CN110049028A - Method, apparatus, computer device and storage medium for monitoring domain controller administrators - Google Patents

Info

Publication number: CN110049028A
Application number: CN201910268028.6A
Authority: CN (China)
Prior art keywords: domain, administrator, log, information, message
Legal status: Granted (the status listed is an assumption by Google, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110049028B
Inventor: 聂君
Current assignee: Beijing Qianxin Technology Co Ltd (the assignee listing may be inaccurate)
Original assignee: Beijing Qianxin Technology Co Ltd
Priority: CN201910268028.6A
Events: application filed by Beijing Qianxin Technology Co Ltd; publication of CN110049028A; application granted; publication of CN110049028B; legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 ... for authentication of entities
    • H04L 63/0876 ... for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 63/14 ... for detecting or protecting against malicious traffic
    • H04L 63/1408 ... for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method, apparatus, computer device and storage medium for monitoring domain controller administrators. The method comprises: obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain controller administrators in the target domain; according to the IP address information, obtaining log information from each domain controller respectively, and according to the account information, determining the administrator logon records in each log; for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the administrator logon record to a preset terminal. By monitoring the behaviour of domain controller administrators logging on to domain controllers, the invention protects the Active Directory stored on the domain controllers.

Description

Method, apparatus, computer device and storage medium for monitoring domain controller administrators
Technical field
The present invention relates to the technical field of network security, and in particular to a method, apparatus, computer device and storage medium for monitoring domain controller administrators.
Background art
To manage enterprise-wide resources such as computers and users centrally, Microsoft introduced the Active Directory (AD) solution. Unlike the traditional workgroup model, the greatest advantage of Active Directory is centralised management, including unified identity authentication and permission control. Because Active Directory stores the information about every computer and user in the enterprise, only domain controller administrators are permitted to access the Active Directory located on the domain controllers, so as to protect it. An attacker, however, can impersonate a domain controller administrator, log on to a domain controller and access Active Directory, so how to protect Active Directory effectively has become a technical problem in urgent need of a solution.
Summary of the invention
The purpose of the present invention is to provide a method, apparatus, computer device and storage medium for monitoring domain controller administrators, which protect the Active Directory stored on domain controllers by monitoring the logon behaviour of domain controller administrators on those domain controllers.
According to one aspect of the invention, a method for monitoring domain controller administrators is provided, comprising the following steps:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain controller administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and according to the account information, determining the administrator logon records in each log;
for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the administrator logon record to a preset terminal.
Optionally, obtaining the IP address information of all domain controllers in the target domain specifically comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
Optionally, obtaining the account information of all domain controller administrators in the target domain specifically comprises:
searching the Active Directory of any domain controller in the target domain for the administrator accounts associated with a specified security identifier (SID).
Optionally, the method further comprises:
according to the log information of a domain controller, counting the number of logons of each domain controller administrator within a set period; if the number of logons of a given domain controller administrator reaches a preset threshold, sending an alarm message containing that administrator's account information to the preset terminal.
Optionally, the method further comprises:
initiating a simulated logon event against each domain controller respectively, the simulated logon event being a direct logon to the domain controller that does not pass through the preset bastion host;
according to the log information of each domain controller, judging whether the simulated logon event was detected and, if not, sending an alarm message containing the IP address of the domain controller on which it was not detected to the preset terminal.
To achieve the above object, the present invention also provides an apparatus for monitoring domain controller administrators, which specifically comprises the following components:
an obtaining module, for obtaining the IP address information of all domain controllers in a target domain and the account information of all domain controller administrators in the target domain;
a determining module, for obtaining log information from each domain controller respectively according to the IP address information, and determining the administrator logon records in each log according to the account information;
a processing module, for judging, for each administrator logon record, whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the administrator logon record to a preset terminal.
Optionally, the apparatus further comprises:
a statistics module, for counting, according to the log information of a domain controller, the number of logons of each domain controller administrator within a set period and, if the number of logons of a given domain controller administrator reaches a preset threshold, sending an alarm message containing that administrator's account information to the preset terminal.
Optionally, the apparatus further comprises:
a test module, for initiating a simulated logon event against each domain controller respectively, the simulated logon event being a direct logon to the domain controller that does not pass through the preset bastion host, and for judging, according to the log information of each domain controller, whether the simulated logon event was detected and, if not, sending an alarm message containing the IP address of the domain controller on which it was not detected to the preset terminal.
To achieve the above object, the present invention also provides a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the steps of the above method for monitoring domain controller administrators when executing the computer program.
To achieve the above object, the present invention also provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the steps of the above method for monitoring domain controller administrators when executed by a processor.
The method, apparatus, computer device and storage medium for monitoring domain controller administrators provided by the present invention protect the Active Directory stored on domain controllers by monitoring the logon behaviour of domain controller administrators on those domain controllers: when the source address of an access to Active Directory is found not to be the address of the preset bastion host, the source address information is obtained and an alarm is raised, thereby protecting Active Directory. In addition, in this embodiment the number of times each domain controller administrator logs on to a domain controller can also be monitored, so that administrators who log on unusually often are verified manually and a potential risk is avoided.
Brief description of the drawings
By reading the following detailed description of preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings the same reference numerals denote the same parts. In the drawings:
Fig. 1 is an optional flow diagram of the method for monitoring domain controller administrators provided by embodiment one;
Fig. 2 is a schematic diagram of the enterprise domain forest in embodiment one;
Fig. 3 is an optional program-module diagram of the apparatus for monitoring domain controller administrators provided by embodiment two;
Fig. 4 is an optional hardware-architecture diagram of the computer device provided by embodiment three.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is further described below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
Embodiment one
The method for monitoring domain controller administrators provided by the invention is described below with reference to the drawings.
Fig. 1 is an optional flow diagram of the method for monitoring domain controller administrators of the invention. The method specifically comprises the following steps:
Step S101: obtain the IP (Internet Protocol) address information of all domain controllers in the target domain, and obtain the account information of all domain controller administrators in the target domain.
In this embodiment, as shown in Fig. 2, the target domain may be the domain forest of an enterprise: the parent company forms the root domain of the forest (xxsec.com in the figure) and each subsidiary forms a subdomain (shenzhen.xxsec.com, dongguan.xxsec.com and changchun.xxsec.com in the figure). The root domain and each subdomain are each served by one or more domain controllers. A domain controller authenticates every computer and user that connects to the network, and each domain controller stores a copy of Active Directory. Active Directory holds information about network objects (users, groups, domains, security policies and so on), and the directory content is the same on every domain controller. Because Active Directory stores the information about every computer and user in the enterprise, only domain controller administrators who have been granted permission may log on to a domain controller and access the Active Directory located on it, so as to protect the security of the domain controllers and of Active Directory.
Specifically, obtaining the IP address information of all domain controllers in the target domain comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
Since the Active Directory content on every domain controller is the same, the IP address information of all domain controllers in the target domain can be obtained from the Active Directory of any one domain controller in the target domain.
Further, obtaining the account information of all domain controller administrators in the target domain comprises:
searching the Active Directory of any domain controller in the target domain for the administrator accounts associated with a specified security identifier (SID).
Preferably, the SID (Security Identifier) S-1-5-32-544, which identifies the built-in Administrators group, is used as the feature for traversing Active Directory to obtain the account information of all domain controller administrators in the target domain: the administrator accounts matched by S-1-5-32-544 are the domain controller administrators of the target domain. The account information of all domain controller administrators in the target domain may also be obtained from the Domain Admins (DA) group of Active Directory.
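As an added illustration of step S101 (this is not the patent's code), the following Python resolves the set of domain controller administrator accounts from a constructed directory snapshot. S-1-5-32-544 is the SID of the built-in Administrators group, not of any user object, so the accounts have to be found by expanding that group's membership, and the expansion has to be transitive: on a domain controller, Administrators contains Domain Admins (RID 512) and Enterprise Admins (RID 519), and those groups may nest further, possibly in cycles. The domain SID prefix, group layout and account names below are placeholders.

```python
# Well-known SIDs (real values). S-1-5-32-544 identifies the BUILTIN\Administrators
# group; user objects never carry it, so administrators must be found by expanding
# that group's membership. Domain Admins / Enterprise Admins are domain-relative RIDs.
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
DOMAIN_ADMINS_RID = 512
ENTERPRISE_ADMINS_RID = 519

# Constructed directory snapshot: objectSid -> (sAMAccountName, objectClass, member SIDs).
# The domain SID prefix is a placeholder, not a real domain.
DOMAIN_SID = "S-1-5-21-111-222-333"
DIRECTORY = {
    BUILTIN_ADMINISTRATORS: ("Administrators", "group",
                             [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519", f"{DOMAIN_SID}-500"]),
    f"{DOMAIN_SID}-512": ("Domain Admins", "group",
                          [f"{DOMAIN_SID}-500", f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1200"]),
    f"{DOMAIN_SID}-519": ("Enterprise Admins", "group", [f"{DOMAIN_SID}-500"]),
    f"{DOMAIN_SID}-1200": ("Tier0-Ops", "group",      # nested group that loops back to DA
                           [f"{DOMAIN_SID}-1301", f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-9999"]),
    f"{DOMAIN_SID}-500": ("Administrator", "user", []),
    f"{DOMAIN_SID}-1105": ("alice.adm", "user", []),
    f"{DOMAIN_SID}-1301": ("bob.ops", "user", []),
    f"{DOMAIN_SID}-1400": ("carol", "user", []),      # ordinary user, must not be listed
}

def privileged_group_sids(domain_sid):
    """Groups whose members count as domain controller administrators."""
    return [BUILTIN_ADMINISTRATORS,
            f"{domain_sid}-{DOMAIN_ADMINS_RID}",
            f"{domain_sid}-{ENTERPRISE_ADMINS_RID}"]

def resolve_members(directory, group_sid, seen=None):
    """Transitively expand group_sid to the set of user SIDs it contains.
    `seen` stops infinite recursion on nested-group cycles, which AD permits;
    dangling member SIDs (deleted objects) are skipped."""
    seen = set() if seen is None else seen
    if group_sid in seen or group_sid not in directory:
        return set()
    seen.add(group_sid)
    users = set()
    for sid in directory[group_sid][2]:
        if sid not in directory:
            continue
        if directory[sid][1] == "user":
            users.add(sid)
        else:
            users |= resolve_members(directory, sid, seen)
    return users

def admin_accounts(directory, domain_sid):
    """Step S101: account names of every administrator, sorted."""
    sids = set()
    for group in privileged_group_sids(domain_sid):
        sids |= resolve_members(directory, group)
    return sorted(directory[sid][0] for sid in sids)
```

In a live environment the snapshot would be read over LDAP from any one domain controller, as the patent says, because directory data replicates between domain controllers; the Security event logs used in the next steps do not replicate, which is why they must be collected from every domain controller individually.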
Step S102: according to the IP address information, obtain log information from each domain controller respectively, and according to the account information, determine the administrator logon records in each log.
Specifically, step S102 comprises:
Step A1: according to the IP address information, determine each domain controller in the target domain, and obtain log information from each of the determined domain controllers respectively;
Step A2: according to the account information, determine from each log the administrator logon records that contain a domain controller administrator account.
When a domain controller administrator logs on to a domain controller successfully, a corresponding administrator logon record is written to the domain controller's log; in this embodiment only successful logons to domain controllers are examined.
Step S103: for each administrator logon record, judge whether the source address in the record is the address of the preset bastion host and, if not, send an alarm message containing the administrator logon record to the preset terminal.
In the prior art, a bastion host may be deployed to protect the Active Directory stored on domain controllers: to access Active Directory on a domain controller, a domain controller administrator must first connect to the bastion host and then reach the domain controller through it. Although an attacker may obtain a domain controller administrator's account and impersonate the administrator to access a domain controller, the attacker cannot easily learn the bastion host's address and so can only impersonate the administrator in a direct logon to the domain controller. Therefore, in this embodiment, whether the source address in an administrator logon record is the bastion host's address is used to decide whether the access came from an attacker or from a domain controller administrator: for a normal access by an administrator the source address in the logon record is the preset bastion host's address, whereas for an abnormal access by an attacker it is the address of some other terminal.
When the preset terminal receives an alarm message, staff can investigate the corresponding domain controller administrator according to the administrator logon record contained in the message, and may subsequently change that administrator's logon account and password and refuse the administrator's access requests.
In this embodiment, the logon log of the domain controller is analysed to judge whether the logon source is the address of the preset bastion host; if so, the logon is judged normal, if not, it is judged abnormal, and an early warning is issued when an abnormal logon is found, so that the Active Directory stored on the domain controller is protected.
Further, the method also comprises:
according to the log information of a domain controller, counting the number of logons of each domain controller administrator within a set period; if the number of logons of a given administrator reaches a preset threshold, sending an alarm message containing that administrator's account information to the preset terminal.
In this embodiment the logon frequency of each domain controller administrator is also monitored. Under normal circumstances an administrator does not log on excessively within a given period; if an administrator is observed logging on to domain controllers frequently within a period, the behaviour is judged abnormal and an early warning is issued, so that the administrator with the excessive logon count can be verified afterwards.
In addition, in practice cross-domain access is infrequent: an administrator of one domain usually accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Therefore the method also comprises:
according to the log information of a domain controller, determining cross-domain logon records, a cross-domain logon record being a logon record of an administrator who does not belong to the domain of that domain controller; when the number of cross-domain logon records reaches a preset threshold, sending an alarm message containing the cross-domain logon records to the preset terminal.
Thus, in this embodiment, the access behaviour of every domain controller administrator can also be monitored through the access frequency of each domain's own administrators and the cross-domain access frequency of other domains' administrators, which protects the Active Directory stored on the domain controllers more comprehensively.
Further, the method also comprises:
Step B1: initiate a simulated logon event against each domain controller respectively, the simulated logon event being a direct logon to the domain controller that does not pass through the preset bastion host;
Step B2: according to the log information of each domain controller, judge whether the simulated logon event was detected and, if not, send an alarm message containing the IP address of the domain controller on which it was not detected to the preset terminal.
In this embodiment, to verify the effectiveness of steps S101 to S103, a simulated logon event can be initiated periodically against each domain controller in the target domain to reproduce the case of an attacker using a stolen administrator account to access a domain controller without passing through the bastion host. The logon log of each domain controller is then analysed to judge whether the simulated logon event can be detected, and an early warning is issued for any domain controller on which it cannot. In practice a script can be developed that scans each domain controller in the target domain, triggers the simulated logon event, inspects the logs and presents the inspection results visually, so that users can easily find problems by looking at the resulting charts.
In addition, to distinguish simulated logon events from real ones, the simulated logon event can be bound to a designated domain controller administrator: if a logon event that did not pass through the bastion host was initiated by the designated administrator (that is, the administrator logon record contains the designated administrator's account), it is judged to be a simulated logon event and the corresponding chart is drawn; if it was not initiated by the designated administrator (the record contains another administrator's account), it is judged to be a real logon event and the alarm operation of step S103 is performed.
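The bastion-source check of step S103, the logon-count and cross-domain thresholds, and the simulated-logon self-test of steps B1 and B2, as one added Python example that is not the patent's code. The records are constructed in the shape of the fields of Windows Security event 4624 (successful logon) as collected from each domain controller; the bastion address 10.0.0.5, the domain controller addresses, the account names and the designated simulation account XXSEC\canary.adm are assumptions. Going slightly beyond the text, it canonicalises IPv4-mapped IPv6 source addresses, discards local and service logons (which never carry a bastion source), and only considers network (type 3) and remote interactive (type 10) logons, since those are the ones that can arrive through a bastion host.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed environment (placeholders): bastion address, DC address -> NetBIOS
# domain, the privileged accounts found in step S101, and one designated
# account that is used only for simulated direct logons (step B1).
BASTION_HOSTS = {"10.0.0.5"}
DC_DOMAINS = {"10.1.0.10": "XXSEC", "10.2.0.10": "SHENZHEN", "10.3.0.10": "DONGGUAN"}
ADMIN_ACCOUNTS = {"XXSEC\\administrator", "XXSEC\\alice.adm",
                  "SHENZHEN\\bob.adm", "XXSEC\\canary.adm"}
CANARY_ACCOUNT = "XXSEC\\canary.adm"
REMOTE_LOGON_TYPES = {3, 10}   # 4624 LogonType: 3 = network, 10 = RDP

# Constructed records shaped like event 4624 fields:
# (collecting DC, TimeCreated, TargetDomainName\TargetUserName, LogonType, IpAddress)
EVENTS = [
    ("10.1.0.10", "2019-04-01T09:00:00", "XXSEC\\alice.adm", 10, "10.0.0.5"),
    ("10.1.0.10", "2019-04-01T09:05:00", "XXSEC\\alice.adm", 3, "::ffff:10.0.0.5"),
    ("10.1.0.10", "2019-04-01T09:07:00", "XXSEC\\administrator", 10, "10.9.9.9"),
    ("10.1.0.10", "2019-04-01T09:08:00", "XXSEC\\svc_backup", 3, "10.9.9.9"),
    ("10.1.0.10", "2019-04-01T09:30:00", "XXSEC\\canary.adm", 3, "10.8.8.8"),
    ("10.2.0.10", "2019-04-01T10:00:00", "SHENZHEN\\bob.adm", 10, "10.0.0.5"),
    ("10.2.0.10", "2019-04-01T10:01:00", "XXSEC\\alice.adm", 3, "10.0.0.5"),
    ("10.2.0.10", "2019-04-01T10:02:00", "XXSEC\\alice.adm", 3, "10.0.0.5"),
    ("10.2.0.10", "2019-04-01T10:03:00", "XXSEC\\alice.adm", 3, "10.0.0.5"),
    ("10.2.0.10", "2019-04-01T10:30:00", "XXSEC\\canary.adm", 3, "10.8.8.8"),
    # 10.3.0.10 logged no canary event: its auditing or log collection is broken
]

def normalise_ip(raw):
    """Canonicalise the IpAddress field. '-' and loopback denote a local or
    service logon, which can never have come 'via the bastion': return None."""
    if raw in ("-", ""):
        return None
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped:   # '::ffff:a.b.c.d' -> 'a.b.c.d'
        addr = addr.ipv4_mapped
    return None if addr.is_loopback else str(addr)

def parse(events=EVENTS):
    return [{"dc": dc, "time": datetime.fromisoformat(ts), "account": acct,
             "type": ltype, "src": normalise_ip(src)}
            for dc, ts, acct, ltype, src in events]

def admin_logons(records, admins=ADMIN_ACCOUNTS):
    """Step S102: successful remote logons by privileged accounts only."""
    admins_lc = {a.lower() for a in admins}
    return [r for r in records
            if r["account"].lower() in admins_lc and r["type"] in REMOTE_LOGON_TYPES]

def bastion_violations(records, bastions=BASTION_HOSTS):
    """Step S103: admin logons whose source address is not a bastion host."""
    return [r for r in admin_logons(records) if r["src"] not in bastions]

def frequency_alerts(records, window=timedelta(hours=1), threshold=3):
    """(DC, account) pairs with >= threshold admin logons in some sliding window."""
    times = defaultdict(list)
    for r in admin_logons(records):
        times[(r["dc"], r["account"])].append(r["time"])
    alerts = []
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

def cross_domain_alerts(records, threshold=3, dc_domains=DC_DOMAINS):
    """(DC, account domain) pairs with >= threshold logons by another domain's admins."""
    def domain(r): return r["account"].split("\\", 1)[0].upper()
    counts = Counter((r["dc"], domain(r)) for r in admin_logons(records)
                     if domain(r) != dc_domains[r["dc"]])
    return {k: n for k, n in counts.items() if n >= threshold}

def triage(violations, canary=CANARY_ACCOUNT):
    """Step B2: separate the designated account's simulated logons from real alerts."""
    simulated = [r for r in violations if r["account"].lower() == canary.lower()]
    real = [r for r in violations if r["account"].lower() != canary.lower()]
    return simulated, real

def blind_dcs(violations, dcs=DC_DOMAINS, canary=CANARY_ACCOUNT):
    """DCs whose logs never surfaced the simulated logon: the monitor is blind there."""
    observed = {r["dc"] for r in triage(violations, canary)[0]}
    return [dc for dc in dcs if dc not in observed]
```

In practice the records come from each domain controller's Security log (event 4624, for example via Get-WinEvent or a log forwarder), since these logs are local to each domain controller and do not replicate the way directory data does. Two caveats a practitioner should keep in mind: the check trusts the bastion host, so an attacker who compromises the bastion itself, or whose logon is relayed through it, appears legitimate, which is why the bastion host needs its own monitoring; and, as the patent states, only successful logons are examined, so failed logons (event 4625) by administrator accounts from non-bastion sources are worth alerting on separately as a sign of password guessing.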
Preferably, in practice all of the above methods can be implemented by a SOC (Security Operations Center). A SOC uniformly collects, stores and processes the enterprise's security-related monitoring and alarm information, circulates security events as tickets through a security-event management process, has first-, second- and third-line security staff handle alarms of different severity, and reviews security incidents for continuous improvement of security effectiveness. A SOC is both a system and a product, and it also comprises services and operations; it is a combination of technology, process and people. In this embodiment, the SOC obtains the IP address information of all domain controllers in the target domain and the account information of all domain controller administrators, then obtains log information from each domain controller according to the IP address information and extracts the administrator logon records from each log according to the account information; finally, the SOC judges whether the source address in each administrator logon record is the address of the preset bastion host and, if not, sends an alarm message containing the record to the preset terminal. In addition, the SOC can periodically initiate simulated logon events against each domain controller and, from the log information of each domain controller, determine which domain controllers detect the simulated logon event and which do not.
Embodiment two
Based on the method for monitoring domain controller administrators provided in embodiment one, this embodiment provides an apparatus for monitoring domain controller administrators. Specifically, Fig. 3 shows an optional structural block diagram of the apparatus. The apparatus is divided into one or more program modules, which are stored in a storage medium and executed by one or more processors to carry out the present invention. A program module in the sense of the present invention is a series of computer program instruction segments that complete a specific function; it is better suited than the program itself to describing the execution of the apparatus for monitoring domain controller administrators in the storage medium. The function of each program module of this embodiment is described below.
As shown in Fig. 3, the apparatus for monitoring domain controller administrators specifically comprises the following components:
an obtaining module 301, for obtaining the IP address information of all domain controllers in a target domain and the account information of all domain controller administrators in the target domain;
a determining module 302, for obtaining log information from each domain controller respectively according to the IP address information, and determining the administrator logon records in each log according to the account information;
a processing module 303, for judging, for each administrator logon record, whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the administrator logon record to a preset terminal.
Specifically, the obtaining module 301 is configured to:
obtain the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain; and search the Active Directory of any domain controller in the target domain for the administrator accounts associated with a specified security identifier (SID).
Preferably, the obtaining module 301 uses the SID (Security Identifier) S-1-5-32-544, which identifies the built-in Administrators group, as the feature for traversing Active Directory to obtain the account information of all domain controller administrators in the target domain: the administrator accounts matched by S-1-5-32-544 are the domain controller administrators of the target domain. The obtaining module 301 may also obtain the account information of all domain controller administrators in the target domain from the Domain Admins (DA) group of Active Directory.
The determining module 302 is specifically configured to:
according to the IP address information, determine each domain controller in the target domain and obtain log information from each of the determined domain controllers respectively; and, according to the account information, determine from each log the administrator logon records that contain a domain controller administrator account.
Further, the apparatus also comprises:
a statistics module, for counting, according to the log information of a domain controller, the number of logons of each domain controller administrator within a set period and, if the number of logons of a given administrator reaches a preset threshold, sending an alarm message containing that administrator's account information to the preset terminal.
In this embodiment the logon frequency of each domain controller administrator is also monitored. Under normal circumstances an administrator does not log on excessively within a given period; if an administrator is observed logging on to domain controllers frequently within a period, the behaviour is judged abnormal and an early warning is issued, so that the administrator with the excessive logon count can be verified afterwards.
In addition, in practice cross-domain access is infrequent: an administrator of one domain usually accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Therefore the statistics module is also configured to:
according to the log information of a domain controller, determine cross-domain logon records, a cross-domain logon record being a logon record of an administrator who does not belong to the domain of that domain controller; and, when the number of cross-domain logon records reaches a preset threshold, send an alarm message containing the cross-domain logon records to the preset terminal.
Further, the apparatus also comprises:
a test module, for initiating a simulated logon event against each domain controller respectively, the simulated logon event being a direct logon to the domain controller that does not pass through the preset bastion host, and for judging, according to the log information of each domain controller, whether the simulated logon event was detected and, if not, sending an alarm message containing the IP address of the domain controller on which it was not detected to the preset terminal.
Embodiment three
The present embodiment also provides a computer device capable of executing a program, such as a smart phone, tablet computer, notebook computer, desktop computer, rack server, blade server, tower server or cabinet server (including a stand-alone server or a server cluster composed of multiple servers). As shown in Fig. 4, the computer device 40 of the present embodiment at least includes, but is not limited to, a memory 401 and a processor 402 that can communicate with each other over a system bus. It should be pointed out that Fig. 4 shows only the computer device 40 with the components 401-402; it should be understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
In the present embodiment, the memory 401 (that is, a readable storage medium) includes flash memory, a hard disk, a multimedia card, a card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc and the like. In some embodiments, the memory 401 may be an internal storage unit of the computer device 40, such as the hard disk or memory of the computer device 40. In other embodiments, the memory 401 may also be an external storage device of the computer device 40, such as a plug-in hard disk, smart media card (SMC), secure digital (SD) card or flash card fitted to the computer device 40. Of course, the memory 401 may also include both the internal storage unit of the computer device 40 and its external storage device. In the present embodiment, the memory 401 is generally used to store the operating system and the various application software installed on the computer device 40, such as the program code of the device for monitoring domain control administrators of embodiment two. In addition, the memory 401 may also be used to temporarily store various kinds of data that have been output or are to be output.
The processor 402 may in some embodiments be a central processing unit (CPU), controller, microcontroller, microprocessor or other data processing chip. The processor 402 is generally used to control the overall operation of the computer device 40.
Specifically, in the present embodiment, the processor 402 is used to execute the program of the method for monitoring domain control administrators stored in the processor 402, and when executed, the program of the method for monitoring domain control administrators implements the following steps:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and, according to the account information, determining administrator login information from each item of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending a warning message containing the administrator login information to a preset terminal.
The specific implementation process of the above method steps can be found in the first embodiment and is not repeated here.
Embodiment four
The present embodiment also provides a computer readable storage medium, such as flash memory, a hard disk, a multimedia card, a card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disc, a server, an App store or the like, on which a computer program is stored; when the computer program is executed by a processor, the following method steps are implemented:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and, according to the account information, determining administrator login information from each item of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending a warning message containing the administrator login information to a preset terminal.
The specific implementation process of the above method steps can be found in the first embodiment and is not repeated here.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better embodiment.
The above is only a preferred embodiment of the present invention and is not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the content of the specification and accompanying drawings of the present invention, applied directly or indirectly in other related technical fields, is likewise included within the scope of the present invention.

Claims (10)

1. A method for monitoring domain control administrators, characterized in that the method comprises:
obtaining the IP address information of all domain controllers in a target domain, and obtaining the account information of all domain control administrators in the target domain;
according to the IP address information, obtaining log information from each domain controller respectively, and, according to the account information, determining administrator login information from each item of log information;
for the administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, sending a warning message containing the administrator login information to a preset terminal.
2. The method for monitoring domain control administrators according to claim 1, characterized in that the obtaining of the IP address information of all domain controllers in the target domain specifically comprises:
obtaining the IP address information of all domain controllers in the target domain from the Active Directory of any domain controller in the target domain.
3. The method for monitoring domain control administrators according to claim 1, characterized in that the obtaining of the account information of all domain control administrators in the target domain specifically comprises:
searching, from the Active Directory of any domain controller in the target domain, for administrator accounts containing a specified security identifier (SID).
4. The method for monitoring domain control administrators according to claim 1, characterized in that the method further comprises:
according to the log information of a domain controller, counting the number of logins of each domain control administrator within a set period of time; and if the number of logins of a certain domain control administrator reaches a preset threshold, sending a warning message containing the account information of that domain control administrator to the preset terminal.
5. The method for monitoring domain control administrators according to claim 1, characterized in that the method further comprises:
initiating a simulated login event to each domain controller respectively, where the simulated login event is an event of logging on to the domain controller directly without going through the preset bastion host;
according to the log information of each domain controller, judging whether the simulated login event can be monitored, and if not, sending a warning message containing the IP address information of the domain controller that could not be monitored to the preset terminal.
6. A device for monitoring domain control administrators, characterized in that the device comprises:
an obtaining module, configured to obtain the IP address information of all domain controllers in a target domain and to obtain the account information of all domain control administrators in the target domain;
a determining module, configured to obtain log information from each domain controller respectively according to the IP address information, and to determine administrator login information from each item of log information according to the account information;
a processing module, configured to judge, for the administrator login information, whether the source address information in the administrator login information is the address information of a preset bastion host, and if not, to send a warning message containing the administrator login information to a preset terminal.
7. The device for monitoring domain control administrators according to claim 6, characterized in that the device further comprises:
a statistical module, configured to count, according to the log information of a domain controller, the number of logins of each domain control administrator within a set period of time, and, if the number of logins of a certain domain control administrator reaches a preset threshold, to send a warning message containing the account information of that domain control administrator to the preset terminal.
8. The device for monitoring domain control administrators according to claim 6, characterized in that the device further comprises:
a test module, configured to initiate a simulated login event to each domain controller respectively, where the simulated login event is an event of logging on to the domain controller directly without going through the preset bastion host; and to judge, according to the log information of each domain controller, whether the simulated login event can be monitored, and if not, to send a warning message containing the IP address information of the domain controller that could not be monitored to the preset terminal.
9. A computer device, comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 5.
10. A computer readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 5.
CN201910268028.6A 2019-04-03 2019-04-03 Method and device for monitoring domain control administrator, computer equipment and storage medium Active CN110049028B (en)

Publications (2)

Publication Number Publication Date
CN110049028A true CN110049028A (en) 2019-07-23
CN110049028B CN110049028B (en) 2021-03-23

Legal Events

Code Title / Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing
Applicant after: Qianxin Technology Group Co.,Ltd.
Address before: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing
Applicant before: Beijing Qi'anxin Technology Co.,Ltd.
GR01 Patent grant