User Name Reporting - Active Directory Integration

Upgrade Scrutinizer

First, it’s recommended to upgrade to the latest version of Scrutinizer. Please contact Plixer support at 207-324-8805 x4 for assistance.

Configure a non-admin user to query the Domain Controller Event Logs in Windows 2008 or 2012

  1. Create a domain user for IPFIXify to use.

    1. Add the IPFIXify user to the “Event Log Readers” Built-in group.

  2. Provide WMI Permissions:

    1. Login to the Domain Controller as an administrator.

    2. Go to “Start -> Run”

    3. Type “wmimgmt.msc”

    4. Right click on “WMI Control (Local)” and select “Properties”.

    5. Go to the “Security” tab, click on “Root”, and then select “Security”.

    6. In the next popup, select “Advanced”.

    7. Press “Add…” and then enter the ipfixify user.

    8. Under the “Apply to:” section, make sure it is configured for “This namespace and subnamespaces”.

    9. Give the user “Enable Account” and “Remote Enable” Allow privileges. Apply these changes by pressing OK in each of the popup windows.

Enable Logon/Logoff Audit Policies on the domain controller

  1. Modify the default domain policy for domain controllers and enable the following group policies:

    1. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff and then enable success and failure for “Audit Logoff” and “Audit Logon”.

    2. The advanced audit policies require that another group policy setting is also enabled: Computer Configuration -> Policies -> Windows Settings -> Local Policies -> Security Options -> “Audit: Force audit policy subcategory settings”. Check “Define this policy setting” and set it to Enabled.
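As an added check (not part of Plixer's documentation or of IPFIXify), the following PowerShell script, run on the domain controller as an administrator, verifies the prerequisites from the two sections above: Event Log Readers membership, a WMI root-namespace ACE for the user carrying Enable Account and Remote Enable and inherited to subnamespaces, the Logon/Logoff audit subcategories set to Success and Failure, and the forcing setting. The account name ipfixify is an assumption, and the ActiveDirectory PowerShell module (present on a domain controller) is required.

```powershell
# Added verification script; not part of Plixer's documentation or IPFIXify.
# Run on the domain controller as an administrator. The account name is an assumption.
param([string]$User = 'ipfixify')

# WMI access-mask bits: WBEM_ENABLE is "Enable Account", WBEM_REMOTE_ACCESS is "Remote Enable".
# CONTAINER_INHERIT_ACE on the ACE means "This namespace and subnamespaces".
$WBEM_ENABLE = 0x1; $WBEM_REMOTE_ACCESS = 0x20; $CONTAINER_INHERIT_ACE = 0x2
$required = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
$results  = @()

# 1. Membership of the built-in Event Log Readers group (grants read access to the Security log).
$members  = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive |
            Select-Object -ExpandProperty SamAccountName
$results += [pscustomobject]@{ Check = 'Member of Event Log Readers'; Pass = ($members -contains $User) }

# 2. Security descriptor of the WMI root namespace: an allow ACE (AceType 0) for the user
#    with both bits set and inheritance to subnamespaces.
$sd  = (Invoke-WmiMethod -Namespace root -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
$ace = $sd.DACL | Where-Object {
    $_.AceType -eq 0 -and $_.Trustee.Name -eq $User -and
    ($_.AccessMask -band $required) -eq $required -and
    ($_.AceFlags -band $CONTAINER_INHERIT_ACE) -ne 0
}
$results += [pscustomobject]@{ Check = 'WMI root: Enable Account + Remote Enable, inherited'; Pass = [bool]$ace }

# 3. Advanced audit policy: Logon and Logoff must report "Success and Failure".
#    auditpol /r prints CSV; keep only lines with commas in case of leading blanks.
foreach ($sub in 'Logon', 'Logoff') {
    $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match ',' } |
           ConvertFrom-Csv | Where-Object { $_.Subcategory -eq $sub }
    $results += [pscustomobject]@{ Check = "Audit $sub = Success and Failure"
                                   Pass  = ($row.'Inclusion Setting' -eq 'Success and Failure') }
}

# 4. "Audit: Force audit policy subcategory settings" is stored as SCENoApplyLegacyAuditPolicy = 1.
$force = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
$results += [pscustomobject]@{ Check = 'Force audit policy subcategory settings'; Pass = ($force -eq 1) }

$results | Format-Table -AutoSize
```

A `False` in any row points at the step above that still needs to be completed before running the IPFIXify permission test.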

Set up IPFIXify on a Windows computer

  1. Move /home/plixer/scrutinizer/files/conf/ipfixify-template.cfg to C:\ipfixify on the Windows computer that will run IPFIXify, and download the Windows IPFIXify executable to the same computer.

  2. Rename ipfixify-template.cfg to ipfixify.cfg, open the file in a text editor, and then edit the following lines:

    • collector=NetFlowIP:port
      • Enter the NetFlow collector’s IP and port.
    • member=DCip
      • Enter the IP address of the domain controller. For each additional domain controller, add another member line.
    • usernamesOnly=yes
      • Set this value to yes if the goal is to collect username data.
  3. Configure the IPFIXify user credentials

    1. Open a command prompt and navigate to the directory that contains ipfixify.exe

    2. Run the following command and enter the ipfixify user and password: ipfixify.exe --credentials ipfixify.cfg

  4. Download PSTools.zip and move PsExec.exe to the same directory as ipfixify.exe and ipfixify.cfg.

    1. PSTools.zip download: https://technet.microsoft.com/en-us/sysinternals/bb897553

    2. Before PsExec.exe will function, the user must accept the agreement by doing the following:

      1. Hold down shift and then right click on PsExec. In the menu, select “Run as different user”

      2. Type in the IPFIXify user and password and press enter.

        1. If the user does not have access to the directory that PsExec.exe is in, this will fail. The ipfixify user must be granted access to the directory that PsExec.exe and ipfixify.exe are in.

      3. Agree to the PsExec EULA:

  5. From an Administrative command prompt, run the following command to verify that IPFIXify has all the permissions needed to poll the domain controller:

    ipfixify.exe --sysmetrics --config "C:\ipfixify\ipfixify.cfg" --psexec="C:\ipfixify\PsExec.exe" -permtest IPofDC

  6. If all the tests passed, it is time to set up IPFIXify to run as a service. In an administrative command prompt, execute the following command:

    ipfixify.exe --install auto --name "Scrutinizer Username Collection" --config "C:\ipfixify\ipfixify.cfg" --sysmetrics --psexec="C:\ipfixify\PsExec.exe"

  7. Lastly, the IPFIXify service has to be configured to log on as the IPFIXify user.

    1. Go to Start -> Run -> and type “services.msc”

    2. Find the service named “IPFIXify: Scrutinizer Username Collection”, right click on it and select “Properties”.

    3. Click the “Log On” tab, select “This account:”, enter in the IPFIXify user and password, and then select “Apply”

    4. When OK is clicked, a popup may appear stating “the user has been granted the log on as a service right”. This means the user will not keep the log on as a service permission across reboots. The permission can be granted as outlined in this Microsoft document: https://technet.microsoft.com/en-us/library/cc794944(v=ws.10).aspx

  8. Wait a few minutes and then start checking user names in Scrutinizer.

Example IPFIXify Config

[options]
; The IP address/hostname and port of the IPFIX collector(s). Multiple
; collectors can be specified on additional lines.
; collector=IP:PORT (e.g. 10.1.4.19:4739)
collector=10.1.4.188:4739
; When accessing remote machines, use the supplied credentials. This value is
; encoded, so execute the following command to manage it:
; ipfixify.exe --credentials=<PATH/TO/CFG>
credentials=6e6ff0a30ff3d13d0f9a38a753f52f44283f9a7dfd928511dbaf2f7af1446e57981dc4628c038553
; Number of minutes between ping and WMI test of all members. The default
; is 60 minutes.
testinterval=5
; The number of seconds to try and ping a host during the process of verifying
; a member is reachable. If 0 is used, then the ping test is ignored.
pingtimeout=2
; The number of threads to gather data from the members who responded. If there
; is only a small list of members, then this can be a small number (e.g. 1 - 3).
; The more threads used, the more memory will be consumed by IPFIXify.
pollthreads=5
; If vitals is a true value, then CPU, Memory, and Number of processes running
; data is collected. To disable these statistics, comment out the following
; line.
vitals=yes
; If storageAvailability is a true value, then disk availability is collected.
; To disable these statistics, comment out the following line.
storageAvailability=yes
; If eventlogs is a true value, then System, Security, and Application
; Eventlogs are collected. To disable these statistics, comment out the
; following line.
eventlogs=yes
; usernamesOnly is used in conjunction with the eventlogs option. If username
; integration with Scrutinizer is the only goal, then this line should be uncommented.
usernamesOnly=yes
; If processLists is a true value, then running processes data is collected.
; To disable these statistics, comment out the following line.
;processLists = yes
; If processListCPU is a true value, then CPU per process data is collected.
; To disable these statistics, comment out the following line.
;processListsCPU = yes
; If netstatDetails is a true value, then netstat details are collected.
; To disable these statistics, comment out the following line.
;netstatDetails = yes
; The list below contains the current hosts being polled by the IPFIXify
; Agent. One host or IP Address per line. It is recommended to use IP
; Addresses in case there are DNS issues.
member=10.1.5.1
member=10.1.5.2
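Added example (not from Plixer or IPFIXify): a PowerShell check that parses an ipfixify.cfg in the format shown above and flags the mistakes its comments warn about, a collector without a port, usernamesOnly=yes without eventlogs=yes, an empty credentials value, no member lines, and member entries given as hostnames rather than IP addresses. The path C:\ipfixify\ipfixify.cfg is an assumption.

```powershell
# Added example; not part of Plixer's documentation or IPFIXify.
# Parses ipfixify.cfg and reports settings that contradict the template's own comments.
param([string]$Path = 'C:\ipfixify\ipfixify.cfg')   # assumed location

$opts    = @{}   # single-valued keys: collector, credentials, eventlogs, usernamesOnly, ...
$members = @()   # member= repeats, one domain controller per line
foreach ($raw in Get-Content -Path $Path) {
    $line = $raw.Trim()
    # Skip blank lines, ';' comments, the [options] header and anything without '='.
    if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('[') -or $line -notmatch '=') { continue }
    $parts = $line -split '=', 2
    $key = $parts[0].Trim(); $value = $parts[1].Trim()
    if ($key -eq 'member') { $members += $value } else { $opts[$key] = $value }
}

$problems = @(); $warnings = @()
# collector must carry a port (collector=IP:PORT per the template comment).
if ($opts['collector'] -notmatch '^[^:\s]+:\d{1,5}$') {
    $problems += "collector must be HOST:PORT, got '$($opts['collector'])'"
}
# usernamesOnly only has an effect when event log collection is enabled.
if ($opts['usernamesOnly'] -eq 'yes' -and $opts['eventlogs'] -ne 'yes') {
    $problems += 'usernamesOnly=yes requires eventlogs=yes'
}
# credentials is written by "ipfixify.exe --credentials"; an empty value means that step was skipped.
if (-not $opts['credentials']) { $problems += 'credentials is empty: run ipfixify.exe --credentials ipfixify.cfg' }
# At least one domain controller; IP addresses are recommended over names to avoid DNS issues.
if ($members.Count -eq 0) { $problems += 'no member= lines (domain controllers) defined' }
foreach ($m in $members) {
    if ($m -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { $warnings += "member '$m' is a hostname; an IP address is recommended" }
}

$warnings | ForEach-Object { Write-Warning $_ }
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
"ipfixify.cfg OK: collector $($opts['collector']), $($members.Count) member(s)"
```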