The ADMonitor component requires very little customization and automatically configures itself during installation by doing the following:
•Monitors the domain of which the computer is a member of
•Finds the nearest domain controller
•Downloads all Active Directory objects as well as the schema to obtain a baseline. The offline AD database is stored in the ADMonitor\DB sub directory.
Basic Configuration
The ADMonitor dialog in the management console supports setting the database for all AD changes, controlling the service and verifying that the ADMonitor service is working properly.
Store in Database
Stores all future changes to objects and group policies in the selected database action
Utilize Collector
When enabled, sends all ADMonitor data through the collector, useful and recommended only when ADMonitor is running on a host that has no direct network connection to the selected database.
Check AD Passwords for Compromise
When enabled, retrieves the NTLM hash for all users from AD and determines whether a user password has been compromised in a data breach in the past. A compromised password does not mean that this user has been compromised in AD, it simply indicates that the password used by a user has also been used somewhere else (e.g. web site) where it was breached at some point.
This feature will also detect if more than one user in AD uses the same password.
When this feature is first enabled, ADMonitor will scan all users' passwords for compromise. After the initial discovery scan, the following timing is used:
•ADMonitor will check every 15 minutes if a user's password has been changed in AD. If it has, ADMonitor will refresh the password hashes and re-check for compromise.
•If no passwords are being changed, ADMonitor will refresh the password hashes and re-check for compromise every 48 hours regardless.
|
Important Technical Details
•ADMonitor is not able to retrieve the actual passwords, only NTLM hashes are retrieved •Only the first 5 characters of the NTLM hash are transmitted to https://api.pwnedpasswords.com •Accessing pwnedpasswords.com is currently free and does not require a subscription •NTLM hashes are not stored in EventSentry, only the SHA256 hash of the NTLM hashes are stored to allow the detection of duplicate passwords
|
If ADMonitor does not have access to the Internet, an offline NTLM hash database can also be downloaded from GitHub. Once downloaded, the full path to the decompressed file can be specified in the "Use local password .." field. Please note that the decompressed file has a size of at least 33Gb. Despite the large size of the offline file, using the offline database will not slow down ADMonitor.
Enhanced Configuration
The ADMonitor component supports additional configuration options that can be configured using the EventSentry ADMonitor Console application.
