About the Alsid service account:
Alsid for Active Directory needs to authenticate to the monitored infrastructure to access the replication flow. In accordance with its non-intrusive approach, the platform only requires a non-administrative account. All the collected data is accessible to a simple user; no secret attribute (credentials, password hashes or Kerberos keys) is accessed by Alsid’s platform. Alsid therefore encourages you to create a service account that is a member of the group “Domain Users” (at least) with the following specifications:
- Created on the main monitored domain
- Created in any Organizational Unit (preferably where other security service accounts are usually created)
- Standard user group membership (e.g., member of the Domain Users AD built-in group)
Alsid currently only supports explicit authentication based on a login and password. Therefore, it is recommended to use a predefined password with the PasswordNeverExpires attribute set, or with password renewal policies not being enforced. A strong and unpredictable password must be used.
About its container access:
Alsid’s platform achieves its security monitoring without administrative privileges. Despite its many advantages (operational safety, limited attack surface, etc.), this approach relies on the ability of the user account used by the platform to read all the Active Directory objects stored in a domain (including user accounts, organizational units, groups, etc.). By default, most objects natively grant read access to the group Domain Users, of which Alsid’s service account is a member. However, some containers need to be manually configured to allow read access to Alsid’s user account.
Active Directory objects or containers requiring manual read access setup:
How to do it:
- Location of the container: CN=Deleted Objects,DC=,DC=
- Description: Container hosting deleted objects
For each of the containers listed above, Alsid requires that access be granted to the service account used by the platform via the following command lines:
dsacls "<__CONTAINER__>" /takeownership
dsacls "<__CONTAINER__>" /g <__SERVICE_ACCOUNT__>:LCRP
In the commands above, <__CONTAINER__> refers to the container to grant access to, and <__SERVICE_ACCOUNT__> refers to the service account used by Alsid’s platform. These commands need to be run on every domain monitored by Alsid’s platform.
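The following PowerShell script is an added example, not Alsid’s own tooling: it builds the Deleted Objects DN for each monitored domain, runs the two dsacls commands above (taking ownership first, then granting only LC and RP), and checks the resulting ACL. The domain names and the account name are placeholders; it assumes it is run with Domain Admin rights in each domain.

```powershell
# Added example (not Alsid's own script). Placeholder inputs; adapt before use.
$MonitoredDomains = @('corp.example', 'child.corp.example')   # placeholder monitored domains
$ServiceAccount   = 'CORP\svc-alsid'                          # placeholder DOMAIN\sAMAccountName

function Get-DeletedObjectsDn {
    param([string]$DnsDomain)
    # corp.example -> DC=corp,DC=example, then prepend the well-known container RDN
    $dcPath = ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    return "CN=Deleted Objects,$dcPath"
}

foreach ($domain in $MonitoredDomains) {
    $dn = Get-DeletedObjectsDn -DnsDomain $domain
    Write-Host "Configuring $dn"

    # Step 1: by default even administrators cannot read this container,
    # so ownership must be taken before an ACE can be added.
    # (dsacls also accepts a \\<dc>\ prefix before the DN to target another domain's DC.)
    & dsacls.exe $dn /takeownership | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "  takeownership failed on $dn"; continue }

    # Step 2: least privilege: List Contents (LC) + Read Property (RP) only,
    # which is all that is needed to see deleted objects; no write rights.
    & dsacls.exe $dn /G "${ServiceAccount}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "  grant failed on $dn"; continue }

    # Verification: dsacls with no switches dumps the ACL; the account must now appear in it.
    $aclDump = & dsacls.exe $dn
    if (($aclDump -join "`n") -match [regex]::Escape($ServiceAccount)) {
        Write-Host "  OK: $ServiceAccount is present in the ACL of $dn"
    } else {
        Write-Warning "  $ServiceAccount not found in the ACL of $dn; inspect the dsacls output"
    }
}
```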
Why this setup
Alsid for AD updates the information related to AD objects according to the modifications appearing in the replication flow. When an object is deleted, Alsid for AD can only update its state if it can read the Deleted Objects container. If a deviance was present on an object being deleted, and the application is not able to access this information, the state of the object can never be updated, and the deviance will never be resolved.