StealthAUDIT System Requirements and Installation · PDF fileSMP Data Collector Matrix ... SMP...
Transcript of StealthAUDIT System Requirements and Installation · PDF fileSMP Data Collector Matrix ... SMP...
STEALTHbits Technologies, Inc.
StealthAUDIT v5.1 System Requirements and Installation Notes June 2011
StealthAUDIT v5.1 System Requirements and Installation Notes
2
Table of Contents Overview .......................................................................................................................................... 3
Installation Overview ............................................................................................................... 3
Hosting System Requirements ................................................................................................ 4
Recommended System Requirements .................................................................................... 4
Additional Steps ....................................................................................................................... 5
Target Hosts ............................................................................................................................. 9
Security .................................................................................................................................... 9
Ports....................................................................................................................................... 10
SMP Data Collector Matrix .................................................................................................... 10
Appendix A – Installation............................................................................................................... 13
Installing the StealthAUDIT Management Platform .............................................................. 13
Appendix B – Solution Permissions & Configuration .................................................................... 20
SMP for SharePoint Permission Requirements ..................................................................... 20
Exchange 2010 Data Collection ............................................................................................. 21
StealthAUDIT v5.1 System Requirements and Installation Notes
3
Overview This document outlines basic requirements to successfully operate StealthAUDIT to its full capacity.
Please note that these requirements represent the optimal configuration to enable full functionality.
Failing to meet some requirements may result in StealthAUDIT functioning at a lesser capacity.
Installation Overview
StealthAUDIT installs to a single workstation or server from which data collection occurs. The application
is entirely self-contained and requires access to Microsoft® SQL Server® (2005 or greater) database to
operate. Organizations seeking more advanced data collection capabilities may seek to deploy multiple
satellite StealthAUDIT nodes and a centralized Microsoft® SQL Server® to store collected data (See Figure
1).
Figure 1 – StealthAUDIT Architecture
StealthAUDIT v5.1 System Requirements and Installation Notes
4
Hosting System Requirements
The system hosting StealthAUDIT requires only modest hardware. Hardware recommendations are
heavily influenced by:
The size and distribution of the targeted network (quantity and locations of hosts).
The complexity of each job (how much data is being returned from each host).
The frequency of scheduled job runs.
Data retention settings.
Recommended System Requirements
SMP Console Requirements
o Windows Server® 2008 (x64)
o Dual Core or Multiple CPU (2 GHz +)
o 4GB or more RAM
o 30+ GB Available Disk
o 100/1000Mb Network Connection
StealthAUDIT v5.1 System Requirements and Installation Notes
5
Additional Steps
There are a few additional steps that need to be completed or verified to be successful in building a
StealthAUDIT console machine:
1. Verify availability of a Microsoft® SQL Server® instance
a. Supported Versions
i. SQL Server® 2005 (Express (POC only), Standard, and Enterprise Editions)
ii. SQL Server® 2008 (Express (POC only), Standard, and Enterprise Editions)
1. Preferred: SQL Server® 2008 Enterprise Edition
2. A free copy of SQL Server® 2008 Express with Tools Edition is available
by clicking here. This instance can reside on the same machine as the
StealthAUDIT console, but does not have to.
b. Permissions
i. StealthAUDIT requires the ability to Create, Delete, Update, Drop, Read, and
Join tables within the SQL database in order to function as expected. Full
database owner rights are recommended to ensure proper operation.
ii. If database owner rights cannot be obtained, the following script can be
executed against the StealthAUDIT database to grant the necessary
permissions to the appropriate users:
USE [<stealthaudit>]
GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE [type]
= 'R' AND [name] = '<SA User ID>')
EXEC sp_addrole '<SA User ID>'
GO
EXEC sp_addrolemember 'db_datareader', '<SA User ID>'
GO
EXEC sp_addrolemember 'db_datawriter', '<SA User ID>'
GO
GRANT CREATE TABLE TO [<SA User ID>]
GO
GRANT CREATE VIEW TO [<SA User ID>]
GO
GRANT ALTER ON SCHEMA::dbo TO [<SA User ID>]
GO
GRANT EXECUTE ON SCHEMA::dbo TO [<SA User ID>]
GO
GRANT INSERT ON SCHEMA::dbo TO [<SA User ID>]
GO
GRANT UPDATE ON SCHEMA::dbo TO [<SA User ID>]
GO
StealthAUDIT v5.1 System Requirements and Installation Notes
6
c. Authentication
i. StealthAUDIT allows for the use of both SQL and Windows Authentication to
connect to the database.
