1 Requirements
The enrichment on our side will be based on your DHCP server entries. These entries
contain hostnames and internal IP addresses that we can correlate to the internal IP
addresses that are also found in the existing DNS logging.
We will compare the timestamp of the internal DNS query log, try to find a matching log
containing the same IP address in the DHCP log, and display the hostname on the
dashboard that is the closest in time to the timestamp of the DNS query.
To avoid showing an incorrect hostname, we will always take the hostname that was
assigned the IP before the DNS query was performed.
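As an added illustration of the matching rule above (example code, not SecureDNS's own correlation logic): a PowerShell function that, for one DNS query, returns the hostname from the newest DHCP lease event for that IP at or before the query time, and nothing when no earlier lease is known. The audit log lines are constructed in the Windows DhcpSrvLog CSV layout; the field order and the event IDs 10 (lease assigned) and 11 (lease renewed) are assumptions about that format.

```powershell
# Added example, not SecureDNS code. Constructed lines in the Windows DHCP audit log
# layout: ID,Date,Time,Description,IP Address,Host Name,MAC Address,... (assumed field order).
$DhcpAuditLines = @(
    '10,03/12/24,08:01:15,Assign,10.0.5.20,laptop-alice.corp.local,001122334455,',
    '11,03/12/24,09:30:02,Renew,10.0.5.20,laptop-alice.corp.local,001122334455,',
    '10,03/12/24,09:35:00,Assign,10.0.5.21,laptop-bob.corp.local,aabbccddeeff,',
    '12,03/12/24,11:45:40,Release,10.0.5.20,laptop-alice.corp.local,001122334455,',
    '10,03/12/24,11:46:10,Assign,10.0.5.20,printer-3f.corp.local,66778899aabb,'
)

function ConvertFrom-DhcpAuditLine {
    # Parse one audit log line; header and blank lines (no numeric ID) produce no output.
    param([string]$Line)
    $f = $Line -split ','
    if ($f.Count -lt 6 -or $f[0] -notmatch '^\d+$') { return }
    [pscustomobject]@{
        EventId   = [int]$f[0]
        Time      = [datetime]::ParseExact("$($f[1]) $($f[2])", 'MM/dd/yy HH:mm:ss',
                        [cultureinfo]::InvariantCulture)
        IPAddress = $f[4]
        HostName  = $f[5]
    }
}

function Get-DhcpHostNameForQuery {
    # Return the hostname that held $IPAddress at $QueryTime: the newest lease event
    # (assumed IDs 10 = assigned, 11 = renewed) for that IP that is not after the query.
    # Later leases are ignored on purpose, so a host that got the IP afterwards is never shown.
    param([string[]]$AuditLines, [string]$IPAddress, [datetime]$QueryTime)
    $match = $AuditLines |
        ForEach-Object { ConvertFrom-DhcpAuditLine $_ } |
        Where-Object { $_.IPAddress -eq $IPAddress -and $_.EventId -in @(10, 11) -and $_.Time -le $QueryTime } |
        Sort-Object Time -Descending |
        Select-Object -First 1
    if ($match) { return $match.HostName }
    return $null   # no lease known before the query: show nothing rather than a wrong hostname
}

# Two constructed DNS query timestamps for 10.0.5.20: one while laptop-alice held the
# lease, one after the IP was released and reassigned to the printer.
$fmt = 'MM/dd/yy HH:mm:ss'
foreach ($ts in '03/12/24 10:15:00', '03/12/24 12:00:00') {
    $q = [datetime]::ParseExact($ts, $fmt, [cultureinfo]::InvariantCulture)
    '{0} -> {1}' -f $ts, (Get-DhcpHostNameForQuery -AuditLines $DhcpAuditLines -IPAddress '10.0.5.20' -QueryTime $q)
}
```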
To set this up, there are a couple of requirements:
- You already have internal IP enrichment on SecureDNS by using Filebeat to send us the internal DNS query logs from a Windows Server
- You have a DHCP server managed on a Windows Server
2 Defining the scope
The activation procedure depends on the setup in your network.
Below, we have defined 2 procedures:
- Enrichment using DHCP audit logs (only DHCP leases)
  Recommended to enable by default. Use this quick setup to send us just the DHCP audit logs. This will only include audit information such as IP leases. If you have a lot of IP reservations and also want to view the hostnames of these entries in the SecureDNS dashboards, it is recommended to enable the procedure below as well.
- Enrichment from exported DHCP data using a PowerShell script (DHCP Reservations + Leases)
  This script will write ALL DHCP data to a file (all DHCP scopes, including leases and reservations). A scheduled task will have to be created to run the script at your desired interval.
3 Activation procedure
3.1 Enrichment using DHCP audit logs (only DHCP leases)
This small step enables DHCP audit logging, meaning that every IP lease handed out by the DHCP server will be logged. Receiving this information lets us correlate quickly, because the script below (see 3.2), for example, will only be run at set intervals. This only applies to DHCP leases, however, as (existing) reservations are not included in this log.
1. Activate DHCP audit logs on the Windows Server by going to your DHCP server application in Server Manager.
2. Expand your DHCP server, and right-click on IPv4 -> Properties.
3. Enable DHCP audit logging.
4. In Advanced, make sure you have an Audit log file path, that it is set to the default C:\Windows\system32\dhcp, and click OK.
5. If you have a recent version of Filebeat, the next steps are not needed, as the filebeat.yml file will already contain the DHCP log path as input; please verify whether you already have the input configured. Open your filebeat.yml and save your client and site name somewhere. If you have a custom log path or Filebeat location, please also take note of this. Replace your current filebeat.yml with the one provided. Filebeat is now adapted to send DHCP logs. Note: if your DHCP server is not located on the same server as your DNS server, you can use the same filebeat.yml config file; Filebeat can handle configured inputs that do not exist. Of course, you can also remove the (DNS) input from the config file.
6. Confirm the only tag is "customer". Add your client and site name again.
7. Restart the Filebeat service.
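The same audit log setting can be applied and checked from PowerShell on the DHCP server with the DhcpServer module; this is an added example, not part of the SecureDNS guide. It also confirms that a current log file matches the DhcpSrvLog-*.log input that the provided filebeat.yml reads; the per-weekday file names are the Windows DHCP server's own convention.

```powershell
# Added example, not from the SecureDNS guide. Run on the DHCP server (DhcpServer module).
Import-Module DhcpServer
$auditPath = 'C:\Windows\system32\dhcp'   # the default path the guide asks for

# Enable audit logging at the default path. A changed path only takes effect after the
# DHCP Server service has been restarted, so verify the setting afterwards.
Set-DhcpServerAuditLog -Enable $true -Path $auditPath

$cfg = Get-DhcpServerAuditLog
if (-not $cfg.Enable -or $cfg.Path -ne $auditPath) {
    throw "DHCP audit logging is not enabled at $auditPath (Enable=$($cfg.Enable), Path=$($cfg.Path))"
}

# The DHCP server writes one file per weekday (DhcpSrvLog-Mon.log ... DhcpSrvLog-Sun.log).
# The Filebeat input in this guide reads DhcpSrvLog-*.log, so a recently written file
# must exist here or nothing will be shipped.
$recent = Get-ChildItem -Path $auditPath -Filter 'DhcpSrvLog-*.log' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
if (-not $recent) {
    Write-Warning 'No DhcpSrvLog-*.log written in the last 24 hours; the audit log is not being produced'
}
$recent | Select-Object Name, Length, LastWriteTime
```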
3.2 Enrichment from exported DHCP data using PowerShell Script (DHCP Reservations + Leases)
Because existing DHCP reservations are non-retrievable using Windows events or DHCP audit logs, we have created a PowerShell script that will write all reservations and leases from your DHCP server to a local text file. Filebeat will read this text file to send us this data.
1. On your Windows DHCP server, place the PowerShell script we provided in a directory. Example: C:\Scripts\DhcpDataExportScript.ps1
2. Manually verify that the script is working by executing it with PowerShell and checking the result. Note: the script is currently not signed by a CA, so to run it manually, use the Set-ExecutionPolicy Bypass command.
3. Create a scheduled task in Task Scheduler to run the script at the desired interval.
   General tab:
   • Choose a name and description
   • Select a user to run the task: a Managed Service Account is strongly recommended (a guide on how to create a gMSA account can be found in 3.2.1)
   • Run whether user is logged on or not
   • Run with highest privileges
   Triggers tab:
   • Select a start date
   • Repeat task every 1 hour indefinitely (adapt if necessary)
   Actions tab:
   • Action: Start a program
   • Select the path of the PowerShell executable (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
   • Add the path where the DhcpDataExportScript.ps1 is located.
   The remaining tabs and checkboxes can be left blank, or enabled to fit your specific needs. If everything is correct, the task will be created and in Ready status.
4. If you have not adapted the Filebeat configuration yet to send us the DHCP logs, please see the audit logs procedure above.
Because of the wildcard character in the Filebeat configuration (DhcpSrvLog-*.log) from the previous chapter, Filebeat will read both the DHCP audit logs that the DHCP server creates every day and the log file created by the script.
3.2.1 Extra: Creating a gMSA (Group Managed Service Account) to run the Scheduled Task for the PowerShell script
To follow the principle of least privilege, we recommend creating a gMSA to run the Scheduled Task, as this will also discard the need to manage any passwords compared to a regular Service Account. To create a gMSA, simply open a PowerShell window with elevated rights on your Domain Controller.
Use the following command to create the account (adapt the values SVC_DHCP and DCHOSTNAME$ to your environment):
New-ADServiceAccount -Name SVC_DHCP -DNSHostName SVC_DHCP -SamAccountName SVC_DHCP -ManagedPasswordIntervalInDays 30 -PrincipalsAllowedToRetrieveManagedPassword DCHOSTNAME$
Next, add the Group Managed Service Account as member of the "DHCP Users" group so it can read the DHCP Server/Scopes (also possible in the GUI in Windows Explorer):
Add-ADGroupMember -Identity "DHCP Users" -Members "SVC_DHCP$"
Next, make sure the Group Managed Service Account has "Modify" permissions on the C:\Windows\System32\dhcp folder.
After this, go to your Group Policy Manager and add this account to “Log on as batch job” and “Log on as service” for your Domain Controller or DHCP server. This can be found in:
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/
You should now be able to select and use this account in your Task Scheduler.
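The folder permission from 3.2.1, the gMSA check, and the scheduled task from 3.2 can all be done from PowerShell on the DHCP server; this is an added example, not SecureDNS's own script or procedure. The domain name CONTOSO, the script path C:\Scripts\DhcpDataExportScript.ps1 and the task name are assumptions; -ExecutionPolicy Bypass on the task's command line is assumed to be needed for the same reason the guide gives for running the unsigned script manually.

```powershell
# Added example, not from the SecureDNS guide. Assumed values: domain CONTOSO, gMSA SVC_DHCP
# (created as in 3.2.1), script at C:\Scripts\DhcpDataExportScript.ps1.
$gmsa       = 'CONTOSO\SVC_DHCP$'
$scriptPath = 'C:\Scripts\DhcpDataExportScript.ps1'
$taskName   = 'SecureDNS DHCP Export'

# 1. Check that this host may retrieve the gMSA password (ActiveDirectory module). False means
#    the host is not in -PrincipalsAllowedToRetrieveManagedPassword or the account was not
#    installed here with Install-ADServiceAccount; the task would then fail to log on.
Import-Module ActiveDirectory
if (-not (Test-ADServiceAccount -Identity 'SVC_DHCP')) {
    throw "gMSA SVC_DHCP cannot be used on $env:COMPUTERNAME"
}

# 2. Grant Modify (not Full Control) on the DHCP log folder, as 3.2.1 requires;
#    (OI)(CI) lets the ACE inherit to the audit logs and the script's export file.
icacls 'C:\Windows\System32\dhcp' /grant "${gmsa}:(OI)(CI)M" | Out-Null

# 3. Register the task the guide builds in the GUI: hourly, run whether the user is logged on
#    or not (LogonType Password is the mode gMSAs use), with highest privileges.
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
    -RepetitionInterval (New-TimeSpan -Hours 1)   # no duration given = repeat indefinitely
$principal = New-ScheduledTaskPrincipal -UserId $gmsa -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal `
    -Description 'Exports DHCP leases and reservations to a file for SecureDNS enrichment' | Out-Null

# 4. Confirm the task is in Ready state, run it once, and read the result code
#    (LastTaskResult 0 means the last run succeeded).
(Get-ScheduledTask -TaskName $taskName).State
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 15
(Get-ScheduledTaskInfo -TaskName $taskName) | Select-Object LastRunTime, LastTaskResult
```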
More info:
https://learn.microsoft.com/en-us/windows-server/security/group-managed-serviceaccounts/getting-started-with-group-managed-service-accounts#BKMK_CreateGMSA