Data Loss Prevention

  • 1.  How to run DLP-Lookup script in the context of another user

    Posted Aug 08, 2013 01:06 PM

    I created a DLP-Lookup script in PowerShell that will take in sender-ip=some_IP_address and will return the userId.


    Two issues:

    1. This script will work if I perform Run-As another-account.

    2. The server that the DLP engine is located on will not run using another-account.


    This means that when DLP invokes the script, the script must automatically run as our another-account; otherwise it will not be able to find the userId based on some_IP_address.


    Here is the script I have so far:

    # Credential for the account the lookup has to run as (built, but not yet
    # used anywhere below; see the question further down).
    $username = 'another-account'
    $password = Get-Content D:\script\do_not_delete.txt | ConvertTo-SecureString
    $credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

    # Parse the "key=value" arguments DLP passes (e.g. sender-ip=10.1.2.3) into a hashtable.
    $line_array = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}

    foreach ($i in $args) {
        $line_array += $i.Split(" ")
    }

    foreach ($j in $line_array) {
        $multi_array += ,@($j.Split("="))
    }

    foreach ($k in $multi_array) {
        # Skip tokens without an "=" so a bare word does not produce a null value.
        if ($k.Count -ge 2) { $my_hash[$k[0]] = $k[1] }
    }

    $Sender_IP = $my_hash.Get_Item("sender-ip")

    # Read the Security log on the sender's machine and keep the two most recent
    # successful logons (event 4624) by a real user, i.e. a target SID longer than a
    # well-known SID and an account name that is not a machine account ("name$").
    $eventList = @()
    Get-EventLog "Security" -ComputerName $Sender_IP `
        | Where-Object -FilterScript { $_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10 -and $_.ReplacementStrings[5] -notlike "*$" } `
        | Select-Object -First 2 `
        | ForEach-Object {
            $row = "" | Select-Object UserName, LoginTime
            $row.UserName  = $_.ReplacementStrings[5]
            $row.LoginTime = $_.TimeGenerated
            $eventList += $row
        }

    # Fail loudly instead of indexing an empty array when nothing matched.
    if ($eventList.Count -eq 0) { throw "No matching logon events found on $Sender_IP" }
    $userId = $eventList[0].UserName
    $userId


    I followed the directions on how to create a file with the encrypted password and store it in D:\script\do_not_delete.txt from this website: http://blogs.technet.com/b/robcost/archive/2008/05/01/powershell-tip-storing-and-using-password-credentials.aspx

    I just do not know how to make this script run in the context of the service account based on:

    $username = 'another-account'
    $password = get-content D:\script\do_not_delete.txt | convertto-securestring
    $credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$password


    Any guidance is greatly appreciated!!!!!



  • 2.  RE: How to run DLP-Lookup script in the context of another user

    Trusted Advisor
    Posted Aug 09, 2013 02:18 AM

    DLP is able to encrypt the username/password that you want to use in your script, and it will decrypt the file and then call your script with two more arguments, which are the username and password. So maybe you can do a runas afterwards in your script to perform the Get-EventLog command (I think it is because of it that you have to run in another account than the DLP one).

    You can have a look at the DLP 11.6 admin guide, page 1019; it provides information on how to do it and use it.
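    The following is an added example of the approach described in this reply, written for this page; it is neither the original poster's script nor Symantec's code. It assumes that DLP passes every argument as key=value and that the two extra credential arguments arrive as username=... and password=... (those two key names are placeholders; the admin guide referenced above defines the real form). Instead of a separate runas, the remote Security-log read is done through Invoke-Command, which accepts -Credential, so only that call runs as the service account while the rest of the script keeps running as the DLP engine. It also adds a logon-type filter (interactive or RDP) on top of the poster's machine-account check, and it requires WinRM remoting to be enabled on the sender's host.

    ```powershell
    # Added example (not the poster's script or Symantec's code).
    # Assumed argument form: sender-ip=10.1.2.3 username=DOMAIN\svc password=...
    # The key names 'username' and 'password' are placeholders for whatever DLP uses.

    # Parse every "key=value" token into a hashtable; the regex keeps any '=' inside the value.
    $params = @{}
    foreach ($token in (($args -join ' ') -split '\s+')) {
        if ($token -match '^([^=]+)=(.*)$') { $params[$matches[1]] = $matches[2] }
    }

    $senderIp = $params['sender-ip']
    $user     = $params['username']   # assumed key name
    $pass     = $params['password']   # assumed key name
    if (-not $senderIp -or -not $user -or -not $pass) {
        Write-Error 'Expected sender-ip, username and password arguments'
        exit 1
    }

    # Build the PSCredential once from the plaintext DLP handed us.
    $secure = ConvertTo-SecureString -String $pass -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($user, $secure)

    # The lookup itself, executed on the sender's host under the service account.
    # Event 4624 properties: [5] = TargetUserName, [8] = LogonType.
    $lookup = {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
            Where-Object {
                $p = $_.Properties
                ($p[8].Value -eq 2 -or $p[8].Value -eq 10) -and   # interactive or RDP logon
                $p[5].Value -notlike '*$'                          # skip machine accounts
            } |
            Select-Object -First 1 -Property @{ n = 'UserName';  e = { $_.Properties[5].Value } },
                                            @{ n = 'LoginTime'; e = { $_.TimeCreated } }
    }

    # Invoke-Command honours -Credential, so the DLP engine's own account is never
    # used for the remote read; -ErrorAction Stop surfaces access or WinRM failures.
    $result = Invoke-Command -ComputerName $senderIp -Credential $cred -ScriptBlock $lookup -ErrorAction Stop

    if ($result) {
        $result.UserName
    } else {
        Write-Error "No matching logon event found on $senderIp"
        exit 2
    }
    ```

    Because the password arrives as a plain argument, it is visible to anything that can read the process command line on the DLP server; keeping the script's output to just the user name and exiting non-zero on failure keeps the credential out of DLP's logs.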