1. Recommended: Windows Authentication
d. Database Maintenance
i. StealthAUDIT relies on a SQL backend for data storage for all of its jobs,
analysis, and actions. For disaster recovery reasons, the database should be
backed up on a scheduled basis that is acceptable for recovery of data
collection. Additionally, the backup process will flush any transaction log files.
Depending on usage volume, backup schedules should be adjusted to flush and
shrink the size of the transaction logs. Please refer to Microsoft or your 3rd
party provider for your Microsoft SQL backup solution on how to configure and
schedule backups to clear transaction logs at an interval that meets your needs.
2. Install Adobe® Flash®
a. Download
i. If Flash® is not already installed you can download the software by clicking
here.
b. Additional Info
i. STEALTHbits also recommends turning off Windows® Internet Explorer®
Enhanced Security Configuration for the administrator group if you want to be
able to render reports on the StealthAUDIT console.
3. For Microsoft® Exchange Server data collection only
a. Exchange Server 2000/2003
i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object
extensions
1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT
Exchange MAPI CDO package second.
b. Exchange Server 2007/2010 or Mixed 2003/2007/2010 Environment
i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object
extensions
1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT
Exchange MAPI CDO package second.
2. Exchange Management Console (EMC) 2007/2010 with latest updates
StealthAUDIT v5.1 System Requirements and Installation Notes
7
ii. Exchange 2010 Data Collection
1. In order for SMP Exchange Data Collectors to work properly against
Exchange 2010, please review the configuration options that need to
be set and implement them prior to collection in Appendix B
4. SMP Exchange/BlackBerry/Access Information Center Prerequisites (NOT REQUIRED UNLESS
INSTALLING THE EXCHANGE, BLACKBERRY, OR ACCESS INFORMATION CENTERS)
o Microsoft Internet Information Services (IIS) 7
Ensure ASP.NET and Security/Windows Authentication features are installed
o Install .NET Framework v3.5
o Install Microsoft SilverLight on the client where you plan to run the browser
5. Install the StealthAUDIT Management Platform (SMP)
a. Console
i. Using the installation media provided to you by your STEALTHbits Account
Representative, download the executable to the system StealthAUDIT is to be
installed on.
ii. Follow the instructions in the installation wizard to install and configure the
application.
1. For more detailed instructions on how to install the StealthAUDIT
Management Platform, see Appendix A.
b. License Key
i. Copy and Paste the StealthAUDIT License Key (StealthAUDIT.LIC) into the root
of the installation (typically C:\Program Files\STEALTHbits\StealthAUDITV5).
1. NOTE: This key is available from your STEALTHbits Account
Representative.
6. StealthAUDIT Credential Sets
a. STEALTHbits recommends using an ID with full administrative privileges to the targeted
hosts in order to maximize the amount of data that can be collected by StealthAUDIT;
however, this is not required in order for the application to function properly. If full
administrative privileges are not available, simply create a StealthAUDIT Connection
Profile using credentials with the proper rights to the information you want to collect.
Configuring Connection Profiles are performed in the Global Options of StealthAUDIT
under the Welcome\Connections node. Connection Profiles can also be created during
installation of StealthAUDIT through the installation wizard.
b. Permission Requirements
StealthAUDIT v5.1 System Requirements and Installation Notes
8
i. Windows® Auditing
1. Local Admin
ii. Active Directory
1. Domain Admin
iii. Exchange Auditing
1. Exchange Admin and Local Admin
2. Access to System Attendant Account – MAPI Authentication
iv. BlackBerry® Auditing
1. Local Admin to the BES Server
2. Read Access to the BES SQL Database
v. SharePoint Auditing
1. See Addendum B for full details
7. Publishing Reports
a. STEALTHbits recommends leveraging a Microsoft IIS Server to publish the HTML website
and associated reports that StealthAUDIT creates for you. StealthAUDIT supports
publishing to a share within the file system as well, but please note that performance
can be affected when rendering reports containing high volumes of data due to native
browser limitations.
