WADA Configuration
WADA does not require any specific configuration after installation, but changes can be made to the configuration if required. Follow the steps below to make changes.
Run Notepad with elevated privileges (run as administrator) as described here:
1. Click Windows Start and in the search box type notepad.
2. Right-click on Notepad and choose Run as Administrator.
3. Click Yes and Notepad will open (running with administrator privileges).
The WADA configuration file is wada.ini and is located at C:\ProgramData\WebtitanADAgent\wada.ini. To make changes, locate wada.ini and open it with Notepad running with elevated privileges as described above. wada.ini looks similar to the example shown here. Use the table below to edit parameters as required.
Important
Line breaks in wada.ini must be the same as shown in this example, where each parameter has its own line entry.

```ini
[WADA]
Proxytype=1
WebTitanServers=http://1.2.3.4:8881
DC=WINSERVER1
LogMinLevel=0
DiscoveryThreads=10
DiscoveryIntMin=30
LastLogonDays=365
TTLMin=60
EnumSessIntS=10
WMICheckIntS=60
WMIMaxCheckRetry=10
Security-Status=1
SwitchUser-Status=1
ExcludedComputers=NETBIOS-NAME,10.1.0.2
ExcludedUsers=[user1.upn],[user-2.upn]
[Terminal Servers]
TSVR-Status=1
TSVR=Server1.abc.local,Server2.abc.local,Server3.abc.local
[RADIUS]
RADIUS-Status=1
```
Close wada.ini and click Save to save your changes.
Parameter | Default | Description |
---|---|---|
Proxytype | (0) | (0) is for DNSProxy installations; (1) is for WebTitan. |
WebTitanServers | | IP address and port number of your WebTitan/WebTitan Cloud installation. |
DC | | Name of the remote domain controller. Allows WADA to run on a computer on the network other than the Domain Controller. |
DiscoveryThreads | (10) | Number of child threads used in the WMI discovery process. Each thread connects to a computer using WMI, and the threads run in parallel to speed up the initial discovery. |
DiscoveryIntMin | (30) | Number of minutes between discoveries (LDAP queries that read the list of available computers, followed by WMI checks). |
LastLogonDays | (365) | Maximum number of days since the last logon to a machine for it to be checked for existing sessions with WMI. Based on the lastLogon LDAP attribute. Computers idle for more days than this are omitted. |
TTLMin | (60) | Number of minutes after which an IP/user pair is removed from the map if no active logon session was found on that IP during the period (by WMI checks, Event Logger events, or the network session enumerator). |
EnumSessIntS | (10) | Number of seconds between enumerations of network sessions. Windows XP sessions are visible for only about 15 seconds, so do not raise this value or you may lose information about active logon sessions. |
WMICheckIntS | (60) | Number of seconds between consecutive WMI checks of a specific computer. This avoids flooding Windows computers with WMI queries. |
WMIMaxCheckRetry | (10) | Number of retries when a WMI query to a specific computer fails. If it still fails after this many retries, an error is logged to waderror.log and the computer is not checked for active sessions with WMI unless activity is seen from other sources (Event Logger or network sessions). |
Security-Status | (1) | On (1) or Off (0) flag that tells WADA to listen for security-based events. |
SwitchUser-Status | (1) | On (1) or Off (0) flag that tells WADA to ignore session enumeration after the first enumeration for machines perceived to be shared computers. |
ExcludedComputers | | NETBIOS name followed by the IP of a machine to exclude from discovery and scanning by WADA. Used to exclude Exchange servers, since scanning them can cause excessive WMI use on those machines. |
ExcludedUsers | | UPN of a user to exclude from reporting. The UPN is the user's domain logon, e.g. user@example.local. Used to exclude application-based users, e.g. sophos@abc.local. |
TSVR-Status | (0) | On (1) or Off (0) flag that tells WADA to listen for terminal server-based events. Used when virtual IPs are in use. |
TSVR | | FQDNs of the terminal servers that issue virtual IPs to users on the domain, separated by commas. A listener is established for each listed server, and virtual IP assignments are captured from the event logger on each one. |
RADIUS-Status | (0) | On (1) or Off (0) flag that tells WADA to listen for RADIUS server Wi-Fi-based events. Wi-Fi access points need RADIUS accounting enabled and RADIUS Attribute 8 (Framed-IP-Address) capability. |
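As an added check, not part of WADA or of this page: a small Python validator that reads a wada.ini laid out as above and reports the mistakes the table makes easy to make: several parameters run together on one line, a flag that is not 0 or 1, a non-numeric interval or count, and a parameter name not in the table (names are assumed to be case-sensitive, and the sample file is constructed).

```python
import configparser
import re

# Constructed sample wada.ini, one parameter per line as the page requires.
SAMPLE_INI = """\
[WADA]
Proxytype=1
WebTitanServers=http://1.2.3.4:8881
TTLMin=60
Security-Status=1
ExcludedUsers=[user1.upn],[user-2.upn]
[Terminal Servers]
TSVR-Status=1
TSVR=Server1.abc.local,Server2.abc.local
[RADIUS]
RADIUS-Status=1
"""
# Parameters documented for each section (names assumed case-sensitive).
KNOWN = {
    "WADA": {"Proxytype", "WebTitanServers", "DC", "LogMinLevel", "DiscoveryThreads",
             "DiscoveryIntMin", "LastLogonDays", "TTLMin", "EnumSessIntS",
             "WMICheckIntS", "WMIMaxCheckRetry", "Security-Status",
             "SwitchUser-Status", "ExcludedComputers", "ExcludedUsers"},
    "Terminal Servers": {"TSVR-Status", "TSVR"},
    "RADIUS": {"RADIUS-Status"},
}
FLAGS = {"Proxytype", "Security-Status", "SwitchUser-Status", "TSVR-Status", "RADIUS-Status"}
COUNTS = {"LogMinLevel", "DiscoveryThreads", "DiscoveryIntMin", "LastLogonDays",
          "TTLMin", "EnumSessIntS", "WMICheckIntS", "WMIMaxCheckRetry"}
FLATTENED = re.compile(r"\s[A-Za-z-]+=")  # a second "Key=" inside a value

def validate_wada_ini(text):
    """Return a list of problems in the given wada.ini text; empty means it passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written instead of lower-casing it
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if FLATTENED.search(value):
                problems.append(f"{key}: several parameters on one line; one per line required")
            elif key not in KNOWN.get(section, set()):
                problems.append(f"{key}: not a documented parameter of [{section}]")
            elif key in FLAGS and value not in ("0", "1"):
                problems.append(f"{key}: must be 0 (off) or 1 (on), got {value!r}")
            elif key in COUNTS and not value.isdigit():
                problems.append(f"{key}: must be a whole number, got {value!r}")
    return problems
```

Run it against the file before restarting the agent; a flattened line such as `Proxytype=1 WebTitanServers=...` is reported as one parameter whose value contains another.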