Connect Microsoft Active Directory

 

Installation Prerequisites

The Elisity AD Connector should be installed on a Windows machine (Windows 10/Windows Server 2016/2019) that is a member of the root domain of the enterprise. It can also be installed on the Domain Controller running Windows 2016/2019 server.

This guide is for installing the Elisity Active Directory agent on any member server or domain controller. 

 

NOTE:

  • Minimum requirements are:
    • Microsoft .NET Framework v4.7.1. Please use the link here for guidance on determining the framework version
    • 4 GB RAM
    • 1 GB free disk space
  • Outbound port 443 is required to send event logs to Elisity CCC.
  • The agent must be installed with Administrator privileges.
  • A service account for the Elisity Connector Service.
  • Run the following command on all servers to be monitored and on the machine where the agent is installed, from a command console running as Administrator. It enables the event source computer, whether it is a member server or your domain controller, to respond affirmatively to source-initiated subscriptions, by running the Windows Event Collector utility quick config (with the /q switch allowing source-initiated subscriptions):
wecutil qc /q
Note: The Elisity AD Agent works locally with the Microsoft Windows Event Collector (WEC) library. Windows Event Collector internally uses the standard Windows recommended RPC ports to communicate with domain controllers for logon events. The DC firewall should allow incoming access on the standard dynamic ports from the member computer where the agent is running.
Windows Remote Management is NOT required for event collection. Polling of AD events will proceed as normal without enabling WinRM.
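The checks in the note above can be run as one pre-flight script on the prospective agent host. The script below is an added example and is not Elisity's code; it assumes the thresholds listed in the note, Microsoft's documented .NET release key for 4.7.1 (461308), and a placeholder CCC host name that you replace with your tenant's Cloud Control Center address.

```powershell
# Added example (not Elisity's code): pre-installation checks for the AD Connector host.
# Run from an elevated PowerShell session on the machine that will host the agent.
$CccHost = 'ccc.example.invalid'   # placeholder: replace with your Cloud Control Center hostname

$results = [ordered]@{}

# .NET Framework 4.7.1 is release key 461308 or higher on the v4 Full subkey (Microsoft's mapping)
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
$results['.NET Framework >= 4.7.1'] = ($release -ge 461308)

# 4 GB RAM
$cs = Get-CimInstance Win32_ComputerSystem
$results['RAM >= 4 GB'] = (($cs.TotalPhysicalMemory / 1GB) -ge 4)

# 1 GB free on the system drive
$sysDisk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$results['Free disk >= 1 GB'] = (($sysDisk.FreeSpace / 1GB) -ge 1)

# Installer must run with Administrator privileges
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$results['Running as Administrator'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Host must be a domain member (the text requires the root domain of the enterprise)
$results["Domain-joined ($($cs.Domain))"] = $cs.PartOfDomain

# Outbound TCP 443 to CCC for event log delivery
$results['Outbound TCP 443 to CCC'] = (Test-NetConnection -ComputerName $CccHost -Port 443 `
                                        -WarningAction SilentlyContinue).TcpTestSucceeded

# 'wecutil qc /q' configures and starts the Windows Event Collector service (service name Wecsvc)
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
$results['Windows Event Collector service running'] = ($null -ne $wec -and $wec.Status -eq 'Running')

# Print a pass/check table
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Anything reported as CHECK should be fixed before running setup.exe; the WEC line in particular tells you whether `wecutil qc /q` has already been run on this host.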

TIP:

Elisity Active Directory (AD) Connector is required for customers with an on-premise Active Directory (AD) environment. Elisity AD connector will keep the user login data synchronized with the Elisity Cloud Control Center (CCC) and provide the means of defining policies through User Identity.

Go through this installation process on each domain controller or member server you want to onboard, but you should only SYNC from ONE domain controller. More details are found in the following steps.

Passwords are never synced to the Elisity Cloud Control Center.

 

Create a Service Account for the Elisity AD Connector

  1. Create a new user in the appropriate domain to act as the Elisity AD Service Account
  2. Give the user a unique name to identify it as the Elisity AD Service Account
  3. Protect the user from accidental deletion
  4. Add the user to the group 'Event Log Readers'
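The four steps above can be done with the ActiveDirectory PowerShell module instead of the GUI. This is an added example, not Elisity's code; the account name and OU path are placeholders, and it assumes the module is available (RSAT or a domain controller) and that the caller may create users in that OU.

```powershell
# Added example (not Elisity's code): create the Elisity AD Connector service account (steps 1-4).
Import-Module ActiveDirectory

$Name   = 'svc-elisity-ad'                          # placeholder: unique name identifying the Elisity service account
$OuPath = 'OU=Service Accounts,DC=company,DC=com'   # placeholder: OU that will hold the account
$Domain = Get-ADDomain

# Prompt for the password rather than embedding it in the script
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"

# Steps 1-2: create the user in the domain with a descriptive, unique name
New-ADUser -Name $Name `
    -SamAccountName $Name `
    -UserPrincipalName "$Name@$($Domain.DNSRoot)" `
    -Description 'Elisity AD Connector service account' `
    -Path $OuPath `
    -AccountPassword $Password `
    -Enabled $true

# Step 3: protect the object from accidental deletion
$user = Get-ADUser -Identity $Name
Set-ADObject -Identity $user.DistinguishedName -ProtectedFromAccidentalDeletion $true

# Step 4: add the account to the built-in 'Event Log Readers' group
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Name

# Verify the result: enabled, protected, and a member of Event Log Readers
Get-ADUser -Identity $Name -Properties MemberOf, ProtectedFromAccidentalDeletion |
    Select-Object SamAccountName, Enabled, ProtectedFromAccidentalDeletion,
        @{ Name = 'Groups'; Expression = {
            ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```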

 

Update Group Policy Settings

Go To: Server manager > Tools > Group Policy Management

  • Create a new GPO (applicable to all DCs) or edit the default Domain Controller GPO as follows (figure 1)


Figure 1

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon

  • Enable Success (figure 2) for 'Kerberos Authentication Service'
  • Enable Success (figure 2) for Audit Kerberos Service Ticket Operations


Figure 2

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management

Enable Success for Audit Computer Account Management, Audit Security Group Management, and Audit User Account Management (figure 3)


Figure 3

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access

  • Enable Success for Audit Directory Service Changes (figure 4)


Figure 4

Go To: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff

  • Enable Success for Audit Account Lockout, Audit Group Membership, and Audit Logon (figure 5)


Figure 5
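Once the GPO has applied, you can confirm on a domain controller that every subcategory named in the five sections above is auditing Success. The script below is an added example, not Elisity's code; it assumes the English subcategory names that auditpol.exe reports and uses auditpol's CSV output (`/r`).

```powershell
# Added example (not Elisity's code): verify the advanced audit subcategories from the GPO steps.
# Run in an elevated session on a domain controller after the policy has applied.
$required = @(
    'Kerberos Authentication Service',      # Account Logon
    'Kerberos Service Ticket Operations',   # Account Logon
    'Computer Account Management',          # Account Management
    'Security Group Management',            # Account Management
    'User Account Management',              # Account Management
    'Directory Service Changes',            # DS Access
    'Account Lockout',                      # Logon/Logoff
    'Group Membership',                     # Logon/Logoff
    'Logon'                                 # Logon/Logoff
)

# 'auditpol /get /category:* /r' prints CSV with 'Subcategory' and 'Inclusion Setting' columns
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

$missing = 0
foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        '{0,-40} NOT FOUND' -f $name
        $missing++
        continue
    }
    # 'Success' or 'Success and Failure' both satisfy the requirement
    $ok = $row.'Inclusion Setting' -match 'Success'
    if (-not $ok) { $missing++ }
    '{0,-40} {1,-22} {2}' -f $name, $row.'Inclusion Setting', $(if ($ok) { 'OK' } else { 'MISSING' })
}
"`n$missing subcategory(ies) still need Success auditing."
```

A subcategory showing "No Auditing" after `gpupdate /force` usually means the GPO is not linked to the Domain Controllers OU or is being overridden by a higher-precedence policy.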

 

Modifying User Auditing Settings in ADSI Edit

Go To: Server Manager > Tools > ADSI Edit

  • In ADSI Edit, click Action > Connect to… > 'Default Naming Context'
  • Hit OK

Right Click Users and select Properties (figure 6)

Figure 6

Select Security tab > click Advanced > select Auditing tab (figure 7)


Figure 7

Click Add (figure 8) > click select principal (figure 9)


Figure 8


Figure 9

Check the full control box (figure 10), then deselect the following four checkboxes: Full control, List contents, Read all properties, Read permissions


Figure 10

Click OK and exit

 

Note:
The purpose of these permissions is to enable the system to audit all writes and modifications in the AD database for "Everyone."
These permissions allow the Elisity Connector to audit user/group attribute changes in real time. It is critical that the system receives attribute changes in order to maintain accurate identification of users and assets. Without the permissions above, Active Directory will not generate audit events for attribute changes.
These permissions DO NOT grant write access or permission to perform any actions; they simply allow auditing of writing, creating, deleting, etc.
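The SACL entry set through ADSI Edit can be read back to confirm it matches the note: a Success audit entry for Everyone that covers write-type rights and not the four read-type rights you unchecked. The script below is an added example, not Elisity's code; it assumes the ActiveDirectory module's AD: drive is available and that the session holds the privilege needed to read SACLs (an administrator session).

```powershell
# Added example (not Elisity's code): inspect the auditing (SACL) entries on the Users container.
Import-Module ActiveDirectory
$usersDn = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# -Audit is required to read the SACL rather than only the DACL
$acl = Get-Acl -Path "AD:\$usersDn" -Audit

$everyone = @($acl.Audit | Where-Object {
    $_.IdentityReference.Value -eq 'Everyone' -and $_.AuditFlags -match 'Success'
})

if ($everyone.Count -eq 0) {
    Write-Warning "No Success audit entry for Everyone on $usersDn; attribute changes will not be audited."
    return
}

foreach ($ace in $everyone) {
    $rights = $ace.ActiveDirectoryRights
    [pscustomobject]@{
        Rights       = $rights
        # Expected True: creating, deleting and writing attributes are what the note says must be audited
        AuditsWrites = ($rights -match 'WriteProperty|CreateChild|DeleteChild|GenericWrite|GenericAll')
        # Expected False: Full control, List contents, Read all properties and Read permissions were deselected
        AuditsReads  = ($rights -match 'GenericAll|ListChildren|ReadProperty|ReadControl|GenericRead')
        AppliesTo    = $ace.InheritanceType
        Inherited    = $ace.IsInherited
    }
}
```

If AuditsReads comes back True, reads of the container will also produce 4662 events, which adds noise without helping the connector; revisit the checkbox step above.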

 

After completing everything above, go to the command prompt and execute the command:

gpupdate /force

This will update all the policy changes without needing any reboots.

 

Elisity AD Connector Installation instructions

  • From your domain controller, navigate to Elisity Cloud Control Center
  • Navigate to the Connectors section in Cloud Control Center
  • Click on +IDP/Connectors in the top right corner (figure 11)


Figure 11

  • Click DOWNLOAD on the Active Directory connector
  • Save the file to your local laptop/desktop or the machine where the Connector will be run


Figure 12

  • Copy the ElisityADConnectorInstaller.zip file into a TMP directory in the target machine (Windows 2016/2019 Server) to host the Elisity AD Connector Service.
  • Extract the files after copying them into the target machine.
  • Run setup.exe as an administrator (figure 13). Leave all options as default.


Figure 13

Note: this machine should be a member of the Root AD Domain.

The Connector is configured as a Windows Service running as LocalService and will need further configuration (via another tabbed window, the 'Elisity AD Connector Config App').

At this point, you can click [Close] to dismiss the installer window.

After the agent has been installed successfully, open Windows Explorer, go to the installation folder, open the Security tab and grant the service account user Full Control on the default folder 'C:\Program Files\Elisity Inc'.


Figure 14

 

Connecting the Elisity AD Connector Config App to CCC

  • Go back to Cloud Control Center connectors page
  • Click the view configuration button on the Active Directory connector
  • Copy and save both the Gateway Server URL and Gateway Credential (figure 15)
    • You can click the Copy icon to save the Credential to Clipboard

Figure 15

Paste these credentials into the Elisity AD Connector. Click on Register Software.


Figure 16

Now we will enter the credentials of the service account that we created earlier.

  • Navigate to the Eada Service tab on the Elisity AD Connector Config App. Enter the service user credentials in the format domain\userid and enter the service user password. Click Save Service Config.


Figure 17

Here the Application will configure the Connector Service to run as the user you have provided. 

The status of the Service will be in a 'Stopped' state.

 

 

Final Configuration Steps

Next, we need to configure which domain controllers we will use to collect data and monitor events. To do this, we need to modify a configuration file and insert the FQDN for each Domain Controller we wish to monitor.

Note: If the agent is being installed on the ONLY Domain Controller that will be used for both initial sync and continuous monitoring of events, this step is not necessary and no configuration is required. 

Go to the Elisity AD Connector folder, usually found at:

     C:\Program Files\Elisity Inc\ElisityADConnector

Open the EuaConfGlobal.json file (pictured below)

There are two primary configurations that we are concerned with in this file: DCHostGC and DCHostsEV, on lines two and three. The rest of the settings in this file can be left at their defaults, except in unique cases.

{
    "DisableCV": false,
    "DCHostGC": "",
    "DCHostsEV": "",
    "CustomUserAttrs": "",
    "CustomUserFilters-OR": [],
    "CustomLdapFilter": "",
    "DcLoginEnabled": false,
    "SubscriptionWatchMode": false,
    "SysAccountLoginsToIgnore": "",
    "IgnoreLoginOlderThanMinutes": 1440,
    "EventPollingIntervalMilliSeconds": 500
}

 

  • "DCHostGC" is the Domain Controller that will be used for the Initial Sync process. Here we need to provide the hostname of a Domain Controller that we can make LDAP queries against to do a full sync. This DC needs to have the performance and compute resources to handle the LDAP queries during the sync process; typically it is one of your primary Domain Controllers.

  • "DCHostsEV" is a list of domain controllers that we will use for regular monitoring. This list should be made up of the Domain Controllers where we are likely to see user authorization events and attachments in the environments where Elisity is deployed.

  • You can monitor up to 20 additional servers (DCHostsEV) with a single Elisity AD agent.

 

Config File Examples

Scenario 1: Installing on a member server with multiple DC's: 

{
    "DisableCV": false,
    "DCHostGC": "primarydc.company.com",
    "DCHostsEV": "dc1.company.com,dc2.company.com,dc3.company.com",
    "CustomUserAttrs": "",
    "CustomUserFilters-OR": [],
    "CustomLdapFilter": "",
    "DcLoginEnabled": false,
    "SubscriptionWatchMode": false,
    "SysAccountLoginsToIgnore": "",
    "IgnoreLoginOlderThanMinutes": 1440,
    "EventPollingIntervalMilliSeconds": 500
}

Scenario 2: Installing on a primary Domain Controller

{
    "DisableCV": false,
    "DCHostGC": "localdc.company.com",
    "DCHostsEV": "dc1.company.com,dc2.company.com,dc3.company.com",
    "CustomUserAttrs": "",
    "CustomUserFilters-OR": [],
    "CustomLdapFilter": "",
    "DcLoginEnabled": false,
    "SubscriptionWatchMode": false,
    "SysAccountLoginsToIgnore": "",
    "IgnoreLoginOlderThanMinutes": 1440,
    "EventPollingIntervalMilliSeconds": 500
}

Scenario 3: Installing on the Sole Domain Controller

No configuration needed.

Service will be in a 'Stopped' state.
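Before starting the service it is worth validating EuaConfGlobal.json the way the connector will read it: as strict JSON (ConvertFrom-Json rejects single-quoted keys and trailing commas), with DCHostGC populated, no more than 20 DCHostsEV entries, and every listed DC resolvable. The script below is an added example, not Elisity's code. The file path and the 20-server limit come from the text above; the port checks are assumptions (TCP 389 for the LDAP sync host, TCP 135 for the RPC endpoint mapper on monitored DCs), since the text names LDAP and RPC but not port numbers.

```powershell
# Added example (not Elisity's code): sanity-check EuaConfGlobal.json before starting the service.
$ConfigPath   = 'C:\Program Files\Elisity Inc\ElisityADConnector\EuaConfGlobal.json'
$MaxMonitored = 20   # limit stated in the text

try {
    $cfg = Get-Content -Raw -Path $ConfigPath | ConvertFrom-Json
} catch {
    Write-Error "Config is not valid JSON (check for single-quoted keys or trailing commas): $($_.Exception.Message)"
    return
}

$findings = [System.Collections.Generic.List[string]]::new()

if ([string]::IsNullOrWhiteSpace($cfg.DCHostGC)) {
    $findings.Add('DCHostGC is empty: no DC is named for the initial sync (acceptable only when the agent runs on the sole DC).')
}

# DCHostsEV is a comma-separated string in the scenarios above
$evHosts = @($cfg.DCHostsEV -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($evHosts.Count -gt $MaxMonitored) {
    $findings.Add("DCHostsEV lists $($evHosts.Count) servers; a single agent supports up to $MaxMonitored.")
}

# Assumed reachability checks: LDAP (389) for the sync DC, RPC endpoint mapper (135) for monitored DCs
$targets = @()
if ($cfg.DCHostGC) { $targets += [pscustomobject]@{ Host = $cfg.DCHostGC.Trim(); Port = 389; Role = 'sync (LDAP)' } }
foreach ($h in $evHosts) { $targets += [pscustomobject]@{ Host = $h; Port = 135; Role = 'monitor (RPC)' } }

foreach ($t in $targets) {
    if ($t.Host -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $findings.Add("'$($t.Host)' is not a fully qualified host name.")
        continue
    }
    if (-not (Resolve-DnsName -Name $t.Host -ErrorAction SilentlyContinue)) {
        $findings.Add("'$($t.Host)' does not resolve in DNS.")
        continue
    }
    $probe = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        $findings.Add("'$($t.Host)' ($($t.Role)) did not answer on TCP $($t.Port).")
    }
}

if ($findings.Count -eq 0) {
    "Config OK: initial sync from '$($cfg.DCHostGC)', monitoring $($evHosts.Count) DC(s)."
} else {
    $findings | ForEach-Object { "WARN: $_" }
}
```

A DC that resolves but fails the port probe is usually a firewall matter on the DC side, which is what the RPC note in the prerequisites is about.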

 

Sync Process

After you have installed the connector on all of the relevant domain controllers, select a single domain controller to initiate your first sync. The Sync process will pick up all users/groups and data from the entire domain regardless of where you trigger the Sync from. Therefore you need to trigger a Sync from only ONE domain controller, and this DC should be a primary or performant server.

To initiate the first full sync of the AD database with Elisity Cloud Control Center, you can click on [Resync] to sync all the AD Users/Groups and Computers.

  • After the Sync is complete, the Connector Windows Service will be started
  • The status will show as 'running' if the workflow is completed

Note: It will take a few minutes to pull all the users. During the full sync process, Eada.Service will be paused (No events will be processed) for a few minutes until the sync has completed. 

In Cloud Control Center, you should see that the AD Connector now shows an 'Active' status. You will begin to see devices and users populating into Cloud Control Center.

The connector onboarding is complete.

 

Checking Connector Status from Cloud Control Center

Several tools are available from the AD Connector Overview in Cloud Control Center. 

  • View Details
    • View details about the AD connector agent, agent host machine, and status of all Domain Controllers monitored by the agent. Check the status of your connector, and when the last status change for the connector occurred. This gives customers a quick way to view important information about all Elisity AD connectors deployed throughout their network. 
  • Sync Domain (Active Directory)
    • This allows users to initiate the resync process from Cloud Control Center without needing to access the Agent. This is the same process as clicking [Resync] in the agent.
  • Troubleshoot (request log collection)
    • Allows downloading relevant logs from the server for troubleshooting and review.

Upgrading the Elisity Active Directory Connector

Follow these steps to ensure that your AD Connector Config App is upgraded correctly to the latest recommended version.

Step 1: Download the package on the windows machine

Step 2: Stop Eada.service and close the Connector application.

Step 3: Uninstall the AD agent app. You can run the installer for the currently installed AD connector version and select Uninstall. Optionally you can use the Windows uninstaller.

 

Step 4: Perform a cursory check that the .exe/.dll files are gone after the uninstall.

After uninstalling, the folder at C:\Program Files\Elisity Inc\ElisityADConnector should look similar to the image below, with no .exe or .dll files.
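Steps 2 through 4 can be checked from PowerShell rather than by eye. The script below is an added example, not Elisity's code; it assumes the Windows service is named Eada.Service as the text refers to it, uses the installation path from the text, and only lists the registered uninstall entry rather than running it.

```powershell
# Added example (not Elisity's code): stop the service, locate the uninstall entry, and confirm no binaries remain.
$ServiceName = 'Eada.Service'   # assumption: service name as referred to in the text
$InstallDir  = 'C:\Program Files\Elisity Inc\ElisityADConnector'

# Step 2: stop the connector service and wait until it has actually stopped
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; check the service name in services.msc."
} elseif ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    "Service '$ServiceName' is now $($svc.Status)."
}

# Step 3: show the registered uninstall entry (64-bit and 32-bit hives) so you can run it from Apps & Features
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Elisity*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# Step 4: after uninstalling, no .exe or .dll should remain in the install folder
$leftover = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue
if ($leftover) {
    Write-Warning 'Binaries still present in the install folder:'
    $leftover.FullName
} else {
    "No .exe/.dll files left in $InstallDir"
}
```

Run the Step 4 part a second time after the uninstall completes; the service-stop and uninstall-entry parts only make sense before it.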

 

Step 5: Extract the downloaded zip package, right click on setup.exe and ‘Run as administrator’. Follow the installer prompts to install the new connector app.


 

Step 6: Select the Gateway Settings tab in the APP, and provide the registration credentials found in the Cloud Control Center AD connector details.

Note: You can find the correct credentials by clicking "Add Connector" in Cloud Control Center and clicking "Configure" on the Active Directory Connector.

 

Click "Register Software" and you will receive an on-screen notification confirming that the connector has registered successfully with Cloud Control Center, or reporting an error if one has occurred.

 

Step 7: Make sure your agent credentials are set in the EADA Service tab, and start the EADA.service.

In Cloud Control Center, you should see the new connector version reflected in the Connector details tab for Active Directory. If the version does not change, re-register the connector using the steps above. 

Locating and Managing Users After AD Connection

Once you have successfully connected your Elisity platform to Active Directory (AD), navigating to and managing users is straightforward. This ensures seamless integration and management of users, leveraging the robust capabilities of Elisity's cybersecurity solutions.


Finding the Users Page

To locate the Users page after connecting AD, follow these steps:

Step 1: Navigate to the Settings Menu: From the Elisity dashboard, click on the "Settings" tab located on the left-hand sidebar. This section allows you to configure and manage various aspects of the Elisity platform.

Step 2: Access the Active Directory Section: Within the Settings menu, click on the "Connectors" dropdown. Here, select "Active Directory" to view the AD-specific configurations and options.

Step 3: View Users: Under the Active Directory section, you will find the "Users" tab prominently displayed. Clicking on this tab will bring you to the Users page, which has been seamlessly integrated into the Elisity platform from AD.

Overview of the Users Page

The Users page is designed to provide a comprehensive overview of all users within the organization, directly pulled from Active Directory. Here's what you can expect:

User Information: The page lists essential details for each user, including Name, Account ID, Status (Active or Inactive), AD Membership (such as Users/Contractors, Users/Domain Users), Department, Company, IP Addresses, Title, and Last Activity date.

Status Indicators: Each user's current status is clearly indicated, allowing administrators to quickly ascertain which users are active or inactive within the system.

Search and Filter: A search bar is provided at the top of the page, enabling administrators to quickly locate specific users based on their name or account ID. This is particularly useful in larger organizations with many users.

Robust Analytics Data: Beyond simple user information, the Elisity platform offers robust analytics on user behavior, including insights into the devices associated with each user, the policies governing their access, and the protection groups (PGs) they are part of. This analytics data aids in identifying usage patterns, potential security vulnerabilities, and compliance with established policies.

Integration and Consistency: It's important to note that this page maintains all the functionalities of the original Users page, with the added benefit of being directly integrated with Active Directory. This ensures that user management is streamlined and efficient, leveraging the centralized user information from AD.

By following the above steps, administrators can easily locate and manage users within the Elisity platform after connecting to Active Directory. This integration enhances the platform's usability and simplifies the management of user access and permissions, reinforcing the organization's cybersecurity posture.
