1375 Views, 9 Replies. Latest reply: Jan 28, 2013 5:06 AM by itsec
hudsy (Newcomer, 13 posts since Sep 6, 2012)

Jan 24, 2013 10:05 AM

Using AD groups as criteria for rules

I may have missed something but is there a way to use AD groups within MWG for criteria?

  • itsec (Apprentice, 65 posts since Oct 24, 2012)
    1. Jan 24, 2013 11:11 AM (in response to hudsy)

    Hi, presuming you have joined MWG to your domain and authentication is working correctly, simply create a rule (perhaps under URL filtering) that uses criteria of Property = authentication.usergroups, operator = contains and operand = a value string of the group name.

    As an example:

    Block users in the student group from accessing URLs categorised as Drugs.... ;-)

    1) authentication.usergroups contains value-string of "Students" [AD user group]

    AND

    2) url.categories at least one in list --> select category = Drugs

    Action = block

    Events = statistics.counter.increment ("blockedbyurlfilter",1)<default>

  • Jon Scholten (McAfee SME, 857 posts since Nov 3, 2009)
    2. Jan 24, 2013 11:31 AM (in response to hudsy)

  • Regis (Champion, 457 posts since Oct 6, 2010)
    3. Jan 24, 2013 12:17 PM (in response to itsec)

    One thing I'll add here is something I learned by doing.... not all things you'd think of as AD groups are created equal.

    The only AD groups the web gateway seems to "see" are security groups. Things defined as distribution lists, for instance... are a non-starter for use on the web gateway.

    If your view of various AD groups is most familiar via looking through Outlook address books and the like, Outlook doesn't tell you any differences, but the web gateway does.

    To see what groups a given user is in, if you have that user's id and password, click into your authentication rule, and the definition of the call to Authentication.Authenticate. In the edit settings window that results, hidden under the settings content sub-pane, under "Authentication Method" you'll see a drop down arrow for "Authentication Test". Click that drop down arrow and you can specify a user and password, click the authenticate user button, and in the "Test Result" field you'll see what groups the MWG thinks that user could be a part of.

    This is helpful in separating security groups from distribution lists.

    I'd LOVE to have someone give me an equivalent linux ldapsearch command line to reconstruct the ldap query this Authentication Test is doing here.

  • itsec (Apprentice, 65 posts since Oct 24, 2012)
    4. Jan 25, 2013 3:40 AM (in response to Regis)

    Somewhat easier to find, the same authentication test is also available in Policy > Settings > Authentication > [your auth method settings, e.g. ntlm] > Authentication Test.

    Re your point on distribution and security groups... I don't mean to be picky but in AD there are essentially two types of groups - security and distribution - so they are not 'equal' by design.

    You can't use distribution groups as security groups in AD as they do not have security descriptors, thus no way of authenticating. You can mail-enable a security group but that's not (technically) a distribution group....

    So it's not just MWG that will not see distribution groups (for security purposes) but any app/function that uses security groups, e.g. NTFS/shares/SharePoint etc etc.

    My advice is to never use Outlook as a basis for finding a user's group membership as you will only see mail relevant objects. If you want to see a user's (security) group membership then either use ADUC/PowerShell or, from the Windows cmd line:

    net user <username> /dom

    If you *really* want to use linux ldap then google is your friend :-) tho it seems to me a rather complicated way of going about getting group membership when there are easier alternatives!

  • Regis (Champion, 457 posts since Oct 6, 2010)
    6. Jan 25, 2013 9:02 AM (in response to itsec)

    Thanks itsec,

    net user <username> /dom is very helpful.

    Thanks for the clarification about the AD goodies. It makes my anecdotal pains in the butt trying to use different ... what people experience as "groups"... in DLP and MWG clearer. In the orgs I've worked with, AD administration is in a separate group than security engineering.

    'Google is your friend' made me laugh of course, having googled on the subject at least an hour trying different incantations and consulting AD admins. If you can point out ldap syntax for giving what net user <username> /dom does and where I missed it, I'm all ears. It's likely what the linux based MWG is doing under the covers. Do you know the field names or descriptors for the attributes that distinguish a distribution list and a security group?

    At any rate, having a net user command that does it quickly is, as you say, quite a bit easier. (Once you're aware of it.) 8-P

  • Regis (Champion, 457 posts since Oct 6, 2010)
    7. Jan 25, 2013 9:10 AM (in response to hudsy)

    hudsy wrote:

        Thanks for the input. I guess I didn't elaborate enough on what my thoughts were and what I was attempting to do.

        I am able to use the domain group names in rules, however is there a way to populate/pull/pick the actual AD groups from within the web gateway? At this point in time I have to type the names in manually or copy/paste the group names into the rule.

        Coming from SmartFilter I was able to choose the AD group names from a list that was pulled from AD.

        I am trying to build a rule that will allow only those workstations that have Google Chrome installed to perform updates to Chrome. I want the desktop group to be able to add workstations to this group in AD and those workstations be able to get out for the updates.

    Is there any reason you couldn't -- instead of relying on the desktop group to back-annotate an AD security group based on software inventory -- directly determine what workstations have Chrome on them by looking at the User-Agent string header in the request? Granted that can be spoofed, but I'm not sure why anyone who didn't have Chrome installed would want to try to get Chrome updates anyway? Or is there another piece to the puzzle?

    Regardless, your gripe about not having AD groups to pick from a pick list is duly noted. It doesn't exist today in MWG to my knowledge. A product enhancement request would get that requirement to the product manager's attention. Here's how to submit: https://kc.mcafee.com/corporate/index?page=content&id=KB60021 Prepare for some eye rolling as you're mysteriously required to install an ActiveX control from acceptondemand. :-)

    If you submit one, please let us know - I can throw a log on the "yes, this would be helpful and make me more productive in rule creation" fire.

  • Jon Scholten (McAfee SME, 857 posts since Nov 3, 2009)
    8. Jan 25, 2013 11:48 AM (in response to Regis)

    Hi all!

    This may not have any relevance to the original question (sorry), but may help in certain situations.

    I was able to create a block page that would allow you to enter a username and show the associated groups for that user. This doesn't really help for "in rule" group lookups but maybe it will help as a crutch in the meantime.

    The rules I created use LDAP (not NTLM! there is a big difference for AD because the primary group will not be returned with LDAP)..

    To use the rules you simply import it, visit the arbitrary domain "getmygroups.com"... and then you are presented with a blockpage to enter the username of interest. This will then set URL parameters that are used in the rules to perform the lookup.

    [Attached images: 1.0.0_ruleset.png (the rule set), 1.0.1_blockpage_example.png (the block page)]

    Attached is the ruleset required as well as the blockpage contents (it doesn't get imported with the ruleset so you need to create it!).

    If you use this you should modify the Client.IP list as this would be available to anyone who visits that URL (getmygroups.com).

    Best,

    Jon
  • itsec (Apprentice, 65 posts since Oct 24, 2012)
    9. Jan 28, 2013 5:06 AM (in response to Jon Scholten)

    @Regis,

    Here's a couple of links to get you started.

    The security descriptor attrib is called: nTSecurityDescriptor but I wouldn't use that - the groupType attribute is a better one to search on.

    http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/29/Default.aspx

    http://www.google.com/support/enterprise/static/gapps/docs/admin/en/gads/admin/ldap.5.4.html

    I had a quick search on MWG and it would appear that openldap is installed [find / -name '*ldap*']

    I'm not too familiar with how to use openldap as I've used windows tools in the past/present but the query should be the same - it's just getting the program started I can't help you with:

    Active Directory Users & Computers - If you use the query wizard then it will show you the query string which you can review and understand.

    Powershell (Quest ActiveRoles Management Shell for Active Directory is good)

    Sysinternals ADExplorer

    LDP.exe (native in XP/ Windows 7 etc)

    ADSIEdit

    Hope this helps.
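Added example, not code from the thread and not a McAfee tool: a POSIX shell script that answers Regis's request (posts 3 and 6) for a Linux ldapsearch equivalent and follows itsec's pointer to the groupType attribute in post 9. It decodes groupType to tell security groups from distribution groups, builds the AD filter for a user's security groups with nested membership expanded, prints the ldapsearch command line instead of running it, and classifies LDIF output. The domain controller name, bind DN, base DN, user DN and the LDIF sample are all constructed for illustration. Jon's caveat from post 8 applies here too: a member/memberOf query never returns the primary group, which AD records only as a RID in the user's primaryGroupID attribute.

```shell
#!/bin/sh
# Added example, not from the thread or from McAfee. Every host name, DN and
# the LDIF sample below are constructed for illustration.

# groupType is a signed 32-bit integer with these bits:
#   0x00000002 global   0x00000004 domain local   0x00000008 universal
#   0x80000000 security-enabled, which makes the stored value negative.
# Prints "<security|distribution>/<scope>".
ad_group_kind() {
    gt=$1
    if [ "$gt" -lt 0 ]; then kind=security; else kind=distribution; fi
    if   [ $((gt & 2)) -ne 0 ]; then scope=global
    elif [ $((gt & 4)) -ne 0 ]; then scope=domainlocal
    elif [ $((gt & 8)) -ne 0 ]; then scope=universal
    else                             scope=unknown
    fi
    printf '%s/%s\n' "$kind" "$scope"
}

# Filter for every security group a user belongs to, nested groups included.
#   1.2.840.113556.1.4.803  = LDAP_MATCHING_RULE_BIT_AND   (security bit set)
#   1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN  (transitive member)
# Not covered: the primary group, which AD stores only as a RID in the user's
# primaryGroupID attribute, so resolve that one separately.
user_security_groups_filter() {
    printf '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)(member:1.2.840.113556.1.4.1941:=%s))\n' "$1"
}

# OpenLDAP client command line against a domain controller. Printed, not run,
# so the example stays offline; -W prompts for the bind password.
ldapsearch_cmdline() {
    dc=$1 binddn=$2 base=$3 userdn=$4
    printf 'ldapsearch -LLL -x -H ldap://%s -D "%s" -W -b "%s" "%s" sAMAccountName groupType\n' \
        "$dc" "$binddn" "$base" "$(user_security_groups_filter "$userdn")"
}

# Classify group entries from LDIF on stdin (ldapsearch -LLL output or an
# export) and print "<sAMAccountName> <kind>/<scope>" per entry.
classify_ldif() {
    name= gt=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            sAMAccountName:*) name=${line#sAMAccountName: } ;;
            groupType:*)      gt=${line#groupType: } ;;
            # a blank line ends an LDIF entry
            '')
                [ -n "$name" ] && [ -n "$gt" ] && printf '%s %s\n' "$name" "$(ad_group_kind "$gt")"
                name= gt= ;;
        esac
    done
    [ -n "$name" ] && [ -n "$gt" ] && printf '%s %s\n' "$name" "$(ad_group_kind "$gt")"
    return 0
}

# Keep only the groups a web gateway rule can actually match on.
usable_groups() {
    classify_ldif | while read -r name kind; do
        case $kind in security/*) printf '%s\n' "$name" ;; esac
    done
}

# Constructed sample: what a DC might return, plus one distribution list that
# the gateway will never "see".
sample_ldif() {
    cat <<'EOF'
dn: CN=Students,OU=Groups,DC=example,DC=test
sAMAccountName: Students
groupType: -2147483646

dn: CN=All-Staff-Mail,OU=Groups,DC=example,DC=test
sAMAccountName: All-Staff-Mail
groupType: 8

dn: CN=Web-Admins,OU=Groups,DC=example,DC=test
sAMAccountName: Web-Admins
groupType: -2147483644
EOF
}

ldapsearch_cmdline dc1.example.test 'svc-mwg@example.test' 'DC=example,DC=test' \
    'CN=Jane Doe,OU=Users,DC=example,DC=test'
sample_ldif | classify_ldif
```

To use it for real, run the printed ldapsearch line (it needs the OpenLDAP client, which itsec noted appears to be present on the appliance) and pipe its output through classify_ldif or usable_groups. Unlike net user /dom, which lists direct memberships, the IN_CHAIN rule in the filter also returns groups the user belongs to through nesting.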
