Special Configurations

The following configurations may be needed:

Excluding Domain Controllers Below Windows 2008

If there are domain controllers installed on an operating system older than Windows 2008, the system displays an error message in the Activity Monitor log, indicating that the Activity Monitor cannot connect to the Domain Controllers.

To exclude these Domain Controllers, perform the following steps:

  1. Open the Activity Monitor service installation folder.

  2. Edit the bamframework.exe.config.

  3. Under <appSettings>, locate the key called “ExcludedDCs”:

    <add key="ExcludedDCs" value="" />

  4. Add the FQDNs of the domain controllers to be excluded, separated by the | character:

    <add key="ExcludedDCs" value="old-dc1.deprecated.com|old-dc2.10.years.old.os.com" />

  5. Restart the Activity Monitor service.

Monitoring Logon Events

To add monitoring of Logon events, perform the following steps:

  1. Open the Activity Monitor service installation folder.

  2. Edit the bamframework.exe.config.

  3. Under <appSettings>, locate the key called “readLogonEvents”, and set it to true:

    <add key="readLogonEvents" value="true" />

  4. Restart the Activity Monitor service.

Excluding Objects from Monitoring

By default, SecurityIQ Activity Monitor excludes the dnsNode and msExchActiveSyncDevice object classes from monitoring.

To exclude additional object classes from monitoring, perform the following steps:

  1. Open the Activity Monitor service installation folder.

  2. Edit the bamframework.exe.config.

  3. Under <appSettings>, locate the key called “excludedObjectClasses”, and set its value to the object classes to exclude:

    <add key="excludedObjectClasses" value="dnsNode|msExchActiveSyncDevice"/>

    The value must contain a list of object classes separated by the ‘|’ character.

Crawling

By default, SecurityIQ crawls and creates business resources for the following object types in the domain:

  • User

  • Group

  • Organizational Unit (OU)

  • Domain

  • Computer

  • Container

Overriding the default object types is not recommended, since they are the most common, and serve to exclude irrelevant object types (such as DNS records or Exchange Active Sync objects).

To override the default behavior, perform the following steps:

  1. Open the installation folder of the Permissions Collector configured for the Active Directory application.

  2. Edit the RoleAnalyticsServiceHost.exe.config file.

  3. Under the <appSettings> section, add the following key:

    <add key="relevantTypes" value="objectClass|objectClass|...|objectClass" />

    The value must contain a list of object classes separated by the | character, and the domain object class must be one of the object classes in the list.

  4. Restart the Permissions Collector service.
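Each of these settings narrows or widens what is monitored or crawled, so it is worth checking an edited file before restarting the service. The following is an added example, not part of the product or its documentation: a small linter that checks an <appSettings> section against the rules stated on this page. The function name, the sample file, the accepted true/false spellings and the literal class name "domain" are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes pasted from formatted text
LIST_KEYS = {"ExcludedDCs", "excludedObjectClasses", "relevantTypes"}

def lint_app_settings(config_text, domain_class="domain"):
    """Return a list of problems found in the <appSettings> of a .exe.config file.

    domain_class is an assumption: the page only says the domain object
    class must be listed in relevantTypes, not how it is spelled.
    """
    if any(q in config_text for q in SMART_QUOTES):
        return ["typographic quotes present: retype them as straight quotes"]
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for add in root.findall(".//appSettings/add"):
        key, value = add.get("key", ""), add.get("value", "")
        items = value.split("|") if value else []
        if key in LIST_KEYS:
            for item in items:
                # Empty entries or other separators mean the list is not |-delimited.
                if not item or re.search(r"[\s,;]", item):
                    problems.append(f"{key}: bad entry {item!r}; use | as the only separator")
        if key == "ExcludedDCs":
            problems += [f"{key}: {i!r} is not an FQDN" for i in items if i and "." not in i]
        if key == "readLogonEvents" and value.lower() not in ("true", "false"):
            problems.append(f"{key}: expected true or false, found {value!r}")
        if key == "relevantTypes" and domain_class.lower() not in [i.lower() for i in items]:
            problems.append(f"{key}: the {domain_class} object class must be in the list")
    return problems

# Constructed sample, not taken from a real installation.
SAMPLE = """<configuration>
  <appSettings>
    <add key="ExcludedDCs" value="old-dc1.deprecated.com|old-dc2" />
    <add key="readLogonEvents" value="yes" />
    <add key="excludedObjectClasses" value="dnsNode|msExchActiveSyncDevice" />
    <add key="relevantTypes" value="user,group" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for problem in lint_app_settings(SAMPLE):
        print(problem)
```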