check sensitive windows groups

Question

In our previous life, we had written a Nagios plugin to check whether a sensitive Windows group had changed (e.g., Domain Admins).&nbsp; I created a replacement for this within LM, but since we can't really keep track of deltas without a key/value store, we use a property for each group that specifies the expected members, which should be updated when membership changes intentionally.&nbsp; We also use a property to list the groups for AD so we can store useful ILPs, but since those ILPs are not passed to the collection script (they could be, just are not currently passed for Powershell), the list of groups that can be checked is restricted to what is builtin to the collection script.

For one or more AD controllers then, you would specify (for example):

windows.groupcheck.list: Domain Admins
	windows.groupcheck.spec.Domain_Admins: administrator,alice,bob

If the list diverges, the datapoint for that group will alert.&nbsp; There is also a total count of members that is tracked, and can be used to set an alert if needed (e.g., some groups like Schema Admins should normally be empty, but that can be handled by the spec).

2Y9FM6

mhashemi · Answer

If your script wrote the members to a file, you could detect changes by comparing current membership to the content of that file.

anonymous · Answer

43 minutes ago, mhashemi said:

If your script wrote the members to a file, you could detect changes by comparing current membership to the content of that file.

+1 for LM Config

mnagel · Answer

Writing to a file is more or less how we used to do it with Nagios (technically, it was a File::Cache object) but that was with a central Nagios server + gearman and those checks always ran on the central server.&nbsp; With LM, this would be suboptimal in the face of collector pools (coming, one day) or collector failover.&nbsp;IMO, the right for that is a distributed key/value store.

As for LMConfig -- it&nbsp;is a premium feature that we don't by default push our clients to have to add to their cost structure to achieve things that should be possible without it.&nbsp; In this case, you could get away with one per domain, so the cost increase is defensible.&nbsp; Will see what I can do...

mnagel · Answer

Just now, mnagel said:

Writing to a file is more or less how we used to do it with Nagios (technically, it was a File::Cache object) but that was with a central Nagios server + gearman and those checks always ran on the central server.&nbsp; With LM, this would be suboptimal in the face of collector pools (coming, one day) or collector failover.&nbsp;IMO, the right for that is a distributed key/value store.

As for LMConfig -- it&nbsp;is a premium feature that we don't by default push our clients to have to add to their cost structure to achieve things that should be possible without it.&nbsp; In this case, you could get away with one per domain, so the cost increase is defensible.&nbsp; Will see what I can do...

Oh yes, now I recall why I did not consider LMConfig. Changes can not be sent (unless you use an external API script), so you just get the red light alert ("something changed").&nbsp; My current alert message includes the current and expected list.&nbsp; The alert communication channel in general is fairly small and I hate to constrain it further.

anonymous · Answer

17 minutes ago, mnagel said:

Changes can not be sent (unless you use an external API script), so you just get the red light alert ("something changed").&nbsp;

Yes that is a bummer, hopefully they'll improve that soon.

Forum Discussion

check sensitive windows groups

Related Content

Windows ProcessMonitoring

Event Sources SNMP and Windows collectors?

Windows service datasource error

Auto Balanced Collector Group vs Failover?

Does anyone have any experience with monitoring Windows Processes?

Recent Discussions

LM Logs ingestion alerting

Datapoints configuration Discussion

Freqency of Alerts

SQL CERTIFICATE MONITORING

CERTIFICATES - GET ALL CERTIFICATES FROM SERVER