AlienVault® USM Anywhere™

Granting Access to Active Directory for USM Anywhere

If you want to run Active Directory (AD) scans in USM Anywhere, you need to configure your AD server assets to grant access to the USM Anywhere Sensor. You also need to have the required credentials configured in USM Anywhere so that it can make an authenticated connection.

This consists of three tasks:

  1. Create a Dedicated AD Account
  2. Activate WinRM to Enable Windows PowerShell Remoting
  3. Manage Credentials for Your AD Servers

Create a Dedicated AD Account

When you configure your VMware sensor, Hyper-V sensor, or Azure sensor, you can define AD credentials that USM Anywhere uses to perform an Active Directory scan through the Sensor. You define these credentials on the Credentials page and assign the credential set to the asset to support a scheduled Active Directory scan job for that asset. It is a best practice to use a dedicated account for this purpose.

To create a new dedicated account in AD

  1. Log in to your domain controller administrator account.
  2. Open Active Directory Users and Computers.
  3. Create a new user called either alienvault_usm_anywhere or any other name that's easy to associate with USM Anywhere.
  4. Add the user you’ve just created to the Domain Admins group.

Activate WinRM to Enable Windows PowerShell Remoting

For Windows systems, USM Anywhere uses the WinRM framework (version 2.0 or higher) to execute the corresponding commands. Therefore, if WinRM is not reachable on a target Windows system with the account credentials, USM Anywhere will be unable to connect.

Important: Only the members of the Remote Management Users and Administrators groups can log in through WS-Management.

To activate WinRM, you can use a group policy to combine the domain controller and all the hosts in your Active Directory. (For reference, see this How to enable PowerShell Remoting via Group Policy article.)

Alternatively, if you prefer to activate WinRM manually in each system you want to scan, use this procedure to activate a Windows RM listener on port 5985.

To start the Windows RM service

  1. Open the Windows Command Prompt with administrator privileges and run the command winrm qc.

  2. Accept the default settings.

    The command starts the WinRM service and configures a listener on port 5985.

  3. Create a Windows Firewall rule to allow incoming connections on port 5985.
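As an added example (not from the AlienVault documentation), the following PowerShell script, run as an administrator on a scan target, checks the result of the procedure above: the WinRM service state, the HTTP listener on port 5985, the inbound firewall rule, and whether the scanning account is allowed to log in over WS-Management. The domain CONTOSO, the account name alienvault_usm_anywhere and the firewall rule name are assumptions; adjust them for your environment.

```powershell
# Added example: verify a Windows host is ready for USM Anywhere WinRM scans.
# Assumed values (not from the documentation): domain, account and rule name.
$Domain      = 'CONTOSO'
$ScanAccount = "$Domain\alienvault_usm_anywhere"
$RuleName    = 'USM Anywhere WinRM (TCP 5985)'

# 1. The WinRM service must be running and start automatically after reboot.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') { Start-Service -Name WinRM }
Set-Service -Name WinRM -StartupType Automatic

# 2. "winrm qc" creates an HTTP listener; confirm one exists before going further.
$httpListener = Get-ChildItem -Path WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' }
if (-not $httpListener) {
    Write-Warning 'No HTTP WinRM listener found; run "winrm qc" first.'
}

# 3. Inbound firewall rule for TCP 5985 (step 3 of the procedure), created only if missing.
#    Restricted to the Domain profile so the listener is not exposed on public networks.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 5985 -Action Allow -Profile Domain | Out-Null
}

# 4. Only Remote Management Users and Administrators can log in through WS-Management.
#    Get-LocalGroupMember does not expand nested groups, so the check also accepts
#    "Domain Admins" (which the procedure adds the account to) as a direct member.
$allowedNames = @($ScanAccount, "$Domain\Domain Admins")
$members = @(Get-LocalGroupMember -Group 'Administrators') +
           @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue)
if (-not ($members | Where-Object { $allowedNames -contains $_.Name })) {
    Write-Warning "$ScanAccount is in neither Remote Management Users nor Administrators."
}

# 5. Confirm the listener answers a WS-Management identify request on port 5985.
Test-WSMan -ComputerName localhost -Port 5985
```

Running the same Test-WSMan call from another domain host, with -ComputerName set to the scan target, confirms that the firewall rule admits traffic from the network the Sensor uses.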

For more information about WinRM, you can refer to these articles:

Manage Credentials for Your AD Servers

Before you run an Active Directory scan from USM Anywhere, make sure that each of the AD server assets has assigned credentials that can connect to the system. In USM Anywhere, you can assign credentials to an individual asset or to an asset group.

Note: Credentials assigned directly to an asset have higher priority than those assigned to an asset group.

When USM Anywhere runs a scan or executes a system-level action, it uses the credential set assigned directly to the asset, if there is one. If those credentials cannot connect, or the asset has no assigned credential set, it falls back to the credential set assigned to an asset group of which the asset is a member.

To add a new credential

  1. Go to Settings > Credentials.
  2. Click New Credentials.

    Add a new credential set for system-level access to USM Anywhere assets

  3. Enter a name for the credential in the Name field and, if desired, a description to clarify its use in the Description field.
  4. In Credential Type, select SSH or Windows RM based on the operating system of the asset.
  5. Click Save.

In USM Anywhere, you assign a defined credential set to an individual asset in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on the host. You can assign assets to a credential set in the Credentials page, or you can perform this task from the Assets page.

To assign a credential on the Credentials page

  1. Go to Settings > Credentials.
  2. In the line of the credential you want to assign, click the Usage icon.

    Click the Usage icon to manage the asset assignments for the credential set

  3. At the bottom of the dialog box, enter part of the asset name in the field. The matching items are displayed below the field; you can enter more text to filter the list further.
  4. Select the asset to assign to the credential set.

    Enter part of the asset name and select it from the list of matching items

    After you select the asset, the dialog box displays the item at the top. If needed, you can enter text for another asset name and select it to assign multiple assets to the credential set.

  5. Next to the displayed asset name, click Test to execute a test connection to the asset using the credentials.

    If the test detects any warnings, a Permissions Warnings section is displayed. This section contains a Warning column that lists the individual warnings and a Remediation column that provides a suggested solution for each warning. A permissions error doesn't prevent the scan from running, but it can result in incomplete information in the scan results.

  6. Click the icon to close the dialog box.

To assign a credential on the Assets page

  1. Go to Environment > Assets and locate the asset.
  2. Next to the asset name, click the icon and select Assign Credentials.
  3. In the Choose Credentials drop-down list, select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the asset

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere. Use the information in the earlier procedure to create the new credential set. Select Edit Credentials if you want to modify any information.

  4. (Optional) Set the Jump Box option if you want to authenticate through another asset.

    Select the checkbox and use the field to search for the asset you want to use as an authentication server.

  5. Click Test to execute a test connection to the asset using the selected credentials.

    If the test detects any warnings, a Permissions Warnings section is displayed. This section contains a Warning column that lists the individual warnings and a Remediation column that provides a suggested solution for each warning. A permissions error doesn't prevent the scan from running, but it can result in incomplete information in the scan results.

  6. Click Save.

In USM Anywhere, you assign a defined credential set to an asset group in order to use the credentials for authenticated scans, Active Directory scans, and AlienApp for Forensics and Response actions on members of the group. You can assign asset groups to a credential set in the Credentials page, or you can perform this task from the Asset Groups page.

Important: When you assign a credential to an asset group, USM Anywhere will assign the credential to the asset group instead of assigning it to all of its members.

To assign a credential on the Credentials page

  1. Go to Settings > Credentials.
  2. In the line of the credential you want to assign, click the Usage icon.

    Click the Usage icon to manage the asset assignments for the credential set

  3. Click the Asset Groups tab in the dialog box.
  4. At the bottom of the dialog box, enter part of the asset group name in the field. The matching items are displayed below the field; you can enter more text to filter the list further.
  5. Select the asset group to assign to the credential set.

    Enter part of the asset group name and select it from the list of matching items

    After you select the asset group, the dialog box displays the item at the top. If needed, you can enter text for another asset group name and select it to assign multiple asset groups to the credential set.

  6. Click the icon to close the dialog box.

To assign a credential on the Asset Groups page

  1. Go to Environment > Asset Groups.
  2. Next to the asset group name, click the icon and select Assign Credentials.
  3. In the Choose Credentials drop-down list, select the credentials to use.

    Select Assign Credentials to use credentials for system-level access to the assets in the group

    Note: If the needed credentials do not already exist, you can select Create New Credentials to define them in USM Anywhere. Select Edit Credentials if you want to modify any information.

  4. Click Save.