Breadcrumbs

Create an Active Directory Account

Enable Audit Logon Events in Default Domain Controllers Policy

This section explains how to enable audit logon events in the Default Domain Controllers Policy on your Windows machine.

  1. In the lower left-hand corner of the Windows desktop, click the Start icon.

  2. Click Administrative Tools.
    The Administrative Tools window appears.

  3. In the Administrative Tools window, double-click Group Policy Management.
    The Group Policy Management window appears.

  4. In the left-side navigation pane of the Group Policy Management window, double-click Forest: sample.domain

  5. Double-click Domains, double-click sample.domain, and then double-click Domain Controllers. 

  6. Right-click Default Domain Controllers Policy.
    The Group Policy Management Editor window appears.

  7. In the left-side navigation pane of the Group Policy Management Editor window, double-click Computer Configuration.

  8. Double-click Policies, double-click Windows Settings, double-click Security Settings, and then double-click Local Policies.

  9. Under Local Policies, click Audit Policy.

  10. From the list of attributes displayed in the right-side pane, double-click Audit account logon events.
    The Audit account logon events Properties dialog box appears.

  11. In the Security Policy Setting tab, ensure all check boxes are selected.

  12. Click OK.

Update Group Policy

  1. In the lower-left corner of the Windows desktop, right click the Start icon, and then click Run. 
    The Run dialog box appears.

  2. In the text box to the right of Open, type cmd

  3. Click OK.
    The cmd window appears.

  4. Next to the C:\Users\Administrator prompt, type the command:

    gpupdate /force


  5. You will see the following messages:

    Updating policy...

    Computer Policy update has completed successfully.User Policy update has completed successfully.

Verify Logon/Logoff Events

  1. In the lower left-hand corner of the Windows desktop, click the Start icon.

  2. Click Administrative Tools.
    The Administrative Tools window appears.

  3. In the Administrative Tools window, double-click Event Viewer.
    The Event Viewer window appears.

  4. In the left-side navigation pane of the Event Viewer window, double-click Windows Logs, and then double-click Security
    You should see logon/logoff events in the middle pane under Security.

Create a Service Account in Active Directory

  1. Create a service account in the Active Directory, which will be utilized by the LogRhythm NDR NDR appliances. For more information, see Microsoft documentation.

  2. After you have created the service account, make sure it is part of the following groups:
    Distributed COM UsersEvent Log ReadersServer Operators

Modify CIMV2 Security Properties on the AD Server

NDR appliances require WMI authentication; therefore, the user must modify the CIMV2 security properties on the AD server that connects to the device.

  1. In the lower-left corner of the Windows desktop, right click the Start icon, and then click Command Prompt (Admin). 
    The Administrator: Command Prompt dialog box appears.

  2. Next to the C:\Windows\system32 prompt, type the command:

    wmimgmt.msc

    The WmiMgmt - [Console Root\WMI Control (Local)] window appears.

  3. Right-click WMI Control (Local), and then click Properties.
    The WMI Control (Local) Properties dialog box appears.

  4. Click the Security tab.

  5. In the navigation tree, double-click Root, and then click CIMV2 once so it is highlighted in blue.

  6. Near the bottom of the WMI Control (Local) Properties dialog box, click Security
    The Security for ROOT\CIMV2 dialog box appears.

  7. Click Add, and then navigate to and select the service account you just created in Active Directory.

  8. Click OK.

  9. In the Permissions section for this service account, ensure the check boxes in the Allow column are selected for the following attributes:
    Enable AccountRemote Enable

  10. Click Apply, then click OK.

Configure Active Directory Import from LogRhythm NDR UI

  1. At the top of the LogRhythm NDR UI page, click Settings.

  2. In the drop-down menu, click Active Directory.

  3. The Active Directory window appears.

  4. To add an Active Directory server, enter the information in the fields that appear:Server IP. Enter the IP Address.User. Enter the name of the service account you created (accepted format: DOMAIN\user).Password. Enter the password of the service account you created.

  5. Click Test to verify the configuration.

  6. If the configuration is verified, click Update to save the configuration.
    The configuration procedure is now complete.