Open-AudIT

What's on your network?

All times are UTC + 10 hours




 Post subject: How To: Audit a domain.
Posted: Fri Oct 06, 2006 12:43 am
There are several things you need to consider when trying to audit a domain.

1) Do you have sufficient access rights to list the Active Directory?
Open Audit requires that the auditing account (that is the account running the audit script, rather than the account running the web server) has enough rights to enumerate all of the machines in the domain.

2) Do you have sufficient access rights to connect to WMI on all of the machines you need to audit?
Open Audit's audit script also needs to be able to connect to the WMI on each machine.

You can test this by using the "Manage Computer" option from the machine doing the audit. Right-click on your own "My Computer" icon and select "Manage Computer" or "Manage".

This should bring up the local "Windows Management Console".

Now click "Action>Connect to another computer" and select one of your domain machines. You should now see the MMC information for that machine.

If this works, click "Services and Applications" then WMI control.

Now right-click and select "Properties".

You are in trouble if you see any errors along the lines of "Failed to initialize all required WMI classes".

If you see "Successfully connected to //{Computer Name}" you should be OK.

Now obviously you can't do this for every computer in the domain, but if you can see one, then the chances are you will be able to see the rest.

If you can't, then three possibilities exist: either you have insufficient access rights, or a firewall on the machine is blocking your access, OR WMI is not working correctly on the machine in question.

To fix the first one, obviously obtain the necessary rights.
For the second, allow WMI remote management exception through the firewall. There is a script in the 'scripts' directory called firewall_allow.vbs - you can run this locally on each PC (maybe as a login script). It MUST be run locally - ie, at the console on the PC in question. Alternatively, you could set Group Policy to allow remote WMI connections.
The third one will require a lot of head scratching and Googling to fix. Good Luck. Tell me how you did it when you get it working.

Once you are happy that your domain audit is going to yield at least one set of results, it is time to set up the audit.config.

For this, use the following as a guide.

Code:
audit_location = "r"     ' or "l" if the machine doing the auditing is also the web server for OA
verbose = "y"
online = "yesxml"
strComputer = ""
ie_visible = "n"
ie_auto_submit = "y"
ie_submit_verbose = "n"
ie_form_page = "http://support.mydomain.local/openaudit/admin_pc_add_1.php"
non_ie_page = "http://support.mydomain.local/openaudit/admin_pc_add_2.php"
nmap_subnet = "192.168.10."            ' The subnet you wish to scan
nmap_subnet_formatted = "192.168.010."    ' The subnet padded with 0's
nmap_ie_form_page = "http://support.mydomain.local/openaudit/admin_nmap_input.php"
nmap_ie_visible = "n"
nmap_ie_auto_close = "y"
nmap_ip_start = 1
nmap_ip_end = 254
nmap_syn_scan = "n"      ' Tcp Syn scan
nmap_udp_scan = "n"      ' UDP scan
nmap_srv_ver_scan = "n"  ' Service version detection.
nmap_srv_ver_int = 0     ' Service version detection intensity level. Values 0-9, 0=fast
input_file = ""
email_to = ""
email_from = ""
email_server = ""
audit_local_domain = "y"
local_domain = "LDAP://mydomain.local"
hfnet = "n"
Count = 0
number_of_audits = 20
script_name = "audit.vbs"
monitor_detect = "y"
printer_detect = "y"
software_audit = "y"
uuid_type = "uuid"


Alter the settings to suit your domain and the URL to your web host. You can set the email options later; they are not required for basic auditing.

A fuller explanation of what all of the options do is contained in another of these FAQs here.
http://www.open-audit.org/phpbb2/viewtopic.php?t=1393

Note that the local_domain can also be in the following format, to allow auditing of just a sub OU of the main domain.
Code:
local_domain="LDAP://ou=thisou,dc=mydomain,dc=local"

This would audit the ou "thisou" in the domain "mydomain.local"

Note also that if you set the strComputer = "" line to anything other than strComputer = "" for example strComputer = "." which is the default, you will only ever audit the single PC pointed to by strComputer no matter what you do with the domain audit settings.

Once you are happy with the settings, save the audit.config file to the same folder as audit.vbs and run at a command prompt...

Code:
C:\> CSCRIPT AUDIT.VBS


After a moment or two you should see the list of computers in your domain, followed by a number of other command boxes, each busy auditing a machine!

Happy auditing.

Hope this helps. If you have any suggestions for any of these FAQs, post them in the main forum under feature request, and mark them FAQ. We will include all of the best suggestions in the FAQ forum.
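The manual WMI Control check from step 2 of the post, scripted so it can be run against many machines and sorted into the three failure causes the post lists (rights, firewall, broken WMI). This is an added example, not part of the original post or of Open-AudIT; the machine names are constructed placeholders, the function name Test-WmiAccess is hypothetical, and the mapping of exception types to causes is the typical one rather than a guarantee.

```powershell
# Added example: triage remote WMI (DCOM) access for a list of machines.
# Needs Windows PowerShell 5.1 (Get-WmiObject is not present in PowerShell 7).
# $Computers is constructed sample data; replace it with your own machine names.
$Computers = @('PC-001', 'PC-002', 'PC-003')

function Test-WmiAccess {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{ Computer = $ComputerName; Status = 'OK'; Detail = '' }
    try {
        # root\cimv2 is the namespace the audit data is read from.
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
                            -ComputerName $ComputerName -ErrorAction Stop
        $result.Detail = $os.Caption
    }
    catch [System.UnauthorizedAccessException] {
        # Possibility 1: the auditing account lacks rights on the target.
        $result.Status = 'AccessDenied'
        $result.Detail = $_.Exception.Message
    }
    catch [System.Runtime.InteropServices.COMException] {
        # 0x800706BA "The RPC server is unavailable": host is off or,
        # possibility 2, a firewall is blocking remote WMI.
        $code = $_.Exception.ErrorCode
        if ($code -eq -2147023174) { $result.Status = 'UnreachableOrFirewall' }
        else                       { $result.Status = 'ComError' }
        $result.Detail = '0x{0:X8} {1}' -f $code, $_.Exception.Message
    }
    catch [System.Management.ManagementException] {
        # Possibility 3: WMI answered but a class or provider is not working.
        $result.Status = 'WmiFault'
        $result.Detail = $_.Exception.Message
    }
    catch {
        # Anything else is reported as-is for manual follow-up.
        $result.Status = 'Other'
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Run as the same account that will run audit.vbs, so the rights match.
$Computers | ForEach-Object { Test-WmiAccess -ComputerName $_ } |
    Sort-Object Status | Format-Table -AutoSize
```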

