CN110049028A - Method, apparatus, computer device and storage medium for monitoring domain controller administrators (Google Patents)
- Publication number: CN110049028A
- Application number: CN201910268028.6A
- Authority: CN (China)
- Prior art keywords: domain, administrator, log, information, message
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
            - H04L63/1425—Traffic logging, e.g. anomaly detection
Abstract
The invention discloses a method, apparatus, computer device and storage medium for monitoring domain controller administrators (hereafter "domain admins"). The method comprises: obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain admins in the target domain; obtaining log information from each domain controller according to the IP address information and, according to the account information, identifying administrator logon records within each set of log information; and, for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alert message containing the administrator logon record to a preset terminal. By monitoring the behaviour of domain admins logging on to domain controllers, the invention protects the Active Directory stored on the domain controllers.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus, computer device and storage medium for monitoring domain admins.
Background art
To manage enterprise-wide resources such as computers and users in a unified way, Microsoft offers the Active Directory (AD) solution. Unlike the traditional workgroup model, the main advantage of Active Directory is centralised management, including unified identity authentication and permission control. Because Active Directory stores the information of every computer and user in the enterprise, only domain admins are permitted to access the Active Directory held on the domain controllers, in order to protect it. An attacker, however, can masquerade as a domain admin and log on to a domain controller to access Active Directory, so how to protect Active Directory effectively has become a technical problem in urgent need of a solution.
Summary of the invention
The purpose of the present invention is to provide a method, apparatus, computer device and storage medium for monitoring domain admins, which protect the Active Directory stored on domain controllers by monitoring the behaviour of domain admins logging on to the domain controllers.
According to one aspect of the invention, a method for monitoring domain admins is provided, comprising the following steps:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain admins in the target domain;
obtaining log information from each domain controller according to the IP address information, and identifying administrator logon records in each set of log information according to the account information;
for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alert message containing the administrator logon record to a preset terminal.
Optionally, obtaining the IP address information of all domain controllers in the target domain specifically comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
Optionally, obtaining the account information of all domain admins in the target domain specifically comprises:
searching the Active Directory of any domain controller in the target domain for administrator accounts associated with a specified security identifier (SID).
Optionally, the method further comprises:
counting, from the log information of a domain controller, the number of logons of each domain admin within a set period; and, if the number of logons of a domain admin reaches a preset threshold, sending an alert message containing the account information of that domain admin to the preset terminal.
Optionally, the method further comprises:
initiating a simulated logon event against each domain controller, the simulated logon event being a logon to the domain controller made directly, without passing through the preset bastion host; and
judging, from the log information of each domain controller, whether the simulated logon event was detected and, if not, sending an alert message containing the IP address information of the domain controller on which it was not detected to the preset terminal.
To achieve the above object, the invention also provides an apparatus for monitoring domain admins, comprising the following parts:
an obtaining module, for obtaining the IP address information of all domain controllers in the target domain and the account information of all domain admins in the target domain;
a determining module, for obtaining log information from each domain controller according to the IP address information and identifying administrator logon records in each set of log information according to the account information; and
a processing module, for judging, for each administrator logon record, whether the source address in the record is the address of the preset bastion host and, if not, sending an alert message containing the administrator logon record to the preset terminal.
Optionally, the apparatus further comprises:
a statistics module, for counting, from the log information of a domain controller, the number of logons of each domain admin within a set period and, if the number of logons of a domain admin reaches a preset threshold, sending an alert message containing the account information of that domain admin to the preset terminal.
Optionally, the apparatus further comprises:
a test module, for initiating a simulated logon event against each domain controller, the simulated logon event being a logon to the domain controller made directly without passing through the preset bastion host, and for judging, from the log information of each domain controller, whether the simulated logon event was detected and, if not, sending an alert message containing the IP address information of the domain controller on which it was not detected to the preset terminal.
To achieve the above object, the invention also provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above method for monitoring domain admins when executing the computer program.
To achieve the above object, the invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the above method for monitoring domain admins when executed by a processor.
The method, apparatus, computer device and storage medium for monitoring domain admins provided by the invention protect the Active Directory stored on domain controllers by monitoring the behaviour of domain admins logging on to the domain controllers: when the source address of an access to Active Directory is found not to be the address of the preset bastion host, the source address information is obtained and an alert is raised, thereby protecting Active Directory. In addition, in this embodiment, the number of times each domain admin logs on to domain controllers can also be monitored, so that a domain admin who logs on unusually often is manually verified, avoiding a potential risk.
Brief description of the drawings
Other advantages and benefits will become clear to those of ordinary skill in the art from the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be taken as limiting the invention. The same reference numerals denote the same parts throughout the drawings. In the drawings:
Fig. 1 is an optional flow diagram of the method for monitoring domain admins provided by embodiment one;
Fig. 2 is a schematic diagram of the enterprise domain forest in embodiment one;
Fig. 3 is an optional program module diagram of the apparatus for monitoring domain admins provided by embodiment two;
Fig. 4 is an optional hardware structure diagram of the computer device provided by embodiment three.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and not to limit it. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
The method for monitoring domain admins provided by the invention is described below with reference to the drawings.
Embodiment one
Fig. 1 is an optional flow diagram of the method for monitoring domain admins of the present invention. The method comprises the following steps:
Step S101: obtain the IP (Internet Protocol) address information of all domain controllers in the target domain, and obtain the account information of all domain admins in the target domain.
In this embodiment, as shown in Fig. 2, the target domain may be the domain forest of an enterprise, with the parent company as the root domain of the forest (xxsec.com in the figure) and each subsidiary as a subdomain of the forest (shenzhen.xxsec.com, dongguan.xxsec.com and changchun.xxsec.com in the figure). One or more domain controllers are deployed for the root domain and for each subdomain. A domain controller authenticates the computers and users connected to the network, and each domain controller holds Active Directory. Active Directory stores information about network objects (such as users, groups, domains and security policies), and this information is replicated between the domain controllers, so the Active Directory content on each domain controller is the same. Because Active Directory stores the information of every computer and user in the enterprise, only authorised domain admins may log on to a domain controller and access the Active Directory held on it, so as to protect both the domain controllers and Active Directory.
Specifically, obtaining the IP address information of all domain controllers in the target domain comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
Since the Active Directory content on each domain controller is the same, the IP address information of all domain controllers in the target domain can be obtained from the Active Directory of any one domain controller in the target domain.
Further, obtaining the account information of all domain admins in the target domain comprises:
searching the Active Directory of any domain controller in the target domain for administrator accounts associated with a specified security identifier (SID).
Preferably, the SID S-1-5-32-544 is used as the search key when traversing Active Directory to obtain the account information of all domain admins in the target domain: S-1-5-32-544 is the well-known SID of the built-in Administrators group, so the administrator accounts found to be members of that group are taken as the domain admins of the target domain. In addition, the account information of all domain admins in the target domain can also be obtained from the Domain Admins (DA) group of Active Directory.
Step S102: obtain log information from each domain controller according to the IP address information, and identify administrator logon records in each set of log information according to the account information.
Specifically, step S102 comprises:
Step A1: determine each domain controller in the target domain from the IP address information, and obtain log information from each of the determined domain controllers;
Step A2: from each set of log information obtained, identify, according to the account information, the administrator logon records that contain a domain admin account.
When a domain admin logs on to a domain controller successfully, a corresponding administrator logon record is written into the log information of that domain controller; in this embodiment only successful logons to domain controllers are examined.
Step S103: for each administrator logon record, judge whether the source address in the record is the address of the preset bastion host and, if not, send an alert message containing the administrator logon record to a preset terminal.
In the prior art, a bastion host can be deployed to protect the Active Directory stored on domain controllers: to access Active Directory on a domain controller, a domain admin must first access the bastion host and then reach the domain controller through it. Although an attacker may obtain a domain admin's account and impersonate the domain admin to access a domain controller, the attacker cannot easily obtain the address of the bastion host, so the attacker can only impersonate the domain admin by accessing the domain controller directly. Therefore, in this embodiment, whether an access originates from an attacker or from a domain admin is judged by whether the source address in the administrator logon record is the address of the bastion host: for a normal access by a domain admin the source address is the address of the preset bastion host, while for an abnormal access by an attacker the source address is that of some other terminal.
When the preset terminal receives an alert message, staff can investigate the corresponding domain admin according to the administrator logon record contained in the alert; afterwards the logon account and password of that domain admin can be changed and its access requests refused.
In this embodiment, by analysing the logon logs of the domain controllers it is judged whether the logon source is the address of the preset bastion host: if so, the logon is judged normal; if not, it is judged abnormal. When an abnormal logon is found an alert is raised, thereby protecting the Active Directory stored on the domain controllers.
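The following Python example is added by the editor and is not code from the patent or from any product of the applicant. It implements steps A2 and S103 over Windows Security event 4624 (successful logon) records in event XML form, the format produced by Get-WinEvent or Windows Event Forwarding when logs are pulled from a domain controller; the sample events, the host names and IP addresses, the admin inventory DOMAIN_ADMINS and the bastion address BASTION_IPS are constructed values standing in for what step S101 would collect.

```python
"""Steps A2/S103 over domain controller logon logs: parse Windows Security event
4624 records and flag domain admin logons whose source address is not a bastion host.
Editor's added example; sample data below is constructed, not real log output."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types that represent a person's session on the DC. Batch (4) and service (5)
# logons are started by the DC itself, carry IpAddress "-" and would only be noise.
SESSION_LOGON_TYPES = frozenset({2, 3, 7, 10, 11})


@dataclass(frozen=True)
class LogonRecord:
    dc: str          # Computer element: the DC that wrote the event
    account: str     # TargetUserName
    domain: str      # TargetDomainName (NetBIOS name of the account's domain)
    source_ip: str   # IpAddress; "-" for console, "::1"/"127.0.0.1" for local logons
    logon_type: int  # LogonType
    time: str        # TimeCreated/@SystemTime


def parse_4624(xml_text: str) -> Optional[LogonRecord]:
    """Parse one event in the Windows event XML schema; None unless it is a 4624."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_data = root.find("e:EventData", NS)
    if system is None or event_data is None:
        return None
    if system.findtext("e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): (d.text or "") for d in event_data.findall("e:Data", NS)}
    created = system.find("e:TimeCreated", NS)
    return LogonRecord(
        dc=system.findtext("e:Computer", namespaces=NS) or "",
        account=data.get("TargetUserName", ""),
        domain=data.get("TargetDomainName", ""),
        source_ip=data.get("IpAddress", "-"),
        logon_type=int(data.get("LogonType", "0") or 0),
        time=created.get("SystemTime", "") if created is not None else "",
    )


def admin_key(domain: str, account: str) -> str:
    """Case-insensitive DOMAIN\\user key, the form used in the admin inventory."""
    return f"{domain}\\{account}".upper()


def find_bypass_logons(records: Iterable[Optional[LogonRecord]], domain_admins: Set[str],
                       bastion_ips: Set[str]) -> List[LogonRecord]:
    """Keep administrator logon records (step A2), then alert on any whose source
    address is not a bastion host (step S103). Console and local logons did not come
    through the bastion either, so they are reported as well."""
    admins = {a.upper() for a in domain_admins}
    alerts: List[LogonRecord] = []
    for rec in records:
        if rec is None or rec.logon_type not in SESSION_LOGON_TYPES:
            continue
        if admin_key(rec.domain, rec.account) not in admins:
            continue                     # not an administrator logon record
        if rec.source_ip in bastion_ips:
            continue                     # normal: came through the bastion host
        alerts.append(rec)
    return alerts


# ---- constructed sample input (not real log data) ----------------------------------
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    "<EventID>{eid}</EventID><Channel>Security</Channel>"
    '<TimeCreated SystemTime="{time}"/><Computer>{dc}</Computer></System>'
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="TargetDomainName">{domain}</Data>'
    '<Data Name="LogonType">{ltype}</Data><Data Name="IpAddress">{ip}</Data>'
    "</EventData></Event>"
)


def _ev(eid, user, ltype, ip, dc="dc1.xxsec.com", domain="XXSEC", time="2019-04-03T08:00:00Z"):
    return _TEMPLATE.format(eid=eid, user=user, domain=domain, ltype=ltype, ip=ip, dc=dc, time=time)


SAMPLE_EVENTS = [
    _ev(4624, "admin1", 10, "10.0.0.5"),      # RDP session via the bastion host: normal
    _ev(4624, "admin1", 3, "10.20.30.40"),    # network logon from a workstation: alert
    _ev(4624, "admin2", 5, "-"),              # service logon on the DC itself: ignored
    _ev(4624, "bob", 3, "10.20.30.41"),       # not a domain admin: ignored
    _ev(4672, "admin1", 3, "10.20.30.40"),    # "special privileges assigned", not a 4624
]
DOMAIN_ADMINS = {"XXSEC\\admin1", "XXSEC\\admin2"}   # assumed step S101 inventory
BASTION_IPS = {"10.0.0.5"}                          # assumed preset bastion host address


def run_sample() -> List[LogonRecord]:
    return find_bypass_logons((parse_4624(x) for x in SAMPLE_EVENTS), DOMAIN_ADMINS, BASTION_IPS)


if __name__ == "__main__":
    for rec in run_sample():
        print(f"ALERT {rec.dc}: {rec.domain}\\{rec.account} from {rec.source_ip} "
              f"(logon type {rec.logon_type}) at {rec.time}")
```

Two points a deployment has to settle that the patent text leaves open: the source address in a 4624 record is "-" for console logons and a loopback address for local ones, and neither is the bastion, so they are reported rather than silently skipped; and only session logon types are checked, because scheduled tasks and services on the domain controller itself produce 4624 records under administrator accounts that would otherwise drown the real alerts.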
Further, the method also comprises:
counting, from the log information of a domain controller, the number of logons of each domain admin within a set period; and, if the number of logons of a domain admin reaches a preset threshold, sending an alert message containing the account information of that domain admin to the preset terminal.
In this embodiment the logon frequency of each domain admin is also monitored. Under normal circumstances a domain admin does not log on an excessive number of times within a given period, so if a domain admin is observed logging on to domain controllers frequently within a given period, this is judged abnormal logon behaviour and an alert is raised, so that the domain admin with the excessive logon count can be verified later.
In addition, in practice the frequency of cross-domain access is not high: a domain admin of one domain normally accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Therefore, the method also comprises:
determining cross-domain logon records from the log information of a domain controller, a cross-domain logon record being a logon record of a domain admin who does not belong to the domain of that domain controller; and, when the number of cross-domain logon records reaches a preset threshold, sending an alert message containing the cross-domain logon records to the preset terminal.
Thus, in this embodiment, the access behaviour of each domain admin can also be monitored through the access frequency of the domain admins of the domain itself and the cross-domain access frequency of the domain admins of other domains, protecting the Active Directory stored on the domain controllers more comprehensively.
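The following Python example is added by the editor, not code from the patent, and demonstrates the two optional checks above: the per-admin logon count within a set period and the per-domain-controller count of cross-domain logons. The logon records are constructed (already filtered to domain admin accounts as in step A2), the DC-to-domain mapping DC_DOMAIN stands in for the step S101 inventory, and the window and thresholds are assumed values.

```python
"""Logon-frequency and cross-domain thresholds over domain admin logon records.
Editor's added example; the sample records and thresholds below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class Logon(NamedTuple):
    dc: str          # DC that recorded the logon
    account: str     # TargetUserName
    domain: str      # TargetDomainName of the account (NetBIOS name)
    source_ip: str
    time: datetime


def frequency_alerts(records: Iterable[Logon], window: timedelta,
                     threshold: int) -> List[Tuple[str, datetime, int]]:
    """Sliding-window count per admin account. Emits (account, time, count) the
    moment the logons within `window` reach `threshold`, then resets that account's
    window so one burst produces one alert rather than one per additional logon."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, int]] = []
    for rec in sorted(records, key=lambda r: r.time):
        key = f"{rec.domain}\\{rec.account}".upper()
        q = recent[key]
        q.append(rec.time)
        while q and rec.time - q[0] > window:
            q.popleft()                      # drop logons older than the window
        if len(q) >= threshold:
            alerts.append((key, rec.time, len(q)))
            q.clear()
    return alerts


def cross_domain_alerts(records: Iterable[Logon], dc_domain: Dict[str, str],
                        threshold: int) -> Dict[str, List[Logon]]:
    """Per DC, collect logons by admins whose domain differs from the DC's own
    domain; return the DCs whose cross-domain logon count reaches `threshold`."""
    by_dc: Dict[str, List[Logon]] = defaultdict(list)
    for rec in records:
        home = dc_domain.get(rec.dc)
        if home is None:
            continue                         # DC not in the step S101 inventory
        if rec.domain.upper() != home.upper():
            by_dc[rec.dc].append(rec)
    return {dc: recs for dc, recs in by_dc.items() if len(recs) >= threshold}


# ---- constructed sample input ------------------------------------------------------
DC_DOMAIN = {"dc1.xxsec.com": "XXSEC", "dc1.shenzhen.xxsec.com": "SHENZHEN"}
T0 = datetime(2019, 4, 3, 8, 0, 0)
SAMPLE: List[Logon] = (
    # XXSEC\admin1 logs on to the root DC six times in under eight minutes
    [Logon("dc1.xxsec.com", "admin1", "XXSEC", "10.0.0.5", T0 + timedelta(minutes=i * 1.5))
     for i in range(6)]
    # the same root-domain admin also logs on to the Shenzhen DC twice (cross-domain)
    + [Logon("dc1.shenzhen.xxsec.com", "admin1", "XXSEC", "10.0.0.5", T0 + timedelta(hours=1)),
       Logon("dc1.shenzhen.xxsec.com", "admin1", "XXSEC", "10.0.0.5", T0 + timedelta(hours=2))]
    # a Shenzhen admin on its own DC: neither frequent nor cross-domain
    + [Logon("dc1.shenzhen.xxsec.com", "admin_sz", "SHENZHEN", "10.0.0.5", T0 + timedelta(hours=3))]
)


def run_sample():
    freq = frequency_alerts(SAMPLE, window=timedelta(minutes=10), threshold=5)
    cross = cross_domain_alerts(SAMPLE, DC_DOMAIN, threshold=2)
    return freq, cross


if __name__ == "__main__":
    freq, cross = run_sample()
    for acct, when, n in freq:
        print(f"ALERT frequent logons: {acct} reached {n} within 10 min at {when:%H:%M}")
    for dc, recs in cross.items():
        print(f"ALERT cross-domain: {dc} has {len(recs)} logons by admins of other domains")
```

The cross-domain check needs the domain each domain controller belongs to, which the event itself does not carry; here it comes from the DC inventory keyed by host name, which is why the inventory from step S101 should record the domain alongside the address. Both checks run on the bastion-routed logons too, because a compromised bastion session looks normal to the source-address check and only shows up as an unusual rate or an unusual domain.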
Further, the method also comprises:
Step B1: initiate a simulated logon event against each domain controller, the simulated logon event being a logon to the domain controller made directly without passing through the preset bastion host;
Step B2: judge, from the log information of each domain controller, whether the simulated logon event was detected and, if not, send an alert message containing the IP address information of the domain controller on which it was not detected to the preset terminal.
In this embodiment, to verify the effectiveness of steps S101 to S103 above, a simulated logon event can be initiated periodically against each domain controller in the target domain, simulating the case of an attacker misusing an administrator account to access a domain controller without going through the bastion host. By analysing the logon log information of each domain controller it is judged whether the simulated logon event can be detected, and an alert is raised if it cannot. In practice, a script can be developed that scans each domain controller in the target domain, triggers the simulated logon events, examines the logs and presents the results visually; by reviewing the resulting chart, users can easily spot problems.
In addition, to distinguish simulated logon events from real ones, the simulated logon events can be bound to a designated domain admin account: if a logon event that bypassed the bastion host was initiated by the designated domain admin (that is, the administrator logon record contains the designated domain admin's account information), it is judged to be a simulated logon event and the corresponding chart is drawn; if it was not initiated by the designated domain admin (that is, the administrator logon record contains another domain admin's account information), it is judged to be a real logon event and an alert is raised as in step S103.
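The following Python example is added by the editor, not code from the patent, and demonstrates step B2 together with the separation of simulated logon events from real ones described above. The input is the set of administrator logon records already collected from each domain controller (step A2); the DC inventory DC_INVENTORY, the designated canary account CANARY, the bastion address BASTION_IPS and the records are constructed values.

```python
"""Step B2: check which domain controllers recorded the simulated (canary) logon that
bypassed the bastion host, while still alerting on every other bypass logon.
Editor's added example; all sample values are constructed."""
from typing import Iterable, List, NamedTuple, Set, Tuple


class Logon(NamedTuple):
    dc: str          # DC that recorded the logon
    account: str     # TargetUserName
    domain: str      # TargetDomainName of the account
    source_ip: str   # IpAddress from the 4624 record


def check_canary(records: Iterable[Logon], dc_inventory: Set[str], canary: str,
                 bastion_ips: Set[str]) -> Tuple[List[str], List[Logon]]:
    """Split bastion-bypassing administrator logons into the designated canary's
    (expected, one per DC in the test period) and everyone else's (real alerts, as
    in step S103). Returns (DCs whose logs show no canary logon, real bypass logons)."""
    canary = canary.upper()
    seen_canary: Set[str] = set()
    real: List[Logon] = []
    for rec in records:
        if rec.source_ip in bastion_ips:
            continue                               # via the bastion host: normal
        if f"{rec.domain}\\{rec.account}".upper() == canary:
            seen_canary.add(rec.dc)                # simulated logon event observed
        else:
            real.append(rec)                       # genuine bypass: alert as in S103
    missing = sorted(dc_inventory - seen_canary)   # monitoring gap on these DCs
    return missing, real


# ---- constructed sample input ------------------------------------------------------
DC_INVENTORY = {"dc1.xxsec.com", "dc2.xxsec.com", "dc1.shenzhen.xxsec.com"}
CANARY = "XXSEC\\canary_admin"      # designated account bound to the simulated logons
BASTION_IPS = {"10.0.0.5"}
SAMPLE = [
    Logon("dc1.xxsec.com", "canary_admin", "XXSEC", "10.99.0.7"),         # canary seen
    Logon("dc2.xxsec.com", "canary_admin", "XXSEC", "10.99.0.7"),         # canary seen
    Logon("dc2.xxsec.com", "admin1", "XXSEC", "10.20.30.40"),             # real bypass
    Logon("dc1.shenzhen.xxsec.com", "admin_sz", "SHENZHEN", "10.0.0.5"),  # via bastion
    # dc1.shenzhen.xxsec.com never reports the canary: its logs are not reaching us
]


def run_sample() -> Tuple[List[str], List[Logon]]:
    return check_canary(SAMPLE, DC_INVENTORY, CANARY, BASTION_IPS)


if __name__ == "__main__":
    missing, real = run_sample()
    for dc in missing:
        print(f"ALERT monitoring gap: no simulated logon recorded from {dc}")
    for rec in real:
        print(f"ALERT {rec.dc}: {rec.domain}\\{rec.account} from {rec.source_ip} bypassed the bastion")
```

The canary account should hold no privilege beyond what the simulated logon needs, and the canary run should be a scheduled job from one known test host, so that an administrator logon from that host outside a test window is itself worth an alert rather than being whitelisted.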
Preferably, in practice all of the above methods can be implemented through a SOC (Security Operations Center). A SOC collects, stores and processes all kinds of security-related monitoring and alert information of the enterprise in a unified way, routes security incident tickets through a security incident management process, has first-, second- and third-line security staff handle security alerts of different levels, and reviews security incidents and improves continuously to raise security effectiveness. A SOC is a system, a product and a service, and also an operation (O&M); it is a combination of technology, process and people. In this embodiment, the SOC obtains the IP address information of all domain controllers and the account information of all domain admins in the target domain, obtains log information from each domain controller according to the IP address information, extracts administrator logon records from each set of log information according to the account information, and finally judges whether the source address in each administrator logon record is the address of the preset bastion host, sending an alert message containing the administrator logon record to the preset terminal if it is not. In addition, the SOC can periodically initiate simulated logon events against each domain controller and analyse from the log information of each domain controller which domain controllers detect the simulated logon events and which do not.
Embodiment two
Based on the method for monitoring domain admins provided in embodiment one, this embodiment provides an apparatus for monitoring domain admins. Fig. 3 shows an optional structural block diagram of the apparatus, which is divided into one or more program modules stored in a storage medium and executed by one or more processors to carry out the invention. A program module in the sense of the invention is a series of computer program instruction segments capable of completing a specific function, and is better suited than the program itself to describing the execution of the apparatus in the storage medium. The function of each program module of this embodiment is described below.
As shown in Fig. 3, the apparatus for monitoring domain admins comprises the following parts:
an obtaining module 301, for obtaining the IP address information of all domain controllers in the target domain and the account information of all domain admins in the target domain;
a determining module 302, for obtaining log information from each domain controller according to the IP address information and identifying administrator logon records in each set of log information according to the account information; and
a processing module 303, for judging, for each administrator logon record, whether the source address in the record is the address of the preset bastion host and, if not, sending an alert message containing the administrator logon record to the preset terminal.
Specifically, the obtaining module 301 is used for:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain; and searching the Active Directory of any domain controller in the target domain for administrator accounts associated with a specified security identifier (SID).
Preferably, the obtaining module 301 uses the SID S-1-5-32-544 as the search key when traversing Active Directory to obtain the account information of all domain admins in the target domain: S-1-5-32-544 is the well-known SID of the built-in Administrators group, so the administrator accounts found to be members of that group are taken as the domain admins of the target domain. In addition, the obtaining module 301 can also obtain the account information of all domain admins in the target domain from the Domain Admins (DA) group of Active Directory.
The determining module 302 is specifically used for:
determining each domain controller in the target domain from the IP address information, obtaining log information from each of the determined domain controllers, and identifying from each set of log information, according to the account information, the administrator logon records that contain a domain admin account.
Further, the apparatus also comprises:
a statistics module, for counting, from the log information of a domain controller, the number of logons of each domain admin within a set period and, if the number of logons of a domain admin reaches a preset threshold, sending an alert message containing the account information of that domain admin to the preset terminal.
In this embodiment the logon frequency of each domain admin is also monitored. Under normal circumstances a domain admin does not log on an excessive number of times within a given period, so if a domain admin is observed logging on to domain controllers frequently within a given period, this is judged abnormal logon behaviour and an alert is raised, so that the domain admin with the excessive logon count can be verified later.
In addition, in practice the frequency of cross-domain access is not high: a domain admin of one domain normally accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Therefore, the statistics module is also used for:
determining cross-domain logon records from the log information of a domain controller, a cross-domain logon record being a logon record of a domain admin who does not belong to the domain of that domain controller; and, when the number of cross-domain logon records reaches a preset threshold, sending an alert message containing the cross-domain logon records to the preset terminal.
Further, the apparatus also comprises:
a test module, for initiating a simulated logon event against each domain controller, the simulated logon event being a logon to the domain controller made directly without passing through the preset bastion host, and for judging, from the log information of each domain controller, whether the simulated logon event was detected and, if not, sending an alert message containing the IP address information of the domain controller on which it was not detected to the preset terminal.
Embodiment three
This embodiment also provides a computer device, which may be any device capable of executing a program, such as a smart phone, tablet computer, notebook computer, desktop computer, rack server, blade server, tower server or cabinet server (including an independent server or a server cluster composed of multiple servers). As shown in Fig. 4, the computer device 40 of this embodiment includes at least, but is not limited to, a memory 401 and a processor 402 that can communicate with each other through a system bus. It should be noted that Fig. 4 shows only the computer device 40 with components 401-402; it should be understood that not all of the shown components are required, and that more or fewer components may be implemented instead.
In this embodiment, the memory 401 (i.e. a readable storage medium) includes flash memory, a hard disk, a multimedia card, a card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc, and so on. In some embodiments, the memory 401 may be an internal storage unit of the computer device 40, such as a hard disk or memory of the computer device 40. In other embodiments, the memory 401 may also be an external storage device of the computer device 40, such as a plug-in hard disk, smart media card (SMC), secure digital (SD) card or flash card fitted to the computer device 40. Of course, the memory 401 may also include both the internal storage unit of the computer device 40 and its external storage device. In this embodiment, the memory 401 is generally used to store the operating system and the various application software installed on the computer device 40, such as the program code of the device for monitoring domain control administrators of embodiment two. In addition, the memory 401 may also be used to temporarily store various data that have been output or are to be output.
The processor 402 may in some embodiments be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip. The processor 402 is generally used to control the overall operation of the computer device 40.
Specifically, in this embodiment, the processor 402 is configured to execute the program of the method for monitoring domain control administrators stored in the processor 402, and when the program of the method for monitoring domain control administrators is executed, the following steps are implemented:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and according to the account information, determining administrator login information from each piece of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending an alarm message containing the administrator login information to a preset terminal.
The specific implementation process of the above method steps can be found in the first embodiment and is not repeated here.
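The three checks described in this section (the bastion-host source check of the method steps above, the per-administrator login-count threshold of the statistical module, and the simulated-login coverage test of the test module), as an added example that is not code from the patent. The bastion host address, domain SID, administrator SIDs, domain controller addresses, probe account and log records are all constructed; the records mimic the fields of Windows Security event 4624 (successful logon) that the method relies on.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed fixtures (not from the patent): the preset bastion host, the
# domain's SID prefix, its domain-control administrator SIDs, the DC
# addresses obtained from AD, and the account used for simulated logons.
BASTION_IPS = {"10.0.0.5"}
DOMAIN_SID = "S-1-5-21-1-2-3"
ADMIN_SIDS = {DOMAIN_SID + "-500", DOMAIN_SID + "-1107"}
DC_IPS = {"10.0.0.10", "10.0.0.11", "10.0.0.12"}
PROBE_SID = DOMAIN_SID + "-1200"
LOGIN_THRESHOLD = 3

@dataclass
class Alert:
    kind: str      # not_from_bastion | too_many_logins | blind_dc
    detail: dict   # the offending record, or the aggregate behind the alert

def admin_logons(events, admin_sids=ADMIN_SIDS):
    """Step 2: keep successful logons (event 4624) whose SID is a domain admin."""
    return [e for e in events if e["event_id"] == 4624 and e["sid"] in admin_sids]

def check_source(logons, bastion_ips=BASTION_IPS):
    """Step 3: alert on every admin logon whose source is not the bastion host."""
    return [Alert("not_from_bastion", e) for e in logons if e["src_ip"] not in bastion_ips]

def check_frequency(logons, threshold=LOGIN_THRESHOLD):
    """Statistical module: logons per admin in the collected window vs. a threshold."""
    counts = Counter(e["sid"] for e in logons)
    return [Alert("too_many_logins", {"sid": s, "count": n})
            for s, n in counts.items() if n >= threshold]

def check_coverage(events, dc_ips=DC_IPS, probe_sid=PROBE_SID):
    """Test module: after a simulated non-bastion logon to each DC, any DC whose
    collected log does not show the probe account is a monitoring blind spot."""
    seen = {e["dc_ip"] for e in events if e["sid"] == probe_sid}
    return [Alert("blind_dc", {"dc_ip": ip}) for ip in sorted(dc_ips - seen)]

def run(events):
    """All alerts the method would send to the preset terminal, in check order."""
    logons = admin_logons(events)
    return check_source(logons) + check_frequency(logons) + check_coverage(events)

# Constructed sample of records collected from the DCs: the logging DC, the
# event id (4624 success, 4625 failure), the account SID and the source address.
SAMPLE_EVENTS = [
    {"dc_ip": "10.0.0.10", "event_id": 4624, "sid": DOMAIN_SID + "-500", "src_ip": "10.0.0.5"},
    {"dc_ip": "10.0.0.10", "event_id": 4624, "sid": DOMAIN_SID + "-500", "src_ip": "10.0.0.5"},
    {"dc_ip": "10.0.0.11", "event_id": 4624, "sid": DOMAIN_SID + "-500", "src_ip": "10.0.0.5"},
    {"dc_ip": "10.0.0.11", "event_id": 4624, "sid": DOMAIN_SID + "-1107", "src_ip": "192.168.7.33"},
    {"dc_ip": "10.0.0.10", "event_id": 4625, "sid": DOMAIN_SID + "-1107", "src_ip": "192.168.7.33"},
    {"dc_ip": "10.0.0.10", "event_id": 4624, "sid": "S-1-5-7", "src_ip": "10.0.0.5"},
    {"dc_ip": "10.0.0.10", "event_id": 4624, "sid": PROBE_SID, "src_ip": "192.168.7.40"},
    {"dc_ip": "10.0.0.11", "event_id": 4624, "sid": PROBE_SID, "src_ip": "192.168.7.40"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert.kind, alert.detail)
```

On the sample, the failed logon (4625) and the non-admin SID are ignored, the logon from 192.168.7.33 is flagged, the built-in administrator's three logons reach the threshold, and 10.0.0.12 never reported the probe and is reported as a blind spot.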
Embodiment four
This embodiment also provides a computer-readable storage medium, such as flash memory, a hard disk, a multimedia card, a card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc, a server, an App store or the like, on which a computer program is stored; when the computer program is executed by a processor, the following method steps are implemented:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and according to the account information, determining administrator login information from each piece of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending an alarm message containing the administrator login information to a preset terminal.
The specific implementation process of the above method steps can be found in the first embodiment and is not repeated here.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the preferred implementation.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.
Claims (10)
1. A method for monitoring domain control administrators, characterized in that the method comprises:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and according to the account information, determining administrator login information from each piece of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending an alarm message containing the administrator login information to a preset terminal.
2. The method for monitoring domain control administrators according to claim 1, characterized in that obtaining the IP address information of all domain controllers in the target domain specifically comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
3. The method for monitoring domain control administrators according to claim 1, characterized in that obtaining the account information of all domain control administrators in the target domain specifically comprises:
searching the Active Directory of any domain controller in the target domain for administrator accounts containing a specified security identifier (SID).
4. The method for monitoring domain control administrators according to claim 1, characterized in that the method further comprises:
according to the log information of one domain controller, counting the number of logins of each domain control administrator within a set period; if the number of logins of a certain domain control administrator reaches a preset threshold, sending an alarm message containing the account information of that domain control administrator to the preset terminal.
5. The method for monitoring domain control administrators according to claim 1, characterized in that the method further comprises:
initiating a simulated login event to each domain controller respectively, where the simulated login event is an event of logging in to the domain controller directly without going through the preset bastion host;
according to the log information of each domain controller, judging whether the simulated login event can be monitored, and if not, sending to the preset terminal an alarm message containing the IP address information of the domain controller that could not be monitored.
6. A device for monitoring domain control administrators, characterized in that the device comprises:
an obtaining module, configured to obtain the IP address information of all domain controllers in a target domain and to obtain the account information of all domain control administrators in the target domain;
a determining module, configured to obtain log information from each domain controller respectively according to the IP address information, and to determine administrator login information from each piece of log information according to the account information;
a processing module, configured to judge, for the administrator login information, whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, to send an alarm message containing the administrator login information to a preset terminal.
7. The device for monitoring domain control administrators according to claim 6, characterized in that the device further comprises:
a statistical module, configured to count, according to the log information of one domain controller, the number of logins of each domain control administrator within a set period, and if the number of logins of a certain domain control administrator reaches a preset threshold, to send an alarm message containing the account information of that domain control administrator to the preset terminal.
8. The device for monitoring domain control administrators according to claim 6, characterized in that the device further comprises:
a test module, configured to initiate a simulated login event to each domain controller respectively, where the simulated login event is an event of logging in to the domain controller directly without going through the preset bastion host; and to judge, according to the log information of each domain controller, whether the simulated login event can be monitored, and if not, to send to the preset terminal an alarm message containing the IP address information of the domain controller that could not be monitored.
9. A computer device, comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910268028.6A CN110049028B (en) | 2019-04-03 | 2019-04-03 | Method and device for monitoring domain control administrator, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110049028A true CN110049028A (en) | 2019-07-23 |
CN110049028B CN110049028B (en) | 2021-03-23 |
Family
ID=67276196
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910268028.6A Active CN110049028B (en) | 2019-04-03 | 2019-04-03 | Method and device for monitoring domain control administrator, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110049028B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102333090A (en) * | 2011-09-28 | 2012-01-25 | 辽宁国兴科技有限公司 | Internal control bastion host and security access method of internal network resources |
CN102413013A (en) * | 2011-11-21 | 2012-04-11 | 北京神州绿盟信息安全科技股份有限公司 | Method and device for detecting abnormal network behavior |
CN104239197A (en) * | 2014-10-10 | 2014-12-24 | 浪潮电子信息产业股份有限公司 | Administrative user abnormal behavior detection method based on big data log analysis |
US9225721B2 (en) * | 2011-11-16 | 2015-12-29 | Google Inc. | Distributing overlay network ingress information |
CN106445763A (en) * | 2016-09-09 | 2017-02-22 | 中国南方电网有限责任公司电网技术研究中心 | Power distribution and utilization big data platform test method and system |
CN108521347A (en) * | 2018-04-10 | 2018-09-11 | 江苏亨通工控安全研究院有限公司 | Industry control O&M behavior auditing method, apparatus and system |
CN108984379A (en) * | 2018-07-10 | 2018-12-11 | 湖南人文科技学院 | A kind of dispatch data net remotely accesses the system and method for reinforcing and Centralized Monitoring |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110688274A (en) * | 2019-08-30 | 2020-01-14 | 平安科技(深圳)有限公司 | Active directory monitoring method based on Windows Server operating system and related equipment |
CN112398695A (en) * | 2020-11-19 | 2021-02-23 | 上海浦东发展银行股份有限公司 | Large-scale terminal equipment management and control method, system, equipment and storage medium |
CN112398695B (en) * | 2020-11-19 | 2022-06-28 | 上海浦东发展银行股份有限公司 | Large-scale terminal equipment control method, system, equipment and storage medium |
CN114205110A (en) * | 2021-11-02 | 2022-03-18 | 北京中安网星科技有限责任公司 | AD domain threat detection method and device and electronic equipment |
CN114205110B (en) * | 2021-11-02 | 2023-11-10 | 北京中安网星科技有限责任公司 | AD domain threat detection method and device and electronic equipment |
CN116204494A (en) * | 2023-04-28 | 2023-06-02 | 深圳竹云科技股份有限公司 | Method and device for migrating active directory data, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant after: Qianxin Technology Group Co.,Ltd.; Address before: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing; Applicant before: Beijing Qi'anxin Technology Co.,Ltd. |
GR01 | Patent grant | ||