
SecurityExpressions Server User Guide

Active Directory (Active Directory Connection Monitor only)

Set the Active Directory (event log) monitoring options.

IncludeAllDomainControllers

Retrieves the names of all domain controllers in the domain where the monitor resides and monitors the event logs of each of them. The default setting is 1. If IncludeAllDomainControllers=0, you must add the Include key and name the devices to monitor.

Exclude

Comma-separated list of device names to omit from monitoring.

Include

Comma-separated list of device names to monitor. Required when IncludeAllDomainControllers=0.

Processing the Configuration File

When the Connection Monitor recognizes a new device on the network, it compares the device's IP address to the IP ranges defined in the configuration file, starting with the first range in the file and proceeding in order; sections whose IPRange=Default are skipped during this pass. If the address falls within one of the IP ranges, that group's audit server list and distribution method determine where the monitor connects.

If the IP address does not fall within any of the specified ranges, the audit server list and distribution method of the group whose IPRange=Default are used.

You do not have to specify a Default IP range. However, if no Default range exists and the IP address does not fall within any of the defined ranges, the monitor does not contact an audit server and the device remains unaudited.

Configuration File Syntax

To specify configuration data, you manually edit the dmconfig.txt file and include the required information about the IP ranges. After editing the configuration file, you must stop and restart the service through the Service Management Console, which is accessible through Administrative Tools.

Tip: If you are using more than one connection monitor on the same computer, use the same configuration file to configure them.

Be aware that if you're using the DHCP Plug-In Connection Monitor, it's Microsoft's DHCP Server Service that you have to stop. Since this service controls other functions on the network, stopping it might have other temporary effects on the network.

Tip: Use the # character at the beginning of all comment lines to ensure they are ignored when the file is processed.

The configuration file syntax is similar to .ini file syntax, such as:

    [IP_RANGE_1]
    IPRange=10.0.3.0:254
    AuditServers=server1,server2
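The following is an added example, not code from the SecurityExpressions product or this guide. It parses a dmconfig.txt-style file and implements the two lookups described above: matching a newly seen device IP against the IP_RANGE sections in file order (with IPRange=Default as the fallback and "unaudited" when no range matches), and deriving the set of domain controllers to monitor from the IncludeAllDomainControllers, Include and Exclude keys. The sample configuration is constructed for this example. Three things are assumptions rather than documented behavior: the section name "Active Directory", the meaning of the "10.0.3.0:254" range syntax (taken here as 10.0.3.0 through 10.0.3.254, the part after the colon replacing the last octet), and that Exclude is applied after Include/IncludeAllDomainControllers.

```python
"""Added example (not the product's own code): parse a dmconfig.txt-style
file and perform the IP-range and domain-controller lookups the guide
describes. Section name "Active Directory", the "a.b.c.d:N" range syntax,
and Exclude-after-Include are assumptions, not documented behavior.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, str]]

# Constructed sample configuration (not from the guide).
CONSTRUCTED_CONFIG = """\
# comment lines start with '#'
[IP_RANGE_1]
IPRange=10.0.3.0:254
AuditServers=server1,server2

[IP_RANGE_2]
IPRange=10.0.4.0:127
AuditServers=server3

[IP_RANGE_DEFAULT]
IPRange=Default
AuditServers=fallback1

[Active Directory]
IncludeAllDomainControllers=0
Include=DC01,DC02
Exclude=DC02
"""


def parse_config(text: str) -> List[Section]:
    """Parse the .ini-like syntax into an ordered list of (section, keys).
    Order is preserved because ranges are tried in file order."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
    return sections


def parse_range(spec: str) -> Tuple[int, int]:
    """'10.0.3.0:254' -> (first, last) as integers. ASSUMED meaning: the
    number after ':' replaces the last octet of the start address."""
    start, _, last = spec.partition(":")
    first = ipaddress.IPv4Address(start)
    if not last:
        return int(first), int(first)  # single address
    prefix = ".".join(start.split(".")[:3])
    end = ipaddress.IPv4Address(f"{prefix}.{int(last)}")
    if end < first:
        raise ValueError(f"range end precedes start: {spec}")
    return int(first), int(end)


def split_list(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_servers_for(ip: str, sections: List[Section]) -> Optional[List[str]]:
    """Return the audit server list for a device IP, or None if the device
    matches no range and no Default group exists (device stays unaudited)."""
    addr = int(ipaddress.IPv4Address(ip))
    default: Optional[Dict[str, str]] = None
    for _name, keys in sections:
        spec = keys.get("IPRange")
        if spec is None:
            continue  # not an IP range group (e.g. Active Directory options)
        if spec.lower() == "default":
            if default is None:
                default = keys  # skipped on the ordered pass, used as fallback
            continue
        first, last = parse_range(spec)
        if first <= addr <= last:
            return split_list(keys["AuditServers"])
    return split_list(default["AuditServers"]) if default else None


def domain_controllers_to_monitor(sections: List[Section],
                                  discovered: List[str]) -> List[str]:
    """discovered: DC names the monitor would enumerate from its domain."""
    ad = dict(sections).get("Active Directory", {})
    if ad.get("IncludeAllDomainControllers", "1") == "1":
        chosen = list(discovered)
    elif "Include" in ad:
        chosen = split_list(ad["Include"])
    else:
        raise ValueError("IncludeAllDomainControllers=0 requires an Include key")
    excluded = {e.lower() for e in split_list(ad.get("Exclude", ""))}
    return [dc for dc in chosen if dc.lower() not in excluded]


if __name__ == "__main__":
    cfg = parse_config(CONSTRUCTED_CONFIG)
    for ip in ("10.0.3.17", "10.0.4.200", "192.168.1.1"):
        print(ip, "->", audit_servers_for(ip, cfg))
    print(domain_controllers_to_monitor(cfg, ["DC01", "DC02", "DC03"]))
```

Because the first matching range wins, a narrower range listed after a broader overlapping one is never reached; keep specific ranges first. Dropping the Default section from the parsed list reproduces the unaudited case described above (the lookup returns None).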

