User name reporting - Active Directory integration

Overview

The Active Directory integration provides lists of user names along with domain, datasource, first seen and last seen details. It also allows searching across all flows for user names.

Configuring a non-admin user to query the Domain Controller Event Logs in Windows 2008 or 2012

  1. Create a domain user for IPFIXify to use. Add the IPFIXify user to the Event Log Readers built-in group.

  2. Provide WMI permissions:

    1. Log in to the Domain Controller as an administrator.

    2. Go to Start -> Run.

    3. Type wmimgmt.msc.

    4. Right-click on WMI Control (Local) and select Properties.

    5. Go to the Security tab, click on Root, then select Security.

    6. In the next popup, select Advanced.

    7. Press Add… and then enter the ipfixify user.

    8. Under the Apply to: section, make sure it is configured for This namespace and subnamespaces. Give the user Enable Account and Remote Enable Allow privileges. Apply these changes by pressing OK in each of the popup windows.

Enabling Logon/Logoff Audit policies on the domain controller

  1. Modify the default domain policy for domain controllers and enable the following group policies:

    1. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff and then enable success and failure for Audit Logoff and Audit Logon.

    2. The advanced audit policies require that another group policy override setting is enabled under: Computer Configuration -> Policies -> Windows Settings -> Local Policies -> Security Options -> Audit: Force audit policy subcategory settings -> Define this policy setting, and set it to Enabled.

Setting up IPFIXify on a Windows computer

  1. Move /home/plixer/scrutinizer/files/conf/ipfixify-template.cfg to C:\ipfixify on the Windows computer that will run IPFIXify, and also download the Windows IPFIXify executable to this Windows computer.
  2. Rename ipfixify-template.cfg to ipfixify.cfg and open the file in a text editor. Set the following values:

Enter the NetFlow collector’s IP and port:

collector=NetFlowIP:port

Enter the IP address of the domain controller. For each additional domain controller, add another member line:

member=DCip

Set this value to yes if the goal is to collect username data:

usernamesOnly=yes
  3. Configure the IPFIXify user credentials:

    1. Open a command prompt and navigate to the directory that contains ipfixify.exe.

    2. Run the following command and enter the ipfixify user and password: ipfixify.exe --credentials ipfixify.cfg

  4. Download PSTools.zip and move PsExec.exe to the same directory as ipfixify.exe and ipfixify.cfg.

Hint

PSTools.zip download: https://technet.microsoft.com/en-us/sysinternals/bb897553. Before PsExec.exe will function, the user must accept the agreement.

Hold down Shift and right-click on PsExec. In the menu, select "Run as different user".

Type in the IPFIXify user and password and press enter. If the user does not have access to the directory that PsExec.exe is in, this will fail. The IPFIXify user must be granted access to the directory that PsExec.exe and ipfixify.exe are in.


Agree to the PsExec EULA:

  5. From an administrative command prompt, run the following command to verify that IPFIXify has all the permissions needed to poll the domain controller:

ipfixify.exe --sysmetrics --config "C:\ipfixify\ipfixify.cfg" --psexec="C:\ipfixify\PsExec.exe" -permtest IPofDC

  6. If all the tests passed, set up IPFIXify to run as a service. In an administrative command prompt, execute the following command:

ipfixify.exe --install auto --name "Scrutinizer Username Collection" --config "C:\ipfixify\ipfixify.cfg" --sysmetrics --psexec="C:\ipfixify\PsExec.exe"

  7. Configure the IPFIXify service to log on as the IPFIXify user:

    1. Go to Start -> Run and type "services.msc".

    2. Find the service named "IPFIXify: Scrutinizer Username Collection", right-click on it and select Properties.

    3. Click the Log On tab, select This account:, enter the IPFIXify user and password, and then select Apply.

    4. Click OK. A popup will say, "the user has been granted the log on as a service right." This means that the user will not maintain the log on as a service permission across reboots. The permission can be granted as outlined in this Microsoft document: https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx

  8. Wait a few minutes. You should start seeing user names in Plixer Scrutinizer.

Example IPFIXify configuration

[options]
; The IP Address/Hostname and port of the IPFIX Collector(s). Multiple
; collectors can be specified on additional lines.
; collector=IP:PORT (e.g. 10.1.4.19:4739)
collector=10.1.4.188:4739
; When accessing remote machines, use the supplied credentials. This value is
; encoded, so execute the following command to manage it:
; ipfixify.exe --credentials=<PATH/TO/CFG>
credentials=6e6ff0a30ff3d13d0f9a38a753f52f44283f9a7dfd928511dbaf2f7af1446e57981dc4628c038553
; Number of minutes between ping and WMI test of all members. The default
; is 60 minutes.
testinterval=5
; The number of seconds to try and ping a host during the process of verifying
; a member is reachable. If 0 is used, then the ping test is ignored.
pingtimeout=2
; The number of threads to gather data from the members who responded. If there
; is only a small list of members, then this can be a small number (e.g. 1 - 3).
; The more threads used, the more memory will be consumed by IPFIXify.
pollthreads=5
; If vitals is a true value, then CPU, Memory, and Number of processes running
; data is collected. To disable these statistics, comment out the following
; line.
vitals=yes
; If storageAvailability is a true value, then disk availability is collected.
; To disable these statistics, comment out the following line.
storageAvailability=yes
; If eventlogs is a true value, then System, Security, and Application
; Eventlogs are collected. To disable these statistics, comment out the
; following line.
eventlogs=yes
; usernamesOnly is used in conjunction with the eventlogs option.  If username
; integration with Scrutinizer is the only goal, then this line should be un-commented
usernamesOnly=yes
; If processLists is a true value, then running processes data is collected.
; To disable these statistics, comment out the following line.
;processLists = yes
; If processListCPU is a true value, then CPU per process data is collected.
; To disable these statistics, comment out the following line.
;processListsCPU = yes
; If netstatDetails is a true value, then netstat details are collected.
; To disable these statistics, comment out the following line.
;netstatDetails = yes
; The list below contains the current hosts being polled by the IPFIXify
; Agent. One host or IP Address per line. It is recommended to use IP
; Addresses in case there are DNS issues.
member=10.1.5.1
member=10.1.5.2
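As an added example (not part of IPFIXify or Scrutinizer), a small Python validator for an ipfixify.cfg in the format shown above: it collects the repeatable collector= and member= lines into lists (a stock INI parser would keep only the last one) and flags the mistakes that stop user-name collection, such as a collector without a port, a hostname instead of an IP on a member line, usernamesOnly=yes without eventlogs=yes, or no credentials value. The embedded sample config and its credentials placeholder are constructed.

```python
import ipaddress

# Constructed sample in the page's format (credentials value is a placeholder,
# not a real encoded secret); the checks below report nothing for it.
SAMPLE_CFG = """\
[options]
collector=10.1.4.188:4739
credentials=PLACEHOLDER_ENCODED_CREDENTIALS
eventlogs=yes
usernamesOnly=yes
;processLists = yes
member=10.1.5.1
member=10.1.5.2
"""

def parse_cfg(text):
    """Parse [section], key=value and ';' comment lines; collector/member become lists."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))
        if key in ("collector", "member"):  # keys that may repeat on several lines
            current.setdefault(key, []).append(value)
        else:
            current[key] = value
    return sections

def check_username_collection(cfg):
    """Return problems that would stop user-name collection; [] means the config is OK."""
    opts, problems = cfg.get("options", {}), []
    yes = lambda k: str(opts.get(k, "")).strip().lower() in {"yes", "true", "1"}
    for target in opts.get("collector") or ["<missing>"]:
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            problems.append(f"collector '{target}' is not IP:PORT")
    for member in opts.get("member") or ["<missing>"]:
        try:
            ipaddress.ip_address(member)  # the config comments recommend IPs, not hostnames
        except ValueError:
            problems.append(f"member '{member}' is not an IP address")
    if yes("usernamesOnly") and not yes("eventlogs"):
        problems.append("usernamesOnly=yes needs eventlogs=yes")
    if not opts.get("credentials"):
        problems.append("credentials missing: run ipfixify.exe --credentials ipfixify.cfg")
    return problems
```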