IBM Support

With Guardium FAM, why does the Client IP have the same value as the Server IP when activity is made from a remote desktop against a shared folder on a mapped network drive?

Question & Answer


Question

With Guardium FAM, why does the Client IP have the same value as the Server IP when activity is made from a remote desktop against a shared folder on a mapped network drive?

Answer

Consider the following environment and scenario:

x.xx.xxx.xxx ... The IP address of the user's local laptop.
y.yy.yyy.yyy ... Windows Server (wwwwww01). \\z.zz.zzz.zzz\work is mapped to drive W: using user \\AAAAA\AAAAA.
z.zz.zzz.zzz ... Windows Server (wwwwww02) with Guardium S-TAP FAM installed. C:\work is configured as a network share.

A policy is installed on a Guardium Collector that logs any changes made to C:\work.

1. From the laptop x.xx.xxx.xxx, connect to Windows server y.yy.yyy.yyy via Remote Desktop using user \\AAAAA\AAAAA.
2. Launch Windows Explorer and write something to W:\1.txt (i.e. \\z.zz.zzz.zzz\work\1.txt).
3. Check the Guardium Collector reports to see what is reported for this activity.

You will see that:
- The CLIENT IP of the activity has the same value as the SERVER IP (z.zz.zzz.zzz).
- DB User Name / Application User / OS User stores the network share user ID (wwwwww02\test_user). The OS logon user AAAAA\AAAAA is not stored.

Cause
These are known limitations.

The Guardium S-TAP / FAM cannot get the IP address of the client when access comes in through a remote share.
The Guardium S-TAP relies on the Windows operating system for this information, and in the scenario described the information is not available.
It should be noted that extensive discussions were conducted between Guardium and Microsoft with the above conclusion.

Product: IBM Security Guardium
Platform: Windows
Version: 10.0; 10.0.1; 10.1; 10.1.2; 10.1.3; 10.1.4; 10.5; 10.6; 11

Document Information

Modified date:
24 October 2019

UID

swg22016127