Monday, March 09, 2015

Quickly implementing Cisco CDA registry permissions required

Recently I was working with a colleague on our Cisco team to implement Cisco's Context Directory Agent (CDA) product in order to provide user-to-IP-address mapping, so that Cisco Cloud Web Security could correctly identify users based on their IP.

The tasks to configure this on the Microsoft side are fairly straightforward, but there are registry permission settings that cannot be implemented via GPO, because GPOs are applied as SYSTEM, which does not have access to these particular keys.

So first off, the Cisco article on implementation:
http://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/Install_Config_guide/cda10/cda_install.html

Here's the registry specific settings, which need to be performed on ANY DOMAIN CONTROLLER in a site where users will be using CDA!

From that article:
For Windows 2008 R2, Windows 2012, and Windows 2012 R2, the Domain Admin group does not have full control on certain registry keys in the Windows operating system by default. In order to get the CDA to work, Active Directory admin must give the Active Directory user Full Control permissions on the following registry keys:
  • HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
  • HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
Now, when they say "the Active Directory User" they mean the service account that CDA is using.  So you need to add a reg permission to two keys on every DC.

Now, this customer had fewer than 10 domain controllers, so I did this in a more manual way, but hopefully someone else can find this, have the problem of 200+ domain controllers, and script this properly by focusing on the Domain Controllers OU (or, better yet, find a way to address it via GPO somehow).

I chose to use SetACL.exe, which is NOT a Microsoft tool, but is a quite effective and great tool. Using this, and either using the \\computername method or running it locally on each DC, you can implement these changes with the commands below. Note - you need to take ownership with your account in order to set permissions. The placeholder values (AdminAccount and domain.com\CDAServiceAccount) are the parts you will need to replace with values specific to your environment.

SetACL.exe -on "hklm\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn setowner -ownr "n:AdminAccount"
SetACL.exe -on "hklm\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn ace -ace "n:domain.com\CDAServiceAccount;p:full"
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn setowner -ownr "n:AdminAccount"
SetACL.exe -on "HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn ace -ace "n:domain.com\CDAServiceAccount;p:full"

If anyone runs into this situation and ultimately ends up automating the solution, feel free to post it in the comment section below for others. It should be easy enough to get the domain controllers into an array and for-each through them.
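As an added example (not part of the original post, and not Cisco's or SetACL's own code), here is the for-each over the domain controllers sketched above: it enumerates the DCs from AD, runs the same four SetACL commands on each one over WinRM, and then reads the ACL back so you can confirm that exactly the intended service account received Full Control. It assumes the RSAT ActiveDirectory module, WinRM access to every DC, that SetACL.exe has already been copied to the path in $SetAclPath on each DC, and that the account running the script is the "AdminAccount" that takes ownership; the service account name is a placeholder.

```powershell
# Added example: apply the CDA registry permissions from the post to every DC.
# Assumptions (not from the post): RSAT AD module, WinRM to each DC,
# SetACL.exe present at $SetAclPath on each DC, script run as the owning admin.
param(
    [string]$ServiceAccount = 'domain.com\CDAServiceAccount',  # placeholder, replace
    [string]$AdminAccount   = "$env:USERDOMAIN\$env:USERNAME", # account taking ownership
    [string]$SetAclPath     = 'C:\Tools\SetACL.exe'            # assumed location on each DC
)
Import-Module ActiveDirectory

# The two keys named in the Cisco guide (same CLSID, 64-bit and WOW6432Node views)
$Keys = @(
    'hklm\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}',
    'HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}'
)

# Build the DC list from AD instead of hard-coding it (covers all sites)
$DCs = (Get-ADDomainController -Filter *).HostName

$Results = Invoke-Command -ComputerName $DCs `
    -ArgumentList $Keys, $ServiceAccount, $AdminAccount, $SetAclPath -ScriptBlock {
    param($Keys, $Svc, $Admin, $SetAcl)
    $SvcName = ($Svc -split '\\')[-1]   # Get-Acl shows NetBIOS\name, so match on the name part
    foreach ($Key in $Keys) {
        # Step 1: take ownership; step 2: grant Full Control (flags exactly as in the post)
        & $SetAcl -on $Key -ot reg -actn setowner -ownr "n:$Admin" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "setowner failed on $env:COMPUTERNAME for $Key" }
        & $SetAcl -on $Key -ot reg -actn ace -ace "n:$Svc;p:full" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "ace failed on $env:COMPUTERNAME for $Key" }

        # Verification: read the key's ACL back through the Registry provider
        $ProviderPath = 'Registry::' + $Key.Replace('hklm\', 'HKEY_LOCAL_MACHINE\')
        $Entries = (Get-Acl -Path $ProviderPath).Access |
            Where-Object { $_.IdentityReference.Value -like "*\$SvcName" }
        [pscustomobject]@{
            DC     = $env:COMPUTERNAME
            Key    = $Key
            Rights = if ($Entries) { ($Entries.RegistryRights | ForEach-Object { "$_" }) -join ',' } else { 'NOT PRESENT' }
        }
    }
}

# One row per DC and key; anything other than FullControl needs a second look
$Results | Format-Table DC, Key, Rights -AutoSize
```

Because the SetACL calls run locally on each DC via Invoke-Command, no remote-registry access or double-hop credential delegation is needed; if a DC is unreachable, Invoke-Command reports it and the others still complete.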
