
Integrating Active Directory


Overview

For RansomStop to suspend users in Active Directory, an integration must be configured that grants RansomStop the permissions to make those changes in real time. In a nutshell, an AD service account is created with the ability to disable user accounts. The service account's password is encrypted in a file that only a RansomStop-generated certificate can decrypt. The password is never exposed in clear text and is not accessible to Plume Security. AD Setup must be performed on an Active Directory Domain Controller, by a Global Admin, once per Domain. AD Setup is also required on each RansomStop-protected server, but there it is handled automatically by the RansomStop installer.
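The pattern described above, a service-account secret at rest that only a certificate holder can decrypt, as an added PowerShell illustration; this is not RansomStop's installer code, and the certificate subject, file path, and account name are assumed placeholders.

```powershell
# Illustrative only: mirrors the mechanism described above (certificate-protected
# secret file, plaintext never written to disk). Not Plume Security's code.
# Assumed names: certificate subject, secret path, and the service account.
$CertSubject = 'CN=RansomStop-Example-Decrypt'
$SecretFile  = 'C:\ProgramData\RansomStopExample\svc.cms'

function New-DecryptCert {
    # Document-encryption certificate whose private key stays in the machine
    # store; only code with access to that key can decrypt the secret file.
    New-SelfSignedCertificate -Subject $CertSubject `
        -Type DocumentEncryptionCert -KeyUsage KeyEncipherment `
        -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(2)
}

function Protect-ServicePassword {
    param([Parameter(Mandatory)][SecureString]$Password)
    $cert = Get-ChildItem 'Cert:\LocalMachine\My' |
        Where-Object Subject -eq $CertSubject | Select-Object -First 1
    if (-not $cert) { throw 'Decryption certificate not found; run New-DecryptCert first.' }
    New-Item -ItemType Directory -Force (Split-Path $SecretFile) | Out-Null
    # Plaintext exists only in memory for this call; it is never echoed or logged.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    Protect-CmsMessage -To $cert -Content $plain -OutFile $SecretFile
    # Defence in depth: restrict the file to SYSTEM and Administrators as well.
    icacls $SecretFile /inheritance:r /grant 'SYSTEM:F' 'Administrators:F' | Out-Null
}

function Get-ServiceCredential {
    param([Parameter(Mandatory)][string]$UserName)
    # Fails unless the matching private key is present in this machine's store.
    $plain  = Unprotect-CmsMessage -Path $SecretFile
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    [pscredential]::new($UserName, $secure)
}

# Usage on a domain-joined host with the ActiveDirectory module (assumed names):
# New-DecryptCert | Out-Null
# Protect-ServicePassword -Password (Read-Host 'Service account password' -AsSecureString)
# $cred = Get-ServiceCredential -UserName 'TYRELL\svc-ransomstop'
# Disable-ADAccount -Identity 'compromised.user' -Credential $cred
```

The service account used with such a credential should be delegated only the right to disable accounts in the relevant OU, so a compromise of the decrypting host does not yield broader directory control.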
  

Prerequisites

  1. You will need Domain Admin permissions to make the necessary changes to AD
  2. You will need to identify a valid OU, containing the servers you will be installing RansomStop on, to which a Group Policy Object (GPO) can be applied

Info
If you are only installing RansomStop on a subset of the servers in the OU, you can create a new OU under your existing OU and move the RansomStop servers into the newly created child OU. That way they will keep their existing GPOs while also receiving the RansomStop GPO.
 

To understand options or discuss your specific environment, please contact support@plumesecurity.com for more information.

Domain Controller Setup

  1. Download the AD Installer file from the RansomStop Admin Portal
  2. Extract the zip file, right-click Setup_AD.ps1, and click Run in PowerShell
  3. Enter your Domain NetBIOS name, e.g. Tyrell for Tyrell.com
  4. Enter the name of the OU your servers are in. You can enter just a few characters and it will show you matching names.
  5. Confirm the correct OU
  6. When prompted, authenticate using Domain Admin credentials
