Once a Canary has been deployed live into a production network, it can be remotely joined or removed from an Active Directory domain at any time. (This is supported by hardware Canaries from version 2.1.1 and Virtual Canary from version 2.1.2)

Step 1: Navigate to the join window

To join a Canary to a domain, head over to its device status on the Console dashboard where an option to join the domain is shown.

Step 2: Configure Active Directory and provide credentials

Clicking join domain prompts for the Active Directory details before the join is attempted. (See below for a note on how the credentials are encrypted.) If you are unsure whether to enable guest access, you can read about the pros and cons over here.

When using an AD join user with limited privileges, the account needs, in addition to being able to create objects, WRITE permission on the msDS-SupportedEncryptionTypes attribute of the machine objects.

Step 3: Wait while the Canary joins the domain

It can take a few minutes before a response is shown. If an error is shown, correct the relevant settings or contact support for assistance. After a successful join the Canary will shortly reboot with the new configuration.

Step 4: The Canary shows as domain joined on the Console

Once the Canary has rebooted with the new domain-joined settings, it will show up as domain joined on the Console.

A note on security

We treat your AD credentials used to join the domain with an abundance of caution. Credentials are encrypted in your browser before they leave your machine, and can only be decrypted with a key that’s present on the Canary. The decryption key is simply not present on the console, so AD credentials cannot be accessed by Thinkst.

There’s a well-known caveat with in-browser cryptography: the JavaScript cryptography is also supplied by Thinkst. For customers who wish to check that the credentials are indeed being encrypted for their Canaries:

  1. Connect to your device’s configuration interface over Bluetooth.
  2. Scroll to the bottom of the page and click to view the Canary’s public key.
  3. In the Console AD domain join modal, click “Canary Public Key”, and confirm that the key matches that shown on the bird.

If an alternative is preferred, the Canary can always be locally joined to a domain when booted into Bluetooth configuration mode.