StealthAUDIT v5.1 System Requirements and Installation Notes
9
Target Hosts
StealthAUDIT query targets must be Microsoft® Windows® based systems with an OS minimum
requirement of Windows® 2000. Windows 9x, NT, or Home Edition hosts will be detected on the
network, but are not supported for auditing.
StealthAUDIT also provides limited support for Linux® and UNIX® host detection and auditing. Red Hat,
SUSE, and AIX are currently supported, with additional version support coming in the near future. Various
3rd
Party storage platforms such as NetApp® Storage Controllers and EMC® Celerra devices are supported
for auditing as well. StealthAUDIT does not currently support other non-Windows hosts.
Security
StealthAUDIT leverages a snap-in Data Collector (DC) architecture. Each DC module exposes a discreet
data source (for example: the Windows Registry) and is implemented as a .DLL housed in the
StealthAUDIT\DC folder.
Each DC must connect to a target host in order to obtain data during an audit. Most Windows®
administrative data is obtained via RPC; hence, a shared RPC connection is utilized. StealthAUDIT Data
Collectors expose Windows®-based administrative data by calling into the Windows API functions in the
same way native Microsoft administration tools do. Thus, StealthAUDIT is in effect never connecting
directly to the managed host, but rather the underlying Microsoft API’s. The dependent network layers
are communicating with peer layers on the target host; providing transparent communications to the data
consumer. These connections are made in the security context of the active logged-on user or in the
context of an impersonated user via optionally supplied credentials; both domain level and target host
local accounts are supported. Supplied credentials are encrypted in a security profile using MD5
encryption and stored in the local file system.
STEALTHbits Technologies recommends providing StealthAUDIT (either through a logged-in user or
impersonation credentials) full administrative access to the target host for greatest availability of data to
collect. In some cases where this may not be possible, StealthAUDIT may still be able to successfully
obtain data from the remote host depending on the nature of the query. For example, to query large
portions of the remote registry, only user access is required.
NetworkTransportProtocolData API
Native Tool
Data Collector
Target HostStealthAUDIT Workstation
StealthAUDIT
Optional
User ImpersonationUser Impersonation
Logged in User
Microsoft API’s and
Network Layers
Figure 2 - Security and Connection Illustration
StealthAUDIT v5.1 System Requirements and Installation Notes
10
Firewalls
StealthAUDIT, via the Operating System API’s, establishes direct connections between the StealthAUDIT host and the target host. Any firewalls between the two application layers must be configured to provide trusted, rich access between the two hosts. In most cases where firewalls are encountered, organizations will configure the firewall to trust the IP Address or subnet where StealthAUDIT resides.
Ports
StealthAUDIT currently supports a range of Windows and industry protocols as documented in the
following table. For proper operations, network administrators should ensure that RPC communications
are available between the StealthAUDIT console and the target hosts including:
RPC TCP ports 135-139
RPC TCP/UDP Port 445
RPC TCP ports 1024 – 1100 (dynamic)
SSH TCP port 22 (UNIX® and Linux® support)
Additional optional ports:
ICMP TCP port 7 (Ping)
HTTP TCP Port 80 (MS Patch database download)
SMTP TCP 25 (email notification / report submission)
SMP Data Collector Matrix
Data Collector
Description Protocols Ports Used Recommended Permissions
Active Directory
Auditing objects published in AD LDAP RPC
TCP 389 TCP 135-139 Randomly allocated high TCP Ports
Domain Admin
AD Inventory Inventories AD User and Group information for correlation purposes throughout all StealthAUDIT Solution Sets
LDAP RPC
TCP 389 TCP 135-139 Randomly allocated high TCP Ports
Domain Admin
BlackBerry Auditing BlackBerry properties and BES database information
ODBC Remote Registry
TCP 1433 TCP 139 and 445
Local Admin to the BES Server
Read Access to the BES SQL Database
Command Line Utility
Provides the ability to remotely spawn, execute, and extract data provided by Microsoft native command line utilities.
