Active Directory

This article provides configuration advice for integrating AD with Vectra NDR (formerly known as Vectra Detect for Network). The integration is supported for both Respond UX and Quadrant UX deployments.

Feature Description

Vectra integration with your Active Directory service will assist in the identification of Hosts and Accounts on your network. Enabling this feature will also provide Active Directory context, such as group membership, organization, and password-expiry status for Accounts; and owner, operating system, and machine information for Hosts. Active Directory Context can be found under individual Account and Host detail tabs and is configured on the External Connectors tab under Settings. In addition, enabling AD integration will also allow you to enable Account Lockdown for AD.

Microsoft Active Directory Attributes used by the Vectra Active Directory Integration

Accounts

distinguishedName, cn, description, objectClass, displayName, userPrincipalName, objectSid, department, l, telephoneNumber, pwdLastSet, location, manager, memberOf, mail, title

Hosts

distinguishedName, cn, description, objectClass, displayName, userPrincipalName, objectSid, department, l, telephoneNumber, pwdLastSet, location, manager, memberOf, mail, title, dNSHostName, managedBy, machineRole, operatingSystem, networkAddress, physicalLocationObject, nETBIOSName, servicePrincipalName, macAddress

Support for multiple Active Directory instances:

As of version 8.2 of Vectra software, up to 20 AD instances can be configured as sources for Vectra to interact with for context retrieval or Account Lockdown. This is useful for large customers with several sub-organizations that run their own AD implementations but share a common security team. It also applies to companies that, during an acquisition, operate separate AD infrastructures for some period of time, or indefinitely.

Please keep the following in mind when working with multiple AD sources:

  • When you configure more than one AD integration, each integration will require the same setup steps below to be executed in each AD and in Vectra.

    • Once one source has been configured, click "+ Add Active Directory" in Vectra to add more ADs.

  • A maximum of 20 ADs can be configured.

  • If an account exists in multiple ADs, an Account Lockdown will lock the account in any configured AD that it is present in.

  • If you choose to enable dirsync as per the #Sync_Options section below, it will apply to all configured ADs.

  • Additional account or host context data is shown by the AD source it is found in. See the example below:

Additional Resources:

AD Configuration Instructions

Requirements

  • The Brain must be able to reach your LDAP server (default tcp/389). Verify network connectivity from the Brain to the server before continuing.

  • Service account with password to be input into Vectra

    • The account must be specified as a DN (distinguishedName) and not a UPN (userPrincipalName).

    • Password should not be required to be changed by Vectra on initial logon.

    • The account should have a view from the top of the forest, or from as high a base as possible, so that it can see all necessary accounts.

    • Account requires ability to read all properties for descendent user and computer objects.

    • Account requires "Write userAccountControl" permission if you plan to enable Account Lockdown.

    • Optional and only required if you will be configuring Dirsync as your sync option:

      • Dirsync is described in more detail at the end of this article in the #Sync_Options section.

      • Account will also require "Replicating Directory Changes".

  • When using AD integration in conjunction with Lockdown functionality, we assume a standard AD deployment with inheritance for permissions enabled.

    • In order to lock down an account, your bind user must be able to update the User Account Control of the account you want to lockdown.

  • PLEASE NOTE: If an AD account does not have a UPN (User Principal Name) configured, the account cannot be locked down.

    • Please ensure all accounts that you may want to lock down have a UPN configured.

Steps

Create a service account on Active Directory using "Active Directory Users and Computers."

Go to your container of choice, right-click/New/User.

Our account will be called "svc vectra."

Enter a strong password and untick "User must change password at next logon" as the type of login Vectra will make is non-interactive. Depending on your security policy, you might or might not want to select "Password never expires." If your security policy won't allow for a password that never expires, make sure to update the user password in your Vectra UI when the password is updated on AD. Click on "Next" then "Finish."

Now that the account is created, it must be assigned at the top of the forest, or as high as possible, to give Vectra visibility of all user and computer accounts, and svc vectra must be given access to read several attributes and to write to one attribute. In "Active Directory Users and Computers", click View, then Advanced Features.

Right-click on your forest and click Properties. In the forest's Properties window, go to the Security tab, then click Add.

Type the name of the user account created in the previous steps and click Check Names. Click OK.

Select the account that was just added and click Advanced.

Select the same account as in the previous step and click Edit.

Under "Applies to:", scroll all the way to the end and select "Descendant User objects".

Under the Permissions and Properties sections, "Read all properties" should be selected by default. If it is not, you will have to grant permission to the individual attributes listed in the table at the beginning of this article.

Under "Properties", scroll down until you find "Write userAccountControl" and tick the box next to it. This is only required if you will be enabling Account Lockdown. Click OK.

Under "Applies to:", select "Descendant Computer objects" and make sure that "Read all properties" is ticked under Permissions and Properties.

Required only when using Dirsync: the next step is optional and only needed if you will be configuring Dirsync as your sync option. Dirsync is described in more detail in the #Sync_Options section near the end of this article.

  • Click on "Ok" twice.

  • While still editing the security options for your "svc vectra" account, find the "Replicating Directory Changes" permission and check the "Allow" option.

  • Click "Ok".

  • If you are NOT using Dirsync, just click "OK" 3 times to exit the dialog.
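As an added example (not Vectra's own code), the following PowerShell script performs the same account-creation and permission steps with the ActiveDirectory module instead of the GUI. It assumes a single-domain forest (so the domain root DN is the highest base), a sAMAccountName of svc_vectra for the "svc vectra" account, and that it is run as a Domain Admin; schema and extended-right GUIDs are looked up rather than hard-coded.

```powershell
# Added example, not part of the Vectra KB. Assumes a single-domain forest and
# Domain Admin rights. Mirrors the manual steps above: create "svc vectra",
# grant Read all properties on descendant user/computer objects, grant
# Write userAccountControl (Lockdown only) and, optionally, Replicating
# Directory Changes (Dirsync only).
Import-Module ActiveDirectory

$svcName  = 'svc vectra'          # display name used in the article
$svcSam   = 'svc_vectra'          # assumed sAMAccountName
$domainDN = (Get-ADDomain).DistinguishedName
$rootDSE  = Get-ADRootDSE

# 1. Service account: logon is non-interactive, so no forced password change.
$secret = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcSam -AccountPassword $secret `
    -Enabled $true -ChangePasswordAtLogon $false -Path "CN=Users,$domainDN"
$sid = (Get-ADUser -Identity $svcSam).SID

# Resolve schema GUIDs from the schema partition instead of hard-coding them.
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]::new([byte[]]$o.schemaIDGUID)
}
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$uacAttr       = Get-SchemaGuid 'userAccountControl'

$acl   = Get-Acl -Path "AD:\$domainDN"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 2. "Read all properties" on descendant user and computer objects.
foreach ($cls in $userClass, $computerClass) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        $allow, [guid]::Empty, $desc, $cls))
}
# 3. "Write userAccountControl" on descendant user objects (Account Lockdown).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $uacAttr, $desc, $userClass))
# 4. Optional, Dirsync only: "Replicating Directory Changes" on the domain root.
$repl = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(displayName=Replicating Directory Changes)' -Properties rightsGuid
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, [guid]$repl.rightsGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# The value to paste into "Vectra Account Bind DN" in the Vectra UI.
(Get-ADUser -Identity $svcSam).DistinguishedName
```

Skip step 4 if you are not using Dirsync, and step 3 if you are not enabling Account Lockdown; the resulting ACEs can be reviewed afterwards with Get-Acl on the same AD: path.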

Vectra Configuration Instructions

  • After logging into your Vectra UI, go to Settings > External Connectors > Active Directory and Lockdown.

  • Click the pencil icon or "Edit" button to edit the settings for the feature.

  • Click the slider to toggle the integration on and then click "+Add Active Directory" to add an AD server.

  • Fill out the configuration information required for your deployment using the information from the "Field Descriptions" below.

  • Repeat this process if you are adding multiple ADs.

    • You will also need to repeat the earlier #AD_Configuration_Instructions when adding multiple ADs to create a service account in each AD you are adding.

  • If you are configuring AD Account Lockdown or Automatic Account Linking, see the following KBs for more detail:

Field Descriptions:

Vectra Account Bind DN:

Object inside AD that you bind to for permissions to perform queries.

If you don't know how to retrieve the bind DN, open "Active Directory Users and Computers", find the service account and go to its Properties. Open the "Attribute Editor" tab and look for the attribute "distinguishedName". Select the "distinguishedName" attribute and click View. You can now copy the attribute value and paste it into Vectra's UI. Alternatively, open a PowerShell window and run Get-ADUser -Identity <username>; the output includes the DistinguishedName.

Example 1: Vectra Account Bind DN: CN=svc vectra,CN=Users,DC=CSForest,DC=com

Example 2: Vectra Account Bind DN: CN=Vectra User,OU=some OU,OU=Domain,DC=DOMAIN,DC=LOCAL

Active Directory Password:

Password associated with the above object.

Use TLS (STARTTLS):

  • When selecting this option, TLS will be used to secure communications between Vectra and the AD server, and additional choices will appear:

  • The Autobind options control the order of binding (authenticating) and starting TLS:

    • No auto-bind: This should be the default choice for all customers unless you have a specific need. With this selected, Vectra starts TLS first and then uses the credentials to bind to the directory.

    • Bind first, then start TLS: Some customers may have a specific configuration that requires binding before starting TLS. Only select this option if you require it.

    • Start TLS, then bind: If the normal "No auto-bind" setting doesn't work but you still would like to start TLS before binding, try this option as it may allow TLS to work with some servers that do not support the normal option.

URI:

The URI of your AD server. Examples: ldap.mydomain.org or ldap://domain.local

Base DN:

Location from which the server will search for objects. Make sure that you enter a base high enough to allow Vectra to see all computer and user objects. If you want to search the whole forest, enter the full domain, i.e. enter "dc=CSForest,dc=com" and not "dc=com" only; otherwise AD will reply with a referral error and you will see a generic error message in the UI.

Example 1: Base DN: DC=CSForest,DC=com

Example 2: Base DN: OU=Domain,DC=DOMAIN,DC=LOCAL

Query Timeout:

Set the amount of time (in seconds) to wait before timing out a query.

Connection Timeout:

Set the amount of time (in seconds) to wait before timing out an idle connection to AD.

Sync Options:

Vectra normally syncs with your Active Directory in chunks at varying intervals over the course of 24 hours. Queries are paginated to reduce the load on your AD server. Larger environments may need to sync more frequently to gather all directory information successfully. If the load on the AD server you have chosen for AD integration with Vectra becomes too high, you can switch to the Dirsync method, which only syncs changes hourly after an initial full sync.

  • In general, in large environments, normal AD sync will use more memory on the AD server than Dirsync.

  • Dirsync may, however, cause more network load than normal AD sync if there are frequent object changes in the environment.

  • Unless there are issues with AD server load, Vectra recommends using normal AD sync.

Dirsync details:

Dirsync is available in version 7.8 and higher of the Vectra Brain appliance code. Dirsync is an alternative sync method: it changes only the sync method, not the UI configuration described above. Dirsync is configured separately using the CLI of your Brain, as follows:

  • To enable Dirsync, configure Settings > External Connectors > Active Directory and Lockdown with your Bind DN, password, and other options.

  • Once the GUI configuration is done, normal sync using LDAP will commence over a 24 hour period.

  • Go to the CLI of your Brain and "set dirsync enable" to enable Dirsync.

  • A full sync will start and then subsequent syncs will be much smaller and based on how many changes have occurred in your directory.

    • When Dirsync is enabled, your Brain appliance will query AD for changes hourly.

Please note that the option to force a full sync will delete everything in the cache and start over. This should only be done at the direction of Vectra support.

LDAP vs LDAPs

LDAPS (default on port tcp/636) is deprecated and is not supported. More on LDAPS deprecation.

LDAP over TLS, known as STARTTLS (same LDAP port, by default tcp/389), is supported. This method negotiates a TLS tunnel on top of the TCP connection once it is established (ref: https://docs.ldap.com/specs/rfc4511.txt, section 4.12, StartTLS extended operation). The server and network environment must be configured accordingly to support STARTTLS.
