

9. Close the Logon folder. On the Logon Properties dialog box, click "Add" to add the script, then click "Browse..." to select logon.vbs.

10. Click <OK> on the “Add a Script” dialog box and then click <OK> on the Logon Properties dialog box. In the Group Policy window, double click on Logoff.

12. Close the folder and click "Add" to add the script. Click "Browse..." to select logon.vbs. In the "Script Parameters" field, enter "logoff" to let the script know that it is being called during logoff.

13. Click <OK> on the “Add a Script” dialog box and OK on the Logoff Properties dialog box. The logon script has been successfully installed.
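The following is an added example, not the logon.vbs shipped with Deepnines, showing in PowerShell the sequence the guide describes for the logon script: map the share, write the user's name and IPv4 addresses to a file, unmap the share, and accept "logoff" as the script parameter so the same script can be assigned to both the Logon and Logoff events. The share path, drive letter, file name and tab-separated record layout are assumptions for illustration; the real logon.vbs defines its own.

```powershell
# Added example (not the Deepnines logon.vbs): the same logon/logoff record flow in PowerShell.
# Assumptions: share path, drive letter, file naming and the tab-separated record layout.
param(
    [string]$Mode = "logon"          # the guide passes "logoff" as the script parameter at logoff
)

$strRemotePath = "\\DC01\logshare"   # assumption: the same value you put in strRemotePath in logon.vbs
$driveLetter   = "Z:"                # assumption: any letter that is free on the clients

# Map the share only for the duration of the script, as the guide describes.
$net = New-Object -ComObject WScript.Network
$net.MapNetworkDrive($driveLetter, $strRemotePath)
try {
    $user  = "$env:USERDOMAIN\$env:USERNAME"
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

    # IPv4 addresses only: the Login Watcher tracks IPv4 logons, so the script records the same thing.
    $ips = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
           ForEach-Object { $_.IPAddress } |
           Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

    # Assumption: one file per user and host, so concurrent logons do not overwrite each other.
    $file = Join-Path $driveLetter ("{0}_{1}.log" -f $env:USERNAME, $env:COMPUTERNAME)
    foreach ($ip in $ips) {
        # One record per address: timestamp, logon|logoff, DOMAIN\user, IPv4
        Add-Content -Path $file -Value ("{0}`t{1}`t{2}`t{3}" -f $stamp, $Mode, $user, $ip)
    }
}
finally {
    # Unmap even if the write failed, so the drive does not linger on the client.
    $net.RemoveNetworkDrive($driveLetter, $true)
}
```

Assign it exactly as steps 9 to 13 describe, with "logoff" in the Script Parameters field of the Logoff entry. One consequence of step 1 is worth keeping in mind: because Domain Users can write to the share, any domain user can create or alter files in it, including files that name another user. Set the NTFS permissions so that Domain Users may create files but only CREATOR OWNER may modify them, and keep the Login Watcher or the LogParser integration (4.2.2) running alongside the script if you need a logon record that the user cannot rewrite.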

4.2.2 Using the LogParser Executable

DeepNines Active Directory User Services can use the security event log to track logons and logoffs. To enable this feature:

1. Download and install Microsoft's LogParser utility (version 2.2 or later).

2. Copy logparser.exe from the installed directory to <D9 AD install>\ad\bin.

3. Turn on the option to Audit Account Logon events in the group security policy.

Instructions are under the "Activating Audit Policy" section of the article:

http://technet.microsoft.com/en-us/library/bb742436.aspx#EEAA
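As an added check, which is not part of the Deepnines services or of this guide, the following PowerShell confirms on the domain controller that step 3 took effect before you rely on the LogParser integration: it reads the effective audit settings with secedit and then uses the logparser.exe copied in step 2 to count the logon-related events actually present in the Security log. The install path and the temporary file name are assumptions; the event IDs are the pre-Vista (Windows 2000/2003) Security-log numbers.

```powershell
# Added check (not part of the product): is the audit policy producing the events LogParser needs?
# Assumption: logparser.exe was copied to the Deepnines bin directory as in step 2.
$logParser = "C:\Program Files\Deepnines\ad\bin\logparser.exe"

# 1. Effective audit policy. secedit writes an .inf whose [Event Audit] section lists each
#    category as 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$inf = Join-Path $env:TEMP "audit-check.inf"
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
Select-String -Path $inf -Pattern '^(AuditAccountLogon|AuditLogonEvents)\s*='
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Events actually logged. Windows 2000/2003 Security-log IDs:
#    Audit account logon events (on a DC): 672 Kerberos AS, 673 Kerberos TGS, 680 NTLM
#    Audit logon events:                   528 interactive logon, 540 network logon, 538 logoff
#    LogParser's IN list uses semicolons, not commas.
$query = @"
SELECT EventID, COUNT(*) AS Events, MAX(TimeGenerated) AS LastSeen
FROM Security
WHERE EventID IN (672; 673; 680; 528; 540; 538)
GROUP BY EventID
ORDER BY EventID
"@
& $logParser -i:EVT -stats:OFF $query
```

AuditAccountLogon should read 1 or 3 and the 672/673/680 rows should be present with recent LastSeen values. If those rows are missing even though the policy is set, check that you ran this on a domain controller: account-logon events are written on the server that authenticates the account, not on the client the user sits at.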

Setting Up MAC OS on Deepnines Active Directory User Services

For a Mac OS X client to be recognized by Deepnines Active Directory User Services (DADS), it needs to have a persistent network resource mounted; the user's home directory is the natural choice. The following configuration changes make the client mount the home directory for a given user, so that the client is recognized correctly. Ensure that the Mac OS X user logs in with the network account.

Note: For SMB sharing of home folders to work correctly, the following steps need to be performed on both the Mac OS X client and on the Windows 2003 Server.

5.1 MacOS X Client

For the Mac OS X client, perform the following steps:

1. Select Finder.

2. Select Applications.

3. Select Utilities.

4. Select Directory Access. The Directory Access screen appears.

5. Click <Services> on the top menu bar, then highlight and check Active Directory.

6. Click <Configure>. The Authenticate screen appears.

7. Enter your User ID and Password and click <OK>. The Directory Access screen appears.


5.2 Windows 2003 Server

You will need to set the home directory in the Active Directory user object on the Windows 2003 Server. Perform the following steps:

1. Click Start>Admin Tools>Active Directory

2. Highlight and select Users. The Users properties screen appears.

4. Make changes to the "Default Domain Controller Security Settings" by highlighting and selecting "Domain Security Policy".

5. Highlight and click "Local Policies" and then "Security Options".

7. To change the security option from "Enabled" to "Disabled", click "Security Policy Setting" on the top menu bar, place a check mark in "Define the policy setting" and select "Disabled".
