We're planning to enable HIP checks, with one of the checks being domain membership.
However there are cases where a computer will not yet have the domain setup.
We're thinking of creating a device group in AD where those computers can be added.
How do we allow access to systems that are part of that group? I was first thinking of a User-ID check, but this is for validating computer names and not a user's membership in a group?
I was also looking at a custom HIP check, but not sure how to pull that off?
Thanks all for your time.
Things get a bit trickier when you have machines that aren't joined to the domain, because I'm assuming here that these are greenfield machines and you don't have the ability to pre-add a registry key of any sort, correct? In that case, you could utilize Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName and look at the value of ComputerName and build out just a HIP-Object for each expected node. Combine those objects into a HIP-Profile and you could at least use the profile to allow enough communication to your DCs to get it joined to the domain.
@BPry Thanks for your response.
However we're looking for a more dynamic solution, where we won't have to update the HIP-object every time we need to make an exception. Therefore we were looking at AD domain groups, where the customer can add computer names to this AD group, when access is needed for a non-domain system. This way they won't need to go through a formal change process, which takes a long time (relative to fixing a system's access).
I don't think you're going to come across a truly dynamic option for this unfortunately. Since the machine isn't joined to the domain you wouldn't be able to use group policy to pre-create any sort of registry key that you could trigger off of that is unique to the systems you want to function. Since you're looking to validate at the machine level, you either use certificates or the name of the device to manage that generally.
You can't check AD membership for a device that isn't joined to the domain unless you were using machine certificates for authentication, but in your case the device isn't joined to AD yet and therefore likely doesn't have a machine certificate.
Honestly, the only way I can think of checking for something like this would require creating a new HIP-Object entry and checking the host name. To do that securely, you would need to create a new entry for every single device. You could create a generic Host Name contains 'naming convention' to have a more broad HIP object capture these hosts and use that to build out your HIP-Profile, but I wouldn't really say that's a safe solution.
The HIP-Profile would end up looking something like this depending on what you actually named things to identify hosts that match Hostname-Check but don't actually pass the Domain-Check validation:
"Hostname-Check" and not "Domain-Check"
@BPry , Thanks for your time.
I'm thinking the best solution is to create a custom check for a registry key.
We can have a custom registry key added for those devices that need access, while not being part of the domain.
With regular key rotation, security should not be compromised in a significant manner.
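As an added illustration (not code from the thread or from Palo Alto Networks), the following PowerShell script previews on a Windows host how the conditions discussed in the two approaches above would evaluate: the host-name check read from the ActiveComputerName key that BPry references, the domain-membership check, and the custom registry key exception proposed in the last reply. The naming pattern 'LAB-*', the key path HKLM:\SOFTWARE\Contoso\GPException and the value name AccessToken are assumptions chosen for the example; the real HIP objects would be configured on the firewall, and this script only mirrors their logic locally so an admin can confirm what a given machine would match before rolling the profile out.

```powershell
# Added example, not from the original thread. Evaluates the HIP-style conditions
# discussed above locally, so an admin can see which profile a host would match.

# Assumptions (hypothetical values for this example):
$NamingPattern  = 'LAB-*'                               # naming convention for exception hosts
$ExceptionKey   = 'HKLM:\SOFTWARE\Contoso\GPException'  # custom registry key for the exception
$ExceptionValue = 'AccessToken'                          # value that gets rotated regularly

# Host name, read from the same key mentioned in the thread
$hostName = (Get-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName' `
    -Name ComputerName).ComputerName

# Domain membership: PartOfDomain is $true only once the machine is actually joined
$cs          = Get-CimInstance -ClassName Win32_ComputerSystem
$domainCheck = [bool]$cs.PartOfDomain

# "Hostname-Check": does the name follow the naming convention?
$hostnameCheck = $hostName -like $NamingPattern

# Custom registry check: the key must exist and the value must be non-empty
$exceptionCheck = $false
if (Test-Path -Path $ExceptionKey) {
    $v = (Get-ItemProperty -Path $ExceptionKey -Name $ExceptionValue `
            -ErrorAction SilentlyContinue).$ExceptionValue
    $exceptionCheck = -not [string]::IsNullOrEmpty($v)
}

# Profile logic quoted in the thread: "Hostname-Check" and not "Domain-Check"
$nameOnlyProfile = $hostnameCheck -and (-not $domainCheck)

# Tighter variant that keys on the rotated registry value instead of the host name
$keyProfile = $exceptionCheck -and (-not $domainCheck)

[pscustomobject]@{
    ComputerName                          = $hostName
    'Hostname-Check'                      = $hostnameCheck
    'Domain-Check'                        = $domainCheck
    'Exception-Key present'               = $exceptionCheck
    'Hostname-Check and not Domain-Check' = $nameOnlyProfile
    'Exception-Key and not Domain-Check'  = $keyProfile
}
```

Run it in an elevated PowerShell session on the candidate machine; the two profile rows show which exception path the host would satisfy. The second row is the one worth preferring, since a host name is trivially set by whoever builds the machine, whereas the registry value has to be placed there deliberately and can be rotated.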