RPC Remote Registry
TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Disk Provides enumeration of disks and their associated properties
RPC TCP 135, Randomly allocated high TCP Ports
Local Admin
DNS Provides information regarding DNS configuration and records
RPC TCP 135, Randomly allocated high TCP Ports
Domain Admin
Event Log Provides search and extraction of details from event logs on target system
RPC TCP 135, Randomly allocated high TCP Ports
Local Admin
Domain Admin if targeting Domain
StealthAUDIT v5.1 System Requirements and Installation Notes
11
Controllers
E2K (Exchange Configuration)
Provides Exchange 2000/2003/2007/2010 admin property extraction
RPC LDAP
TCP 135-139, Randomly allocated high TCP Ports TCP 389 Optionally TCP 445
Exchange Admin
Domain Admin for Active Directory property collection
Exchange Mailbox / Public Folder
Provides statistical, content, and permission reporting on mailboxes and public folders
MAPI over RPC TCP 135, Randomly allocated high TCP Ports
Exchange Admin
Exchange Metrics
Provides metrics information from Exchange tracking logs
RPC TCP 135, Randomly allocated high TCP Ports
Local Admin
Domain Admin
File File and folder enumeration, properties, permissions
RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445
Local Admin
File System Access (FSAA)
Access rights via Shares, Folders, and Policies
RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445
Local Admin
Domain Admin
Group Policy Auditing GPO settings and properties
LDAP RPC
TCP 389 TCP 135-139 Randomly allocated high TCP Ports
Domain Admin
INIFile INI and INF file content search and extraction
RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445
Local Admin
LDAP Search for and extract Active Directory and Exchange 5.5 directory properties
LDAP TCP 389 Domain Admin
ODBC Query ODBC compliant databases for tables and table properties
ODBC TCP 1433 Database Read Access
Patch Check Provides patch verification and optional automatic bulletin downloads from Microsoft
RPC HTTP ICMP
TCP 135-139 Randomly allocated high TCP Ports TCP 80 TCP 7
Local Admin
Perfmon Performance monitor counter data samples
PRC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
PowerShell Provides PowerShell Script exit from StealthAUDIT
N/A N/A N/A
Registry Enumeration and extraction from remote registries
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Script Provides VB Script exit from StealthAUDIT
N/A N/A N/A
Services Enumeration, status and settings from remote services
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
SharePoint Access
Assesses access rights throughout the SharePoint infrastructure
SP Web Services MS SQL Remote Registry
MS SQL (connection string) read from Registry on SharePoint Server SP Web Services (web app urls) read from SharePoint configuration database
Remote read access to SharePoint server’s registry
Read access to configuration database
Read All permissions for each web app policy in SharePoint farm
SharePoint Content
Assesses SharePoint content related information
SharePoint Activity
Assesses access activity details within SharePoint
SMARTlog Provides search and extraction of RPC TCP 135, Randomly Local Admin
StealthAUDIT v5.1 System Requirements and Installation Notes
12
details from Windows® Event Logs (online or offline) and Microsoft® Internet Information Server® (IIS) logs
allocated high TCP Ports
Domain Admin if targeting Domain Controllers
SQL SQL database configuration, permissions, and data extraction
ODBC Remote Registry
TCP 1433 Local Admin to SQL Server
Read access to SQL Database
SystemInfo A collection of various properties RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Text Search Enables searching through text based log files
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Unix Host inventory, Software inventory, logical volume inventory on UNIX® & Linux® platforms
SSH TCP 22 User configurable
ROOT
Users & Groups
Auditing user and group accounts, both local and domain. Extracting system policies
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Domain Admin if targeting Domain Controllers
WMI Browsing and extraction of WMI objects and properties
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
i
StealthAUDIT v5.1 System Requirements and Installation Notes
13
Appendix A – Installation
Installing the StealthAUDIT Management Platform
Part 1 of 2 – SMP Installation Wizard
Step 1: After downloading StealthAUDIT, run the installation wizard by double-clicking
StealthAUDIT.exe:
Step 2: Accept the End User License Agreement to advance to the next step in the installation
process.
