Friday, November 13, 2015

Identifying Distribution Groups within Security Groups

It is important to identify Active Directory distribution groups that are embedded in AD security groups, since it is not best practice to use distro groups for file server permissions.  Unfortunately, within Varonis DatAdvantage the 3a Group Members report does not have a filter to sort by Group Type.  Here is a workaround that I have used: identifying group types by their email properties.

There are several caveats here.  It is possible that a security group has an email address, and it is possible that a distribution list does not have an email address assigned.  To get a truly comprehensive picture we would have to create a CSV file from the 3d report of all distribution groups, create a CSV file from the 3a report looking only for groups embedded in groups, and then use Excel or PowerShell to merge the data to identify the distribution group members.
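As an added example (not part of the original post), here is the PowerShell version of that merge.  It matches on group name rather than on email address, which sidesteps the caveat above, and it also drops rows whose parent group is itself a distribution group, so only distribution groups nested inside non-distribution (security) groups are reported.  The CSV column names (GroupName, ParentGroup, MemberName, MemberType) are assumptions; map them to whatever headers your 3d and 3a exports actually carry.  The sample CSV text is constructed for the demonstration.

```powershell
# Added example, not from the original post. Merges a DatAdvantage 3d export
# (all distribution groups) with a 3a export (groups embedded in groups) to
# list distribution groups that are members of security groups.
# Column names are assumptions about the exports; adjust to your headers.

# Constructed sample of a 3d export: one row per distribution group.
$distroCsv = @'
GroupName,GroupType,Email
DL-Finance,Distribution,dl-finance@example.com
DL-Marketing,Distribution,
'@

# Constructed sample of a 3a export filtered to group-in-group memberships.
$membersCsv = @'
ParentGroup,MemberName,MemberType
FS-Finance-RW,DL-Finance,Group
FS-Finance-RW,jsmith,User
FS-Marketing-RO,DL-Marketing,Group
FS-Marketing-RO,SG-Marketing-Leads,Group
DL-Finance,DL-Marketing,Group
'@

function Find-NestedDistributionGroups {
    param(
        [Parameter(Mandatory)] [object[]] $DistributionGroups,  # rows from the 3d export
        [Parameter(Mandatory)] [object[]] $GroupMembers         # rows from the 3a export
    )
    # PowerShell hashtables compare keys case-insensitively, which suits AD names.
    $distroNames = @{}
    foreach ($g in $DistributionGroups) { $distroNames[$g.GroupName] = $true }

    $GroupMembers |
        Where-Object {
            $_.MemberType -eq 'Group' -and
            $distroNames.ContainsKey($_.MemberName) -and      # member is a distro group
            -not $distroNames.ContainsKey($_.ParentGroup)     # parent is not one itself
        } |
        Select-Object @{ n = 'SecurityGroup';            e = { $_.ParentGroup } },
                      @{ n = 'NestedDistributionGroup';  e = { $_.MemberName } }
}

# With real exports: $distro = Import-Csv .\3d_distribution_groups.csv
#                    $members = Import-Csv .\3a_group_members.csv
$distro  = $distroCsv  | ConvertFrom-Csv
$members = $membersCsv | ConvertFrom-Csv
Find-NestedDistributionGroups -DistributionGroups $distro -GroupMembers $members |
    Format-Table -AutoSize
```

With the constructed data above the output lists FS-Finance-RW / DL-Finance and FS-Marketing-RO / DL-Marketing; the DL-Finance / DL-Marketing row is dropped because its parent is a distribution group, and SG-Marketing-Leads is dropped because it is not in the 3d list.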

Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

They generally are caused in one of several ways:

1) The server no longer exists. (Then you should disable it in or remove it from Varonis)
2) Someone has upgraded or rebuilt the server and therefore the agent no longer exists on the box. (Then you should manually install the agent)
3) Someone has disabled or removed the Varonis services (After uncovering the reason for the change you can manually reinstall the agent)
4) There are connectivity problems getting to the server. (This needs to get fixed outside of the Varonis infrastructure.)

If you have administrative credentials to the monitored server, it is helpful to run Computer Management on the probe and connect it to the monitored server.  The results may provide additional clues to the problem.  Looking through the Varonis event logs on the monitored server via Event Viewer on the probe can also be helpful.

Friday, August 14, 2015

DatAlert Alert Template for Syslog

Within Varonis DatAlert, the default Alert Template for syslog messages contains line feeds and carriage returns.  Most syslog parsers have a much easier time dealing with single-line messages.  If you are going to send Varonis alerts to syslog you should create a template specifically for that.  Here is a sample that I work with.

Saturday, April 4, 2015

Correct Share Settings for Adding a Server in Varonis

When adding servers to Varonis, under the Shares tab select the highest level shares that Varonis has access to.  In addition, there is an option to Automatically detect shares.  This should be set to “Detect and Notify” and the “Notify” option should be set to once.  That way, whenever a share is added to a server an email will go out indicating that fact.  At that point, if it is a new volume or new top-level share, you can go back into the Management Console and add that volume.  Do not automatically monitor shares, as this may pick up devices such as CD drives or shares that should not be monitored, such as backup shares.

Friday, February 6, 2015

Removing Disabled Users from the Varonis Permissions Report

One of the most commonly used reports in Varonis DatAdvantage is the “4b - Effective Permissions for User or Group” report.  This is used to list all of the groups and users that have access to a particular folder.  One of the challenges that we faced at a particular customer was that the business people did not want to see the disabled users who had access to the folder.  There is a filter, “Disabled Accounts,” that lets you exclude them.  However, if you just add that filter it removes all of the groups that have access to the folder.  Thanks to Kevin Cyr for asking me if there is a way around this.  Indeed, there is!  Here is a screenshot of the filter combination that handles the problem: groups do not have the “Disabled Account” property in Active Directory, so a standalone “Disabled Accounts” filter excludes them.

Monday, September 1, 2014

Identify Servers with Duplicate SIDs in Varonis

One of the challenges in managing a multitude of Windows servers is that Microsoft allows more than one server to have the same SID within a domain.  This usually happens because people clone an existing server and then change the name.  Varonis DatAdvantage uses the SID as a unique identifier for the server in some portions of its system.  The primary impact is in managing local groups.  So if we have two or more servers in DatAdvantage with the same SID, only one of them will correctly collect and report on the local security groups, such as the Administrators group.  We can identify these servers by running a SQL Server query from the IDU server.  Here is the query.

use vrnsDomainDB;

-- Servers whose SID (filerIdentity) appears more than once in the filers table
select filer_hostname, filer_ipaddress, filerIdentity
from filers
where filerIdentity in (
    select filerIdentity
    from filers
    group by filerIdentity
    having count(filerIdentity) > 1
)
order by filerIdentity;
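As an added example (not part of the original post), the PowerShell below runs that query from the IDU server and groups the rows so each duplicate SID is shown once with all the servers that carry it.  It goes one step further than the post: a second function reads the real machine SID off each suspect server, so you can confirm which boxes truly share a SID before deciding which one to fix.  Assumptions: the SqlServer module (Invoke-Sqlcmd) is installed on the IDU server, the instance name is a placeholder, filerIdentity holds the machine SID (S-1-5-21-…), and you have admin rights on the monitored servers for the CIM query.  Deriving the machine SID from a local account's SID works because every local account SID is the machine SID followed by a relative ID.

```powershell
# Added example, not from the original post. Runs the duplicate-SID query from
# the post and cross-checks the suspects' actual machine SIDs.
# Assumptions: SqlServer module present; instance name is a placeholder;
# filerIdentity is the machine SID; admin rights on the monitored servers.

function Get-DuplicateFilerSids {
    param([string] $SqlInstance = 'IDUSERVER\PLACEHOLDER')   # placeholder instance
    $query = @'
SELECT filer_hostname, filer_ipaddress, filerIdentity
FROM   filers
WHERE  filerIdentity IN (SELECT filerIdentity FROM filers
                         GROUP BY filerIdentity HAVING COUNT(filerIdentity) > 1)
ORDER  BY filerIdentity;
'@
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database vrnsDomainDB -Query $query |
        Group-Object filerIdentity |
        ForEach-Object {
            [pscustomobject]@{
                Sid     = $_.Name
                Count   = $_.Count
                Servers = ($_.Group.filer_hostname) -join ', '
            }
        }
}

function Get-MachineSid {
    # A local account SID is <machine SID>-<RID>; strip the RID to get the machine SID.
    param([Parameter(Mandatory)] [string] $ComputerName)
    $acct = Get-CimInstance Win32_UserAccount -ComputerName $ComputerName `
                -Filter "LocalAccount = TRUE" -ErrorAction Stop |
            Select-Object -First 1
    if (-not $acct) { return $null }
    $acct.SID -replace '-\d+$', ''
}

# Usage (names are placeholders): list what Varonis sees as duplicates, then
# read each server's real SID. Servers that genuinely share a SID show the same
# MachineSid; a server whose MachineSid differs was probably re-registered in
# Varonis after a rebuild and just needs its filer entry refreshed.
# Get-DuplicateFilerSids | ForEach-Object {
#     foreach ($s in ($_.Servers -split ', ')) {
#         [pscustomobject]@{ Sid = $_.Sid; Server = $s; MachineSid = Get-MachineSid $s }
#     }
# } | Format-Table -AutoSize
```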

Sunday, June 22, 2014

Varonis Troubleshooting: RPC Failures

In Varonis DatAdvantage the Probe and the monitored Windows file server communicate using RPC services.  When events are not being collected or the Probe cannot reach the Windows server, one place to look when troubleshooting the problem is the Windows event log on the Probe.

If we receive the error message that the RPC server is unavailable, how do we go about discovering the root cause of the problem?  PORTQRY is a tool from Microsoft that allows you to test connectivity from one server to another.  To test connectivity to a monitored server, go to the Probe or Collector that is attempting to collect events or run the file walk and failing.  Run the following command:

portqry -n ServerName -p TCP -e 4972

The command should be able to:

1) Resolve the host name
2) Connect to port 4972 (which Varonis uses to connect to the service)
3) See that the port is in the Listening state.

If the response is Filtered, then there is a firewall or some other service blocking the connection.  If the response is Not Listening, then the Varonis Filer Logger is not running or has errors.  At that point, go to the server and check the status of the service.
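As an added example (not part of the original posts), here is a PowerShell function that scripts the checks from this post and from the "Connection lost" post above, run from the Probe or Collector: name resolution, TCP reachability of port 4972, and the state of the Varonis service on the monitored server.  Assumptions: the service's display name starts with "Varonis" (a placeholder pattern; adjust to what your agent build installs), and you hold admin rights on the monitored server for the service query.  Test-NetConnection only reports success or failure on the port; it does not distinguish portqry's Filtered from Not Listening, which is why the function also asks the service directly.

```powershell
# Added example, not from the original posts. Scripts the troubleshooting steps:
# DNS -> TCP 4972 -> Varonis service state, run from the Probe/Collector.
# Assumptions: service display name starts with "Varonis" (placeholder pattern);
# admin rights on the monitored server for the remote service query.

function Test-VaronisFilerConnectivity {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        [int]    $Port = 4972,                  # port named in the post
        [string] $ServicePattern = 'Varonis*'   # assumption: display-name prefix
    )
    $result = [ordered]@{ Server = $ServerName }

    # 1) Name resolution, the first thing portqry has to get right.
    try {
        $result.ResolvedIP = ([System.Net.Dns]::GetHostAddresses($ServerName) |
            Where-Object AddressFamily -eq 'InterNetwork' |
            Select-Object -First 1).IPAddressToString
    } catch {
        $result.Diagnosis = 'DNS resolution failed: server decommissioned, renamed, or DNS problem'
        return [pscustomobject]$result
    }

    # 2) TCP reachability of the port the Filer Logger listens on.
    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    $result.Pingable = $tcp.PingSucceeded
    $result.PortOpen = $tcp.TcpTestSucceeded
    if (-not $tcp.TcpTestSucceeded) {
        $result.Diagnosis = if ($tcp.PingSucceeded) {
            "Host up but TCP $Port not reachable: firewall (Filtered) or service down (Not Listening)"
        } else {
            'Host unreachable: network problem, or server offline/rebuilt'
        }
    }

    # 3) Service state, the same view Computer Management from the probe gives you.
    try {
        $svc = Get-CimInstance Win32_Service -ComputerName $ServerName -ErrorAction Stop |
               Where-Object DisplayName -like $ServicePattern
        if (-not $svc) {
            $result.Diagnosis = 'No Varonis service found: agent missing, reinstall it'
        } else {
            $result.Services = ($svc | ForEach-Object { "$($_.DisplayName)=$($_.State)" }) -join '; '
            if (($svc.State -contains 'Stopped') -and -not $result.Diagnosis) {
                $result.Diagnosis = 'Varonis service stopped: find out why, then restart or reinstall'
            }
        }
    } catch {
        $result.Services = "remote service query failed: $($_.Exception.Message)"
    }

    if (-not $result.Diagnosis) { $result.Diagnosis = 'Looks healthy from this probe' }
    [pscustomobject]$result
}

# Usage from the Probe (SERVERNAME is a placeholder):
# Test-VaronisFilerConnectivity -ServerName SERVERNAME | Format-List
```

Reading the output against the causes listed in the "Connection lost" post: a DNS failure or unreachable host points at a decommissioned server or a network problem, a reachable host with no Varonis service points at a rebuilt server that needs the agent reinstalled, and a stopped service points at someone having disabled it.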