DeepSurface: Domain (LDAP) Scanning
DeepSurface RiskAnalyzer ingests Windows Domain data in order to understand access rights and trust relationships between systems in typical Windows enterprise environments. This data is obtained through LDAP-based queries, regardless of whether agents or credentialed scans are in use. The queries submitted via LDAP do not require administrative access to the domain or to the domain controllers. Typically, any valid domain user has sufficient access to obtain the information needed for this phase of scanning.
The kinds of information obtained via LDAP include the following:
- Metadata about the domains hosted, other domains in the forest, and identities of domain controllers
- Domain users
- Domain computers
- Domain groups
- Domain group memberships
When RiskAnalyzer scans a domain controller via credentialed scans, either LDAP with StartTLS or LDAPS can be used. In all cases, SSL/TLS is required for scanning. If the SSL/TLS certificate cannot be trusted through the installed certificate authorities, Trust on First Use (TOFU) is used as a fallback. NOTE: By default, Windows domain controllers enable SSL/TLS for the LDAP service, but no certificate is installed, which causes secure connections to fail. Please ensure that some kind of SSL/TLS certificate is configured for your LDAP service so that credentialed scans can succeed.
When RiskAnalyzer's agent is installed on a domain controller, the agent accesses the LDAP service over the local interface, leveraging the computer/machine account to access the service. In this case, an SSL/TLS certificate does not need to be configured on the domain controller's LDAP service.
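A small pre-flight check for the certificate requirement above, written as an added example rather than DeepSurface's own code: it probes a domain controller's LDAPS listener (port 636; StartTLS on 389 is not covered), reports whether the certificate chains to an installed CA, and shows the Trust-on-First-Use pinning decision that applies when it does not. The hostname `dc01.example.local` is a placeholder.

```python
# Added example, not DeepSurface code. The hostname argument is a placeholder.
import hashlib
import socket
import ssl
import sys

LDAPS_PORT = 636  # LDAP over SSL/TLS; StartTLS on 389 is not covered here


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def probe_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Status: trusted (chains to an installed CA), untrusted (cert presented but
    not trusted; TOFU candidate), handshake_failed (e.g. no cert on the DC), unreachable."""
    def handshake(ctx):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    try:
        der = handshake(ssl.create_default_context())
        return {"status": "trusted", "fingerprint": fingerprint(der)}
    except ssl.SSLCertVerificationError:
        pass  # fetch the leaf again without verification so it can be pinned
    except ssl.SSLError:
        return {"status": "handshake_failed", "fingerprint": None}
    except OSError:
        return {"status": "unreachable", "fingerprint": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        return {"status": "untrusted", "fingerprint": fingerprint(handshake(ctx))}
    except OSError:
        return {"status": "handshake_failed", "fingerprint": None}


def tofu_decide(host: str, fp: str, pins: dict) -> str:
    """Trust on first use: pin the first fingerprint per host, then accept only
    that one; a change is 'mismatch' and needs a human to review it."""
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "pinned"
    return "match" if known == fp else "mismatch"

if __name__ == "__main__":
    print(probe_ldaps(sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"))
```

A `handshake_failed` result against a freshly built domain controller is the symptom the note above describes: the listener is up, but no certificate is installed.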