Decrypt traffic with a Windows domain controller

By connecting the ExtraHop system to a domain controller, you can decrypt protocol traffic (such as LDAP and MSRPC) observed on clients and servers joined to the Windows domain.

When the ExtraHop system is configured with an Administrator account that can synchronize Kerberos and NTLM decryption keys for all user and service principals on the domain, the system can decrypt traffic for protocols such as Kerberos and LDAP. Decrypting this traffic can provide deeper insight for security detections. The configured Administrator account will only synchronize Kerberos and NTLM decryption keys and not modify any other properties in the domain.

The following requirements must be met for decryption:

  • You must have an Active Directory domain controller (DC) that is not configured as a Read-only Domain Controller (RODC).
  • The ExtraHop system synchronizes keys for up to 50,000 accounts in a configured domain. If your DC has more than 50,000 accounts, some traffic will not be decrypted.
  • The ExtraHop system must observe the network traffic between the DC and connected clients and servers.
  • The ExtraHop system must be able to access the domain controller over the following ports: TCP 88 (Kerberos), TCP 445 (SMB), TCP 135 (RPC) and TCP ports 49152-65535 (RPC dynamic range).

Add domain controller settings to the ExtraHop system

Warning: If you enable these settings, the ExtraHop system is granted access to all of the account keys in a Windows domain. The ExtraHop system should be deployed at the same security level as the domain controller. Here are some best practices to consider:
  • Strictly limit end-user access to sensors that are configured with access to the domain controller. Ideally, only permit end-user access to a connected Command appliance or Reveal(x) 360.
  • Configure sensors with an identity provider that has strong authentication features such as two-factor or multi-factor authentication.
  • Restrict inbound and outbound traffic to and from the sensor to the minimum necessary.
  1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the System Configuration section, click Capture.
  3. Click Domain Controller.
  4. Select the Enable connection to the domain controller checkbox.
  5. Complete the following fields:

    Hostname: The fully qualified domain name of the Windows server.

    Computer Name (sAMAccountName): The name of the Windows server.

    Realm Name: The Kerberos realm name of the Windows server.

    User Name: The name of a user who is a member of the built-in Administrators group for the domain. To prevent possible connection errors, specify a user account created after the domain controller was established.

    Password: The password of the privileged user.

  6. Click Test Connection to confirm that the sensor can communicate with the Windows server.
  7. Click Save.
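The requirements listed above (writable DC, the 50,000-account limit, reachability of the Kerberos, SMB and RPC ports) and the guidance on the account entered in step 5 (a member of the built-in Administrators group, created after the domain controller was established) can be checked before you click Test Connection. The following PowerShell script is an added pre-flight check, not ExtraHop tooling; it assumes it is run from a Windows host on the same network segment as the sensor with the RSAT ActiveDirectory module installed and WinRM access to the DC. The hostname and account name are placeholders, and it assumes that both user and computer objects count toward the 50,000-account limit, which the page does not define.

```powershell
# Added pre-flight check (not ExtraHop's own tooling). Run from a Windows host that
# sits where the sensor sits on the network, with the RSAT ActiveDirectory module.
param(
    [string]$DomainController = 'dc01.corp.example',   # placeholder FQDN
    [string]$ServiceAccount   = 'svc-extrahop-dc'      # placeholder sAMAccountName
)

Import-Module ActiveDirectory -ErrorAction Stop
$failures = @()

# 1. The DC must not be a Read-only Domain Controller.
$dc = Get-ADDomainController -Identity $DomainController
if ($dc.IsReadOnly) {
    $failures += "$DomainController is an RODC; key synchronization needs a writable DC."
}

# 2. Account count versus the 50,000-account synchronization limit.
#    Assumption: users and computers both hold Kerberos keys, so both are counted.
#    Computer objects derive from the user class, so one objectClass=user filter covers both.
$domainDn = (Get-ADDomain).DistinguishedName
$accountCount = (Get-ADObject -LDAPFilter '(objectClass=user)' -SearchBase $domainDn -ResultPageSize 1000 |
    Measure-Object).Count
if ($accountCount -gt 50000) {
    $failures += "Domain has $accountCount accounts; only 50,000 are synchronized, so some traffic will stay encrypted."
}

# 3. Fixed ports the sensor must reach on the DC. The RPC dynamic range (TCP 49152-65535)
#    cannot be probed port by port; read the DC's configured range instead and compare it
#    with the firewall policy between the sensor and the DC (requires WinRM to the DC).
$ports = @{ 88 = 'Kerberos'; 445 = 'SMB'; 135 = 'RPC endpoint mapper' }
foreach ($port in $ports.Keys) {
    $probe = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        $failures += "TCP $port ($($ports[$port])) is not reachable on $DomainController."
    }
}
$dynamicRange = Invoke-Command -ComputerName $DomainController -ScriptBlock { netsh int ipv4 show dynamicport tcp }
Write-Host "Dynamic RPC port range configured on ${DomainController}:`n$($dynamicRange -join "`n")"

# 4. The account used by the sensor must be in the built-in Administrators group and,
#    following the guidance above, created after the DC itself was established.
$user       = Get-ADUser -Identity $ServiceAccount -Properties whenCreated
$dcComputer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties whenCreated
$admins     = Get-ADGroupMember -Identity 'Administrators' -Recursive | Select-Object -ExpandProperty SamAccountName
if ($admins -notcontains $user.SamAccountName) {
    $failures += "$ServiceAccount is not a member of the built-in Administrators group."
}
if ($user.whenCreated -le $dcComputer.whenCreated) {
    $failures += "$ServiceAccount was created before the DC ($($dcComputer.whenCreated)); create a newer account."
}

if ($failures.Count -eq 0) {
    Write-Host 'All domain controller decryption prerequisites are satisfied.'
} else {
    $failures | ForEach-Object { Write-Warning $_ }
}
```

Because the account is granted the ability to read every principal's keys, treating this script as part of change control is worthwhile: keep its output with the sensor's configuration record so that a later audit can see which DC, which account and which ports were in scope when decryption was enabled.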

Validate the configuration settings

To validate that the ExtraHop system is able to decrypt traffic with the domain controller, create a dashboard that identifies successful decryption attempts.

  1. Create a new dashboard.
  2. Click the chart widget to add the metric source.
  3. Click Add Source.
  4. In the Sources field, type Discover in the search field and then select Discover Appliance.
  5. In the Metrics field, type DC in the search field and then select DC-Assisted Decryption Health - Successful Kerberos Decryption Attempts by SPN.
  6. Click Save.

The chart appears with a count of successful decryption attempts.

Additional system health metrics

The ExtraHop system provides metrics that you can add to a dashboard to monitor DC-assisted decryption health and functionality.

To view a list of available metrics, click the System Settings icon and then click Metric Catalog. Type DC-Assisted in the filter field to display all available DC-assisted decryption metrics.

Published 2021-07-26 21:08