StealthAUDIT v5.1 System Requirements and Installation Notes
14
Step 3: Choose which product components to install and which directory the application should
be installed in:
Step 4: Click “Next” on the “Ready to Install the Application” menu to begin the installation
process:
Part 2 of 2 – SMP Configuration Wizard
Step 1: After the installation has completed, the following screen will appear allowing for the
configuration of a new StealthAUDIT instance or the migration/upgrade of a previous
version installed on the same system.
StealthAUDIT v5.1 System Requirements and Installation Notes
15
For first time users, select “I am a first time StealthAUDIT user” and then select OK.
Step 2: In the “Welcome: Initial Settings” wizard, select “next” to begin the process of setting up a
database profile, connection credentials, and an initial discovery query to identify systems
in the environment:
Step 3: In the “SQL Server Settings” menu, enter the following information to create a
StealthAUDIT Database Profile:
Server Name – The name of the SQL Server you plan to create a database on
Instance Name – The name of the SQL Instance the database will be created on
Authentication Mode – SMP supports both Windows and SQL Authentication
StealthAUDIT v5.1 System Requirements and Installation Notes
16
methods. If using SQL Authentication, input a User Name and Password, otherwise, SMP will leverage the credentials currently running the application through Windows Authentication.
Database – Choose to create a new database or leverage an existing StealthAUDIT database if present.
Step 4: In the “Connection Settings” menu, choose to either leverage the credentials currently
being used to the log into the StealthAUDIT console server or create a connection profile
containing different credentials such as a service account created for StealthAUDIT:
StealthAUDIT v5.1 System Requirements and Installation Notes
17
Step 5: In the “Query Sources – Host Discovery Source” menu, select the method you’d like to use
for discovering your environment. Your choices at initial setup are limited to the
following:
Scan your IP network
Browse your Windows Network Neighborhood
Query an Active Directory Server o General AD Query – Best used for discovering machines contained in
multiple locations within the AD structure (i.e. Desktops and Servers) o Exchange Servers Only – Best used for discovering just Exchange Servers o Domain Controllers Only – Best used for discovering just Domain
Controllers *If you’d like to import your machine listings from a text file, .csv file, or another database, hit cancel and configure your discovery query through the Host Management node in the left-side tree menu.
After selecting your method of discovery, configure the options to define which machines you’d like StealthAUDIT to discover and inventory (See Active Directory example below)
StealthAUDIT v5.1 System Requirements and Installation Notes
18
Step 6: In the “Instant Job” menu, select the instant solutions you’d like to install into your job
tree.
Step 7: Click FINISH in the “Summary” menu and then FINISH again when the Instant Solution has
finished its installation.
StealthAUDIT v5.1 System Requirements and Installation Notes
19
Step 8: Finally, select whether or not you’d like the Host Discovery query to run now or later to
finish the initial configuration process.
StealthAUDIT v5.1 System Requirements and Installation Notes
20
Appendix B – Solution Permissions & Configuration
SMP for SharePoint Permission Requirements
The following details the permissions that need to be granted to a domain user in order for them to be
used as the connection profile account of StealthAUDIT to run the SharePoint jobs. These instructions
assume administrative knowledge of SharePoint and access to the servers which are hosting the
SharePoint farms which need to be audited.
To configure your SharePoint connection profile user you must do the following:
Add it as a member of local Backup Operator group on a SharePoint application server for the
farm that will be audited in order to access registry remotely. By default only members of Local
Administrators and Backup Operators has access to remote registry so Backup Operators group
provides least privilege.
Add it as a member of local WSS_WPG group on the same SharePoint application server(s).
Members of this group have read access to system resources used by Microsoft SharePoint
Foundation 2010.
Grant the user Full read on every web application through a web application policy. This is done
through Central Administration. I can show you how to do this if you need.
