
Question

Feature Request - AD Attempted Logons - Netwrix

asked on May 26, 2022

Hi All,

 

One of our customers uses Netwrix to monitor network security and AD.

 

The system in question is configured with Laserfiche repository groups, which are linked to AD groups. The users are members of the AD groups, which then inherit the access within the repository. This way, repository security can be more or less totally managed outside LF via group membership.

 

When running an Effective Access rights report, this causes the Netwrix solution to record thousands of failed logon attempts as Laserfiche iterates through the security, presumably 'impersonating' the logons in the background.

 

Can this behaviour be changed so the logons aren't attempted, meaning the Netwrix solution won't record all the failed logon attempts?

 

Cheers!

Chris


Replies

replied on June 22, 2022

Please can someone from Laserfiche reply to this? Thanks!

replied on June 23, 2022

The Laserfiche server needs to interact with AD when performing the rights calculations, because AD has the best information about things like group memberships. In order to do this, LFS does call LsaLogonUser, but in a mode that doesn't require it to also supply the user's credentials (which it doesn't have, to be clear). I believe this can fail based on whether the Laserfiche server has been granted appropriate delegation rights. It's a dense read, but the technique and required configuration are covered in https://docs.microsoft.com/en-us/archive/msdn-magazine/2003/april/exploring-s4u-kerberos-extensions-in-windows-server-2003.

replied on June 24, 2022

Thanks Brian this is really helpful,

 

One comment from the customer:-

 

The majority of solutions do an AD sync to get the information from AD and store it locally.

If you do a change in AD, then the sync must be executed again.

 

On the LF reporting, the problem is that all AD actions are done live and constantly repeated which isn’t bearable.

By using a local copy of the AD information, there would be much less requests and the reporting process would be much faster.

 

Could you please ask Laserfiche why this AD sync isn’t cached and done locally instead of “on-demand”?

 

Thanks!

replied on June 28, 2022

Hi Brian,

 

Please can you let me know if there are any plans to change the way this works in the future to accommodate the below request.

 

Cheers!

Chris

replied on July 1, 2022

Having a scheduled sync or a local cache would not really work well with the functionality that this feature is trying to provide. It is giving the admin the answer to the question, "if user A logged in right now, what rights would they have to entry X". If user A actually did log in that question would be answered by AD, so the answer to the hypothetical is also best answered by AD. Answering it based on a non-authoritative source like a cache or a synched snapshot risks giving the wrong answer. This would be especially problematic if the admin is trying to confirm the effects of making changes, such as changing group membership.

Further, the effective rights report is an important administrative tool, but I wouldn't expect it to be used much once the repository is set up and the initial access controls are configured. I could see some troubleshooting/spot-checking/auditing, but would that be of the scale that the customer is concerned about? Is there a use case where you expect to be using this regularly for large sets of entries and trustees?

Third, is there a measurable performance impact associated with this? They describe it as "not bearable", but I'd be curious what sort of effect this operation really has. Of course it's additional work that the AD server has to do, but they are read-only lookups (hence low contention) that should be parallelizable with the server's normal operation.  And these queries are serialized on the LFS end, so it's not making more than 1 such request at a time.

replied on July 5, 2022

Hello,

I am the Head of IT for the customer side.

Laserfiche is the product selected to replace a file server used by the company for several years.
With a basic file server, you have ACL granting access to AD users or AD groups to certain folders, subfolders or files and with the "hierarchy" principle.

Every auditing solution or even small "permissions reporter" tool is able to scan through the whole file server structure and report on the ACL rights configured "AT THE TIME OF THE REPORT".

None of these small tools is generating any AD requests as they simply take the information for granted.

As a side comment, we aren't using a typical Windows File Server but a NetApp filer (with CIFS features) and the same ACL reports are possible with that solution.

 

For various reasons (security, legal, client requirements...etc...) we have to report on the ACL:

* every month for IT reviews

* every 6 months for Global Company reviews

* every year for Legal / Certification requirements

* ad-hoc for client requests

At the moment, all these requests can be done in a few minutes with a small tool and with the file server structure.

By relocating all the data over to Laserfiche, we have asked to obtain the same reporting options and deliver the same reporting capacity as with our current NetApp filer / CIFS structure / Permissions Reports.

However, as of today, this is possible because we are facing performance issues, reporting issues, unnecessary AD requests...etc...

Similar to a file server, all the information exists in Laserfiche and there is NO NEED to query anything with any other component as we only want to report at the time of the execution.

At worst, I could see an option from Laserfiche saying: do you want to query for group members/nested group members, like other tools are offering, but without that choice, only the name of users/groups per folder would be required.

We are therefore asking LF to simply provide an ACL report from the data configured inside LF and nothing else.

With a small tool, the reports get generated in a few minutes for the entire folder structure (with a limit to a hierarchy of 3 levels). If the report is possible, we would then also like to compare the performance with LF to generate such a report.

Thanks.

Regards.

Eric

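The snapshot-based approach Eric asks for, as an added example (not Laserfiche's, Netwrix's, or the Solution Exchange tool's code): effective rights are derived only from a local copy of group membership and folder ACLs, with nested groups expanded, inheritance walked up the folder tree, and an explicit deny overriding any allow. All group names, paths and rights are constructed for illustration; passing a different membership table to the same function shows the staleness risk Brian describes, since the answer follows the snapshot rather than live AD.

```python
# Added example: effective rights computed purely from a local snapshot of
# group membership and folder ACLs (no live AD / S4U logon). All names,
# paths and rights below are constructed for illustration.

# Constructed AD snapshot: group -> direct members (users or nested groups)
GROUP_MEMBERS = {
    "LF-ReadOnly": {"carol", "LF-Finance"},
    "LF-Finance": {"alice", "LF-Finance-Leads"},
    "LF-Finance-Leads": {"bob"},
}

# Constructed folder tree: path -> parent path (None for the root)
PARENT = {"/": None, "/Finance": "/", "/Finance/Payroll": "/Finance"}

# Constructed ACLs: path -> list of (trustee, "allow"|"deny", rights, inheritable)
ACL = {
    "/": [("LF-ReadOnly", "allow", {"read"}, True)],
    "/Finance": [("LF-Finance", "allow", {"read", "write"}, True)],
    "/Finance/Payroll": [
        ("LF-ReadOnly", "deny", {"read"}, False),  # explicit, non-inheritable deny
        ("LF-Finance-Leads", "allow", {"delete"}, True),
    ],
}


def expand_groups(trustee, members):
    """All groups `trustee` belongs to, following nested membership."""
    found, frontier = set(), [trustee]
    while frontier:
        t = frontier.pop()
        for group, direct in members.items():
            if t in direct and group not in found:
                found.add(group)
                frontier.append(group)
    return found


def effective_rights(user, path, members=GROUP_MEMBERS, acl=ACL, parent=PARENT):
    """Walk from `path` up to the root; any matching deny wins over allows."""
    principals = {user} | expand_groups(user, members)
    allowed, denied, node, inherited = set(), set(), path, False
    while node is not None:
        for trustee, kind, rights, inheritable in acl.get(node, []):
            if trustee not in principals or (inherited and not inheritable):
                continue
            (denied if kind == "deny" else allowed).update(rights)
        node, inherited = parent[node], True
    return allowed - denied


def report(users, paths, members=GROUP_MEMBERS):
    """Rows of (user, path, sorted rights) for a whole snapshot, no AD calls."""
    return [(u, p, sorted(effective_rights(u, p, members))) for u in users for p in paths]
```

A group change made in AD after the snapshot is taken is invisible to this report until the snapshot is refreshed, which is exactly the trade-off between the live S4U lookup and a cached sync.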
replied on July 7, 2022

Thanks for clarifying. We don't have an official tool like that, but there is something on the Solution Exchange that does what you are looking for: https://www.laserfiche.com/solutionexchange/report-access-rights-for-an-entry-or-set-of-entries/

replied on July 11, 2022

Unfortunately, my colleague tried that tool (from 2007) and it doesn't work for Laserfiche v11.

Are you able to provide a more recent version of this tool?

replied on July 20, 2022

I don't see a newer version on the site there. I haven't run it myself, but the server is pretty backwards-compatible and I can't think of any fundamental reason the tool wouldn't still work. What you might be running into is just a technical problem of not having required dependencies - the SDK that the tool uses is COM-based, and so needs to be registered and have its dependencies present. Did the error sound like it was related to loading dependencies?

There is a redistributable SDK installer available. I don't recall off-hand where it is. Perhaps your SP can assist.

replied on July 21, 2022

Hi Brian

 

There is no visible error in the UI, it just launches and then disappears.

The recorded error in the event viewer is this:-

 

 

Cheers!

Chris Douglas

replied on July 25, 2022

Chris, have you tried what Brian suggested and run the SDK redistributable installer first? And do you have the Laserfiche Windows Client installed on the machine you're trying to run the utility from? It requires the Windows Client.

I am able to run the utility on my test servers with Laserfiche Server and Windows Client 11.

replied on July 26, 2022

Thanks Sam, I'm just waiting for confirmation from the customer. Very useful points though. Thanks!
