Microsoft Active Directory (AD)

Microsoft Active Directory (AD) is a directory service for Windows domain networks that authenticates and authorizes all users and computers.

About Microsoft Active Directory

Microsoft's Active Directory (AD) is a User and Asset management system. It is used by customers to provide authentication and authorization services for users, and access control to systems.

Use cases the adapter solves
Primarily user and device enumeration are obtained from AD. This populates assets in Axonius and brings valuable information about the respective assets such as Group / OU memberships, OS type, and distribution. These asset properties ultimately lead to informed decision-making. In addition, it helps identify unmanaged Windows systems, with secondary purposes of qualifying other categories of usage, such as the deployment of agents on Windows systems. You can discover users with too many permissions, or those not logged in for a specified time.

Data retrieved by Microsoft Active Directory

The Microsoft Active Directory Adapter fetches these distinct asset classes: devices, users and groups (requires Axonius SaaS Applications). Devices include fields such as the Hostname, Domain, OU, Trusts, Site, and Network information (interfaces, VLANs, IPs, MAC). User fields align with devices, including account, password, and logon details (all AD objects relating to the account).

'Last Seen in Domain'
Axonius shows you the 'Last Seen in Domain'. This value is calculated by Axonius by gathering all the information that indicates movement on that asset (for instance 'last password change', 'last logon', 'last logoff' and more). It is then sorted to get the value which is the most recent, and this is the value that populates the 'Last Seen in Domain' field.

Enforcements
Using Axonius to provide visibility and searchability into AD brings Enforcement Center to the fore. Devices can be 'decommissioned', moved/segmented based on non-configuration criteria; and user accounts can be modified, enabled, or disabled.

Related Enforcement Actions:

• Microsoft AD - Add/Remove Delegate Control Tasks to/from Assets
• Microsoft Active Directory (AD) - Change Assets OU
• Microsoft Active Directory (AD) - Add Assets to Group
• Microsoft Active Directory (AD) - Remove Assets from Group
• Microsoft Active Directory (AD) - Remove Assets from AD
• Microsoft Active Directory (AD) - Add or Update LDAP Attributes of Assets
• Microsoft Active Directory (AD) - Enable Assets
• Microsoft Active Directory (AD) - Reset Users' Passwords
• Active Directory - Create Users
• Active Directory - Update Users

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
• Users
• Groups
• Domains and URLs
• Organizational Units
• Compute Services
• Networks
• Accounts
• Permissions

Parameters

1. DC Address (required) - Specify the IP address of a single domain controller, or an FQDN that resolves to a single domain controller in an Active Directory Domain. It is recommended to enter a domain controller with DNS and Primary (PDC) roles. Ensure to enable the Get the most recent lastLogon by connecting to all DCs advanced configuration to contact all domain controllers in a Domain.

   • For more details about Global Catalog and LDAPS, refer to Required Ports.

2. Fallback DC Address, Fallback Port - Enter a secondary DC address and port as a secondary server to be connected if the first one fails.

3. SASL Mechanism (default: no SASL) - SASL authentication is supported. The default authentication method is no SASL. The following authentication methods are available: No SaSL, External, GSSAPI, Digest MD5 and Plain. Each method requires different authentication parameters:

   • No SASL - Authenticate using User Name and Password
   • External - Authenticate using User Name
   • GSSAPI - Optional authentication using UserName
   • Digest MD5 - Authenticate using Username, Password, Enable signing, and Realm (optional) Authorization ID (optional)
   • Plain - Authenticate using Username/Authentication ID and Password and Authorization ID (optional)

• Parameters depending on the SASL Mechanism selection
  a. Username and Password (required, depends on authentication method) - A user with regular LDAP query rights and its password. Enter the userPrincipalName (username@domain) OR domain\username. When connecting over SSL, the username must be in the format username@domain.

  Note

  For instuctions on how to configure an Axonius AD user account with all the required permissions, see Required Permissions.

  b. Authentication ID - Use for SASL Plain Mechanism.
  c. Realm (optional) - The LDAP Realm.
  d. Authorization ID (authzid) (optional) - The SASL authzid.
  e. Enable signing - Enable LDAP signing, refer to LDAP Signing for AD.

4. DNS Server Address (optional) - Axonius assumes that Domain Controller listed in each connection is also a DNS server. If your Domain Controller does not have the DNS role installed and you would like to use a different system for name resolution of discovered assets you can enter an alternate IP address here (even if it is installed, but you enter a field here, Axonius will use it). Please note that this setting is only used for discovered assets and will not affect resolution of the Domain Controller name entered in the connection configuration. This configuration value is used in conjunction with the Enable IP Resolving advanced setting.

5. Alternative DNS Suffix (optional) - Replace the device original DNS suffix for DNS resolving. For example, if the device name is windows8.acme.corp , and the Alternative DNS Suffix defined is 'acme-corp.lan', DNS resolving will be done for windows8.acme-corp.lan.

