Active Directory Assessment Setup
SolCyber will perform a bi-annual assessment of your Active Directory environment(s) and provide a report and analysis of critical findings. This documentation covers running the assessment tool for on-premises Active Directory. If you have an Azure Active Directory environment that you would like assessed, please see the Azure Active Directory Assessment Setup.
System Requirements
To facilitate assessment of Active Directory, the SentinelOne Identity Agent must be installed on a single domain-joined device that can communicate with the Domain Controller(s). The device is referred to as the “AD Connector”. It is not advised to install the Identity Agent on the Domain Controller itself. The system requirements for the AD Connector are listed below:
- An AD-joined endpoint on Windows 10 64-bit or higher or Windows Server 2012 R2 or higher.
- CPU: 4 core
- RAM: 16 GB
- Hard disk free space: 1 GB
- Internet bandwidth: 5 Mbps
The device you select to serve as the AD Connector should be stable and always up. We do not recommend using a device that is regularly powered down or not continually connected to the network.
Network Requirements
Ensure your network and security settings allow these protocols between the AD Connector and the Domain Controller(s):
- DNS (53) - Make sure the AD Connector endpoint can resolve the forest and domain names.
- Kerberos - UDP (88) and TCP (88)
- LDAP (389/636)
- SMB (445)
- WinRM (5985/5986)
Ensure the AD Connector can access the following destinations on TCP 443:
- https://usea1-identity.sentinelone.net
- https://usea1-api-identity.sentinelone.net
- https://mgmt-file-upload-us-east-1-prod.sentinelone.net
- https://us-east-1-prod-auto-deploy.s3.us-east-1.amazonaws.com
At the time of assessment, there can be up to 11% CPU usage on the AD Connector endpoint. This maximum CPU usage lasts only a few seconds. Normal CPU usage is around 4%.
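The following PowerShell script is an added example, not SolCyber's or SentinelOne's code. Run it on the prospective AD Connector before installing the agent: it resolves the forest and domain names, probes every domain controller on the ports listed above, and probes the four SentinelOne endpoints on TCP 443. It assumes the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later; the domain and its controllers are discovered from the machine's own membership, so RSAT is not required.

```powershell
# Added example (not SolCyber's or SentinelOne's code): confirm the network
# prerequisites for the AD Connector before the Identity Agent is installed.

# Ports from the Network Requirements section. UDP/88 cannot be probed with
# Test-NetConnection, so only the TCP side of Kerberos is checked here.
$dcPorts = [ordered]@{
    'DNS' = 53; 'Kerberos (TCP)' = 88; 'LDAP' = 389; 'LDAPS' = 636
    'SMB' = 445; 'WinRM' = 5985; 'WinRM (HTTPS)' = 5986
}

# SentinelOne Identity endpoints the connector must reach on TCP 443.
$cloudHosts = @(
    'usea1-identity.sentinelone.net',
    'usea1-api-identity.sentinelone.net',
    'mgmt-file-upload-us-east-1-prod.sentinelone.net',
    'us-east-1-prod-auto-deploy.s3.us-east-1.amazonaws.com'
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Target, $Check, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Target = $Target; Check = $Check; Ok = $Ok; Detail = $Detail })
}

# Discover the domain and forest from the machine's own membership (no RSAT needed).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# DNS: the connector must resolve both the forest and the domain name.
foreach ($name in @($forest.Name, $domain.Name) | Select-Object -Unique) {
    try {
        $ips = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress -join ','
        Add-Result $name 'DNS resolve' $true $ips
    } catch { Add-Result $name 'DNS resolve' $false $_.Exception.Message }
}

# Every domain controller must be reachable on each listed port.
foreach ($dc in $domain.DomainControllers) {
    foreach ($entry in $dcPorts.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $dc.Name -Port $entry.Value -WarningAction SilentlyContinue
        Add-Result $dc.Name "$($entry.Key) $($entry.Value)/tcp" $t.TcpTestSucceeded $t.RemoteAddress
    }
}

# Outbound HTTPS to the SentinelOne Identity endpoints. If egress goes through an
# HTTP proxy, a direct TCP probe fails even though the agent would work via the
# proxy's /proxyaddr setting; in that case probe the proxy's own address instead.
foreach ($h in $cloudHosts) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Result $h '443/tcp' $t.TcpTestSucceeded $t.RemoteAddress
}

$results | Sort-Object Ok | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed; fix these before installing the agent."
    exit 1
}
"All network prerequisites satisfied."
```

A failed row for a domain controller usually points at a host firewall or a segmentation rule between the connector's subnet and the DC; a failed row for a cloud host with working DNS usually points at egress filtering or a mandatory proxy.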
Identity Agent Installation
SolCyber will provide you with the Identity Agent binary. You will need local administrative privileges to install the agent on the endpoint.
- Open Windows Command Prompt or Windows PowerShell in administrator mode and change the directory to the one that contains Windowssetup.exe.
- Run Windowssetup.exe /ia /service
- Both /ia and /service parameters are required. AD Connector does not function for the current user (/i) or in non-service mode.
- If the traffic to the Internet is sent through an HTTP proxy server, pass the proxy details using the command-line parameters. Use /proxyaddr <IP address:port number> to pass the IP address and port number of the HTTP proxy. For example: Windowssetup.exe /ia /service /proxyaddr 192.0.2.10:8421. If authentication is mandatory, pass the user name and password as well using the /proxycred <Username:Password> parameter. For example: Windowssetup.exe /ia /service /proxyaddr 192.0.2.10:8421 /proxycred SampleUserName:SamplePassword
- Only HTTP proxy is supported (not HTTPS). However, the traffic between AD Connector and Identity Console is encrypted.
- Verify that "Installation for all users completed successfully" is displayed in Windows CMD.
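The script below is an added example wrapping the installation steps above; it is not SolCyber's or SentinelOne's installer code. It refuses to run a Windowssetup.exe whose SHA-256 does not match the value SolCyber supplies out of band (the hash here is a placeholder), prompts for proxy credentials instead of having them typed into a command line that lands in shell history, and checks for the completion message. It assumes Windowssetup.exe is in the current directory and that the installer writes its completion message to standard output, as the step above implies.

```powershell
# Added example (not SolCyber's or SentinelOne's code): install the Identity Agent
# with hash verification and without hard-coding proxy credentials.
param(
    [string]$ExpectedSha256 = 'REPLACE-WITH-HASH-FROM-SOLCYBER',  # placeholder, not a real value
    [string]$ProxyAddress,                  # e.g. 192.0.2.10:8421, form <IP address:port number>
    [switch]$ProxyNeedsAuth
)

# Must run elevated: the agent is installed for all users (/ia) as a service (/service).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (administrator) PowerShell session.' }

$installer = Join-Path (Get-Location) 'Windowssetup.exe'
if (-not (Test-Path $installer)) { throw "Installer not found at $installer" }

# Supply-chain check: only run the binary SolCyber actually provided.
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) { throw "Hash mismatch: got $actual" }

# /ia and /service are mandatory; the connector does not work per-user (/i) or non-service.
$installArgs = @('/ia', '/service')
if ($ProxyAddress) {
    if ($ProxyAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$') {
        throw '/proxyaddr expects <IP address:port number>'
    }
    $installArgs += '/proxyaddr'; $installArgs += $ProxyAddress
    if ($ProxyNeedsAuth) {
        # Prompt rather than hard-code. The installer's interface is a plain
        # /proxycred <Username:Password> argument, so the value is still passed
        # in clear to the process; it is cleared from this session right after.
        $cred  = Get-Credential -Message 'HTTP proxy credentials for the Identity Agent'
        $plain = $cred.GetNetworkCredential().Password
        $installArgs += '/proxycred'; $installArgs += "$($cred.UserName):$plain"
    }
}

# Run the installer and capture its console output (assumed to go to stdout).
$output = & $installer @installArgs 2>&1 | ForEach-Object { "$_" }
$plain = $null; $installArgs = $null
$output

if ($output -match 'Installation for all users completed successfully') {
    'Identity Agent installed as a service.'
} else {
    Write-Warning 'Completion message not seen; review the output above before continuing.'
}
```

Because /proxycred is a command-line argument, the proxy password is visible to anyone who can list process command lines on the host while the installer runs; a dedicated proxy account with no other rights limits what that exposure is worth.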
AD Read-Only Service Account
Please create a read-only domain service account to perform the assessment. You will need to provide SolCyber with the account credentials via onetimesecret.com or an encrypted email.
- The account must have access to WinRM on all Domain Controllers.
- It is recommended to use an unmanaged service account. This avoids settings such as password expiry that may apply to a user account.
- To assess a forest, provide an account in the root domain. This account should have read access to all the objects and containers in the root domain and sub-domains. This includes parent and child OUs, Users, Computers, and GPOs.
- To detect the "Dangerous control paths expose MicrosoftDNS servers" vulnerability, the account must have read permissions for the MicrosoftDNS container in Active Directory.
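The following PowerShell script is an added example (not SolCyber's or SentinelOne's code) for checking an assessment account against the requirements above before its credentials are handed over: it confirms the account sits in the forest root domain, is not a member of privileged groups, has no password expiry, can reach WinRM on every domain controller, and can read the MicrosoftDNS containers plus a sample of users, computers, OUs and GPOs. It assumes the ActiveDirectory RSAT module is installed where it runs and that the account already exists; svc-ad-assess is a placeholder name.

```powershell
# Added example (not SolCyber's or SentinelOne's code): verify a read-only
# assessment account against the requirements listed on this page.
param([string]$AccountName = 'svc-ad-assess')   # placeholder name
Import-Module ActiveDirectory

$cred     = Get-Credential -UserName $AccountName -Message 'Password of the assessment account'
$forest   = Get-ADForest
$root     = Get-ADDomain -Identity $forest.RootDomain
$problems = @()

# 1. The account must live in the forest root domain to assess the whole forest.
$user = Get-ADUser -Identity $AccountName -Server $root.PDCEmulator -Properties PasswordNeverExpires -ErrorAction Stop
if ($user.DistinguishedName -notlike "*$($root.DistinguishedName)") { $problems += 'Account is not in the root domain' }

# 2. "Read-only" means no membership in privileged groups.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators','DnsAdmins'
$groups = Get-ADPrincipalGroupMembership -Identity $AccountName | Select-Object -ExpandProperty Name
foreach ($g in $groups) { if ($privileged -contains $g) { $problems += "Member of privileged group '$g'" } }

# 3. Unmanaged service account: the password must not expire mid-assessment.
if (-not $user.PasswordNeverExpires) { $problems += 'Password expiry applies to this account' }

# 4. WinRM on every domain controller in the forest, authenticating as the account.
foreach ($d in $forest.Domains) {
    foreach ($dc in (Get-ADDomainController -Filter * -Server $d)) {
        try { Test-WSMan -ComputerName $dc.HostName -Credential $cred -Authentication Kerberos -ErrorAction Stop | Out-Null }
        catch { $problems += "WinRM as $AccountName failed on $($dc.HostName): $($_.Exception.Message)" }
    }
}

# 5. Read access to the MicrosoftDNS containers needed for the
#    "Dangerous control paths expose MicrosoftDNS servers" check. The container exists
#    under CN=System in the domain partition and in the DomainDnsZones / ForestDnsZones
#    application partitions; a DC that does not host a partition reports "not found"
#    rather than "access denied", so read the message before acting on it.
$dnsContainers = @(
    "CN=MicrosoftDNS,CN=System,$($root.DistinguishedName)",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$($root.DistinguishedName)",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$($root.DistinguishedName)"
)
foreach ($dn in $dnsContainers) {
    try { Get-ADObject -Identity $dn -Server $root.PDCEmulator -Credential $cred -ErrorAction Stop | Out-Null }
    catch { $problems += "Cannot read $dn as $AccountName ($($_.Exception.Message))" }
}

# 6. General read access: a sample of users, computers, OUs and GPOs in the root domain.
$filter = '(|(objectClass=user)(objectClass=computer)(objectClass=organizationalUnit)(objectClass=groupPolicyContainer))'
$sample = Get-ADObject -LDAPFilter $filter -SearchBase $root.DistinguishedName -ResultSetSize 50 `
                       -Server $root.PDCEmulator -Credential $cred
if (-not $sample) { $problems += 'Account cannot enumerate users/computers/OUs/GPOs in the root domain' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"Account $AccountName satisfies the assessment requirements."
```

Run it from a domain-joined admin workstation rather than from a domain controller, and run it again after any change to the account's group membership or the DNS container ACLs, since the WinRM and MicrosoftDNS checks are the two that most often fail on first setup.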