STEALTHbits Technologies, Inc. StealthAUDIT v5.1 System Requirements and Installation Notes June 2011


Table of Contents

Overview
  Installation Overview
  Hosting System Requirements
  Recommended System Requirements
  Additional Steps
  Target Hosts
  Security
  Ports
  SMP Data Collector Matrix
Appendix A – Installation
  Installing the StealthAUDIT Management Platform
Appendix B – Solution Permissions & Configuration
  SMP for SharePoint Permission Requirements
  Exchange 2010 Data Collection


Overview

This document outlines basic requirements to successfully operate StealthAUDIT to its full capacity. Please note that these requirements represent the optimal configuration to enable full functionality. Failing to meet some requirements may result in StealthAUDIT functioning at a lesser capacity.

Installation Overview

StealthAUDIT installs to a single workstation or server from which data collection occurs. The application is entirely self-contained and requires access to a Microsoft® SQL Server® (2005 or greater) database to operate. Organizations seeking more advanced data collection capabilities may deploy multiple satellite StealthAUDIT nodes and a centralized Microsoft® SQL Server® to store collected data (see Figure 1).

Figure 1 – StealthAUDIT Architecture


Hosting System Requirements

The system hosting StealthAUDIT requires only modest hardware. Hardware recommendations are heavily influenced by:

• The size and distribution of the targeted network (quantity and locations of hosts).
• The complexity of each job (how much data is being returned from each host).
• The frequency of scheduled job runs.
• Data retention settings.

Recommended System Requirements

• SMP Console Requirements
  o Windows Server® 2008 (x64)
  o Dual Core or Multiple CPU (2 GHz +)
  o 4 GB or more RAM
  o 30+ GB Available Disk
  o 100/1000 Mb Network Connection


Additional Steps

There are a few additional steps that need to be completed or verified to be successful in building a StealthAUDIT console machine:

1. Verify availability of a Microsoft® SQL Server® instance
   a. Supported Versions
      i. SQL Server® 2005 (Express (POC only), Standard, and Enterprise Editions)
      ii. SQL Server® 2008 (Express (POC only), Standard, and Enterprise Editions)
         1. Preferred: SQL Server® 2008 Enterprise Edition
         2. A free copy of SQL Server® 2008 Express with Tools Edition is available for download. This instance can reside on the same machine as the StealthAUDIT console, but does not have to.
   b. Permissions
      i. StealthAUDIT requires the ability to Create, Delete, Update, Drop, Read, and Join tables within the SQL database in order to function as expected. Full database owner rights are recommended to ensure proper operation.
      ii. If database owner rights cannot be obtained, the following script can be executed against the StealthAUDIT database to grant the necessary permissions to the appropriate users:

    -- Select the StealthAUDIT database
    USE [<stealthaudit>]
    GO
    -- Create the database role <SA User ID> if it does not already exist
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE [type] = 'R' AND [name] = '<SA User ID>')
        EXEC sp_addrole '<SA User ID>'
    GO
    -- Read and write access to table data
    EXEC sp_addrolemember 'db_datareader', '<SA User ID>'
    GO
    EXEC sp_addrolemember 'db_datawriter', '<SA User ID>'
    GO
    -- Database-level rights to create tables and views
    GRANT CREATE TABLE TO [<SA User ID>]
    GO
    GRANT CREATE VIEW TO [<SA User ID>]
    GO
    -- Schema-level rights on dbo
    GRANT ALTER ON SCHEMA::dbo TO [<SA User ID>]
    GO
    GRANT EXECUTE ON SCHEMA::dbo TO [<SA User ID>]
    GO
    GRANT INSERT ON SCHEMA::dbo TO [<SA User ID>]
    GO
    GRANT UPDATE ON SCHEMA::dbo TO [<SA User ID>]
    GO


   c. Authentication
      i. StealthAUDIT allows for the use of both SQL and Windows Authentication to connect to the database.
         1. Recommended: Windows Authentication
   d. Database Maintenance
      i. StealthAUDIT relies on a SQL backend for data storage for all of its jobs, analysis, and actions. For disaster recovery reasons, the database should be backed up on a scheduled basis that is acceptable for recovery of data collection. Additionally, the backup process will flush any transaction log files. Depending on usage volume, backup schedules should be adjusted to flush and shrink the size of the transaction logs. Please refer to Microsoft or your 3rd party provider for your Microsoft SQL backup solution on how to configure and schedule backups to clear transaction logs at an interval that meets your needs.

2. Install Adobe® Flash®
   a. Download
      i. If Flash® is not already installed, you can download the software.
   b. Additional Info
      i. STEALTHbits also recommends turning off Windows® Internet Explorer® Enhanced Security Configuration for the administrator group if you want to be able to render reports on the StealthAUDIT console.

3. For Microsoft® Exchange Server data collection only
   a. Exchange Server 2000/2003
      i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions
         1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second.
   b. Exchange Server 2007/2010 or Mixed 2003/2007/2010 Environment
      i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions
         1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second.
         2. Exchange Management Console (EMC) 2007/2010 with latest updates


      ii. Exchange 2010 Data Collection
         1. In order for SMP Exchange Data Collectors to work properly against Exchange 2010, please review the configuration options in Appendix B and implement them prior to collection.

4. SMP Exchange/BlackBerry/Access Information Center Prerequisites (NOT REQUIRED UNLESS INSTALLING THE EXCHANGE, BLACKBERRY, OR ACCESS INFORMATION CENTERS)
   o Microsoft Internet Information Services (IIS) 7
     ▪ Ensure ASP.NET and Security/Windows Authentication features are installed
   o Install .NET Framework v3.5
   o Install Microsoft Silverlight on the client where you plan to run the browser

5. Install the StealthAUDIT Management Platform (SMP)
   a. Console
      i. Using the installation media provided to you by your STEALTHbits Account Representative, download the executable to the system StealthAUDIT is to be installed on.
      ii. Follow the instructions in the installation wizard to install and configure the application.
         1. For more detailed instructions on how to install the StealthAUDIT Management Platform, see Appendix A.
   b. License Key
      i. Copy and paste the StealthAUDIT License Key (StealthAUDIT.LIC) into the root of the installation (typically C:\Program Files\STEALTHbits\StealthAUDITV5).
         1. NOTE: This key is available from your STEALTHbits Account Representative.

6. StealthAUDIT Credential Sets
   a. STEALTHbits recommends using an ID with full administrative privileges to the targeted hosts in order to maximize the amount of data that can be collected by StealthAUDIT; however, this is not required in order for the application to function properly. If full administrative privileges are not available, simply create a StealthAUDIT Connection Profile using credentials with the proper rights to the information you want to collect. Connection Profiles are configured in the Global Options of StealthAUDIT under the Welcome\Connections node. Connection Profiles can also be created during installation of StealthAUDIT through the installation wizard.
   b. Permission Requirements


      i. Windows® Auditing
         1. Local Admin
      ii. Active Directory
         1. Domain Admin
      iii. Exchange Auditing
         1. Exchange Admin and Local Admin
         2. Access to System Attendant Account – MAPI Authentication
      iv. BlackBerry® Auditing
         1. Local Admin to the BES Server
         2. Read Access to the BES SQL Database
      v. SharePoint Auditing
         1. See Appendix B for full details

7. Publishing Reports
   a. STEALTHbits recommends leveraging a Microsoft IIS Server to publish the HTML website and associated reports that StealthAUDIT creates for you. StealthAUDIT supports publishing to a share within the file system as well, but please note that performance can be affected when rendering reports containing high volumes of data due to native browser limitations.


Target Hosts

StealthAUDIT query targets must be Microsoft® Windows® based systems with an OS minimum requirement of Windows® 2000. Windows 9x, NT, or Home Edition hosts will be detected on the network, but are not supported for auditing.

StealthAUDIT also provides limited support for Linux® and UNIX® host detection and auditing. Red Hat, SUSE, and AIX are currently supported, with additional version support coming in the near future. Various 3rd Party storage platforms such as NetApp® Storage Controllers and EMC® Celerra devices are supported for auditing as well. StealthAUDIT does not currently support other non-Windows hosts.

Security

StealthAUDIT leverages a snap-in Data Collector (DC) architecture. Each DC module exposes a discrete data source (for example: the Windows Registry) and is implemented as a .DLL housed in the StealthAUDIT\DC folder.

Each DC must connect to a target host in order to obtain data during an audit. Most Windows® administrative data is obtained via RPC; hence, a shared RPC connection is utilized. StealthAUDIT Data Collectors expose Windows®-based administrative data by calling into the Windows API functions in the same way native Microsoft administration tools do. Thus, StealthAUDIT is in effect never connecting directly to the managed host, but rather to the underlying Microsoft APIs. The dependent network layers communicate with peer layers on the target host, providing transparent communications to the data consumer. These connections are made in the security context of the active logged-on user or in the context of an impersonated user via optionally supplied credentials; both domain level and target host local accounts are supported. Supplied credentials are encrypted in a security profile using MD5 encryption and stored in the local file system.

STEALTHbits Technologies recommends providing StealthAUDIT (either through a logged-in user or impersonation credentials) full administrative access to the target host for greatest availability of data to collect. In some cases where this may not be possible, StealthAUDIT may still be able to successfully obtain data from the remote host depending on the nature of the query. For example, to query large portions of the remote registry, only user access is required.

Figure 2 - Security and Connection Illustration (diagram labels: StealthAUDIT Workstation, Target Host, StealthAUDIT, Data Collector, Native Tool, Logged in User, Optional User Impersonation, Microsoft APIs and Network Layers: API, Data, Protocol, Transport, Network)


Firewalls

StealthAUDIT, via the Operating System APIs, establishes direct connections between the StealthAUDIT host and the target host. Any firewalls between the two application layers must be configured to provide trusted, rich access between the two hosts. In most cases where firewalls are encountered, organizations will configure the firewall to trust the IP Address or subnet where StealthAUDIT resides.

Ports

StealthAUDIT currently supports a range of Windows and industry protocols as documented in the following table. For proper operations, network administrators should ensure that RPC communications are available between the StealthAUDIT console and the target hosts including:

• RPC TCP ports 135-139
• RPC TCP/UDP Port 445
• RPC TCP ports 1024 – 1100 (dynamic)
• SSH TCP port 22 (UNIX® and Linux® support)

Additional optional ports:

• ICMP TCP port 7 (Ping)
• HTTP TCP Port 80 (MS Patch database download)
• SMTP TCP 25 (email notification / report submission)

SMP Data Collector Matrix

| Data Collector | Description | Protocols | Ports Used | Recommended Permissions |
|---|---|---|---|---|
| Active Directory | Auditing objects published in AD | LDAP, RPC | TCP 389; TCP 135-139; Randomly allocated high TCP Ports | Domain Admin |
| AD Inventory | Inventories AD User and Group information for correlation purposes throughout all StealthAUDIT Solution Sets | LDAP, RPC | TCP 389; TCP 135-139; Randomly allocated high TCP Ports | Domain Admin |
| BlackBerry | Auditing BlackBerry properties and BES database information | ODBC, Remote Registry | TCP 1433; TCP 139 and 445 | Local Admin to the BES Server; Read Access to the BES SQL Database |
| Command Line Utility | Provides the ability to remotely spawn, execute, and extract data provided by Microsoft native command line utilities. | RPC, Remote Registry | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| Disk | Provides enumeration of disks and their associated properties | RPC | TCP 135; Randomly allocated high TCP Ports | Local Admin |
| DNS | Provides information regarding DNS configuration and records | RPC | TCP 135; Randomly allocated high TCP Ports | Domain Admin |
| Event Log | Provides search and extraction of details from event logs on target system | RPC | TCP 135; Randomly allocated high TCP Ports | Local Admin; Domain Admin if targeting Domain Controllers |
| E2K (Exchange Configuration) | Provides Exchange 2000/2003/2007/2010 admin property extraction | RPC, LDAP | TCP 135-139; Randomly allocated high TCP Ports; TCP 389; Optionally TCP 445 | Exchange Admin; Domain Admin for Active Directory property collection |
| Exchange Mailbox / Public Folder | Provides statistical, content, and permission reporting on mailboxes and public folders | MAPI over RPC | TCP 135; Randomly allocated high TCP Ports | Exchange Admin |
| Exchange Metrics | Provides metrics information from Exchange tracking logs | RPC | TCP 135; Randomly allocated high TCP Ports | Local Admin; Domain Admin |
| File | File and folder enumeration, properties, permissions | RPC | TCP 135-139; Randomly allocated high TCP Ports; Optionally TCP 445 | Local Admin |
| File System Access (FSAA) | Access rights via Shares, Folders, and Policies | RPC | TCP 135-139; Randomly allocated high TCP Ports; Optionally TCP 445 | Local Admin; Domain Admin |
| Group Policy | Auditing GPO settings and properties | LDAP, RPC | TCP 389; TCP 135-139; Randomly allocated high TCP Ports | Domain Admin |
| INIFile | INI and INF file content search and extraction | RPC | TCP 135-139; Randomly allocated high TCP Ports; Optionally TCP 445 | Local Admin |
| LDAP | Search for and extract Active Directory and Exchange 5.5 directory properties | LDAP | TCP 389 | Domain Admin |
| ODBC | Query ODBC compliant databases for tables and table properties | ODBC | TCP 1433 | Database Read Access |
| Patch Check | Provides patch verification and optional automatic bulletin downloads from Microsoft | RPC, HTTP, ICMP | TCP 135-139; Randomly allocated high TCP Ports; TCP 80; TCP 7 | Local Admin |
| Perfmon | Performance monitor counter data samples | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| PowerShell | Provides PowerShell Script exit from StealthAUDIT | N/A | N/A | N/A |
| Registry | Enumeration and extraction from remote registries | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| Script | Provides VB Script exit from StealthAUDIT | N/A | N/A | N/A |
| Services | Enumeration, status and settings from remote services | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| SharePoint Access | Assesses access rights throughout the SharePoint infrastructure | SP Web Services, MS SQL, Remote Registry | MS SQL (connection string) read from Registry on SharePoint Server; SP Web Services (web app urls) read from SharePoint configuration database | Remote read access to SharePoint server’s registry; Read access to configuration database; Read All permissions for each web app policy in SharePoint farm |
| SharePoint Content | Assesses SharePoint content related information | | | |
| SharePoint Activity | Assesses access activity details within SharePoint | | | |
| SMARTlog | Provides search and extraction of details from Windows® Event Logs (online or offline) and Microsoft® Internet Information Server® (IIS) logs | RPC | TCP 135; Randomly allocated high TCP Ports | Local Admin; Domain Admin if targeting Domain Controllers |
| SQL | SQL database configuration, permissions, and data extraction | ODBC, Remote Registry | TCP 1433 | Local Admin to SQL Server; Read access to SQL Database |
| SystemInfo | A collection of various properties | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| Text Search | Enables searching through text based log files | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |
| Unix | Host inventory, Software inventory, logical volume inventory on UNIX® & Linux® platforms | SSH | TCP 22; User configurable | ROOT |
| Users & Groups | Auditing user and group accounts, both local and domain. Extracting system policies | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin; Domain Admin if targeting Domain Controllers |
| WMI | Browsing and extraction of WMI objects and properties | RPC | TCP 135-139; Randomly allocated high TCP Ports | Local Admin |


Appendix A – Installation

Installing the StealthAUDIT Management Platform

Part 1 of 2 – SMP Installation Wizard

Step 1: After downloading StealthAUDIT, run the installation wizard by double-clicking StealthAUDIT.exe:

Step 2: Accept the End User License Agreement to advance to the next step in the installation process.


Step 3: Choose which product components to install and which directory the application should be installed in:

Step 4: Click “Next” on the “Ready to Install the Application” menu to begin the installation process:

Part 2 of 2 – SMP Configuration Wizard

Step 1: After the installation has completed, the following screen will appear allowing for the configuration of a new StealthAUDIT instance or the migration/upgrade of a previous version installed on the same system.


For first time users, select “I am a first time StealthAUDIT user” and then select OK.

Step 2: In the “Welcome: Initial Settings” wizard, select “next” to begin the process of setting up a database profile, connection credentials, and an initial discovery query to identify systems in the environment:

Step 3: In the “SQL Server Settings” menu, enter the following information to create a StealthAUDIT Database Profile:

• Server Name – The name of the SQL Server you plan to create a database on
• Instance Name – The name of the SQL Instance the database will be created on
• Authentication Mode – SMP supports both Windows and SQL Authentication methods. If using SQL Authentication, input a User Name and Password, otherwise, SMP will leverage the credentials currently running the application through Windows Authentication.
• Database – Choose to create a new database or leverage an existing StealthAUDIT database if present.

Step 4: In the “Connection Settings” menu, choose to either leverage the credentials currently being used to log into the StealthAUDIT console server or create a connection profile containing different credentials such as a service account created for StealthAUDIT:


Step 5: In the “Query Sources – Host Discovery Source” menu, select the method you’d like to use for discovering your environment. Your choices at initial setup are limited to the following:

• Scan your IP network
• Browse your Windows Network Neighborhood
• Query an Active Directory Server
  o General AD Query – Best used for discovering machines contained in multiple locations within the AD structure (i.e. Desktops and Servers)
  o Exchange Servers Only – Best used for discovering just Exchange Servers
  o Domain Controllers Only – Best used for discovering just Domain Controllers

*If you’d like to import your machine listings from a text file, .csv file, or another database, hit cancel and configure your discovery query through the Host Management node in the left-side tree menu.

After selecting your method of discovery, configure the options to define which machines you’d like StealthAUDIT to discover and inventory (See Active Directory example below)


Step 6: In the “Instant Job” menu, select the instant solutions you’d like to install into your job tree.

Step 7: Click FINISH in the “Summary” menu and then FINISH again when the Instant Solution has finished its installation.


Step 8: Finally, select whether or not you’d like the Host Discovery query to run now or later to finish the initial configuration process.


Appendix B – Solution Permissions & Configuration

SMP for SharePoint Permission Requirements

The following details the permissions that need to be granted to a domain user in order for them to be used as the connection profile account of StealthAUDIT to run the SharePoint jobs. These instructions assume administrative knowledge of SharePoint and access to the servers which are hosting the SharePoint farms which need to be audited.

To configure your SharePoint connection profile user you must do the following:

• Add it as a member of the local Backup Operators group on a SharePoint application server for the farm that will be audited in order to access the registry remotely. By default only members of Local Administrators and Backup Operators have access to the remote registry, so the Backup Operators group provides least privilege.
• Add it as a member of the local WSS_WPG group on the same SharePoint application server(s). Members of this group have read access to system resources used by Microsoft SharePoint Foundation 2010.
• Grant the user Full read on every web application through a web application policy. This is done through Central Administration. I can show you how to do this if you need.
• Add the user as a Site Collection administrator in the Central Administration site collection in case you need to scan Central Administration (also do this for the Help site collection in SharePoint 2010). If the customer doesn’t care about monitoring Central Admin then this can be skipped.
• Grant the user the WSS_Content_Application_Pools role and the db_datareader role in the configuration database for each farm.
• Grant the user the db_datareader role on every content database for a farm.
• Execute the following script against every content database in the farm, replacing “DOMAIN\USER” with the account being configured:

    -- Allow the account to execute the stored procedures the SharePoint jobs call
    grant execute on proc_ListAllWebsOfSite to "DOMAIN\USER"
    grant execute on proc_GetWebId to "DOMAIN\USER"
    grant execute on proc_SecListSiteGroupMembership to "DOMAIN\USER"
    grant execute on proc_SecListAllSiteMembers to "DOMAIN\USER"
    grant execute on proc_SecListAllWebMembers to "DOMAIN\USER"
    grant execute on proc_SecListSiteGroups to "DOMAIN\USER"
    grant execute on proc_SecGetRoleAssignments to "DOMAIN\USER"
    grant execute on proc_SecGetRoleBindingsForAllPrincipals to "DOMAIN\USER"
    grant execute on proc_SecGetSecurityInfo to "DOMAIN\USER"
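
One way to confirm what the two grant scripts in this document actually left in place (the StealthAUDIT database script under Additional Steps and the content database script above), as an added example that is not part of the vendor's documentation. The variable names, the profile labels and the status wording are assumptions; the expected grants are copied from the two scripts.

```sql
-- Added example, not part of the vendor document. Run it in the database being
-- checked. @principal is a placeholder: the role created by the StealthAUDIT
-- script (<SA User ID>) or the SharePoint connection profile account.
DECLARE @principal sysname, @profile varchar(12);
SET @principal = N'DOMAIN\USER';
SET @profile   = 'sharepoint';      -- 'stealthaudit' or 'sharepoint'

-- Expected grants, copied from the two scripts in this document.
-- class follows sys.database_permissions: 0 = database, 1 = object, 3 = schema.
DECLARE @expected TABLE (profile varchar(12), class tinyint,
                         securable sysname, permission_name nvarchar(128));
INSERT INTO @expected (profile, class, securable, permission_name)
          SELECT 'stealthaudit', 0, N'(database)', N'CREATE TABLE'
UNION ALL SELECT 'stealthaudit', 0, N'(database)', N'CREATE VIEW'
UNION ALL SELECT 'stealthaudit', 3, N'dbo', N'ALTER'
UNION ALL SELECT 'stealthaudit', 3, N'dbo', N'EXECUTE'
UNION ALL SELECT 'stealthaudit', 3, N'dbo', N'INSERT'
UNION ALL SELECT 'stealthaudit', 3, N'dbo', N'UPDATE'
UNION ALL SELECT 'sharepoint', 1, N'proc_ListAllWebsOfSite', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_GetWebId', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecListSiteGroupMembership', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecListAllSiteMembers', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecListAllWebMembers', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecListSiteGroups', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecGetRoleAssignments', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecGetRoleBindingsForAllPrincipals', N'EXECUTE'
UNION ALL SELECT 'sharepoint', 1, N'proc_SecGetSecurityInfo', N'EXECUTE';

-- 1. Each expected grant and whether the principal holds it in this database.
SELECT e.securable, e.permission_name,
       CASE WHEN p.state IN ('G', 'W') THEN 'granted'
            WHEN p.state = 'D'         THEN 'DENIED'
            ELSE 'MISSING' END AS status
FROM @expected AS e
LEFT JOIN sys.database_principals AS g
       ON g.name = @principal
LEFT JOIN sys.database_permissions AS p
       ON p.grantee_principal_id = g.principal_id
      AND p.class = e.class
      AND p.minor_id = 0
      AND p.permission_name COLLATE DATABASE_DEFAULT = e.permission_name
      AND p.major_id = CASE e.class WHEN 0 THEN 0
                                    WHEN 3 THEN SCHEMA_ID(e.securable)
                                    ELSE OBJECT_ID(e.securable) END
WHERE e.profile = @profile;

-- 2. Database roles the principal belongs to. Roles outside the least-privilege
--    set used by the scripts and steps in this document are flagged for review.
SELECT r.name AS role_name,
       CASE WHEN r.name IN (N'db_datareader', N'db_datawriter',
                            N'WSS_Content_Application_Pools')
            THEN 'named in this document'
            ELSE 'REVIEW' END AS note
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @principal;

-- 3. Explicit permissions beyond the expected set. CONNECT is ignored because
--    database users normally hold it.
SELECT p.state_desc, p.permission_name, p.class_desc,
       CASE p.class WHEN 0 THEN DB_NAME()
                    WHEN 1 THEN OBJECT_NAME(p.major_id)
                    WHEN 3 THEN SCHEMA_NAME(p.major_id) END AS securable
FROM sys.database_permissions AS p
JOIN sys.database_principals AS g ON g.principal_id = p.grantee_principal_id
WHERE g.name = @principal
  AND p.permission_name <> 'CONNECT'
  AND NOT EXISTS (
        SELECT 1 FROM @expected AS e
        WHERE e.profile = @profile
          AND e.class = p.class
          AND e.permission_name = p.permission_name COLLATE DATABASE_DEFAULT
          AND p.major_id = CASE e.class WHEN 0 THEN 0
                                        WHEN 3 THEN SCHEMA_ID(e.securable)
                                        ELSE OBJECT_ID(e.securable) END);
```

Only grants made directly to @principal are listed; permissions inherited through role or Windows group membership are not expanded, so result set 2 should be read alongside result sets 1 and 3.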


Exchange 2010 Data Collection

For Microsoft Exchange Server 2010, all communication to the private and public stores must go through a Client Access Server. Due to these changes, additional properties have been added to SMP Data Collectors, and these must be configured before data can be collected from Exchange 2010 servers.

Welcome Settings:

A user alias needs to be set for each query that requires this information. This can be done at the top level for job configuration. The user alias can be any mail-enabled Exchange 2010 account that is utilized for connection to the Exchange Server. It does not need elevated privileges to Exchange.

Public Folder Queries:

In the Public Folder data collector, specific settings need to be set for the Public Folder data collection to work properly against Exchange 2010.

1. The user alias will need to be set unless it has been set at the Global Level.


2. A Client Access Server needs to be set so the data collector can connect to it to access the public store for Exchange 2010.

3. The option to “Process folders that physically reside on the target server only” needs to be unchecked. Since Exchange 2010 supports public folders in a different manner than previous versions of Exchange, the data collector currently targets the entire hierarchy of the public folders. Since this is the case, the query only needs to be run against one public folder server that contains the entire hierarchy.


Exchange Mailbox Data Collection

Data collection for Exchange Mailboxes for 2010 is similar to how the Public Folder data collection works.

1. The user alias will need to be set unless it has been set at the Global Level.

2. A Client Access Server needs to be set so the data collector can connect to it to access the private store for Exchange 2010. Once the CAS server is entered, you can choose “Select from this Server:” and type in a mailbox server to connect and view the mailboxes on that server. Alternatively, navigate back to the Welcome page of the query and type in a mailbox server in the “Test Connection Setting” box to test your connection to Exchange.


Exchange2k Data Collection

The following categories within the Exchange2K data collector need the properties set for data collection from Exchange 2010 servers.

• Exchange Organization
  o Users
    ▪ Mailbox Stores
    ▪ Public Folders
    ▪ OrphanedMailboxes
    ▪ OrphanedPublicFolders

1. The user alias will need to be set unless it has been set at the Global Level.

2. A Client Access Server needs to be set so the data collector can connect to it to access the private store for Exchange 2010.


STEALTHbits and StealthAUDIT are trademarks of STEALTHbits Technologies, Inc. BlackBerry and BES are trademarks of Research In Motion Limited. Microsoft, Active Directory, Exchange, and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. Celerra is a trademark of the EMC Corporation. All other trademarks are the trademarks or registered trademarks of their respective owners.