6. Use SSL for connection (optional, default: Unencrypted) - Select either Unencrypted (LDAP) or Verified / Unverified to use LDAPS (LDAP over SSL). Note that the DC Address in the adapter configuration must be the FQDN provided by the certificate.

7. CA File (optional) - If you choose the Verified option to use LDAPS (LDAP over SSL), you need to add SSL certificates (PEM format CA file) to the credentials.

8. SSL cipher (optional) - Enter an SSL cipher to use for the TLS object of the connection. Using a stronger cipher can solve connection failures when using the default cipher. Examples of OpenSSl ciphers.

9. Do Not Fetch Users (optional, default: False) - Select this option if you do not want to fetch users.

10. Fetch Disabled Devices and Fetch Disabled Users (optional) - Select to fetch disabled devices or users. By default, Axonius fetches only enabled devices and users.

11. Filter Deleted Devices - By default Axonius fetches deleted devices. Select this option to not fetch deleted devices.

12. Filter Deleted Users by default Axonius fetches deleted users. Select this option to not fetch deleted users.

13. Connect to Global Catalog (GC) - Select this option if the configured DC has a Global Catalog role.

14. Organizational units include list (optional) - Set one or more OUs so Axonius will fetch entities that reside only in the listed organizational units. Each item in the list should represent an 'OU' value of the desired OU DN. For example, for OU DN (“Ireland Office/acme/corp , New York Office/acme/corp”), specify the organizational units of Acme corporation of the Ireland Office and New York Office.

15. Organizational units to exclude (optional) - Set one or more OUs so that Axonius will not fetch entities that belong to the specified organizational units. Each item in the list should represent an 'OU' value of the OU DN that should be excluded. For example, for OU DN (“Ireland Office/acme/corp , New York Office/acme/corp”), specify the organizational units of Acme corporation of the Ireland Office and New York Office.

16. Search Base (optional) - When you enter a path, a search only happens under the path configured. This option should not generally be configured and fetch should normally be for the complete domain. It can be useful in a case where there might be more than one AD subdomain, and you only want to fetch resources for a specific subdomain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

1. Enable IP Resolving (required, default: true) - Select this option so that adapter will try to find the IP of the fetched AD entities using three entities (the DNS configured on the machine, the DNS supplied in the creds, and the AD DC itself). Otherwise this adapter will try to find the IP of the fetched AD entities using only AD DC itself.
2. Max parallel DNS queries (optional, default: 1000) - This field limits the number of parallel DNS queries.
3. Fetch Users Image (required, default: true) - Select this option to fetch users images.
4. Fetch Trusted Domains information (default: False) - Select this option to fetch information about the domains that are trusted by the user/device domain. The data will be displayed in the Domains & URLs assets page.
5. Enrich group members for each group - Select this option to enrich group members with their SID.
6. Get nested group membership for each user (required, default: true) - Select this option to fetch the group membership for each user.
7. Get the most recent lastLogon by connecting to all DCs - By default, the "LastLogonTimestamp" value is replicated only once every 2 weeks in the domain, and the "LastLogon" value shows the value of the last logon per each Domain Controller. If this option is selected, Axonius will connect to each domain controller to pull the "LastLogon" value for each user, to show this value accurately in Axonius.

8. LDAP pagination (entries per page) (required, default: 900) - Set the number of entities to fetch in each LDAP request.

9. LDAP socket connection timeout (seconds) (required, default: 10) - Set the maximum socket connection timeout.

10. LDAP socket receive timeout (seconds) (required, default: 120) - Set the maximum socket receive timeout.

11. Devices to exclude by objectCategory (optional)

    • If supplied, all connections for this adapter will exclude devices with the specified AD objectCategory.
    • If not supplied, all connections for this adapter will not exclude any devices.
      This field allows you to add input in order to exclude devices that have a specific AD objectCategory.

12. LDAP fields to exclude (optional) - Specify a comma-separated list one or more LDAP fields to exclude from the data. For example, "employeeID, givenName". This will exclude both of these from the raw and parsed data from the adapter.

    • If supplied, all connections for this adapter will not fetch the specified LDAP fields. The specified fields will not be part of the assets data in Axonius.
    • If not supplied, all connections for this adapter will fetch all asset LDAP fields.

13. Exclude ms-Msc-AdmPwd field (default: true) - This setting removes the ms-Msc-AdmPwd field from the raw data fetched by Axonius. Clear this setting to include this field. In order to completely prevent this field being fetched from the API, remove 'All Extended rights' from Active Directory permissions.

14. Parse all LDAP attributes to basic view - Select to show all fields/values from the Advanced view in Basic view on the Device Profile page.

15. Parse User Customized Attributes With Prefix - Enter prefixes of custom AD fields you want mapped into Axonius fields in the Users asset page.

16. Fetch Specops password expiration date - Select whether to fetch the number of days left to password expiration from Specops for systems that manage passwords using Specops, and calculate a password expiration date.

17. Use msDS-UserPasswordExpiryTimeComputed to calculate user password expiration time - Select to calculate the 'User > Password Expiration Date' field using the Active Directory LDAP value of the "msDS-UserPasswordExpiryTimeComputed" attribute.

