Read-Only Domain Controllers
A domain controller is a server on a Windows domain that responds to security and authentication requests, such as asset login, permission changes, and user verification.
In some environments, you can set domain controllers to “read-only” mode. These domain controllers do not perform authentication themselves; they forward authentication requests to other domain controllers in the environment on behalf of the endpoint.
While proxying in this way between the authenticating domain controller and the endpoint that requested authentication, the read-only domain controller substitutes its own IP address for the endpoint’s as the source IP of the request.
You should correct this replacement of the endpoint’s IP address with the read-only domain controller’s IP address immediately, as it can have a detrimental effect on InsightIDR’s legacy detection rules: the proxied events may appear in your environment as lateral movement, suspicious authentication, or other false positive detections.
Mark Read-Only Domain Controllers
To prevent InsightIDR from attributing these proxied events to the wrong address, register your read-only domain controllers so that InsightIDR does not assign their IP addresses to endpoints and assets.
To add a list of your read-only domain controllers:
- Sign in to InsightIDR.
- On the left menu, select the Settings page.
- Select the Read-Only Domain Controller page from the list.
- Enter the IP address of a read-only domain controller and click the Add IP button. Repeat for each read-only domain controller.
- Click the Save button.
InsightIDR will no longer assign the IP addresses of your read-only domain controllers to other endpoints and assets.
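The following added example (not InsightIDR code; field names, addresses and the heuristic are assumptions) shows why the IP substitution described above produces false positives and how a registered list of read-only domain controllers suppresses them: a naive lateral-movement check over constructed authentication events flags the RODC's address when the list is empty and stays quiet once the RODC is registered.

```python
from ipaddress import ip_address

# Constructed sample authentication events, normalised the way a collector
# might present them. The field names are assumptions, not a product schema.
# Three of the four events arrived via the read-only domain controller, so
# their source_ip is the RODC's address rather than the real endpoint's.
SAMPLE_EVENTS = [
    {"user": "alice", "source_ip": "10.0.5.17", "dest_host": "FS01"},
    {"user": "bob",   "source_ip": "10.0.5.17", "dest_host": "SQL01"},
    {"user": "carol", "source_ip": "10.0.5.17", "dest_host": "WEB01"},
    {"user": "dave",  "source_ip": "10.0.9.44", "dest_host": "FS01"},
]

# Constructed: the read-only domain controller addresses an admin registers.
RODC_ADDRESSES = frozenset({"10.0.5.17"})


def is_rodc(ip: str, rodcs=RODC_ADDRESSES) -> bool:
    """True when the event's source IP is a registered read-only DC."""
    return str(ip_address(ip)) in rodcs


def attribute_source(event: dict, rodcs=RODC_ADDRESSES) -> dict:
    """Return a copy of the event with attribution fields added.

    An event whose source IP is an RODC was proxied: the endpoint's real
    address was replaced, so no asset may be attributed to that IP.
    """
    out = dict(event)
    proxied = is_rodc(event["source_ip"], rodcs)
    out["proxied_by_rodc"] = proxied
    out["attributed_ip"] = None if proxied else event["source_ip"]
    return out


def suspicious_sources(events, rodcs=RODC_ADDRESSES, threshold=3) -> set:
    """Naive lateral-movement heuristic: one attributed source IP that
    authenticates to `threshold` or more distinct hosts. Proxied events
    carry no attributed IP and therefore never trip the rule."""
    hosts_by_ip: dict = {}
    for ev in (attribute_source(e, rodcs) for e in events):
        if ev["attributed_ip"] is None:
            continue
        hosts_by_ip.setdefault(ev["attributed_ip"], set()).add(ev["dest_host"])
    return {ip for ip, hosts in hosts_by_ip.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    print("unregistered:", suspicious_sources(SAMPLE_EVENTS, rodcs=frozenset()))
    print("registered:  ", suspicious_sources(SAMPLE_EVENTS))
```

With no RODC registered the heuristic reports 10.0.5.17 as a single source touching three hosts; with the address registered it reports nothing.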