
InTrust 11.4.1 - Technical Insight

Sites and Site Enumeration

InTrust Sites and Site Objects

Sites are collections of objects used as a target for InTrust operations (Gathering and Real-Time Monitoring). There are 2 types of sites:

  • Microsoft Windows Network
  • Unix Network

Site objects are resolved to computer names or IP addresses. The sites are accessed through the MSNNSiteProvider (Windows sites) and SolarisSiteProvider (Unix sites) components.

For Microsoft Windows Network sites, you can do the following:

  • Specify the security credentials which are used to access computers in the site
  • Prevent the automatic installation of agents
  • Specify the enumeration options (Active Directory, Browser service)

The objects you can include in each type of site are listed below.

Object                     Microsoft Windows site   Unix site
Whole Network              Yes                      No
Domains                    Yes                      No
Computers                  Yes                      Yes
IP address range           Yes                      Yes
Computer list              Yes                      Yes
Organizational unit        Yes                      No
Active Directory site      Yes                      No
All DCs in the domain      Yes                      No
All DCs in AD site         Yes                      No

Site Enumeration Process

Site enumeration can be initiated in the following ways:

  • Automatically—by a gathering job, or by the scheduled enumeration for real-time monitoring (configured in the site properties)
  • Manually—by clicking the Refresh button in the Details pane of the site properties (on the Enumeration tab)

This process is executed using 2 threads running in parallel: one thread resolves computer names/IP addresses, and the other collects information from the resolved objects.

The enumeration process continues without waiting for the whole result set to be returned, so enumeration results are processed as soon as they are available, in the order they are returned.

This process uses various internal lists when determining the actual site membership (the individual computers and IP addresses). There is not one definitive list—real-time monitoring and each gathering job maintain their own lists.

The enumeration process determines the actual site membership as follows:

  1. Reads the site objects from the configuration database
  2. Processes the object list, expanding site objects as necessary (see the table below for details)
  3. Checks if an agent is already installed on the computer:
    • If it is installed, the enumeration process queries the agent for the default property set (OS, computer type)
    • If it is not installed, the enumeration process queries the client directly for the default property set
  4. Verifies the site filters and, if necessary, retrieves additional information from the client computer, using the agent (if it is already installed) or directly querying the client (if the agent is not installed)
  5. If a computer matches the site filter, it is added to the final site membership list.
  6. If a site filter cannot be checked (the client is not available or accessible), the computer is still added to the final site membership list.
Site Object Enumeration

Whole Network

First the domain list is obtained using the method selected for enumeration (Computer Browser or Active Directory). Active Directory domains are enumerated by the DsEnumerateDomainTrusts API function; the return value is a list of domains that trust the current domain. Next, each domain is enumerated individually.

Domains

Enumerated according to the domain enumeration method.

Enumeration through Active Directory uses the following LDAP query:
"(objectCategory=computer)"

Important: Accounts are not filtered by age.

Computers

No enumeration required.

IP address range

Only expanded to individual IP addresses.

Computer list

Computer names/IP addresses are read from the file.

Organizational Unit

Enumerated using the following LDAP query:
"(objectCategory=computer)"

The OU is the root of the search.

Active Directory Site

  1. Get a list of forest subnets that belong to the specified site.
  2. Enumerate the domains in the forest.
  3. Enumerate each domain as a domain object.
  4. For each resulting computer, get the IP address and check that it belongs to one of the subnets obtained in step 1. If the subnet list is empty, all computers in the forest are discovered.

All domain controllers in domain

Enumerated according to the domain enumeration method.

If enumeration through Active Directory is used, first all computers in the domain are discovered using the following LDAP query:
"(objectCategory=computer)"

Next, computers with an empty Server-Reference-BL attribute are filtered out. Domain controllers are discovered among the remaining computers.

All domain controllers in Active Directory site

Always enumerated through Active Directory. The list of domain controllers is obtained from the configuration namespace by running the following LDAP query against the site:
"(objectClass=server)"
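The expansion rules in the table above, modelled offline in Python. This is an added example, not InTrust's own code: SAMPLE_COMPUTERS is constructed data in the shape an LDAP search for "(objectCategory=computer)" returns, with a resolved "ip" and a constructed "days_since_logon" field added so that the subnet check and the "accounts are not filtered by age" note can be shown. The stale_members check is an added defender's review step, not something the product performs.

```python
"""Offline model of how site objects are expanded into individual computers.
Added example, not InTrust's own code; all records below are constructed."""
import ipaddress

# Constructed LDAP results.  serverReferenceBL (Server-Reference-BL) is the
# back-link that only domain controllers carry; "ip" stands for the address
# the enumerator resolves for the host, "days_since_logon" is made up.
SAMPLE_COMPUTERS = [
    {"dNSHostName": "dc01.corp.example", "ip": "10.1.0.10", "days_since_logon": 1,
     "serverReferenceBL": "CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example"},
    {"dNSHostName": "ws01.corp.example", "ip": "10.1.5.21", "days_since_logon": 3,
     "serverReferenceBL": ""},
    {"dNSHostName": "old-ws.corp.example", "ip": "10.1.5.99", "days_since_logon": 400,
     "serverReferenceBL": ""},
    {"dNSHostName": "dc02.corp.example", "ip": "10.2.0.10", "days_since_logon": 1,
     "serverReferenceBL": "CN=DC02,CN=Servers,CN=Branch,CN=Sites,CN=Configuration,DC=corp,DC=example"},
]


def expand_domain(computers):
    """Domain / Organizational Unit objects: every computer the LDAP query
    returns is kept.  Accounts are not filtered by age, so the workstation
    that has not logged on for 400 days is in the list as well."""
    return [c["dNSHostName"] for c in computers]


def stale_members(computers, max_age_days):
    """Added review check (not part of the product): members whose last
    logon is older than max_age_days, so they can be looked at separately."""
    return [c["dNSHostName"] for c in computers if c["days_since_logon"] > max_age_days]


def expand_ip_range(first, last):
    """IP address range object: expanded only to individual addresses."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(start + i) for i in range(int(end) - int(start) + 1)]


def expand_ad_site(computers, site_subnets):
    """Active Directory site object, step 4: keep computers whose address is
    in one of the site's subnets; an empty subnet list discovers all of them."""
    if not site_subnets:
        return [c["dNSHostName"] for c in computers]
    nets = [ipaddress.ip_network(s) for s in site_subnets]
    return [c["dNSHostName"] for c in computers
            if any(ipaddress.ip_address(c["ip"]) in n for n in nets)]


def expand_domain_controllers(computers):
    """All domain controllers in domain: computers with an empty
    Server-Reference-BL attribute are filtered out."""
    return [c["dNSHostName"] for c in computers if c["serverReferenceBL"]]
```

The empty-subnet branch of expand_ad_site is the edge case worth remembering: a site whose subnet list is empty silently widens to the whole forest, so a site that was meant to cover one location can end up installing agents everywhere.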

The final site membership list contains the original object name (the name used when the object was added to the site) and the name that InTrust can use to connect to the client. Gathering and real-time monitoring currently respond differently to the site filter check:

  • A gathering job will gather audit data, even if InTrust cannot check the site filters.
  • Real-time monitoring will not generate an alert on a computer if InTrust cannot check the site filters.

If a site is being enumerated for real-time monitoring, the Quest InTrust Real-Time Monitoring service does the following:

  1. Checks whether the computer was already in the site (against the previous version of its final site membership list). If it was not, then it pushes the real-time monitoring configuration to the agent.
  2. Checks whether the computer was removed from the site and if it was, then it removes the real-time monitoring configuration from the agent.
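The final membership list and the two behaviours described above, as an added Python model (not InTrust's own code). The Member records are constructed sample data; the field names and the "push"/"remove" outcome are this example's own labels for what the text describes.

```python
"""Model of the final site membership list and of how gathering and
real-time monitoring act on it.  Added example, not InTrust's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    original_name: str    # name used when the object was added to the site
    connect_name: str     # name InTrust can use to connect to the client
    filter_checked: bool  # could the site filter be evaluated on the client?
    filter_matched: bool  # filter result; only meaningful when filter_checked


# Constructed enumeration results for one run.
CANDIDATES = [
    Member("ws01", "ws01.corp.example", True, True),        # matches the filter
    Member("10.1.5.22", "ws02.corp.example", True, False),  # checked, does not match
    Member("srv02", "srv02.corp.example", False, False),    # client unreachable
]
# Constructed previous final list, as kept by real-time monitoring from its last run.
PREVIOUS = [
    Member("ws01", "ws01.corp.example", True, True),
    Member("10.1.5.22", "ws02.corp.example", True, True),
]


def build_membership(candidates):
    """Steps 5 and 6: a computer joins the final list when it matches the
    site filter, and also when the filter could not be checked at all."""
    return [m for m in candidates if m.filter_matched or not m.filter_checked]


def gathering_targets(members):
    """A gathering job gathers audit data from every member, checked or not."""
    return [m.connect_name for m in members]


def rtm_alert_targets(members):
    """Real-time monitoring raises alerts only where the filter was checked."""
    return [m.connect_name for m in members if m.filter_checked]


def rtm_config_changes(previous, current):
    """Diff the previous and current final lists: configuration is pushed to
    agents on computers new to the site and removed from agents on computers
    that left it."""
    prev = {m.connect_name for m in previous}
    cur = {m.connect_name for m in current}
    return {"push": sorted(cur - prev), "remove": sorted(prev - cur)}
```

Note what the unreachable host srv02 does to the two consumers: it stays in the membership list, gathering will try to collect from it, and real-time monitoring pushes configuration to its agent but will not alert for it until a later enumeration can evaluate the filter.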

Site Enumeration Scripts

If you want to specify your own algorithm for the enumeration of objects in the site, you can use the Enumeration Script option, which prompts you for a script that will perform the enumeration. This option is available:

  • During site creation: on the Site Objects step
  • For an existing site: from the context menu, or in the site properties on the Objects tab

Selecting Enumeration Script prompts you for the script you want to use. The scripts are located in the Quest InTrust Manager | Configuration | Advanced | Scripts container node.

InTrust comes with the example “Enumeration script: LDAP query” script for this purpose. For your sites, you can use this script, copies of it, or your own scripts.

The “Enumeration script: LDAP query” script has the following parameters, which you can customize without modifying the script itself:

Attribute Name

Name of the attribute that will be used as the object name in the list of site objects.

Bind String

ADSI bind string; for example, “GC:” means that the entire AD forest is searched, and “LDAP:” specifies the current domain.

Filter

LDAP filter, such as "(objectCategory=serviceConnectionPoint)".

Need Deep Search

What to do if the search in the entire forest finds objects whose names (specified by the Attribute Name parameter) cannot be read:

  • 0—do nothing; the matching object is not included in the site
  • 1—try searching in individual domains and reading the attributes again

This parameter is considered only if the Bind String begins with “GC:”.

Search Scope

Search scope in LDAP terms, with the following values:

  • 0—base
  • 1—one level
  • 2—subtree
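How the five parameters interact, shown with an offline Python model. This is an added example and not the "Enumeration script: LDAP query" script that ships with InTrust: FOREST and GC_PARTIAL_ATTRIBUTE_SET are a constructed in-memory stand-in for ADSI, DEFAULT_DOMAIN is an assumed value for the current domain that "LDAP:" binds to, and only the simple equality filter form used on this page is parsed. The reason Need Deep Search exists is modelled directly: a global catalog replicates only a partial attribute set, so a "GC:" search can return an object whose Attribute Name is not readable there.

```python
"""Offline model of the "Enumeration script: LDAP query" parameters.
Added example, not the script shipped with InTrust: FOREST and
GC_PARTIAL_ATTRIBUTE_SET are constructed stand-ins for ADSI, and
DEFAULT_DOMAIN is the assumed current domain that "LDAP:" binds to."""

DEFAULT_DOMAIN = "DC=corp,DC=example"  # assumption: the current domain

# Constructed forest: two naming contexts, objects with full attribute sets.
FOREST = {
    "DC=corp,DC=example": [
        {"dn": "CN=SRV01,OU=Servers,DC=corp,DC=example",
         "objectCategory": "computer", "dNSHostName": "srv01.corp.example"},
        {"dn": "CN=Backup SCP,CN=SRV01,OU=Servers,DC=corp,DC=example",
         "objectCategory": "serviceConnectionPoint",
         "serviceBindingInformation": "srv01.corp.example:1234"},
    ],
    "DC=sub,DC=corp,DC=example": [
        {"dn": "CN=Backup SCP,CN=SRV09,OU=Servers,DC=sub,DC=corp,DC=example",
         "objectCategory": "serviceConnectionPoint",
         "serviceBindingInformation": "srv09.sub.corp.example:1234"},
    ],
}
# Attributes this constructed global catalog replicates.  A real GC holds only
# a partial attribute set, which is why a "GC:" search can return objects whose
# Attribute Name cannot be read (the case Need Deep Search is about).
GC_PARTIAL_ATTRIBUTE_SET = {"dn", "objectcategory", "dnshostname"}


def _lower(obj):
    return {k.lower(): v for k, v in obj.items()}  # attribute names are case-insensitive


def parse_filter(ldap_filter):
    """Accepts the simple equality form "(attr=value)" used on this page."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")") and "=" in f):
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = f[1:-1].split("=", 1)
    return attr.strip().lower(), value.strip().lower()


def _in_scope(dn, root, scope):
    """Search Scope: 0 = base, 1 = one level, 2 = subtree (sample DNs have no escaped commas)."""
    dn, root = dn.lower(), root.lower()
    if scope == 0:
        return dn == root
    if scope == 1:
        return ("," in dn) and dn.split(",", 1)[1] == root
    if scope == 2:
        return dn == root or dn.endswith("," + root)
    raise ValueError("Search Scope must be 0, 1 or 2")


def _naming_context(dn):
    """Longest naming context that contains dn, or None if dn is outside the forest."""
    hits = [nc for nc in FOREST if _in_scope(dn, nc, 2)]
    return max(hits, key=len) if hits else None


def adsi_search(bind_string, ldap_filter, scope):
    """Return (dn, attributes) for matching objects.  "GC:" searches every naming
    context but exposes only the partial attribute set; "LDAP:" (optionally
    "LDAP://<DN>") searches one naming context with full attributes."""
    attr, value = parse_filter(ldap_filter)
    upper = bind_string.upper()
    if upper.startswith("GC:"):
        roots, gc = list(FOREST), True
    elif upper.startswith("LDAP:"):
        roots = [bind_string[7:] if upper.startswith("LDAP://") else DEFAULT_DOMAIN]
        gc = False
    else:
        raise ValueError("Bind String must begin with GC: or LDAP:")
    found = []
    for root in roots:
        for obj in FOREST.get(_naming_context(root), []):
            o = _lower(obj)
            if _in_scope(o["dn"], root, scope) and str(o.get(attr, "")).lower() == value:
                found.append((o["dn"], {k: v for k, v in o.items()
                                        if not gc or k in GC_PARTIAL_ATTRIBUTE_SET}))
    return found


def enumerate_site(attribute_name, bind_string, ldap_filter, need_deep_search, search_scope):
    """Object names the script yields for one set of the five parameters."""
    wanted = attribute_name.lower()
    names = []
    for dn, attrs in adsi_search(bind_string, ldap_filter, search_scope):
        name = attrs.get(wanted)
        if name is None and bind_string.upper().startswith("GC:") and need_deep_search == 1:
            # Need Deep Search = 1: read the attribute again from the object's own domain.
            for _, full in adsi_search("LDAP://" + dn, ldap_filter, 0):
                name = full.get(wanted)
        if name is not None:  # Need Deep Search = 0: an unreadable name drops the object
            names.append(name)
    return names
```

Run with Attribute Name = serviceBindingInformation, Bind String = "GC:" and Need Deep Search = 0, the model returns no objects at all, because that attribute is not in the constructed partial attribute set; with Need Deep Search = 1 the per-domain retry recovers both service connection points. Switching Bind String to "LDAP://OU=Servers,DC=corp,DC=example" with Search Scope 1 also returns nothing, since the SCP sits two levels below the OU, while Search Scope 2 finds it.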
