Active Directory Integration

The integration of Active Directory technology, developed by Microsoft for Windows operating systems, enhances VMware NSX Network Detection and Response by providing additional information extracted from the Domain Controllers. This information details the Windows users that are logged in on hosts in the network. The system is thus able to associate events that occur in the monitored network with the Windows users logged in on the host. You can then immediately identify the users that have been exposed to a detected threat and take appropriate measures.

About Active Directory

Active Directory (AD) is a directory service developed by Microsoft. It uses Microsoft's Distributed Component Object Model (DCOM) technology to allow communication between software components distributed across networked computers. An Active Directory environment contains one or more Domain Controller (DC) servers that implement the authentication controls. The Security Event log is one of the event logs kept by a Windows system; it records security-related events, for example a logon attempt or a request for a privileged operation. Windows Management Instrumentation (WMI) is an interface implemented in Windows operating systems through which instrumented components provide information and notifications about the system and its hardware.

Architecture

When using the Active Directory integration, the Sensor connects to one or more Domain Controller (DC) servers, extracts the log information from the Security Event logs, and uses this data to correlate IP addresses and timestamps with the Active Directory users who were active on those hosts at the given time. The Sensor then periodically uploads this mapping to its Manager (for On-Premises installations) or to the VMware backend (for hosted installations).

The communication between the Sensor and a Domain Controller relies on the Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) technologies integrated into the operating system.

The following figure summarizes this infrastructure:

[Figure: Active Directory integration architecture. User A, User B, User C and User D are logged in on workstations IP1, IP2 and IP3, which authenticate against DC 1 and DC 2; the Lastline Sensor queries both Domain Controllers and the Lastline Manager holds events of the form TS:<time>, IP: IP1, Users: ... and TS:<time>, IP: IP3, Users: ...]

In this figure, the network of the company is represented by two Domain Controller servers (DC 1 and DC 2) and three workstations (IP1, IP2, and IP3). Some users are logged in on these workstations:

  • User A is on workstation IP1, which used the Domain Controller DC 1 to validate the authentication.

  • User B is on workstation IP2, which used the Domain Controller DC 1 to validate the authentication.

  • User C and User D are on workstation IP3, which used the Domain Controller DC 2 to validate the authentication.

The Sensor has been configured to query both DC 1 and DC 2. It is therefore aware of the users logged in on any of the three workstations.

Note:

You can configure the request polling interval used by the Sensor.

On the right of the Manager, two events are represented. Each event contains a timestamp (TS) and the IP address of the host that generated the event. With the Active Directory integration, the events will also include the list of users that were logged in on the system at this time.
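The correlation described above, as an added example that is not part of the original documentation or the product's code: it assumes the Sensor has already pulled logon and logoff records from the Domain Controllers, and the records, the network events and the field names (`time`, `action`, `user`, `ip`, `dc`, `ts`) are constructed for this example. The point worth seeing in code is that the mapping is time-bounded: an event on a host is attributed only to the users whose sessions cover the event's timestamp, so a user who logged off before the event, or logged on after it, is not listed.

```python
"""Enrich network events with the AD users logged in on the source host at
the event's timestamp. Added example; not the product's own implementation."""
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed, simplified logon/logoff records. Real Security Event log
# entries are richer (event IDs, logon IDs, ...); these are not product data.
LOGON_RECORDS = [
    {"time": "2024-03-01T08:00:00", "action": "logon",  "user": "UserA", "ip": "10.0.0.1", "dc": "DC1"},
    {"time": "2024-03-01T08:05:00", "action": "logon",  "user": "UserB", "ip": "10.0.0.2", "dc": "DC1"},
    {"time": "2024-03-01T08:10:00", "action": "logon",  "user": "UserC", "ip": "10.0.0.3", "dc": "DC2"},
    {"time": "2024-03-01T08:12:00", "action": "logon",  "user": "UserD", "ip": "10.0.0.3", "dc": "DC2"},
    {"time": "2024-03-01T09:00:00", "action": "logoff", "user": "UserB", "ip": "10.0.0.2", "dc": "DC1"},
    {"time": "2024-03-01T09:30:00", "action": "logon",  "user": "UserA", "ip": "10.0.0.2", "dc": "DC1"},
]

# Constructed network events as the Manager holds them before enrichment:
# a timestamp (TS) and the IP address of the host that generated the event.
NETWORK_EVENTS = [
    {"ts": "2024-03-01T08:30:00", "ip": "10.0.0.1", "event": "malicious download"},
    {"ts": "2024-03-01T08:45:00", "ip": "10.0.0.3", "event": "C2 beacon"},
    {"ts": "2024-03-01T09:15:00", "ip": "10.0.0.2", "event": "port scan"},
    {"ts": "2024-03-01T09:45:00", "ip": "10.0.0.2", "event": "credential phishing"},
]

# Session = [user, start, end]; end is None while the session is still open.
Session = List[Optional[object]]


def build_sessions(records: List[dict]) -> Dict[str, List[Session]]:
    """Fold logon/logoff records into per-IP login sessions."""
    sessions: Dict[str, List[Session]] = {}
    # Records share one ISO-8601 format, so sorting the strings sorts by time.
    for rec in sorted(records, key=lambda r: r["time"]):
        t = datetime.fromisoformat(rec["time"])
        ip_sessions = sessions.setdefault(rec["ip"], [])
        if rec["action"] == "logon":
            ip_sessions.append([rec["user"], t, None])
        else:
            # A logoff closes that user's most recent open session on the host.
            for s in reversed(ip_sessions):
                if s[0] == rec["user"] and s[2] is None:
                    s[2] = t
                    break
    return sessions


def users_on(sessions: Dict[str, List[Session]], ip: str, ts: str) -> Set[str]:
    """Users whose session on `ip` covers the instant `ts` (start inclusive, end exclusive)."""
    t = datetime.fromisoformat(ts)
    return {
        user for user, start, end in sessions.get(ip, [])
        if start <= t and (end is None or t < end)
    }


def enrich(events: List[dict], sessions: Dict[str, List[Session]]) -> List[dict]:
    """Attach the sorted list of logged-in users to every network event."""
    return [dict(e, users=sorted(users_on(sessions, e["ip"], e["ts"]))) for e in events]


def exposed_users(enriched: List[dict]) -> Set[str]:
    """Every user that was logged in on a host when a threat was detected on it."""
    return {u for e in enriched for u in e["users"]}


if __name__ == "__main__":
    sessions = build_sessions(LOGON_RECORDS)
    for e in enrich(NETWORK_EVENTS, sessions):
        print(f"TS:{e['ts']} IP:{e['ip']} Users:{e['users']} {e['event']}")
```

The third event shows the time dimension at work: at 09:15 nobody is attributed to 10.0.0.2, because UserB logged off at 09:00 and UserA did not log on there until 09:30, so a naive "last user seen on this IP" lookup would have blamed the wrong person.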

Requirements

The following are required for integration:

  • At least one Sensor deployed in either a Hosted or On-Premises environment.

  • An infrastructure built on Domain Controllers running Windows Server 2016, 2012, or 2008.

    A Domain Controller running Windows Server 2000 or 2003 is not compatible with the Active Directory integration. Contact VMware Support if your network contains Domain Controllers with these versions.

    The configuration of a Domain Controller requires an account with administrator privileges.

  • The Sensor and the Domain Controller can be in two different networks. However, if any equipment filters the network streams between the two networks, the underlying protocols Windows uses to execute remote WMI queries require the following communications to be enabled:

    • TCP Sensor:* to Domain Controller:135

    • TCP Sensor:[>=1024] to Domain Controller:[>=1024]

    These port ranges come from the internal port mapping mechanism Windows uses to execute the RPC calls that support the WMI queries. The client (the Sensor) first connects to the Port Mapper service (port 135) on the server (the Domain Controller) and then requests the port number of the specific service it wants to query. The server replies with the port number (a port greater than or equal to 1024) and the client opens a new connection to this port. Because this port number can vary, communication to any port greater than or equal to 1024 must be allowed.

    Note:

    The range of dynamic ports for RPC services can be configured and restricted in Windows.
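The two-step connection described above, and the effect of restricting the dynamic port range, as an added example that is not part of the original documentation or the product: it models a filtering device's policy as a list of allow rules and checks whether both required flows (Sensor to Domain Controller port 135, then Sensor to the dynamically assigned RPC port) are fully covered. The rule format, the addresses and the restricted range 49152-65535 are constructed for this example.

```python
"""Check that a filtering policy permits the flows a remote WMI query needs.
Added example; the rule format and sample policies are constructed."""
from typing import Dict, List, Tuple

# Constructed rule format: allow TCP from src host to dst host, dst ports lo..hi.
Rule = Dict[str, object]


def allow(src: str, dst: str, lo: int, hi: int) -> Rule:
    return {"src": src, "dst": dst, "lo": lo, "hi": hi}


def required_flows(sensor: str, dc: str,
                   dynamic_range: Tuple[int, int] = (1024, 65535)) -> List[Rule]:
    """The two connections behind one remote WMI query: the RPC Port Mapper
    on 135, then the service port the mapper hands back. The default range is
    the unrestricted case (any port >= 1024); pass the range configured on
    the Domain Controller when it has been restricted."""
    lo, hi = dynamic_range
    return [
        dict(allow(sensor, dc, 135, 135), why="RPC Port Mapper (135)"),
        dict(allow(sensor, dc, lo, hi), why=f"dynamic RPC port {lo}-{hi}"),
    ]


def flow_permitted(rules: List[Rule], flow: Rule) -> bool:
    """A flow counts as permitted only if one rule covers its whole port span.
    A rule covering part of the dynamic range would let queries succeed or
    fail depending on which port the mapper assigns, which is hard to debug."""
    return any(
        r["src"] == flow["src"] and r["dst"] == flow["dst"]
        and r["lo"] <= flow["lo"] and flow["hi"] <= r["hi"]
        for r in rules
    )


def missing_flows(rules: List[Rule], sensor: str, dc: str,
                  dynamic_range: Tuple[int, int] = (1024, 65535)) -> List[str]:
    """Names of the required flows the policy does not fully allow."""
    return [f["why"] for f in required_flows(sensor, dc, dynamic_range)
            if not flow_permitted(rules, f)]


# Constructed policy: the Port Mapper is reachable, but only a narrow band of
# high ports is open between the Sensor and the Domain Controller.
SENSOR, DC = "10.1.0.10", "10.2.0.5"
POLICY = [
    allow(SENSOR, DC, 135, 135),
    allow(SENSOR, DC, 49152, 65535),
]

if __name__ == "__main__":
    # With the DC left at "any port >= 1024" the policy is insufficient ...
    print(missing_flows(POLICY, SENSOR, DC))
    # ... but once the DC's dynamic RPC range is restricted to match, it is not.
    print(missing_flows(POLICY, SENSOR, DC, dynamic_range=(49152, 65535)))
```

The check is deliberately strict about full coverage: the whole point of the Note is that the allowance on the filtering device and the dynamic range configured on the Domain Controller must agree, and restricting the latter is what lets you narrow the former.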

Configure the Domain Controller

The Sensor needs to have access to an account with the appropriate rights on the Domain Controller to be able to retrieve the security event log. While an account with full administrator rights could technically be used, it is strongly recommended that you instead create a dedicated account with the least required privileges.

The following steps show the procedure to create such an account. The screenshots were taken on a Windows Server 2008 installation. The process is very similar on Windows Server 2012 and 2016.

  1. Create a new account

    Create a new Domain Controller user account using the Active Directory Users and Computers component. In the following example, add a new user logaccess to the domain LASTLINE2008:

  2. Add the user account to the Event Log Readers group

    • Open Active Directory Users and Computers and then select Users from the left sidebar.

    • Right-click the user account from the list and open the Properties.

    • From the Member Of tab, click the Add button.

    • Select the Event Log Readers group.