Windows AD

About This Document

To complete the integration of your Windows Active Directory (AD) data source into the Epiphany Intelligence Platform, you will need to complete a few prerequisites. This document contains information about:

• Creating a Windows AD service account for use by Epiphany.

• Implementing a group policy object (GPO) for Epiphany to gather your AD information.

• Configuring your AD data source to the Epiphany Intelligence Platform.

Allowing Epiphany to enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory within your organization's domain will provide you with a qualitative risk based on your permission boundaries and privilege use. In the past Windows allowed a standard user the ability to enumerate the SAM on servers and workstations, which identifies who is in the local admin group, the RDP group, and whether there are local users, but after Microsoft implemented security updates, we must apply a GPO to provide the aforementioned information in the most secure way possible.

After completing the account setup within your AD environment, you will finish by stitching everything together by configuring the data source within Epiphany.

Overview

The goal of integrating AD into the Epiphany Intelligence Platform is to leverage permission boundaries and privilege usage to provide a qualitative risk. Information such as domain names, usernames and role-based access can be analyzed by Epiphany. To do so, Epiphany requires:

• An AD service account to authenticate to AD environments.

• A Windows GPO applied.

• An Epiphany site collector deployed for the purpose of ingesting your data for analysis.

Version Compatibility

The document applies to the following software versions:​

• Epiphany: Epiphany Collector version 1.00.003 and later.

• Windows:

  • Windows 10, version 1607 and later

  • Windows 10, version 1511 with KB 4103198 installed

  • Windows 10, version 1507 with KB 4012606 installed

  • Windows 8.1 with KB 4102219 installed

  • Windows 7 with KB 4012218 installed

• Windows Server:

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2012 R2 with KB 4012219 installed

  • Windows Server 2012 with KB 4012220 installed

  • Windows Server 2008 R2 with KB 4012218 installed

Prerequisites

• Site Collector Prerequisites:

  • Platform: VMWare or Hyper-V

  • RAM: 16GB (expandable to 32GB)

  • Cores: 2 (expandable to 4)

  • Storage: 55GB (minimum)

• Outbound Firewall Rules/Exceptions. You must permit the following addresses within your firewall rules for the collector to communicate to the Epiphany Intelligence Platform:

  • fm1.epiphanysys.com:4505,4506

  • pv1.epiphanysys.com:443

  • client-eip-raw.s3.amazonaws.com:443

  • 045125109764.dkr.ecr.us-east-1.amazonaws.com:443

  • api.ecr.us-east-1.amazonaws.com:443

• Internal Communications. For the site collector to communicate to your internal systems effectively you must permit the following services/ports from the site collector within your firewall:

  • RPC endpoint mapper: port 135 TCP, UDP

  • NetBIOS name service: port 137 TCP, UDP

  • NetBIOS datagram service: port 138 UDP

  • NetBIOS session service: port 139 TCP

  • SMB over IP (Microsoft-DS): port 445 TCP, UDP

  • LDAP: port 389 TCP, UDP

  • LDAP over SSL: port 636 TCP

  • Global catalog LDAP: port 3268 TCP

  • Global catalog LDAP over SSL: port 3269 TCP

  • Kerberos: port 88 TCP, UDP

  • DNS: port 53 TCP, UDP

  • WINS resolution: port 1512 TCP, UDP

  • WINS replication: 42 TCP, UDP

  • RPC: Dynamically assigned ports TCP, unless restricted.

  • HTTPS: port 443 TCP, UDP

  • HTTP: port 80 TCP, UDP

What is Needed for Integration

• Data Source Name: The name for the Windows AD data source configuration.

• Data Source Owner: Your organizational stakeholder for this data source.

• Data Source Notes: Additional information about the data source.

• Username: Windows AD service account username.

• Password: Password for the username listed above.

• Domain: Fully qualified domain name (FQDN) of the Windows AD domain.

• Domain Controller: FQDN of the Windows AD domain controller.

• Global Catalog: FQDN of the Windows AD global catalog.

Legal Notice