If you want to run Active Directory (AD) scans in USM Anywhere, you need to configure your AD server assets to grant access to the USM Anywhere Sensor. (Active Directory is the directory service that Microsoft developed for Windows domain networks.) You also need to configure credentials in USM Anywhere to make an authenticated connection.
This process contains three tasks:
- Create a dedicated administrator account in AD on all the hosts you want to scan. This is used by USM Anywhere to log in to that host system to perform a scan.
- Activate Windows Remote Management (WinRM) in the domain controller and in all the hosts you want to scan.
- Apply the AD account credentials for those assets (IP-addressable hosts, such as network devices, virtual servers, and physical servers) in USM Anywhere.
Note: See Microsoft's guide on authentication for remote connections for more information on Microsoft Windows authentication permissions.
Create a Dedicated AD Account
When configuring your VMware Sensor, Hyper-V Sensor, or Azure Sensor, you can define AD credentials that USM Anywhere uses to perform an AD scan through the sensor. These are the credentials that you define in the Credentials page and assign to the asset to support a scheduled Active Directory scan job. It is a best practice to use a dedicated account for this purpose.
To create a new dedicated account in AD
- Log in to your domain controller administrator account.
- Open Active Directory Users and Computers.
- Create a new user called alienvault_usm_anywhere or any other name that's easy to associate with USM Anywhere.
- Add the user you’ve just created to the Domain Admins group.
Note: The AD module requires administrator account credentials to perform scans using an elevated PowerShell prompt. Assigning a lower credential level may result in AD scans that fail or return incomplete information.
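The same account can be created from an elevated PowerShell prompt on the domain controller instead of through Active Directory Users and Computers. The following is an added example, not code from the USM Anywhere documentation; it assumes the RSAT ActiveDirectory module is installed, and the OU path is a placeholder you should replace with one from your own domain.

```powershell
# Added example (not from the USM Anywhere documentation): creates the dedicated
# scan account described above. Run from an elevated prompt on a domain controller.
Import-Module ActiveDirectory

$SamAccountName = 'alienvault_usm_anywhere'                  # name suggested by the docs
$OuPath         = 'OU=ServiceAccounts,DC=example,DC=local'   # placeholder OU, adapt to your domain
$Password       = Read-Host -AsSecureString 'Password for the scan account'

# Create the user only if it does not already exist
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
    New-ADUser -Name $SamAccountName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$((Get-ADDomain).DNSRoot)" `
               -Path $OuPath `
               -AccountPassword $Password `
               -Enabled $true `
               -PasswordNeverExpires $false `
               -AccountNotDelegated $true `
               -Description 'Dedicated USM Anywhere AD scan account'
}

# The documentation requires administrator-level credentials for the AD module
Add-ADGroupMember -Identity 'Domain Admins' -Members $SamAccountName

# Verify the account is enabled and a member of the expected group
Get-ADUser $SamAccountName -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```

Marking the account as sensitive (`-AccountNotDelegated $true`) prevents its credentials from being delegated by other services, and keeping it in a dedicated OU makes it easy to audit logons that come from anywhere other than the sensor.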
Activate WinRM to Enable Windows PowerShell Remoting
For Microsoft Windows systems, USM Anywhere uses the WinRM framework to execute the corresponding commands. Therefore, if WinRM is unavailable on a target Windows system through the account credentials, USM Anywhere won't be able to connect. You must satisfy the following requirements:
- WinRM version 2.0 or later.
- PowerShell version 5.1 or later. The Active Directory Scanner runs a PowerShell command through WinRM, which requires PowerShell 5.1 or later to be installed on the target machine.
To activate WinRM, you can use a group policy to combine the domain controller and all the hosts in your AD. (For reference, see this How to enable PowerShell Remoting via Group Policy article.)
Alternatively, if you prefer to activate WinRM manually in each system you want to scan, use this procedure to activate a WinRM listener on port 5985.
To start the WinRM service
- Open the Windows Command Prompt with administrator privileges and run the command winrm qc.
Important: Only members of the Remote Management Users and Administrators groups can log in through WS-Management.
- Accept the default settings. The command starts the WinRM service and configures a listener on port 5985.
- Create a firewall rule to allow incoming connections to port 5985.
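The manual procedure above can also be done, and verified, from an elevated PowerShell prompt on each host. The following is an added example, not code from the USM Anywhere documentation; the sensor IP address and firewall rule name are placeholders, and restricting the rule to the sensor address is an assumption about your network rather than a requirement stated on this page.

```powershell
# Added example (not from the USM Anywhere documentation): enables WinRM on one
# host and checks each requirement listed above. Run from an elevated prompt.

# 1. Prerequisite checks: PowerShell 5.1 or later, and the WinRM stack version
if ($PSVersionTable.PSVersion -lt [version]'5.1') {
    throw "PowerShell $($PSVersionTable.PSVersion) found; 5.1 or later is required."
}
winrm id   # the ProductVersion line shows the WinRM stack version

# 2. Same effect as 'winrm qc' with the defaults accepted: starts the WinRM
#    service, sets it to start automatically, and creates the HTTP listener on 5985
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# 3. Firewall rule for port 5985, scoped to the sensor only (placeholder address)
$SensorIp = '10.0.0.50'                          # placeholder: your USM Anywhere Sensor
$RuleName = 'WinRM HTTP from USM Anywhere Sensor'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
                        -Direction Inbound -Protocol TCP -LocalPort 5985 `
                        -RemoteAddress $SensorIp -Action Allow
}

# 4. Verify: service running, a listener bound to port 5985, and a local WS-Man handshake
Get-Service WinRM | Select-Object Status, StartType
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath | Where-Object Name -in 'Address', 'Transport', 'Port'
}
Test-WSMan -ComputerName localhost
```

Enable-PSRemoting already opens port 5985 for the private and domain profiles; the explicit rule above narrows that to the sensor address so the listener is not reachable from every host on the network. Test-WSMan succeeding locally confirms the listener answers; the scan account must additionally be in the Remote Management Users or Administrators group on the host, as the note above states.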
For more information about WinRM, you can refer to these Microsoft articles:
- Installation and configuration for Windows Remote Management
- WinRM (Windows Remote Management) Troubleshooting
Manage Credentials for Your AD Servers
Before you run an AD scan from USM Anywhere, make sure that each asset has assigned credentials that can connect to the system. In USM Anywhere, you can assign credentials to an individual asset or to an asset group (an administratively created object that groups similar assets for a specific purpose). See Creating Credentials and Assigning Credentials to Assets for how to create credentials and assign them to assets.
Note: Credentials assigned directly to an asset have higher priority than those assigned to an asset group.
When USM Anywhere runs a scan or executes a system-level action, it uses the credential set assigned directly to the asset, if there is one. If those credentials fail to connect, or the asset has no directly assigned credential set, it falls back to the credential set assigned to the asset group the asset belongs to, if it belongs to one.