Add the user as a Site Collection administrator in Central Administration site collection in case if
you need scan Central Administration (also do this for the Help site collection in SharePoint
2010). If the customer doesn’t care about monitoring Central Admin then this can be skipped.
Grant the user WSS_Content_Application_Pools role and db_datareader role in configuration
database for each farm.
Grant the user the db_datareader role on every content database for a farm.
Execute the following script against every content database in the farm, replacing
“DOMAIN\USER” with the account being configured:
grant execute on proc_ListAllWebsOfSite to "DOMAIN\USER"
grant execute on proc_GetWebId to "DOMAIN\USER"
grant execute on proc_SecListSiteGroupMembership to "DOMAIN\USER"
grant execute on proc_SecListAllSiteMembers to "DOMAIN\USER"
grant execute on proc_SecListAllWebMembers to "DOMAIN\USER"
grant execute on proc_SecListSiteGroups to "DOMAIN\USER"
grant execute on proc_SecGetRoleAssignments to "DOMAIN\USER"
grant execute on proc_SecGetRoleBindingsForAllPrincipals to "DOMAIN\USER"
grant execute on proc_SecGetSecurityInfo to "DOMAIN\USER"
StealthAUDIT v5.1 System Requirements and Installation Notes
21
Exchange 2010 Data Collection
For Microsoft Exchange Server 2010, all communication to the private and public stores must go through
a Client Access Server. Due to these changes, additional properties have been added to SMP Data
Collectors requiring configuration changes that need to be set before being able to collect data from
Exchange 2010 servers.
Welcome Settings: A user alias needs to be set for each query that requires this information. This can be done at the top
level for job configuration. The user alias can be any mail-enabled Exchange 2010 account that is utilized
for connection to the Exchange Server. It does not need escalated privileges to Exchange.
Public Folder Queries: In the Public Folder data collector, specific settings need to be set for the Public Folder data collection to
work properly against Exchange 2010.
1. The user alias will need to be set unless it has been set at the Global Level
StealthAUDIT v5.1 System Requirements and Installation Notes
22
2. A Client Access Server needs to be set so the data collector can connect to it to access the public
store for Exchange 2010.
3. The Option to “Process folders that physically reside on the target server only” needs to be
unchecked. Since Exchange 2010 supports public folders in a different manner than previous
versions of Exchange, the data collector currently targets the entire hierarchy of the public
folders. Since this is the case, the query only needs to be run against one public folder server
that contains the entire hierarchy.
StealthAUDIT v5.1 System Requirements and Installation Notes
23
Exchange Mailbox Data Collection Data collection for Exchange Mailboxes for 2010 is similar to how the Public Folder data collection works.
1. The user alias will need to be set unless it has been set at the Global Level
2. A Client Access Server needs to be set so the data collector can connect to it to access the private
store for Exchange 2010. Once the CAS server is entered, you can choose “Select from this
Server:” and type in a mailbox server to connect and view the mailboxes on that server.
Alternatively, navigate back to the Welcome page of the query and type in a mailbox server in
the “Test Connection Setting” box to test your connection to Exchange.
StealthAUDIT v5.1 System Requirements and Installation Notes
24
Exchange2k Data Collection The following categories within the Exchange2K data collector need the properties set for data collection
from Exchange 2010 servers.
Exchange Organization
o Users
Mailbox Stores
Public Folders
OrphanedMailboxes
OrphanedPublicFolders
1. The user alias will need to be set unless it has been set at the Global Level
2. A Client Access Server needs to be set so the data collector can connect to it to access the private
store for Exchange 2010.
StealthAUDIT v5.1 System Requirements and Installation Notes
25
i STEALTHbits and StealthAUDIT are trademarks of STEALTHbits Technologies, Inc. BlackBerry and BES are trademarks of Research In
Motion Limited. Microsoft, Active Directory, Exchange, and Windows are registered trademarks of Microsoft Corporation in the
United States and other countries. Celerra is a trademark of the EMC Corporation. All other trademarks are the trademarks or
registered trademarks of their respective owners.