check computer name is part of a group

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

check computer name is part of a group

L2 Linker

We're planning to enable HIP checks; with on of the checks is domain membership.

However there are cases where a computer will not yet have the domain setup.

We're thinking of creating a device group in AD where those computers can be added.

How do we allow access to systems that are part of that group? I was first thinking of a User-ID check, but this is for validating computer names and not user-id's membership in a group?

I was also looking at a custom HIP check, but not sure how to pull that off?

 

Thanks all for your time.

6 REPLIES 6

Cyber Elite
Cyber Elite

@CHKlomp,

Things get a bit trickier when you have machines that aren't joined to the domain, because I'm assuming here that these are greenfield machines and you don't have the ability to pre-add a registry key of any sort correct? In that case, you could utilize Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName

and look at the value of ComputerName and build out a just HIP-Object for each expected node. Combine those objects into a HIP-Profile and you could at least use the profile to allow enough communication to your DCs to get it joined to the domain.

L2 Linker

@BPryThanks for you response.

However we're looking for a more dynamic solution, where we won't have to update the HIP-object every time we need to make an exception. Therefore we were looking at AD domain groups, where the customer can add computer names to this AD group, when access is needed for a non-domain system. This way they won't need to go through a formal change process, which takes a long time (relative to fixing a system's access).

Cyber Elite
Cyber Elite

@CHKlomp,

I don't think you're going to come across a truly dynamic option for this unfortunately. Since the machine isn't joined to the domain you wouldn't be able to use group policy to pre-create any sort of registry key that you could trigger off of that is unique to the systems you want to function. Since you're looking to validate at the machine level, you either use certificates or the name of the device to manage that generally.

 

L2 Linker

@BPry ,

Yes, so if we want to use the name of the device, how would we go about validating it's membership of an AD group?

Or how else would we use the device name for validation?

 

Thank you for your time.

 

Cyber Elite
Cyber Elite

@CHKlomp,

You can't check AD membership for a device that isn't joined to the domain unless you were using machine certificates for authentication, but in your case the device isn't joined to AD yet and therefore likely doesn't have a machine certificate. 

Honestly, the only way I can think of checking for something like this would require creating a new HIP-Object entry and checking the host name. To do that securely, you would need to create a new entry for every single device. You could create a generic Host Name contains 'naming convention' to have a more broad HIP object capture these hosts and use that to build out your HIP-Profile, but I wouldn't really say that's a safe solution.

 

Effectively:

  • Create a HIP Object to capture the naming convention from the the host itself. ("Hostname-Check")
  • Create  a HIP Object to capture if the device is joined to the domain. ("Domain-Check")
  • Create a HIP-Profile that checks for devices that meet the Hostname-Check but not the domain check.
  • Use the HIP-Profile you created to allow enough access to join the device to the domain, but then also drop any and all other traffic from the host until it passes the Domain-Check you created.

The HIP-Profile would end up looking something like this depending on what you actually named things to identify hosts that match Hostname-Check but don't actually pass the Domain-Check validation:

"Hostname-Check" and not "Domain-Check"

 

L2 Linker

@BPry , Thanks for your time.

I'm thinking the best solution is to create a custom check for a registry key.

We can have a custom registry key added for those devices that need access, while not being part of the domain.

With regular key rotation, security should not be compromised in a significant matter.

  • 3511 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!