Active Directory
Vulnerability Protection Manager supports the discovery of computers using Microsoft Active Directory. Computers are imported into the Manager and are grouped and displayed according to the structure of the Active Directory.
To import a Microsoft Active Directory:
- Right-click Computers in the navigation panel and select Add Directory...
- Type a name and description for your imported directory (it does not have to match that of the Active Directory), the IP address and port of the Active Directory server, and finally your access method and credentials. With a non-SSL access method the credentials are sent to the Active Directory server in clear text, so use an SSL-based access method wherever the server supports it.
You must include your domain name with your username in the User Name field (for example, DOMAIN\username).
Click Next to continue.
- The second page of the New Directory wizard asks for schema details. (The default values can be left.)
The Details window of each computer in the Vulnerability Protection Manager has a "Description" field. To use an attribute of the "Computer" object class from your Active Directory to populate the "Description" field, type the attribute name in the Computer Description Attribute text box.
Set the Create a Scheduled Task to Synchronize this Directory checkbox if you want to automatically keep this structure in the Vulnerability Protection Manager synchronized with your Active Directory server. If this checkbox is selected, the Scheduled Task wizard will appear when you are finished adding the directory. (You can set this up later using the Scheduled Tasks wizard: Administration > Scheduled Tasks.) Click Next to continue.
- When the Manager is finished importing your directory, you will be shown a list of computers that were added. Click Finish.
The directory structure now appears on the Computers page.
Additional Active Directory Options
Right-clicking an Active Directory structure gives you the following options that are not available for ordinary computer groups listed under Computers.
- Remove Directory
- Synchronize Now
Remove Directory
When you remove a directory from the Vulnerability Protection Manager, you have the following options:
- Remove directory and all subordinate computers/groups from the Manager: removes all traces of the directory.
- Remove directory, but retain computer data and computer group hierarchy: turns the imported directory structure into identically organized regular computer groups, no longer linked with the Active Directory server.
- Remove directory, retain computer data, but flatten hierarchy: removes links to the Active Directory server, discards the directory structure, and places all the computers into the same computer group.
Synchronize Now
Synchronizes the directory structure in the Vulnerability Protection Manager with the Active Directory server.
You can automate this procedure as a Scheduled Task.
Vulnerability Protection can leverage Active Directory information for computer discovery and for User account and Contact creation.
Port Requirements
Depending on the nature of Active Directory integration, the following ports may be required:
- Port 389: Used for non-SSL based access methods (plain LDAP). Credentials supplied for a non-anonymous bind over this port travel in clear text.
- Port 636: Used for SSL-based access methods (LDAPS).
To use SSL-based access methods, the Active Directory server must have SSL enabled, which is often not the default condition; a domain controller only listens on port 636 once a suitable server certificate is installed on it.
Server Certificate Usage
Computer discovery can use both SSL-based and clear text methods, while users and contacts are restricted to non-anonymous SSL methods. The latter restriction ensures that the credentials used to bind to the directory, and the user account data returned, are never sent in clear text. SSL-based access methods will only work with SSL-enabled Active Directory servers, so users and contacts can only be imported from suitably configured servers.
SSL-enabled Active Directory servers must have a server certificate installed. This may either be self-signed or issued by a third-party certificate authority. The certificate must be valid for the host name you enter in the Manager; if it is self-signed, the Manager host must also be made to trust it, or the SSL connection will fail certificate validation.
To verify the presence of a certificate, open the Internet Information Services (IIS) Manager on the Active Directory server and select Server Certificates. This view is only available when IIS is installed on the domain controller; otherwise, open the Certificates MMC snap-in for the Local Computer account and look in the Personal store, which is where the domain controller reads its LDAPS certificate from.
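The following PowerShell script is an added example and is not part of the Vulnerability Protection documentation or product. It checks, from the host that will run the Manager, the two prerequisites described above: that the domain controller answers on ports 389 and 636, and, for 636, that a TLS handshake completes and the server certificate is unexpired, chains to a trusted root and carries the name you will type into the directory wizard. The host name dc01.corp.example and the ports are placeholders; replace them with your own.

```powershell
# Added example (not from the product documentation): pre-flight checks for an
# Active Directory server before adding it as a Directory in the Manager.
# Assumptions: dc01.corp.example is a placeholder for your domain controller.
param(
    [string]$Server    = 'dc01.corp.example',
    [int]   $LdapPort  = 389,
    [int]   $LdapsPort = 636
)

function Test-TcpPort {
    # Returns $true when a TCP connection to $Server:$Port succeeds within the timeout.
    param([string]$Server, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-LdapsCertificateReport {
    # Performs a TLS handshake against the LDAPS port and reports on the certificate presented.
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # The callback accepts any certificate so that the handshake completes and we can
    # inspect what the DC presents; trust and name checks are performed explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Does the certificate chain to a CA this machine trusts? A self-signed DC certificate
    # fails here (UntrustedRoot) until it is imported into the trusted root store.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # Names the certificate is valid for: the subject CN plus any DNS entries in the
    # Subject Alternative Name extension (OID 2.5.29.17). Wildcards are honoured by -like.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = [bool]($names | Where-Object { $Server -like $_ })

    [pscustomobject]@{
        Server       = $Server
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        Names        = ($names -join ', ')
        Expired      = ($cert.NotAfter -lt (Get-Date))
        ChainTrusted = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NameMatches  = $nameOk
    }
}

"LDAP  ${Server}:$LdapPort  reachable: $(Test-TcpPort -Server $Server -Port $LdapPort)"
"LDAPS ${Server}:$LdapsPort reachable: $(Test-TcpPort -Server $Server -Port $LdapsPort)"
if (Test-TcpPort -Server $Server -Port $LdapsPort) {
    Get-LdapsCertificateReport -Server $Server -Port $LdapsPort | Format-List
} else {
    "Port $LdapsPort is closed: LDAPS is not enabled on $Server, so only a non-SSL access method will work."
}
```

Run it from the Manager host, since that is the machine whose trust store and DNS view matter. A report with ChainTrusted false and ChainStatus UntrustedRoot identifies the self-signed case described above; NameMatches false means the name you are about to enter in the wizard is not covered by the certificate, even though the port is open.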
Filtering Active Directory Objects
When importing Active Directory objects, search filters are available to manage the objects that will be returned. By default the wizard will only show groups. You can add additional parameters to the filter to further refine the selections. For additional information about search filter syntax, refer to http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
Importing Users and Contacts
Vulnerability Protection can import user account information from Active Directory and create corresponding Vulnerability Protection Users or Contacts. This offers the following advantages:
- Users can use their network passwords as defined in Active Directory.
- Administrators can centrally disable accounts from within Active Directory.
- Maintenance of contact information is simplified (e.g., email, phone numbers, etc.) by leveraging information already in Active Directory.
Both Users and Contacts can be imported from Active Directory. Users have configuration rights on the Vulnerability Protection Manager. Contacts can only receive Vulnerability Protection Manager notifications. The synchronization wizard allows you to choose which Active Directory objects to import as users and which to import as contacts.
To successfully import an Active Directory user account into Vulnerability Protection as a User or Contact, the Active Directory user account must have a userPrincipalName attribute value. (The userPrincipalName attribute corresponds to an Active Directory account holder's "User logon name".) Accounts without one are silently skipped by the import.
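The following PowerShell script is an added example and is not part of the Vulnerability Protection documentation or product. It uses the same LDAP search filter syntax that the "Filtering Active Directory Objects" section above refers to, and the userPrincipalName requirement just stated, to answer two questions an administrator has before synchronizing a group: which members will not be imported because they have no userPrincipalName, and which members are already disabled in Active Directory. The server, base DN and group DN are placeholders; the script runs on Windows, where System.DirectoryServices is available, under the credentials of the current logon.

```powershell
# Added example (not from the product documentation): audit a group before
# choosing "Sync as Users" or "Sync as Contacts" for it.
# Assumptions: the server, base DN and group DN below are placeholders.
param(
    [string]$Server  = 'dc01.corp.example',
    [string]$BaseDN  = 'DC=corp,DC=example',
    [string]$GroupDN = 'CN=Security Console Admins,OU=Groups,DC=corp,DC=example',
    [switch]$UseSsl
)

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so that a DN containing ( ) * or \
    # (for example a CN with an escaped comma) cannot change the meaning of the filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Search-Directory {
    # Runs one LDAP search and returns the requested attributes as objects.
    param([string]$Server, [string]$BaseDN, [string]$Filter, [bool]$Ssl, [string[]]$Attributes)
    $port = if ($Ssl) { 636 } else { 389 }
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($Ssl) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
    # $null username/password = the current Windows logon. Over port 389 without
    # AuthenticationTypes.Secure a simple bind would send the password in clear text.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${port}/${BaseDN}", $null, $null, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attributes)
    $searcher.PageSize = 500   # paged results; without this a DC caps a search at 1000 entries
    try {
        foreach ($r in $searcher.FindAll()) {
            $o = [ordered]@{}
            foreach ($a in $Attributes) {
                $key = $a.ToLower()   # ResultPropertyCollection keys are lower-case
                $o[$a] = if ($r.Properties.Contains($key)) { $r.Properties[$key][0] } else { $null }
            }
            [pscustomobject]$o
        }
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

$group = ConvertTo-LdapFilterValue $GroupDN
# memberOf:1.2.840.113556.1.4.1941:= (LDAP_MATCHING_RULE_IN_CHAIN) also follows nested group
# membership; userAccountControl:1.2.840.113556.1.4.803:=2 (LDAP_MATCHING_RULE_BIT_AND)
# tests the ACCOUNTDISABLE bit.
$members  = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$group)"
$noUpn    = "$members(!(userPrincipalName=*)))"
$disabled = "$members(userAccountControl:1.2.840.113556.1.4.803:=2))"
$attrs    = 'sAMAccountName', 'userPrincipalName', 'distinguishedName'

"Members of $GroupDN without a userPrincipalName (the Manager will not import these):"
Search-Directory -Server $Server -BaseDN $BaseDN -Filter $noUpn -Ssl $UseSsl -Attributes $attrs |
    Format-Table -AutoSize

"Members disabled in Active Directory (they will be refused at Manager logon):"
Search-Directory -Server $Server -BaseDN $BaseDN -Filter $disabled -Ssl $UseSsl -Attributes $attrs |
    Format-Table -AutoSize
```

The two filter strings are the kind of expression the wizard's search filter field accepts; the `(&(objectCategory=person)(objectClass=user)...)` prefix is what distinguishes user accounts from the groups the wizard shows by default. Run with -UseSsl to exercise the same port 636 path the Users and Contacts import requires.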
To import Users or Contacts:
- In the navigation panel, go to Administration > User Management > Users or Administration > User Management > Contacts.
- Click Synchronize with Directory. If this is the first time User or Contact information is imported, the wizard displays the server information page. (For information about how to set the options on this page, see the section above on importing computers.) Otherwise, the Synchronize with Directory wizard is displayed.
- Select the appropriate access options and provide logon credentials. Click Next.
- On the Select Groups to Synchronize page, specify the synchronization option for each Group. The default option is "Do not synchronize". To synchronize a group with the Vulnerability Protection Manager, select "Sync as Users" or "Sync as Contacts".
- On the Select Options for New Users/Contacts page, define the default User Role given to imported accounts. Choose the Role with the least access rights to avoid inadvertently giving individuals inappropriate privileges; a more privileged Role can be assigned to specific accounts afterwards.
- After synchronization, the wizard generates a report indicating the number of objects imported. Click Finish.
Once imported, these accounts can be distinguished from locally created Vulnerability Protection accounts by the inability to change General Information for the account: that information is owned by Active Directory.
Keeping Active Directory Objects Synchronized
Once imported, Active Directory objects must be continually synchronized with their Active Directory servers to reflect the latest updates to those objects. This ensures, for example, that Computers that have been deleted in Active Directory are also deleted in the Vulnerability Protection Manager. To keep the Active Directory objects that have been imported into the Vulnerability Protection Manager synchronized with Active Directory, it is essential to set up a scheduled task that synchronizes Directory data.
The host importation wizard includes the option to create these scheduled tasks.
It is also possible to create this task using the Scheduled Task wizard. On-demand synchronization can be performed using the Synchronize Now option for hosts and Synchronize with Directory button for users and contacts.
You do not need to create a scheduled task to keep users/contacts synchronized. At login, the Vulnerability Protection Manager checks whether the user exists in Active Directory. If the username and password are valid, and the user belongs to a group that has synchronization enabled, the user is added to the Vulnerability Protection Manager and allowed to log in. Because membership of a synchronized group is therefore sufficient to obtain a Manager account, with the default Role chosen during synchronization, treat the ability to change those groups' membership in Active Directory as equivalent to granting console access, and restrict it accordingly.
Removing an Active Directory from the Manager
You can remove a Vulnerability Protection Manager-Active Directory integration for both computer discovery and users and contacts.
Removing Active Directory from the Computers List
When a Directory is removed from the Computers list, you are presented with the following options:
- Remove Directory and all subordinate computers/groups from the Vulnerability Protection Manager: All host records will be removed from the Computers list.
- Remove Directory but retain computer data and group hierarchy: The existing Active Directory structure will be retained, but this will no longer be synchronized with Active Directory. Since the structure is unaffected, User and Role access to folders and hosts will be retained
- Remove Directory, retain computer data, but flatten hierarchy: Host records will be stripped of their original hierarchy, but will all be stored in a group named after the former Directory. User and Role access to the Directory will be transferred to the group, thus maintaining access to all of the hosts.
To remove a directory:
- On the Computers page, right-click the Directory, and select Remove Directory.
- Select a removal option in the Remove Directory dialog box.
- Confirm the action in the dialog box that follows. This completes directory removal.
Removing Active Directory Users and Contacts
Unlike Directory removal, which provides an option to retain certain types of information, removal of users and contacts deletes all of these records. This action therefore cannot be performed while logged on to the Vulnerability Protection Manager console with an imported user account, because the account performing the removal would itself be deleted; attempting it results in an error. Log on with a locally created administrator account instead.
To remove users and contacts:
- On either the Users or Contacts page, click Synchronize with Directory.
- Select Discontinue Synchronization then click OK. The wizard displays a summary page of the changes that will be made.
- Click Finish.