WebTitan

WADA Configuration

WADA does not require any specific configuration after installation, but changes can be made to the configuration if required. Follow the steps below to make changes. 

  1. Run Notepad with elevated privileges (run as administrator) as described here:

    • Click Windows Start and in the search box type notepad.

    • Right-click on Notepad and choose Run as Administrator.

    • Click Yes and Notepad will open (running with administrator privileges).

  2. The WADA configuration file is wada.ini, located at C:\ProgramData\WebtitanADAgent\wada.ini. To make changes, locate wada.ini and open it with Notepad running with elevated privileges as described above.

  3. wada.ini looks similar to the example shown here. Use the table below to edit parameters as required.

    Important

    Line breaks in wada.ini must be the same as shown in this example, where each parameter has its own line entry.

    [WADA] 
    Proxytype=1 
    WebTitanServers=http://1.2.3.4:8881 
    DC=WINSERVER1 
    LogMinLevel=0 
    DiscoveryThreads=10 
    DiscoveryIntMin=30 
    LastLogonDays=365 
    TTLMin=60 
    EnumSessIntS=10 
    WMICheckIntS=60 
    WMIMaxCheckRetry=10 
    Security-Status=1 
    SwitchUser-Status=1 
    ExcludedComputers=NETBIOS-NAME,10.1.0.2 
    ExcludedUsers=[user1.upn],[user-2.upn] 
    [Terminal Servers] 
    TSVR-Status=1 
    TSVR=Server1.abc.local,Server2.abc.local,Server3.abc.local 
    [RADIUS] 
    RADIUS-Status=1
  4. Close wada.ini and click Save to save your changes.

| Parameter | Default | Description |
|---|---|---|
| Proxytype | (0) | (0) is for DNSProxy installations; (1) is for WebTitan. |
| WebTitanServers | | IP and port number for your WebTitan/WebTitan Cloud installation. This parameter is used to send IP/UserName mappings to DNS Proxy. Multiple servers can be specified, separated by a comma (,). For example, if you have two DNS Proxies at 192.0.2.0 and 198.51.100.0, this parameter would be as follows: WebTitanServers=http://192.0.2.0:7777,http://198.51.100.0:7777 |
| DC | | Name of the remote domain controller. Can be used to run WADA on a computer on the network other than the domain controller. |
| DiscoveryThreads | (10) | Number of child threads used in the WMI discovery process. Each thread connects to a computer using WMI, and the threads run in parallel to speed up the initial discovery process. |
| DiscoveryIntMin | (30) | Number of minutes between discoveries (LDAP queries that read the list of available computers, followed by WMI checks). |
| LastLogonDays | (365) | Maximum number of days since the last logon to a machine for it to be checked for existing sessions with WMI. Based on the lastLogon LDAP attribute. Computers with a higher number of 'idle' days are omitted. |
| TTLMin | (60) | Number of minutes after which an IP/user pair is removed from the map if no active login session was found on the given IP during this period (using WMI checks, events from Event Logger, or the Network session’s enumerator). |
| EnumSessIntS | (10) | Number of seconds between enumerations of Network Sessions. Note that Windows XP sessions are shown for only about 15 seconds, so don't change this setting to a higher value or you may lose some information about active logon sessions. |
| WMICheckIntS | (60) | Number of seconds between individual WMI checks on a specific computer. This avoids flooding Windows computers. |
| WMIMaxCheckRetry | (10) | Number of retries when a WMI query to a specific computer is failing. If it is still failing after this number of retries, an error is logged to the file waderror.log and the computer is not checked for active sessions with WMI unless there is some activity from other sources (Event Logger or Network Sessions). |
| Security-Status | (1) | An On (1) or Off (0) flag that tells WADA to listen for security-based events. |
| SwitchUser-Status | (1) | An On (1) or Off (0) flag that tells WADA to ignore session enumeration after the first enumeration for machines perceived to be Shared Computers. |
| ExcludedComputers | | NETBIOS name followed by the IP of a machine that is to be excluded from discovery and scanning by WADA. This feature is used to exclude Exchange servers from the scan, as scanning these machines can result in excessive use of WMI on them. |
| ExcludedUsers | | The UPN of a user to be excluded from reporting. The UPN is the user's domain logon, e.g. user@example.local. This feature is used to exclude application-based users, e.g. sophos@abc.local. |
| TSVR-Status | (0) | An On (1) or Off (0) flag that tells WADA to listen for terminal server-based events. This is used when virtual IPs are used. |
| TSVR | | FQDN names of terminal server computers that are issuing virtualized IPs to users on the domain. Each terminal server is delimited by a comma. A listener is established for each server listed, and virtual IP assignment is captured from the event logger on each one. |
| RADIUS-Status | (0) | An On (1) or Off (0) flag that tells WADA to listen for RADIUS server Wi-Fi based events. Wi-Fi access points need to be enabled with RADIUS accounting and have RADIUS Attribute 8 Framed-IP-Address capability. |
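
A check to run on wada.ini before saving, as an added example (not WebTitan's own code): it parses the file text and reports values that break the rules in the parameter table, including two parameters merged onto one line. It assumes Python's configparser reads the file the way WADA does; lint and SAMPLE are hypothetical names, and the TSVR check is inferred from the table rather than stated by it.

```python
import configparser
import re

# Constructed sample wada.ini with deliberate mistakes (not from a real host).
SAMPLE = """\
[WADA]
Proxytype=0
WebTitanServers=http://192.0.2.0:7777,http://198.51.100.0:8881:7777
DiscoveryThreads=10 DiscoveryIntMin=30
EnumSessIntS=30
[Terminal Servers]
TSVR-Status=1
[RADIUS]
RADIUS-Status=2
"""

INTS = ["DiscoveryThreads", "DiscoveryIntMin", "LastLogonDays", "TTLMin",
        "EnumSessIntS", "WMICheckIntS", "WMIMaxCheckRetry"]
FLAGS = [("WADA", "Proxytype"), ("WADA", "Security-Status"),
         ("WADA", "SwitchUser-Status"), ("Terminal Servers", "TSVR-Status"),
         ("RADIUS", "RADIUS-Status")]
SERVER = re.compile(r"https?://[^\s:/,]+:(\d{1,5})")  # one host, one port


def lint(text):
    """Return the problems found in wada.ini text (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    def get(section, key):
        return cp.get(section, key, fallback="").strip()

    out = []
    for section, key in FLAGS:  # documented as 0 or 1 only
        if get(section, key) not in ("", "0", "1"):
            out.append(f"{key}: must be 0 or 1")
    for key in INTS:  # two parameters merged on one line surface here
        if get("WADA", key) and not get("WADA", key).isdigit():
            out.append(f"{key}: not a whole number (check line breaks)")
    for url in filter(None, get("WADA", "WebTitanServers").split(",")):
        m = SERVER.fullmatch(url.strip())
        if not m or not 0 < int(m.group(1)) < 65536:
            out.append(f"WebTitanServers: malformed entry {url.strip()}")
    enum = get("WADA", "EnumSessIntS")
    if enum.isdigit() and int(enum) > 10:
        out.append("EnumSessIntS: above default 10, short sessions may be missed")
    if get("Terminal Servers", "TSVR-Status") == "1" and not get("Terminal Servers", "TSVR"):
        out.append("TSVR: TSVR-Status=1 but no terminal servers listed (inferred rule)")
    return out
```

Calling lint(SAMPLE) returns five findings; a file laid out like the example in step 3 returns an empty list.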