
ISE Passive ID Agent

paul
Level 10

There is one part of passive ID that I am unclear on. I know the following options:

  1. Have PSNs pull security events directly from the DCs using a service account with sufficient privileges and run the Config WMI script on the DCs.
  2. Push an agent to the DCs using credentials that have rights to install the service on the DCs and have the DCs send the security events to the PSN.

The one scenario I am unclear of is pushing the agent to a member server and having that member server poll the DCs. Just pushing an agent to a member server doesn't give it rights to poll the DCs. That member server would need a service account with sufficient privileges and the DCs would have to have the Config WMI run on them, right?

Accepted Solution

Timothy Abbott
Cisco Employee

Paul,

The agent uses native Windows APIs so the controllers don't need to have the WMI configuration changes.

Regards,

-Tim


So once the agent is installed on a member server there are no special permissions/accounts needed to make those API calls.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Tim,

I am testing this in my lab. When I install the DC agent on my DCs I have no issues getting passive ID information. When I remove the DC agent from the DCs and install it on a member server and assign that member server to monitor my DCs I don’t seem to be getting any information. When I wireshark the member server I see a lot of Kerberos auth required and RPC access denied messages coming from my DCs. There is nothing extra I am supposed to need to allow the member server to pull security logs?

Paul Haferman

hslai
Cisco Employee

Please use the DC pages (in ISE/ISE-PIC admin web UI) and set the user credentials used to monitor them.

I shouldn’t need to set any credentials. I am using the DC agent which is my original question. I know how to monitor the DCs with WMI and credentials and I know that installing the DC agent on the DCs themselves works just fine. What I am unclear of is exactly how just installing the DC agent on a member server and telling it to poll a DC is supposed to work if there are no credentials.

I have customers that don’t want to install the service on a DC which makes sense. I am trying to understand how the DC agent running on a member server is able to communicate with the DCs.

I am sure I am missing something obvious, but other solutions that install on member servers require credentials to poll the domain controller security logs.

Paul Haferman

hslai
Cisco Employee

I did a similar test a couple of months ago and found it needed to set the credentials.

If you checked the event viewer of the DC being monitored, you would likely find the agent attempts from the member server using "administrator" as the username.

Okay looks like you are right. When I set the credentials on the DC object in ISE and stop and start the service on the member server running the agent I see a bind request being made with the username I specified on the DC in ISE. So installing the agent on a member server still requires a special account with a decent amount of access. So all you are really saving is the PSNs using that account and doing direct WMI calls. Installing the agent on the DCs directly doesn’t require any special account.

Paul Haferman
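The two checks hslai and Paul describe above (does the account set on the DC object in ISE actually have read access to the DC's Security log, and which account the member-server agent is presenting to the DC) can be scripted from the member server. The script below is an added example, not part of the thread or of the ISE agent; DC01, MEMBER01 and LAB\svc-ise-pid are placeholder names, and the 4625 filter assumes the DC records the agent's failed attempts as failed logons with the member server's name in the WorkstationName field.

```powershell
# Added example (not from the thread). Run on the member server hosting the
# ISE PassiveID agent; placeholders: DC01, LAB\svc-ise-pid.
param(
    [string]$Dc          = 'DC01',             # monitored domain controller (placeholder)
    [string]$AgentHost   = $env:COMPUTERNAME,  # this member server, as the DC sees it
    [string]$ServiceUser = 'LAB\svc-ise-pid'   # account configured on the DC object in ISE (placeholder)
)

$cred = Get-Credential -UserName $ServiceUser -Message 'Password for the ISE monitoring account'

# 1. Can the configured account read the DC Security log remotely? This is the
#    access the agent needs; an access-denied here matches the RPC access denied
#    and Kerberos messages Paul saw in Wireshark.
try {
    $latest = Get-WinEvent -ComputerName $Dc -Credential $cred -LogName Security `
                           -MaxEvents 1 -ErrorAction Stop
    Write-Host "OK: $ServiceUser can read the Security log on $Dc (latest event $($latest.TimeCreated))"
} catch {
    Write-Warning "$ServiceUser cannot read the Security log on ${Dc}: $($_.Exception.Message)"
}

# 2. Which account is this host presenting to the DC? Before credentials are set
#    in ISE the thread reports 'administrator'; afterwards TargetUserName should
#    be the service account and the failures should stop. NTLM and Kerberos
#    failures land in 4776 / 4771 instead (keyed by Workstation / IpAddress).
$xpath = "*[System[EventID=4625] and EventData[Data[@Name='WorkstationName']='$AgentHost']]"
Get-WinEvent -ComputerName $Dc -Credential $cred -LogName Security `
             -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is easiest to read from the event's XML form
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Domain    = ($d | Where-Object Name -eq 'TargetDomainName').'#text'
            Status    = ($d | Where-Object Name -eq 'Status').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            SourceIp  = ($d | Where-Object Name -eq 'IpAddress').'#text'
        }
    } | Format-Table -AutoSize
```

Step 2 reads the log with the same credential as step 1, so if step 1 warns, step 2 prints nothing; run it again after setting the credentials on the DC object in ISE and restarting the agent service, as Paul did.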