CN110049028B - Method and device for monitoring domain control administrator, computer equipment and storage medium - Google Patents

Info

Publication number: CN110049028B
Application number: CN201910268028.6A
Authority: CN (China)
Prior art keywords: domain, information, login, administrator, controller
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN110049028A (en)
Inventor: 聂君
Current assignee: Qianxin Technology Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Qianxin Technology Group Co Ltd
History: application filed by Qianxin Technology Group Co Ltd; priority to CN201910268028.6A; publication of CN110049028A; application granted; publication of CN110049028B. Priority date, filing date and publication date are assumptions, not legal conclusions.

Classifications

    • H04L63/0876 Network architectures or network communication protocols for network security, for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/1416 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic: event detection, e.g. attack signature detection
    • H04L63/1425 Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic: traffic logging, e.g. anomaly detection

(All three fall under H Electricity, H04 Electric communication technique, H04L Transmission of digital information, e.g. telegraphic communication.)

Abstract

The invention discloses a method, a device, computer equipment and a storage medium for monitoring domain administrators (the administrators entitled to log in to domain controllers). The method comprises the following steps: acquiring the IP address information of all domain controllers in a target domain and the account information of all domain administrators in the target domain; obtaining log information from each domain controller according to the IP address information, and determining administrator logon records from each set of log information according to the account information; and, for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the logon record to a preset terminal. The invention protects the Active Directory stored on the domain controllers by monitoring the logon behavior of domain administrators on the domain controllers.

Description

Method and device for monitoring domain control administrator, computer equipment and storage medium
Technical Field
The present invention relates to the field of network security, and in particular to a method and an apparatus for monitoring domain administrators (in the original, "domain control administrators": the administrators entitled to log in to domain controllers), a computer device, and a storage medium.
Background
In order to manage resources such as computers and users in an enterprise uniformly, Microsoft provides Active Directory (AD). Unlike the traditional workgroup model, its greatest advantage is centralized management, including unified identity authentication and authorization control. Because the information about every computer and user inside the enterprise is stored in Active Directory, only domain administrators are granted the right to log in to a domain controller and access the Active Directory it holds, so as to protect it. However, an attacker who has obtained a domain administrator's credentials can impersonate that administrator, log in to a domain controller and access Active Directory; how to protect Active Directory effectively against this has become an urgent technical problem.
Disclosure of Invention
The invention aims to provide a method, a device, computer equipment and a storage medium for monitoring domain administrators, which protect the Active Directory stored on a domain controller by monitoring the behavior of domain administrators logging in to the domain controller.
According to one aspect of the present invention, a method of monitoring domain administrators is provided, the method including the following steps:
acquiring the IP address information of all domain controllers in a target domain, and acquiring the account information of all domain administrators in the target domain;
obtaining log information from each domain controller according to the IP address information, and determining administrator logon records from each set of log information according to the account information;
and, for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the logon record to a preset terminal.
Optionally, acquiring the IP address information of all domain controllers in the target domain specifically includes:
acquiring the IP address information of all domain controllers in the target domain from the Active Directory of any one domain controller in the target domain.
Optionally, acquiring the account information of all domain administrators in the target domain specifically includes:
searching the Active Directory of any one domain controller in the target domain for administrator accounts whose security identifiers (SIDs) include a specified SID.
Optionally, the method further includes:
counting, according to the log information of a domain controller, the number of logons by each domain administrator within a set time period; and, if the number of logons by a certain domain administrator reaches a preset threshold, sending an alarm message containing that domain administrator's account information to the preset terminal.
Optionally, the method further includes:
initiating a simulated logon event to each domain controller, the simulated logon event being a logon made directly to the domain controller without passing through the preset bastion host;
and judging, according to the log information of each domain controller, whether the simulated logon event can be detected and, if not, sending alarm information containing the IP address information of the domain controller on which it cannot be detected to the preset terminal.
In order to achieve the above object, the present invention further provides an apparatus for monitoring domain administrators, which specifically includes the following components:
an acquisition module, configured to acquire the IP address information of all domain controllers in a target domain and the account information of all domain administrators in the target domain;
a determining module, configured to obtain log information from each domain controller according to the IP address information and to determine administrator logon records from each set of log information according to the account information;
and a processing module, configured to judge, for each administrator logon record, whether the source address in the record is the address of a preset bastion host and, if not, to send an alarm message containing the logon record to a preset terminal.
Optionally, the apparatus further comprises:
a statistics module, configured to count, according to the log information of a domain controller, the number of logons by each domain administrator within a set time period and, if the number of logons by a certain domain administrator reaches a preset threshold, to send an alarm message containing that domain administrator's account information to the preset terminal.
Optionally, the apparatus further comprises:
a testing module, configured to initiate a simulated logon event to each domain controller, the simulated logon event being a logon made directly to the domain controller without passing through the preset bastion host, and to judge, according to the log information of each domain controller, whether the simulated logon event can be detected and, if not, to send alarm information containing the IP address information of the domain controller on which it cannot be detected to the preset terminal.
In order to achieve the above object, the present invention further provides a computer device, which specifically includes a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the above method of monitoring domain administrators when executing the computer program.
In order to achieve the above object, the present invention further provides a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the above method of monitoring domain administrators.
The method, apparatus, computer equipment and storage medium for monitoring domain administrators protect the Active Directory stored on the domain controllers by monitoring domain administrators' logons to the domain controllers: when the source address of a logon is found not to be the address of the preset bastion host, the source address information is recorded and an alarm is raised, thereby protecting Active Directory. In addition, in this embodiment the number of times each domain administrator logs in to the domain controllers can be monitored, and an administrator account that logs in too frequently is flagged for manual review to avoid potential danger.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
Fig. 1 is an optional flowchart of the method for monitoring domain administrators according to the first embodiment;
Fig. 2 is a diagram of an enterprise domain forest according to the first embodiment;
Fig. 3 is a schematic diagram of optional program modules of the apparatus for monitoring domain administrators according to the second embodiment;
Fig. 4 is a schematic diagram of an optional hardware architecture of the computer device according to the third embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The method for monitoring domain administrators according to the present invention is described below with reference to the accompanying drawings.
Fig. 1 is an optional flowchart of the method for monitoring domain administrators according to the present invention, which includes the following steps:
Step S101: obtaining the IP (Internet Protocol) address information of all domain controllers in the target domain, and obtaining the account information of all domain administrators in the target domain.
In this embodiment, as shown in Fig. 2, the target domain may be an enterprise's domain forest, with the head office as the root domain and the subsidiaries as child domains. One or more domain controllers are deployed for the root domain and for each child domain. A domain controller authenticates every computer and user that connects to the network, and each domain controller holds a copy of Active Directory. Active Directory stores information about network objects (users, groups, domains, security policies and so on), and the domain controllers replicate that information among themselves. Strictly, a domain's own objects are replicated among that domain's domain controllers (and partially to global catalog servers), while the forest-wide configuration partition, which lists every domain controller in the forest, is replicated to all domain controllers; for the purpose of this method each domain controller can be treated as holding the same directory information. Because information about every computer and user in the enterprise is stored in Active Directory, only domain administrators who have been granted the right may log in to a domain controller and access the Active Directory it holds, in order to protect the domain controller and Active Directory.
Specifically, acquiring the IP address information of all domain controllers in the target domain includes:
acquiring the IP address information of all domain controllers in the target domain from the Active Directory of any one domain controller in the target domain.
Because every domain controller holds the replicated directory data that lists the domain controllers (the domain controller objects and their DNS host names, from which the IP addresses are resolved; with Active Directory-integrated DNS the address records themselves are also in the directory), the IP address information of all domain controllers in the target domain can be obtained from any one domain controller in the target domain.
Further, obtaining the account information of all domain administrators in the target domain includes:
searching the Active Directory of any one domain controller in the target domain for administrator accounts whose SIDs include the specified security identifier (SID).
Preferably, the well-known SID S-1-5-32-544 is used as the search key when traversing Active Directory: every account whose SIDs (its own SID plus the SIDs of the groups it belongs to) include S-1-5-32-544 is taken as a domain administrator account. Note that S-1-5-32-544 is the SID of the built-in Administrators group (BUILTIN\Administrators), which on a domain controller contains Domain Admins and Enterprise Admins by default; the Domain Admins group itself is identified by RID 512 appended to the domain SID (S-1-5-21-<domain>-512), and Enterprise Admins by RID 519 in the forest root domain. Alternatively, the account information of all domain administrators in the target domain can be obtained directly from the membership of the Domain Admins (DA) group in Active Directory.
Step S102: obtaining log information from each domain controller according to the IP address information, and determining administrator logon records from each set of log information according to the account information.
Specifically, step S102 includes:
Step A1: determining each domain controller in the target domain according to the IP address information, and obtaining log information from each determined domain controller;
Step A2: according to the account information, determining, from each set of log information obtained, the administrator logon records that contain a domain administrator account.
After a domain administrator successfully logs in to a domain controller, a corresponding logon record is written to the domain controller's log (on Windows, a successful logon is recorded in the Security log as event ID 4624, whose fields include the account name, the logon type and the source network address). In this embodiment only successful logons to the domain controller are checked.
Step S103: for each administrator logon record, judging whether the source address in the record is the address of a preset bastion host and, if not, sending an alarm message containing the logon record to a preset terminal.
In the prior art, a bastion host is deployed to protect the Active Directory stored on the domain controllers: a domain administrator who wants to access Active Directory on a domain controller must first log in to the bastion host and then access the domain controller through it. Even if an attacker obtains a domain administrator's account and impersonates that administrator to access a domain controller, an attacker who does not know or cannot reach the bastion host can only access the domain controller directly. Therefore, in this embodiment, whether an access comes from an attacker or from a domain administrator is determined by checking whether the source address in the administrator logon record is the address of the bastion host: a legitimate domain administrator's logon record carries the preset bastion host's address as its source address, while an attacker's abnormal access carries the address of some other terminal. Note that this is a policy check on the path taken, not a proof of identity: an attacker who has compromised the bastion host itself, or who pivots through it with stolen credentials, produces logon records whose source address is the bastion host, so the check should be combined with the bastion host's own session logs and with the frequency checks described below.
When the preset terminal receives the alarm, an operator investigates the domain administrator account named in the logon record contained in the alarm; the account's password can then be changed, and further access requests from that account rejected.
In this embodiment, the logon log of the domain controller is analyzed to judge whether the logon source is the address of the preset bastion host: if so, the logon is judged to be normal; if not, it is judged to be abnormal and an early warning is issued, so that the Active Directory stored on the domain controller is protected.
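The three steps S101 to S103 as one runnable detection, added here as an example (it is not code from the patent). The directory snapshot and the logon events are constructed; in a deployment they would come from LDAP queries against a domain controller and from collected Security event 4624 records. The SERVER_TRUST_ACCOUNT bit (0x2000 in userAccountControl) marks domain controller computer accounts, and the administrator match uses both the well-known BUILTIN\Administrators SID and the Domain Admins SID derived from the domain SID with RID 512. The domain SID, host names and addresses are illustrative values.

```python
"""Bastion-bypass detection for domain administrator logons (steps S101 to S103).

Added example, not code from the patent. The directory snapshot and the logon
events are constructed. Field names mirror the Active Directory attributes and
Security event 4624 fields they stand in for (userAccountControl, tokenGroups,
TargetUserName, IpAddress, LogonType).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = 512                       # Domain Admins is <domain SID>-512
SERVER_TRUST_ACCOUNT = 0x2000                 # userAccountControl bit set on DC computer accounts
EVENT_LOGON_SUCCESS = 4624                    # Security log: an account was successfully logged on


@dataclass
class DirectoryObject:
    """Minimal view of an AD user or computer object."""
    sam_account_name: str
    user_account_control: int = 0
    token_groups: Set[str] = field(default_factory=set)  # SIDs of all groups the object is in
    dns_host_name: str = ""
    ip_address: str = ""  # resolved from the host name via DNS in a real deployment (assumption)


@dataclass
class LogonEvent:
    """One logon record as collected from a DC's Security log."""
    dc: str           # DNS name of the DC whose log produced the record
    event_id: int     # 4624 success, 4625 failure
    target_user: str  # TargetUserName
    source_ip: str    # IpAddress
    logon_type: int   # 3 network, 10 remote interactive, ...


def domain_admins_sid(domain_sid: str) -> str:
    """Domain Admins is not S-1-5-32-544: it is the domain SID with RID 512 appended."""
    return f"{domain_sid}-{DOMAIN_ADMINS_RID}"


def find_domain_controllers(objects: Iterable[DirectoryObject]) -> Dict[str, str]:
    """S101a: a computer account with SERVER_TRUST_ACCOUNT set is a domain controller."""
    return {o.dns_host_name: o.ip_address
            for o in objects if o.user_account_control & SERVER_TRUST_ACCOUNT}


def find_admin_accounts(objects: Iterable[DirectoryObject], domain_sid: str) -> Set[str]:
    """S101b: accounts whose (transitive) group SIDs include an administrator SID."""
    admin_sids = {BUILTIN_ADMINISTRATORS_SID, domain_admins_sid(domain_sid)}
    return {o.sam_account_name.lower() for o in objects if o.token_groups & admin_sids}


def admin_logons(events: Iterable[LogonEvent], admin_accounts: Set[str]) -> List[LogonEvent]:
    """S102: keep only successful logons whose target account is an administrator."""
    return [e for e in events
            if e.event_id == EVENT_LOGON_SUCCESS and e.target_user.lower() in admin_accounts]


def bastion_bypass_alerts(events, admin_accounts: Set[str], bastion_ips: Set[str]) -> List[dict]:
    """S103: an admin logon whose source address is not a bastion host is alerted."""
    return [{"dc": e.dc, "target_user": e.target_user,
             "source_ip": e.source_ip, "logon_type": e.logon_type}
            for e in admin_logons(events, admin_accounts) if e.source_ip not in bastion_ips]


# --- constructed sample data -------------------------------------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DA_SID = domain_admins_sid(DOMAIN_SID)
DOMAIN_USERS_SID = DOMAIN_SID + "-513"
DIRECTORY = [
    DirectoryObject("DC01$", 0x82000, set(), "dc01.corp.example", "10.0.0.10"),
    DirectoryObject("DC02$", 0x82000, set(), "dc02.corp.example", "10.0.0.11"),
    DirectoryObject("WS01$", 0x1000, set(), "ws01.corp.example", "10.0.0.77"),
    DirectoryObject("alice", 0x200, {DA_SID, BUILTIN_ADMINISTRATORS_SID, DOMAIN_USERS_SID}),
    DirectoryObject("bob", 0x200, {DOMAIN_USERS_SID}),
    DirectoryObject("svc_backup", 0x200, {BUILTIN_ADMINISTRATORS_SID, DOMAIN_USERS_SID}),
]
BASTION_IPS = {"10.0.0.50"}  # preset bastion host address
EVENTS = [
    LogonEvent("dc01.corp.example", 4624, "alice", "10.0.0.50", 10),       # via bastion: normal
    LogonEvent("dc02.corp.example", 4624, "alice", "10.0.0.77", 3),        # from a workstation: alert
    LogonEvent("dc01.corp.example", 4624, "bob", "10.0.0.77", 3),          # not an admin: ignored
    LogonEvent("dc02.corp.example", 4625, "alice", "10.0.0.77", 3),        # failed logon: ignored
    LogonEvent("dc01.corp.example", 4624, "svc_backup", "10.0.0.50", 3),   # via bastion: normal
]


def run(directory=DIRECTORY, events=EVENTS, domain_sid=DOMAIN_SID, bastion_ips=BASTION_IPS):
    dcs = find_domain_controllers(directory)
    admins = find_admin_accounts(directory, domain_sid)
    events = [e for e in events if e.dc in dcs]  # only trust records from known DCs
    return bastion_bypass_alerts(events, admins, bastion_ips)


if __name__ == "__main__":
    for alert in run():
        print("ALERT: domain admin logon bypassed the bastion host:", alert)
```

Running it reports exactly one alert, alice's network logon to dc02 from the workstation address; bob's logon is ignored because he is not an administrator, and alice's failed attempt is ignored because only successful logons (event 4624) are checked, as the text specifies.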
Further, the method also includes:
counting, according to the log information of a domain controller, the number of logons by each domain administrator within a set time period; and, if the number of logons by a certain domain administrator reaches a preset threshold, sending an alarm message containing that domain administrator's account information to the preset terminal.
In this embodiment the logon frequency of each domain administrator is also monitored. Normally a domain administrator does not log in to a domain controller many times within a given period; if one domain administrator account is seen logging in to a domain controller frequently within a period, this is judged to be abnormal logon behavior and an early warning is issued, so that the account with too many logons can be checked afterwards.
In addition, in practice cross-domain access is infrequent: a domain administrator of one domain usually accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Thus, the method further includes:
determining cross-domain logon records according to the log information of a domain controller, a cross-domain logon record being a logon record of a domain administrator who does not belong to the domain of that domain controller; and, when the number of cross-domain logon records reaches a preset threshold, sending an alarm message containing the cross-domain logon records to the preset terminal.
Therefore, in this embodiment, both the access frequency of each domain administrator within its own domain and the cross-domain access frequency of domain administrators from other domains can be monitored, so that the access behavior of each domain administrator is monitored and the Active Directory stored on the domain controllers is protected more comprehensively.
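The two threshold checks above (logon frequency per administrator and cross-domain logons per domain controller), added here as an example that is not code from the patent. The frequency check uses a sliding window rather than fixed calendar buckets, so a burst that straddles a bucket boundary is still counted, which goes slightly beyond the text. Each record carries the account's domain (TargetDomainName in event 4624) so it can be compared with the domain the domain controller belongs to. Domain names, host names, times and thresholds are constructed.

```python
"""Logon-frequency and cross-domain thresholds for domain administrators.

Added example, not code from the patent. Events are constructed. Each record
carries the account's domain (TargetDomainName in event 4624) so a logon can
be compared with the domain that the DC belongs to.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

EVENT_LOGON_SUCCESS = 4624


@dataclass
class AdminLogon:
    dc: str             # DC that produced the record
    time: datetime      # TimeCreated
    target_domain: str  # TargetDomainName
    target_user: str    # TargetUserName
    event_id: int = EVENT_LOGON_SUCCESS


def frequent_logon_alerts(events: Iterable[AdminLogon], window: timedelta, threshold: int) -> List[dict]:
    """One alert per account whose successful logons reach `threshold` inside any
    sliding window of length `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == EVENT_LOGON_SUCCESS:
            by_account[(e.target_domain.upper(), e.target_user.lower())].append(e.time)
    alerts = []
    for (domain, user), times in by_account.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:  # drop logons that fell out of the window
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"account": f"{domain}\\{user}", "count": len(recent),
                               "window_start": recent[0], "window_end": t})
                break
    return alerts


def cross_domain_alerts(events: Iterable[AdminLogon], dc_domain: Dict[str, str], threshold: int) -> List[dict]:
    """One alert per DC when logons by administrators of *other* domains reach `threshold`."""
    foreign = defaultdict(list)
    for e in events:
        if e.event_id != EVENT_LOGON_SUCCESS or e.dc not in dc_domain:
            continue
        if e.target_domain.upper() != dc_domain[e.dc].upper():
            foreign[e.dc].append(e)
    return [{"dc": dc, "count": len(hits),
             "accounts": sorted({f"{h.target_domain}\\{h.target_user}" for h in hits})}
            for dc, hits in foreign.items() if len(hits) >= threshold]


# --- constructed sample data -------------------------------------------------
T0 = datetime(2019, 4, 3, 9, 0, 0)
DC_DOMAIN = {"dc01.corp.example": "CORP", "dc01.sub.corp.example": "SUB"}  # root and child domain
EVENTS = (
    # alice: six logons to dc01 within 7.5 minutes -> frequency alert (threshold 5 in 10 minutes)
    [AdminLogon("dc01.corp.example", T0 + timedelta(seconds=90 * i), "CORP", "alice") for i in range(6)]
    # bob: two logons an hour apart -> no alert
    + [AdminLogon("dc01.corp.example", T0, "CORP", "bob"),
       AdminLogon("dc01.corp.example", T0 + timedelta(hours=1), "CORP", "bob")]
    # CORP\carol logs on to the child domain's DC three times -> cross-domain alert (threshold 3)
    + [AdminLogon("dc01.sub.corp.example", T0 + timedelta(hours=2, minutes=m), "CORP", "carol")
       for m in (0, 20, 40)]
    # SUB\dave on his own domain's DC: not cross-domain
    + [AdminLogon("dc01.sub.corp.example", T0 + timedelta(hours=3), "SUB", "dave")]
)


def run(events=EVENTS):
    return {"frequent": frequent_logon_alerts(events, timedelta(minutes=10), 5),
            "cross_domain": cross_domain_alerts(events, DC_DOMAIN, 3)}


if __name__ == "__main__":
    print(run())
```

The thresholds are inputs, not recommendations: the window and count that separate routine administration from abuse depend on how many administrators an environment has and how often they legitimately touch a domain controller, so they should be set from a baseline of the environment's own logs.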
Still further, the method also includes:
Step B1: initiating a simulated logon event to each domain controller, the simulated logon event being a logon made directly to the domain controller without passing through the preset bastion host;
Step B2: judging, according to the log information of each domain controller, whether the simulated logon event can be detected and, if not, sending alarm information containing the IP address information of the domain controller on which it cannot be detected to the preset terminal.
In this embodiment, to verify that steps S101 to S103 are effective, a simulated logon event is also initiated periodically to each domain controller in the target domain, simulating an attacker who has stolen an administrator account and accesses the domain controller without going through the bastion host. The logon log information of each domain controller is analyzed to judge whether the simulated logon event is detected, and an early warning is issued if it is not. In practice, a script can iterate over each domain controller in the target domain to trigger the simulated logon event and verify the log, and the verification result can be displayed visually, so that the user can find the problem easily by looking at the chart of the check results.
In addition, to distinguish simulated logon events from real logon events, the simulated logon event can be bound to a designated domain administrator account: if a logon event that did not pass through the bastion host is found to have been initiated by the designated domain administrator account (i.e. the administrator logon record contains that account's information), it is judged to be a simulated logon event and the corresponding chart is drawn; if a logon event that did not pass through the bastion host was not initiated by the designated account (i.e. the record contains another domain administrator's account information), it is judged to be a real logon event and an alarm is raised as in step S103.
Preferably, in practice all of the above methods can be implemented by a SOC (Security Operations Center). A SOC collects, stores and processes an enterprise's security monitoring and alarm information centrally, routes security-event work orders through a security-event management process, has first-, second- and third-line security staff handle security alarms of different severities, and reviews security events for continuous improvement of security effectiveness. A SOC is a complex system combining product and service with operation and maintenance; it is an organic combination of technology, process and people. In this embodiment, the SOC obtains the IP address information of all domain controllers and the account information of all domain administrators in the target domain, obtains log information from each domain controller according to the IP address information, and determines the administrator logon records from each set of log information according to the account information; finally the SOC judges whether the source address in each administrator logon record is the address of the preset bastion host and, if not, sends an alarm message containing the logon record to the preset terminal. The SOC can also periodically initiate a simulated logon event to each domain controller and analyze, from each domain controller's log information, which domain controllers detect the simulated logon event and which do not.
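Steps B1 and B2 and the canary/real split described above, added here as an example that is not code from the patent. The text exempts a logon from alerting whenever it was made by the designated account; the example tightens that, exempting a record only when its domain controller, account, source address and time all match a scheduled simulated logon, so the designated account's credentials being used from some other host at some other time still raises a real alert. The simulated logon itself (an actual logon to each domain controller from a non-bastion host) is outside the code; the records the log collector would see are constructed, as are the host names, addresses and times.

```python
"""Canary logons (steps B1 and B2): check that each DC's bastion-bypass monitoring
fires, and keep canary records out of the real alert stream.

Added example, not code from the patent. In a real deployment the simulated
logon is an actual logon to each DC from a non-bastion host with a designated
canary account; here the records the log collector would see are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

EVENT_LOGON_SUCCESS = 4624


@dataclass
class LogonRecord:
    dc: str
    time: datetime
    target_user: str
    source_ip: str
    event_id: int = EVENT_LOGON_SUCCESS


def plan_canary_logons(dcs: Iterable[str], canary_user: str, source_ip: str, when: datetime) -> List[LogonRecord]:
    """B1: one simulated logon per DC, from a source that is deliberately not the bastion."""
    return [LogonRecord(dc, when, canary_user, source_ip) for dc in dcs]


def matches_canary(observed: LogonRecord, planned: LogonRecord, tolerance: timedelta) -> bool:
    """A record counts as a canary only if DC, account, source and time all match the plan."""
    return (observed.dc == planned.dc
            and observed.event_id == EVENT_LOGON_SUCCESS
            and observed.target_user.lower() == planned.target_user.lower()
            and observed.source_ip == planned.source_ip
            and abs(observed.time - planned.time) <= tolerance)


def unmonitored_dcs(planned: List[LogonRecord], observed: List[LogonRecord], tolerance: timedelta) -> List[str]:
    """B2: DCs whose collected logs never showed their planned canary logon."""
    return [p.dc for p in planned if not any(matches_canary(o, p, tolerance) for o in observed)]


def split_bypass_logons(observed: List[LogonRecord], admin_accounts: Set[str], planned: List[LogonRecord],
                        bastion_ips: Set[str], tolerance: timedelta) -> Tuple[List[LogonRecord], List[LogonRecord]]:
    """Non-bastion admin logons that match a planned canary feed the coverage chart;
    every other non-bastion admin logon, including the canary account used at the
    wrong time or from the wrong host, is a real alert (step S103)."""
    canary, real = [], []
    for o in observed:
        if o.event_id != EVENT_LOGON_SUCCESS or o.source_ip in bastion_ips:
            continue
        if any(matches_canary(o, p, tolerance) for p in planned):
            canary.append(o)
        elif o.target_user.lower() in admin_accounts:
            real.append(o)
    return canary, real


# --- constructed sample data -------------------------------------------------
DCS = ["dc01.corp.example", "dc02.corp.example", "dc03.corp.example"]
BASTION_IPS = {"10.0.0.50"}
ADMINS = {"alice", "svc_canary"}  # the canary account is itself a domain admin (assumption)
T0 = datetime(2019, 4, 3, 2, 0, 0)
PLANNED = plan_canary_logons(DCS, "svc_canary", "10.0.0.99", T0)
OBSERVED = [
    LogonRecord("dc01.corp.example", T0 + timedelta(seconds=5), "svc_canary", "10.0.0.99"),
    LogonRecord("dc02.corp.example", T0 + timedelta(seconds=12), "svc_canary", "10.0.0.99"),
    # dc03 never reports its canary: its log collection is broken
    LogonRecord("dc01.corp.example", T0 + timedelta(minutes=30), "alice", "10.0.0.50"),      # via bastion
    LogonRecord("dc01.corp.example", T0 + timedelta(minutes=45), "alice", "10.0.0.77"),      # real bypass
    LogonRecord("dc02.corp.example", T0 + timedelta(hours=3), "svc_canary", "10.0.0.77"),    # canary creds misused
]


def run(tolerance: timedelta = timedelta(minutes=5)) -> dict:
    canary, real = split_bypass_logons(OBSERVED, ADMINS, PLANNED, BASTION_IPS, tolerance)
    return {"unmonitored": unmonitored_dcs(PLANNED, OBSERVED, tolerance),
            "canary_seen": len(canary),
            "real_alerts": [(r.dc, r.target_user, r.source_ip) for r in real]}


if __name__ == "__main__":
    print(run())
```

The canary account holds real privileges (it must, or its logon to a domain controller would not be a faithful simulation), so it deserves the same protection as any other administrator account; matching on the scheduled host and time is what keeps a theft of its credentials from being silently filed under "test".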
Example two
Based on the method for monitoring domain administrators provided in the first embodiment, this embodiment provides an apparatus for monitoring domain administrators. Specifically, Fig. 3 illustrates an optional block diagram of the apparatus, which is divided into one or more program modules stored in a storage medium and executed by one or more processors so as to carry out the present invention. A program module in the present invention refers to a series of computer program instruction segments capable of performing a specific function, and describes the execution of the apparatus in the storage medium better than the program itself; the function of each program module in this embodiment is described below.
As shown in Fig. 3, the apparatus for monitoring domain administrators specifically includes the following components:
an acquisition module 301, configured to acquire the IP address information of all domain controllers in a target domain and the account information of all domain administrators in the target domain;
a determining module 302, configured to obtain log information from each domain controller according to the IP address information and to determine administrator logon records from each set of log information according to the account information;
and a processing module 303, configured to judge, for each administrator logon record, whether the source address in the record is the address of a preset bastion host and, if not, to send an alarm message containing the logon record to a preset terminal.
Specifically, the acquisition module 301 is configured to:
acquire the IP address information of all domain controllers in the target domain from the Active Directory of any one domain controller in the target domain; and search the Active Directory of any one domain controller in the target domain for administrator accounts whose SIDs include the specified security identifier (SID).
Preferably, the acquisition module 301 uses the well-known SID S-1-5-32-544 as the search key when traversing Active Directory, taking every account whose SIDs include S-1-5-32-544 as a domain administrator account. As noted in the first embodiment, S-1-5-32-544 is the SID of the built-in Administrators group, which on a domain controller contains Domain Admins and Enterprise Admins by default, whereas the Domain Admins group itself is S-1-5-21-<domain>-512. The acquisition module 301 may also obtain the account information of all domain administrators in the target domain directly from the membership of the Domain Admins (DA) group in Active Directory.
The determining module 302 is specifically configured to:
determine each domain controller in the target domain according to the IP address information and obtain log information from each determined domain controller; and, according to the account information, determine from each set of log information obtained the administrator logon records that contain a domain administrator account.
Further, the apparatus also comprises:
a statistics module, configured to count, according to the log information of a domain controller, the number of logons by each domain administrator within a set time period and, if the number of logons by a certain domain administrator reaches a preset threshold, to send an alarm message containing that domain administrator's account information to the preset terminal.
In this embodiment the logon frequency of each domain administrator is also monitored. Normally a domain administrator does not log in to a domain controller many times within a given period; if one domain administrator account is seen logging in to a domain controller frequently within a period, this is judged to be abnormal logon behavior and an early warning is issued, so that the account with too many logons can be checked afterwards.
In addition, in practice cross-domain access is infrequent: a domain administrator of one domain usually accesses only the domain controllers of that domain and does not access the domain controllers of other domains. Therefore, the statistics module is further configured to:
determine cross-domain logon records according to the log information of a domain controller, a cross-domain logon record being a logon record of a domain administrator who does not belong to the domain of that domain controller; and, when the number of cross-domain logon records reaches a preset threshold, send an alarm message containing the cross-domain logon records to the preset terminal.
Still further, the apparatus also comprises:
a testing module, configured to initiate a simulated logon event to each domain controller, the simulated logon event being a logon made directly to the domain controller without passing through the preset bastion host, and to judge, according to the log information of each domain controller, whether the simulated logon event can be detected and, if not, to send alarm information containing the IP address information of the domain controller on which it cannot be detected to the preset terminal.
EXAMPLE III
This embodiment also provides a computer device, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a cabinet server (including a stand-alone server or a server cluster composed of a plurality of servers) capable of executing programs. As shown in fig. 4, the computer device 40 of this embodiment at least includes, but is not limited to, a memory 401 and a processor 402, which may be communicatively coupled to each other via a system bus. It is noted that FIG. 4 only shows the computer device 40 having components 401 and 402, but it is understood that not all of the shown components are required to be implemented, and that more or fewer components may be implemented instead.
In this embodiment, the memory 401 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the memory 401 may be an internal storage unit of the computer device 40, such as a hard disk or a memory of the computer device 40. In other embodiments, the memory 401 may also be an external storage device of the computer device 40, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the computer device 40. Of course, the memory 401 may also include both internal and external storage devices of the computer device 40. In the present embodiment, the memory 401 is generally used for storing an operating system and various application software installed in the computer device 40, such as the program code of the apparatus for monitoring a domain control administrator of the second embodiment. Further, the memory 401 may also be used to temporarily store various types of data that have been output or are to be output.
The processor 402 may be a Central Processing Unit (CPU), a controller, a microcontroller, a microprocessor, or another data processing chip in some embodiments. The processor 402 is generally used to control the overall operation of the computer device 40.
Specifically, in this embodiment, the processor 402 is configured to execute a program of the method for monitoring a domain control administrator stored in the processor 402, and when the program of the method for monitoring a domain control administrator is executed, the following steps are implemented:
acquiring IP address information of all domain controllers in a target domain, and acquiring account information of all domain control administrators in the target domain;
acquiring log information from each domain controller according to the IP address information, and determining administrator login information from each piece of log information according to the account information;
and, for a piece of administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion machine, and if not, sending an alarm message containing the administrator login information to a preset terminal.
The specific implementation of the above method steps is described in the first embodiment and is not repeated here.
Example four
This embodiment also provides a computer-readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an application store, etc., having stored thereon a computer program that, when executed by a processor, implements the following method steps:
acquiring IP address information of all domain controllers in a target domain, and acquiring account information of all domain control administrators in the target domain;
acquiring log information from each domain controller according to the IP address information, and determining administrator login information from each piece of log information according to the account information;
and, for a piece of administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion machine, and if not, sending an alarm message containing the administrator login information to a preset terminal.
The specific implementation of the above method steps is described in the first embodiment and is not repeated here.
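The following Python example is added here and is not code from the patent. It implements the method steps listed above (select the domain control administrator accounts, pull each domain controller's log, check the source address of every administrator login against the bastion address) together with the login-count rule of claim 4, the SID-based account selection of claim 3 and the cross-domain rule of the second embodiment. The directory table, the one-line log format, the event ids, the bastion address 10.0.0.5, the privileged RIDs and the thresholds are constructed assumptions; the Active Directory query is replaced by an in-memory table so the example runs offline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Well-known RIDs of built-in privileged principals: Administrator (500),
# Domain Admins (512), Enterprise Admins (519). The patent only says "a
# specified SID"; selecting by these RIDs is an assumption of this example.
PRIVILEGED_RIDS = {"500", "512", "519"}
BASTION_IPS = {"10.0.0.5"}   # constructed address of the preset bastion host
SUCCESSFUL_LOGON = "4624"    # Windows Security event id for a successful logon

@dataclass(frozen=True)
class Logon:
    dc_ip: str
    account: str    # "DOMAIN\\user" as written in the log
    source_ip: str
    ts: int         # epoch seconds

def is_admin_sid(sid):
    """Claim 3: administrator accounts are selected by the RID ending the SID."""
    return sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS

def admin_accounts(directory):
    """Step 1: `directory` maps account -> SID and stands in for the AD query."""
    return {acct for acct, sid in directory.items() if is_admin_sid(sid)}

def admin_logons(logs_by_dc, admins):
    """Step 2: parse each DC's log (constructed line format
    '<epoch> <event_id> <DOMAIN\\user> <src_ip>') and keep the successful
    logons of domain control administrators."""
    out = []
    for dc_ip, lines in logs_by_dc.items():
        for line in lines:
            ts, event_id, account, src = line.split()
            if event_id == SUCCESSFUL_LOGON and account in admins:
                out.append(Logon(dc_ip, account, src, int(ts)))
    return out

def bastion_alerts(logons):
    """Step 3: an administrator logon not sourced from the bastion is alarmed."""
    return [l for l in logons if l.source_ip not in BASTION_IPS]

def frequency_alerts(logons, window, threshold):
    """Claim 4: per DC and administrator, alarm when `threshold` logons fall
    inside any `window`-second span (sliding window over sorted timestamps)."""
    by_key = defaultdict(list)
    for l in logons:
        by_key[(l.dc_ip, l.account)].append(l.ts)
    alerts = []
    for key, times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

def cross_domain_alerts(logons, dc_domains, threshold):
    """Cross-domain rule: logons whose account domain is not the DC's own
    domain; alarm with the records once a DC has `threshold` of them."""
    per_dc = defaultdict(list)
    for l in logons:
        if l.account.split("\\", 1)[0] != dc_domains[l.dc_ip]:
            per_dc[l.dc_ip].append(l)
    return {dc: recs for dc, recs in per_dc.items() if len(recs) >= threshold}

# Constructed sample data (not from the patent).
DIRECTORY = {
    "CORP\\da_alice": "S-1-5-21-1111-2222-3333-512",
    "CORP\\Administrator": "S-1-5-21-1111-2222-3333-500",
    "CORP\\bob": "S-1-5-21-1111-2222-3333-1105",      # ordinary user
    "LAB\\da_carol": "S-1-5-21-4444-5555-6666-512",
}
DC_DOMAINS = {"10.0.0.10": "CORP", "10.0.0.11": "CORP"}
LOGS = {
    "10.0.0.10": [
        "1700000000 4624 CORP\\da_alice 10.0.0.5",       # via bastion: fine
        "1700000060 4624 CORP\\bob 10.0.0.77",           # not an administrator
        "1700000120 4624 CORP\\da_alice 10.0.0.88",      # bypassed the bastion
        "1700000180 4634 CORP\\da_alice 10.0.0.88",      # logoff, not a logon
        "1700000240 4624 LAB\\da_carol 10.0.0.5",        # cross-domain
        "1700000300 4624 LAB\\da_carol 10.0.0.5",        # cross-domain
    ],
    "10.0.0.11": [
        "1700000030 4624 CORP\\Administrator 10.0.0.5",
        "1700000090 4624 CORP\\Administrator 10.0.0.5",
        "1700000150 4624 CORP\\Administrator 10.0.0.5",  # third within 10 min
        "1700000210 4624 CORP\\da_alice 192.168.9.9",    # bypassed the bastion
    ],
}

def run_monitor(directory=DIRECTORY, logs=LOGS, dc_domains=DC_DOMAINS):
    """All checks at once; the result is what would be sent to the preset terminal."""
    logons = admin_logons(logs, admin_accounts(directory))
    return {
        "bastion": bastion_alerts(logons),
        "frequency": frequency_alerts(logons, window=600, threshold=3),
        "cross_domain": cross_domain_alerts(logons, dc_domains, threshold=2),
    }
```

On the constructed data run_monitor() yields two bastion-bypass alarms (da_alice from 10.0.0.88 on 10.0.0.10 and from 192.168.9.9 on 10.0.0.11), one frequency alarm (the built-in Administrator with three logons on 10.0.0.11 inside ten minutes) and one cross-domain alarm (two LAB logons on the CORP controller 10.0.0.10). The ordinary user bob and the logoff event are filtered out before any rule runs, which is the point of determining administrator login information first.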
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A method of monitoring a domain control administrator, the method comprising:
acquiring IP address information of all domain controllers in a target domain, and acquiring account information of all domain control administrators in the target domain;
acquiring log information from each domain controller according to the IP address information, and determining administrator login information from each piece of log information according to the account information;
for a piece of administrator login information, judging whether the source address information in the administrator login information is the address information of a preset bastion machine, and if not, sending an alarm message containing the administrator login information to a preset terminal;
the method further comprising the following steps:
initiating a simulated login event against each domain controller in turn, the simulated login event being a login made directly to a domain controller without passing through the preset bastion machine and being bound to a specified domain control administrator;
judging, according to the log information of each domain controller, whether the simulated login event can be monitored, and if not, sending alarm information containing the IP address information of the domain controller that cannot be monitored to the preset terminal;
in addition, if a login event that does not pass through the preset bastion machine is detected to have been initiated by the specified domain control administrator, judging that the login event is the simulated login event;
and if a login event that does not pass through the preset bastion machine is detected not to have been initiated by the specified domain control administrator, judging that the login event is a real login event for which an alarm operation needs to be executed.
2. The method for monitoring a domain control administrator according to claim 1, wherein acquiring the IP address information of all domain controllers in the target domain specifically comprises:
acquiring the IP address information of all domain controllers in the target domain from the active directory of any domain controller in the target domain.
3. The method for monitoring a domain control administrator according to claim 1, wherein acquiring the account information of all domain control administrators in the target domain specifically comprises:
searching the active directory of any domain controller in the target domain for administrator accounts containing a specified security identifier (SID).
4. The method of monitoring a domain control administrator according to claim 1, the method further comprising:
counting, according to the log information of a domain controller, the number of logins of each domain control administrator within a set time period; and if the number of logins of a certain domain control administrator reaches a preset threshold, sending an alarm message containing the account information of that domain control administrator to the preset terminal.
5. An apparatus for monitoring a domain control administrator, the apparatus comprising:
an acquisition module, configured to acquire IP address information of all domain controllers in a target domain and to acquire account information of all domain control administrators in the target domain;
a determining module, configured to acquire log information from each domain controller according to the IP address information and to determine administrator login information from each piece of log information according to the account information;
a processing module, configured, for a piece of administrator login information, to judge whether the source address information in the administrator login information is the address information of a preset bastion machine, and if not, to send an alarm message containing the administrator login information to a preset terminal;
the apparatus further comprising:
a testing module, configured to initiate a simulated login event against each domain controller in turn, the simulated login event being a login made directly to a domain controller without passing through the preset bastion machine and being bound to a specified domain control administrator; and to judge, according to the log information of each domain controller, whether the simulated login event can be monitored, and if not, to send alarm information containing the IP address information of the domain controller that cannot be monitored to the preset terminal;
in addition, if a login event that does not pass through the preset bastion machine is detected to have been initiated by the specified domain control administrator, the login event is judged to be the simulated login event; and if a login event that does not pass through the preset bastion machine is detected not to have been initiated by the specified domain control administrator, the login event is judged to be a real login event for which an alarm operation needs to be executed.
6. The apparatus for monitoring a domain control administrator according to claim 5, further comprising:
a statistical module, configured to count, according to the log information of a domain controller, the number of logins of each domain control administrator within a set time period; and if the number of logins of a certain domain control administrator reaches a preset threshold, to send an alarm message containing the account information of that domain control administrator to the preset terminal.
7. A computer device, the computer device comprising: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1 to 4 when executing the computer program.
8. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 4.
CN201910268028.6A 2019-04-03 2019-04-03 Method and device for monitoring domain control administrator, computer equipment and storage medium Active CN110049028B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910268028.6A CN110049028B (en) 2019-04-03 2019-04-03 Method and device for monitoring domain control administrator, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110049028A CN110049028A (en) 2019-07-23
CN110049028B true CN110049028B (en) 2021-03-23

Family

ID=67276196

Country Status (1)

Country Link
CN (1) CN110049028B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110688274B (en) * 2019-08-30 2022-04-12 平安科技(深圳)有限公司 Active directory monitoring method based on Windows Server operating system and related equipment
CN112398695B (en) * 2020-11-19 2022-06-28 上海浦东发展银行股份有限公司 Large-scale terminal equipment control method, system, equipment and storage medium
CN114205110B (en) * 2021-11-02 2023-11-10 北京中安网星科技有限责任公司 AD domain threat detection method and device and electronic equipment
CN116204494B (en) * 2023-04-28 2023-07-14 深圳竹云科技股份有限公司 Method and device for migrating active directory data, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102333090A (en) * 2011-09-28 2012-01-25 辽宁国兴科技有限公司 Internal control bastion host and security access method of internal network resources
CN104239197A (en) * 2014-10-10 2014-12-24 浪潮电子信息产业股份有限公司 Administrative user abnormal behavior detection method based on big data log analysis
US9225721B2 (en) * 2011-11-16 2015-12-29 Google Inc. Distributing overlay network ingress information
CN106445763A (en) * 2016-09-09 2017-02-22 中国南方电网有限责任公司电网技术研究中心 Power distribution and utilization big data platform test method and system
CN108521347A (en) * 2018-04-10 2018-09-11 江苏亨通工控安全研究院有限公司 Industry control O&M behavior auditing method, apparatus and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102413013B (en) * 2011-11-21 2013-11-06 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting abnormal network behavior
CN108984379A (en) * 2018-07-10 2018-12-11 湖南人文科技学院 A kind of dispatch data net remotely accesses the system and method for reinforcing and Centralized Monitoring

Also Published As

Publication number Publication date
CN110049028A (en) 2019-07-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant after: Qianxin Technology Group Co.,Ltd.

Address before: 100088 Building 3 332, 102, 28 Xinjiekouwai Street, Xicheng District, Beijing

Applicant before: Beijing Qi'anxin Technology Co.,Ltd.

GR01 Patent grant