18. Distinguish standalone managed service accounts as users - Select to to fetch standalone managed service accounts as Users.

19. Distinguish group managed service accounts as users (optional) - Select to distinguish group Managed Service Accounts as users. When cleared, group Managed Service Accounts are considered devices.

20. Hostnames to resolve - Add a semi-colon separated list to specify a list of hostnames that the AD adapter will resolve to a specific IP address once, and cache the resolution for subsequent usage of the hostname.

21. Admin Groups - Enter one or more AD Groups to specify AD groups which consist of administrators (press Enter between groups). All the members of the specified groups will be marked as admin meaning “IsAdmin” attribute will be set to Yes. This list is in addition to the default 'Domain Admins' group.

21. Parse patch information from AD memberof entries - Select this option to parse the AD 'member of' field for entries beginning with 'Patch_" to add that data to the 'AD Patch MemberOf Information' field.
22. Parse user mail as specific field - Select this option to parse the user mail as a specific field, and not an aggregated field. Use this field only after direction from Axonius support.
23. Ignore inactive users that were not seen for the last X days - Do not fetch users that are inactive (as defined by AD UserAccountControl), and have not been seen for the last x days. If the last seen date is unknown, the users are not ignored.
24. Fetch Subnets from Sites - Select this option to fetch data from Active Directory Sites.
25. Custom hosts map - A custom host map to use when advanced configurations are required, for instance SASL authentication. Each entry should be in the format of "ip:hostname", separated by a semicolon ";".
26. Username alternative parsing - Select the value that will be displayed in the Username field in the Users table. You can choose between displayName and userPrincipalName. If no value is selected, the default Username value will be sAMAccountName.
27. Fetch and Parse Group Customized Attributes - Enter custom AD fields you want mapped into Axonius fields in the Groups asset page.
28. Fetch Interactive Logon for Users - Select this option to fetch the 'Is Interactive' field for the Users asset.
29. Fetch Protect from accidental deletion information for Users - Select this option to fetch the 'Fetch Protect from accidental deletion information for Users' field for the Users asset. This field is boolean (True/False). This setting uses Powershell commands instead of LDAP, and requires to enable WinRM service in the hostname. See Required Ports and Required Permissions for more information.
30. Fetch Permissions - Select this option to fetch Permissions (of users and groups) as assets. This setting uses Powershell commands instead of LDAP, and requires to enable WinRM service in the hostname. See Required Ports and Required Permissions for more information.

Required Ports

Axonius must be able to communicate with the value supplied in DC Address via the following ports:

• TCP port 88 - when using Kerberos authorization.
• TCP/UDP port 389 when LDAP - SSL unencrypted is selected.
• TCP port 636 - when the LDAPS - SSL encrypted or unverified is selected.
• TCP port 3268 - when the insecure Global Catalog - SSL unencrypted is selected.
• TCP port 3269 - when both SSL encrypted or unverified is selected and Secure Global Catalog is enabled.
• Custom Port - when you set a custom port in DC Address, this must be available.
• TCP port 5986 - when the Fetch Permissions advanced setting is enabled.
  
  

Required Permissions

The value supplied in User Name must be a service account with Read permissions to all assets and users in the AD tree. In addition, the user must have permission to run the Get-Acl powershell command to fetch Permissions.
To configure an Axonius AD user account, run the following PowerShell script:

param (
    [string]$User  # Accepts the user as a parameter
)
# Validate input
if (-not $User) {
    Write-Host "Usage: .\set_ad_user_permissions.ps1 -User DOMAIN\username" -ForegroundColor Yellow
    exit
}
# Define the user who needs read access
# $User = "DOMAIN\username"  # Change to the target user
# Get the domain root distinguished name
$DomainDN = (Get-ADDomain).DistinguishedName
# Get the current ACL (Access Control List) for the domain
$ACL = Get-Acl "AD:$DomainDN"
# Create a new access rule for the user
$Identity = New-Object System.Security.Principal.NTAccount($User)
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$Type = [System.Security.AccessControl.AccessControlType]::Allow
$Rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, $Rights, $Type)
# Apply the new rule to the ACL
$ACL.AddAccessRule($Rule)
# Set the modified ACL back to AD
Set-Acl -Path "AD:$DomainDN" -AclObject $ACL
Write-Host "Read permissions granted to $User for all Active Directory objects."
# Split DOMAIN\username into domain and username
$Domain, $SamAccountName = $User -split '\\'
# Get user information from Active Directory
$ADUser = Get-ADUser -Filter { SamAccountName -eq $SamAccountName } -Properties DistinguishedName
Add-ADGroupMember -Identity "Remote Management Users" -Members $ADUser
Add-ADGroupMember -Identity "Account Operators" -Members $ADUser

In addition, View BitLocker Information permission is required for Axonius to obtain BitLocker data managed by Microsoft AD. Note that BitLocker keys are not fetched.