BeyondInsight Installation Guide
Version 6.6 – June 2018
Revision/Update Information: June 2018
Software Version: BeyondInsight 6.6
Revision Number: 0

CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2018 BeyondTrust Software, Inc. All rights reserved. The information contained in this document is subject to change without notice. No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software. BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material. All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.
Contents
Introduction
    Documentation for BeyondInsight
    Contacting Support
Overview
    Architectural Review
    Installation Overview
Requirements
    Server Requirements
        Windows Server 2008
        Windows Server 2012
            Web Server (IIS)
        Windows Server 2016
    Client Requirements
    Database Requirements
        Supported Versions
        Components to Install
        Service Accounts
        Database Permissions Matrix
    ADOMD.net Requirement
    Port Requirements
        BeyondInsight
        UVM Appliance
        Password Safe
Installing Retina and BeyondInsight
    Downloading Product Installers
    Installing and Configuring BeyondInsight
        Configuration Wizard Settings
    Installing Retina
Configuring Retina Connections to BeyondInsight
    Configuring Central Policy
    Configuring Events Client
Configuring Analytics and Reporting
    Verify SQL Report Server Configuration
    Configuring Analytics and Reporting
Configuring and Running a Scan
Patch Management Module
    Installation Notes
    Requirements
    Mixed WSUS Environments
    Windows Server 2012 Overview
    Installing WSUS Administration Console Using PowerShell
    Resolving Internal HTTP 500.19 Error
PowerBroker Unix and Linux
    Requirements
    Generating a Certificate
    Exporting the BeyondInsight Server SSL Certificate
    Configuring Keywords
PowerBroker for Windows
    Generating a Certificate
    Creating an MSI File
    Configuring PowerBroker for Windows
PowerBroker Identity Services
    Generating a Certificate
    Configuring PowerBroker Identity Services
Running the Software Removal Tool
    Command Line Syntax
Using the BeyondInsight Configuration Tool
    Changing the Access URL
    Configuring Session Timeout
Licensing
    Upgrading Your License
    License Expiry
Configuring Windows Authentication to the Database
    Changing Database Authentication
    SQL Server 2012
Appendix A: Certificates
    Working with BeyondInsight Certificates
        eEyeEmsServer Certificate
        EmsClientCert Certificate
        Troubleshooting BeyondInsight Certificates
    Using a Domain PKI for BeyondInsight Communication
        Prerequisites
        Requirements
        Assigning the SSL Web Service Certificate in BeyondInsight
        Configuring a Client Certificate for PowerBroker for Windows
        Configuring Auto Enrollment
Appendix B: Permissions
    Analytics and Reporting SQL Server database access
    Analytics and Reporting Permissions
    Permissions Required for BeyondInsight Configuration User
    Permissions Required for the Web Proxy User
    Permissions Required for the SSRS Proxy User
    Permissions Required for the SQL Agent Service Running the Daily Sync Job
Appendix C: Event Collectors
    Overview
    License Keys
    Event Collectors
    Authentication and Encryption
    High Level Installation
    Software Install
    Certificates
        Exporting the Certificate
        Importing the EmsClientCert and eEyeEmsServer Certificates
        Importing the eEyeEmsCA Certificate
        Confirm Certificates
    Crypto Key
        Exporting the Key
        Importing the Key
    Windows Authentication
BeyondInsight Installation Guide 3 © 2018. BeyondTrust Software, Inc.

Introduction
This guide provides detailed instructions and procedures for installing BeyondInsight. This section lists the documentation for the product and explains where to get additional product information.

Documentation for BeyondInsight
The complete BeyondInsight documentation set includes the following:
• BeyondInsight Installation Guide
• BeyondInsight User Guide
• BeyondInsight Analytics and Reporting User Guide
• Third Party Integration Guide
If you are working with any of the BeyondInsight modules, refer to the product documentation for additional information about that module.

Contacting Support
For support, go to our Customer Portal and follow the link to the product you need assistance with. The Customer Portal contains information on contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account information, the latest product releases, product documentation, webcasts and product demos.
Telephone
Privileged Account Management Support
• Within Continental United States: 800.234.9072
• Outside Continental United States: 818.575.4040
Vulnerability Management Support
• North/South America: 866.529.2201 | 949.333.1997 + enter access code
• All other Regions, Standard Support: 949.333.1995 + enter access code
• All other Regions, Platinum Support: 949.333.1996 + enter access code
Online
http://www.beyondtrust.com/Resources/Support/

Overview
This guide is designed to lead you through an installation of BeyondInsight. It assumes familiarity with installing Windows Server 2008 R2, 2012 and 2016 and Microsoft SQL Server 2008 through 2016.

Architectural Review
A conceptual understanding of BeyondInsight's architecture is valuable before installing and configuring the components. The components are:

BeyondInsight is the web-based console where you configure and launch vulnerability assessment scans. As a scan completes, a report is generated automatically, and the results can be navigated interactively in the console. BeyondInsight does not perform vulnerability scans itself; it sends a request to Retina.

Retina Network Security Scanner is the scanning engine that performs all vulnerability assessments. It can run standalone, but when paired with BeyondInsight, scan results are sent securely to the management console to populate the SQL Server database.

Analytics & Reporting is an additional web-based interface that provides analytical tools and creates reports from the collected scan data. It supports trending and delta reports, prioritization, anomaly detection and regulatory compliance reporting.

Retina Protection Agent (RPA) provides local scanning and is generally used where network-based scanning is problematic, for example for mobile users who only connect periodically, or for hardened servers that block scan attempts.
The RPA coexists with other endpoint solutions, such as McAfee or Symantec, that may already be in place.

Installation Overview
Two software components comprise the solution:
• BeyondInsight management console
• Retina Network Security Scanner
Analytics and Reporting is a supplementary configuration launched from the console and does not require a separate installer.
Note: By default, the scanner is installed as a standalone component that initially does not recognize the console. A few configuration steps, described later in this guide, allow the scanner to:
• Receive scan job requests from BeyondInsight
• Send completed scan results securely back to BeyondInsight

Requirements
Verifying that prerequisite software and settings are correct is the key to a successful installation. If you receive errors during the installation, first check that the prerequisites have been met. The list below gives the minimum software and hardware requirements; see also the BeyondTrust Solution Requirements document. Work with your BeyondTrust Professional Services team to determine your deployment strategy.

Operating System
• Windows Server 2008 R2 (64-bit only); the latest service pack is required
• Windows Server 2012 and 2012 R2 (64-bit only)
• Windows Server 2016
Note: Integration with WSUS on Windows Server 2016 is not supported at this time.
Database
• Microsoft SQL Server 2008 SP2 or later
• Microsoft SQL Server 2008 R2 SP1 or later
• Microsoft SQL Server 2012
• Microsoft SQL Server 2014
• Microsoft SQL Server 2016
• Microsoft SQL Server Standard or Enterprise editions only
• Microsoft SQL Server Reporting Services, Analysis Services and Integration Services
Note: SQL Server collation must be set to SQL_Latin1_General_CP1_CI_AS.
Processor
Intel Dual Core 2.0 GHz or compatible (minimum). Assign two processors when installing Retina and the console on a single virtual machine; this greatly improves performance.
Memory
16 GB minimum (requires a 64-bit OS)
Hard Drive
500 MB for the software install; 40 GB minimum for the database
Network
Network Interface Card (NIC) with TCP/IP enabled
Server Requirements
• Microsoft .NET Framework 3.5 SP1 (Application Server role, Windows Process Activation Service Support / HTTP Activation)
• Microsoft .NET Framework 4.5 (Application Server role, Windows Process Activation Service Support / HTTP Activation)
• Microsoft Internet Information Services (IIS) 7.0 or later with ASP.NET support (Web Server (IIS) role)
Client Requirements
Adobe Flash Player 22.0 or later
Notes
Installation on Domain Controllers or Small Business Servers is not supported.

Server Requirements
After you configure BeyondInsight, ensure the following IIS roles and Server Roles and Features are set in Server Manager. Note that some features are selected by default. The original guide shows the Server Manager selections for each operating system as screenshots; only their captions are reproduced here.

Windows Server 2008
Web Server (IIS) role; Application Server role. Download and install the latest version of .NET Framework, 4.5 or higher. To verify, go to Control Panel | Programs | Programs and Features.

Windows Server 2012
Web Server (IIS): verify Server Roles.
Application Server: verify Server Roles and verify Features.
[Screenshots: Server Manager role and feature selections for Web Server (IIS) and Application Server on Windows Server 2012]
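The screenshots above are the only record of which roles and features to tick. The following script, added here as an example and not part of the BeyondTrust guide, checks the same prerequisites from PowerShell on Windows Server 2012/2012 R2/2016 and reports what is missing. The mapping from the guide's screenshots to `Install-WindowsFeature` names is an assumption made for this example; the .NET 4.5 registry check uses the documented `Release` value of the `NDP\v4\Full` key.

```powershell
# Added example (not from the BeyondInsight guide): verify the Server Manager roles and
# features this section requires, and optionally install the ones that are missing.
# Feature names are the standard Install-WindowsFeature names on Windows Server 2012+
# (on 2008 R2 the equivalent cmdlet is Add-WindowsFeature). The list itself is this
# example's reading of the guide's screenshots, not an official BeyondTrust list.
#Requires -RunAsAdministrator
Import-Module ServerManager

$Required = @(
    'Web-Server',                 # Web Server (IIS) role
    'Web-Static-Content',
    'Web-Stat-Compression',       # Performance > Static Content Compression (the only
                                  # Performance feature the 2016 note calls required)
    'Web-Asp-Net45',              # ASP.NET support in IIS
    'Web-Net-Ext45',
    'Web-ISAPI-Ext',
    'Web-ISAPI-Filter',
    'Web-Mgmt-Console',           # IIS Management Console
    'NET-Framework-Core',         # .NET Framework 3.5 SP1
    'NET-WCF-HTTP-Activation45',  # WCF HTTP Activation for .NET 4.5
    'Application-Server',         # Application Server role
    'AS-Web-Support',
    'AS-HTTP-Activation'          # Windows Process Activation Service Support / HTTP Activation
)

function Get-MissingBeyondInsightFeature {
    param([string[]]$Names = $Required)
    Get-WindowsFeature -Name $Names |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

function Get-DotNet4Release {
    # Release >= 378389 means .NET Framework 4.5 or later is installed.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (Test-Path $key) { (Get-ItemProperty $key -Name Release -ErrorAction SilentlyContinue).Release } else { 0 }
}

function Install-BeyondInsightFeature {
    param(
        [string[]]$Names = $Required,
        # Path to the OS media's sources\sxs folder. NET-Framework-Core (.NET 3.5) is
        # install-on-demand on Server 2012+ and usually needs it on an offline server.
        [string]$Source
    )
    $missing = @(Get-MissingBeyondInsightFeature -Names $Names)
    if ($missing.Count -eq 0) { Write-Host 'All required features are present.'; return }
    $params = @{ Name = $missing }
    if ($Source) { $params.Source = $Source }
    $result = Install-WindowsFeature @params
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Restart the server before running the BeyondInsight installer.' }
    $result
}

# Report first; install only when you mean to.
$missing = @(Get-MissingBeyondInsightFeature)
if ($missing) { Write-Host "Missing features: $($missing -join ', ')" } else { Write-Host 'Windows features OK' }
if ((Get-DotNet4Release) -lt 378389) { Write-Warning '.NET Framework 4.5 or later is not installed.' }
# Install-BeyondInsightFeature -Source 'D:\sources\sxs'
```

Run it before the BeyondInsight installer; the installer's own prerequisite errors are harder to interpret than this report. Leave the install call commented out on a server you do not own the change window for.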
Windows Server 2016
Web Server (IIS). Note: Under Performance, only Static Content Compression is required. Note: Management Service is optional.
Application Server role and Features.
[Screenshots: Server Manager role and feature selections for Web Server (IIS), Application Server and Features on Windows Server 2016]

Client Requirements
BeyondInsight and Analytics & Reporting use a browser-based interface; the client is a web browser. The client requirements therefore apply to any machine, including the BeyondInsight server itself, that uses a browser to access the BeyondInsight or Analytics and Reporting consoles.

Database Requirements
• Install the SQL Server database before installing the console.
• Install SQL Server while logged on as a domain or local administrator.
Supported Versions
The following Microsoft SQL Server versions are supported:
• SQL Server 2008 and 2008 R2
• SQL Server 2012
• SQL Server 2014
• SQL Server 2016
Note: Microsoft SQL Server Express is not supported and will cause installation errors.
Components to Install
• Database Engine Services
• Analysis Services
• Reporting Services and Integration Services
• SQL Server Management Studio
Service Accounts
• SQL Server 2008: Use the NT AUTHORITY\SYSTEM account for all services where you are required to set one.
• SQL Server 2012 and 2014: Accept the default service accounts. SQL Server 2012 and 2014 create an individual account for each service.
• Set SQL Server Agent to start Automatic (the default is Manual).
• Select Windows authentication mode.
Note:
• You can select Mixed Mode authentication if desired and provide the sa account password; however, this is not necessary when SQL Server resides on the same machine as the console.
• Select Add Current User when setting the SQL Server Administrator and Analysis Services Administrator.

Database Permissions Matrix
Notes:
• Windows Authentication is not supported on remote standalone systems. UVM appliances and software must be on the domain or a trusted domain in a forest.
• REM3Admins is a custom database role created by the installer.

SQL Authentication (SQL Local or SQL Remote), all supported SQL Server versions:
• Assign the SQL Server account the sysadmin server role.

Windows Authentication (SQL Local), SQL Server 2008:
• NT AUTHORITY\SYSTEM is assigned the sysadmin server role.
• NT AUTHORITY\NETWORK SERVICE exists as a login in SQL Server.
• On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles db_owner and REM3Admins.

Windows Authentication (SQL Local), SQL Server 2012, 2014 and 2016:
• Assign NT AUTHORITY\SYSTEM the sysadmin server role (see Setting Server Role on NT AUTHORITY\SYSTEM below).
• Add NT AUTHORITY\NETWORK SERVICE as a login in SQL Server.
• On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the roles db_owner and REM3Admins.

Windows Authentication (SQL Remote; SQL Server and BeyondInsight are on the same domain or in trusted domains of a forest), all supported SQL Server versions:
• On the SQL Server host, create a local Windows group and add that group as a login to the SQL Server instance.
• On the BeyondInsight database, assign the group login the roles db_owner and REM3Admins.
• Add each BeyondInsight machine to the local group, including any Event Collector machines and Password Safe worker node machines, using the computer account format Domain\MachineName1$, Domain\MachineName2$.

Setting Server Role on NT AUTHORITY\SYSTEM
Applies to SQL Server 2012, 2014, and 2016.
1. In SQL Server Management Studio, go to Security | Logins, right-click NT AUTHORITY\SYSTEM and select Properties.
2. Select Server Roles | sysadmin, then click OK.
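The remote Windows Authentication row above is the one most often done by hand and most often done wrong (a missing `$` on a computer account, or the group added to SQL Server but never to the database). The script below is an added example, not BeyondTrust's tooling: it runs the matrix's steps as T-SQL through PowerShell, with the collation and edition checks from the requirements section as a preflight, and then prints the role membership so the result can be verified. The database name RetinaCSDatabase is the installer default named in the Analytics and Reporting chapter; the instance name, group name and computer accounts are placeholders, and `Invoke-Sqlcmd` is assumed to be available from the SqlServer or SQLPS module. Note that sysadmin (used by the other rows) is instance-wide, so a login that holds it should be dedicated to BeyondInsight.

```powershell
# Added example (not from the BeyondInsight guide): implement the "Windows Authentication
# (SQL Remote)" row of the permissions matrix and verify it. Run on the SQL Server host as a
# Windows administrator who is sysadmin on the instance, after the console installer has
# created the database and its REM3Admins role.
param(
    [string]$Instance  = 'SQL01',              # placeholder
    [string]$Database  = 'RetinaCSDatabase',   # installer default per this guide
    [string]$GroupName = 'BeyondInsightHosts', # arbitrary local group name
    # Computer accounts (Domain\MachineName$) of every console, Event Collector and
    # Password Safe worker node host. Placeholder names.
    [string[]]$Members = @('CORP\BI-CONSOLE01$', 'CORP\BI-COLLECTOR01$', 'CORP\PS-WORKER01$')
)
if (Get-Module -ListAvailable -Name SqlServer) { Import-Module SqlServer }
else { Import-Module SQLPS -DisableNameChecking }   # older installs: module shipped with SSMS

# Preflight: the guide's collation requirement and its "no Express edition" rule.
$props = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128)) AS Collation,
       CAST(SERVERPROPERTY('Edition')   AS nvarchar(128)) AS Edition;
"@
if ($props.Collation -ne 'SQL_Latin1_General_CP1_CI_AS') {
    Write-Warning "Collation is $($props.Collation); the guide requires SQL_Latin1_General_CP1_CI_AS"
}
if ($props.Edition -like 'Express*') { throw 'SQL Server Express is not supported' }

# 1. Local Windows group on the SQL host holding the computer accounts.
#    (net localgroup is used so the script also works where New-LocalGroup is absent.)
net localgroup $GroupName /add 2>$null | Out-Null               # no-op if it already exists
foreach ($m in $Members) { net localgroup $GroupName $m /add 2>$null | Out-Null }

# 2. Login for the group, database user, and the two roles from the matrix.
#    ALTER ROLE ... ADD MEMBER needs SQL Server 2012+; on 2008 use EXEC sp_addrolemember.
$login = "$env:COMPUTERNAME\$GroupName"
Invoke-Sqlcmd -ServerInstance $Instance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
ALTER ROLE [db_owner]   ADD MEMBER [$login];
ALTER ROLE [REM3Admins] ADD MEMBER [$login];
"@

# 3. Verify: both roles should list the group, and the group should hold every host.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$login';
"@ | Format-Table -AutoSize
net localgroup $GroupName
```

If the final query returns fewer than two rows, the database user exists but a role assignment failed; if `net localgroup` shows a member without a trailing `$`, a user account was added instead of the computer account and Kerberos authentication from that host will not match it.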
ADOMD.net Requirement
The BeyondInsight web server uses SQL ADOMD.NET components to communicate with the SQL Analysis Services cube. If the web server does not have SQL Server installed, you must install the ADOMD.NET components manually. The SQL_AS_ADOMD.msi file is included with BeyondInsight in the Support folder. After installing the ADOMD.NET components you may need to restart IIS.

Port Requirements
BeyondInsight
Function | Components | Port
Database connectivity | Console to the database; BeyondInsight Reporting to the database | 1433
Event Collector | Retina and Retina Protection Agent to BeyondInsight | 21690
RPA Central Policy | Endpoint to the console | Version 1: 2000; Version 2: 443
RNSS Central Policy | Scanner to the console | Version 1: 10001; Version 2: 443
Update Servers | SyncIt or EUS to the BeyondTrust server | 443 or 80
Client Browser | User to BeyondInsight or BeyondInsight Reporting | 443 or 80
PowerBroker for Windows | Connector to web services | 443
Android Mobile Connector | Android agents to the console | 443
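Firewall rules between scanner hosts and the console are the usual reason the Central Policy and Events Client tests later in this guide fail. The following script is an added example (not part of the guide) that checks the console-bound ports from the table above from a Retina or agent host, and the database port from the console, with `Test-NetConnection` (available on Windows Server 2012 R2 and later). Hostnames are placeholders; the Central Policy version selects between the v1 and v2 ports exactly as the table does.

```powershell
# Added example (not from the BeyondInsight guide): reachability check for the ports in the
# BeyondInsight port table. Run on a Retina scanner / Retina Protection Agent host, or on the
# console with -DatabaseServer to check SQL Server. Hostnames are placeholders.
param(
    [string]$Console = 'bi-console.corp.example',
    [string]$DatabaseServer,                      # optional: SQL Server host, tested from the console
    [ValidateSet(1, 2)][int]$CentralPolicyVersion = 2
)

# Port map taken from the table above; v1/v2 follow the Central Policy version in use.
$Checks = @(
    @{ Name = 'Event Collector (Retina/RPA -> console)';  Target = $Console; Port = 21690 },
    @{ Name = 'Client browser / web services (HTTPS)';   Target = $Console; Port = 443 },
    @{ Name = 'RNSS Central Policy (scanner -> console)'; Target = $Console; Port = $(if ($CentralPolicyVersion -eq 1) { 10001 } else { 443 }) },
    @{ Name = 'RPA Central Policy (endpoint -> console)'; Target = $Console; Port = $(if ($CentralPolicyVersion -eq 1) { 2000 } else { 443 }) }
)
if ($DatabaseServer) {
    $Checks += @{ Name = 'Database connectivity (console -> SQL Server)'; Target = $DatabaseServer; Port = 1433 }
}

function Test-BeyondInsightPorts {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # TcpTestSucceeded is a plain TCP connect; it proves the path, not the service.
        $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check    = $c.Name
            Target   = $c.Target
            Port     = $c.Port
            Resolved = $r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
        }
    }
}

$results = Test-BeyondInsightPorts -Checks $Checks
$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -gt 0) {
    Write-Warning ('Blocked: ' + (($blocked | ForEach-Object { "$($_.Check) tcp/$($_.Port)" }) -join '; '))
}
```

A failed row here, with the same port passing from the console's own loopback, points at a host or network firewall rather than at the BeyondInsight configuration.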
UVM Appliance
Traffic | Port
Database Connectivity: BeyondInsight to SQL Server; BeyondInsight Analytics and Reporting to SQL Server | 1433
Event Collector: Retina, PowerBroker Endpoint Protection Platform, or Retina Protection Agent to BeyondInsight | 21690
Mobile Agents and PowerBroker Windows Connector to Web Services; Update Servers SyncIT or EUS to BeyondTrust | 443
Android Mobile Connector: Android Agents to BeyondInsight | 21691
PowerBroker Endpoint Protection Platform or Retina Protection Agent Central Policy: Endpoint to BeyondInsight | V1: 2000; V2: 443
Retina Central Policy: Retina to BeyondInsight | V1: 10001; V2: 443
Update Servers SyncIT or EUS to BeyondTrust; Client Browser User to BeyondInsight or BeyondInsight Reporting | 443 or 80
BeyondSaaS Job Results | 8080
Windows Passwords: Password Safe Service to Client | 135, 139, 445, 389
UNIX, Linux, Other: Password Safe Service to Client | 22
Database: Password Safe Service to Client | MS SQL 1433; Oracle 1521
RDP Client and Target Proxy Session Monitoring | 4489 / 3389
SSH Client and Target Proxy Session Monitoring | 4422 / 22
High Availability: BeyondInsight HA | 443, 5022
Notifications (email): SMTP | 25
Appliance Discovery Tool | 4069

Password Safe
Category | Functionality | Service | Protocol / Port | Requirement / Notes
System Discovery | User Enumeration | nb-ssn / ms-ds | 139 / 445* TCP | WMI service running on target
System Discovery | Hardware Enumeration | nb-ssn / ms-ds | 139 / 445* TCP | Remote Registry service running on target
System Discovery | Software Enumeration | nb-ssn / ms-ds | 139 / 445* TCP |
System Discovery | Local Scan Services | ms-ds | 445 TCP |
Password Change | Windows Password Change | adsi-ldap | 389 TCP | ms-ds (445/TCP) is used as a fallback
Password Change | Windows Update/Restart Services | wmi | 135 TCP | WMI service running on target
Password Change | Active Directory Password Change | adsi-ldap | 389 TCP | ms-ds (445/TCP) is used as a fallback
Password Change | User and Computer Authentication, Forest Level Trusts | kerberos | 88 TCP and UDP |
Password Change | Unix/Linux/OS X | ssh | 22 TCP |
Password Change | Oracle | oracle-listener | 1521 TCP |
Password Change | MS SQL Server | netlib | 1433 TCP |
Password Change | HP iLO | ssh | 22 TCP |
Password Change | Dell DRAC | ssh | 22 TCP |
Session Management | Remote Desktop | rdp | 3389 TCP |
Session Management | SSH | ssh | 22 TCP |
Appliance | Mail Server Integration | smtp | 25 TCP |
Appliance | AD Integration | ldap | 389 TCP |
Appliance | Backup | smb | 445 TCP |
Appliance | Time Protocol | ntp | 123 UDP |
Appliance | HA Replication (pair) | sql-mirroring / https | 5022 / 443 TCP |

Installing Retina and BeyondInsight
Downloading Product Installers
After BeyondTrust Sales generates a customer license, you receive an email that includes a link to download the product installers.

Installing and Configuring BeyondInsight
Installing the console is a two-step process:
• Installing the software. First, run the downloaded BeyondInsight_x.x.x installer, enter the console license key (serial number) and follow the default prompts. Supply the License Registration information when prompted.
Note: If you already installed Retina, the License Registration information populates automatically.
• Running through the configuration. After the software is installed, the BeyondInsight Configuration Wizard starts automatically.
Note: Required audit upgrades are downloaded after the installation is complete. Audit upgrades take several minutes to complete, or longer depending on the number of pending updates.

Configuration Wizard Settings
Database page: Configure the database.
Accept the default (local) SQL Server if SQL Server is on the same machine and the logged-on Windows credentials will be used to connect. Otherwise, click Advanced to enter the SQL Server information, including the SQL Server name, database name, and database credentials. You can select an existing BeyondInsight database. Note that the BeyondInsight database version must match the installer version; otherwise an error message is displayed indicating that the database version and installer version do not match.

Web Site Information page: Informs you that the console will be implemented as the default IIS website.

Agent Password page: The Agent Password is used to configure the connection between the scanner and the console, which is performed later. Agents need this password to retrieve Central Policy information from the console. The password is also used when importing certificates with the Events Client Configuration tool. It must meet the machine's password composition requirements.

Event Server Information page: Provides the option to configure SNMP.

Email Information page: Allows you to provide a default SMTP mail server and account. This may be used, for example, to automatically email a report after vulnerability scans complete. The SMTP mail server and email address you provide are not verified by the configuration wizard, so if you do not know them yet you can enter placeholder values and correct them later.

Administrator Password page: Creates an initial login account to the console with full rights. This is NOT the local machine administrator or domain administrator account. The console administrator password must meet the machine's password composition requirements.
Ready to Apply Settings and BeyondInsight Configuration pages: After you enter your information, the database is created in SQL Server. Expect this to take about 7-10 minutes. When it completes and you select Finish, the management console opens in your default browser. Log on with the Administrator account and password created earlier.

Installing Retina
To install Retina, run the downloaded Retina_x.xx.x installer, enter the license key (serial number) and follow the default prompts. After you supply the License Registration information, the auto-update process runs and contacts BeyondTrust servers; this can take several minutes. Once complete, Retina starts automatically. For more information, refer to the Retina Installation Guide.

Configuring Retina Connections to BeyondInsight
Now that the scanner and the console are installed, configure them to work together by setting up both Central Policy and the Events Client.

Configuring Central Policy
Central Policy enables Retina to pull scan requests from, and send scan status updates to, the console.
To configure Central Policy:
1. Run Retina.
2. Select Tools > Options.
3. Select the Event Routing tab and then select Enable Event Routing to Centralized Console.
4. Select the Management tab, select Enable Central Policy and enter the required information:
– Central Policy Server: Name or IP address of the machine where the console is installed. You can use localhost if the scanner and the console reside on the same machine.
– Password: The Agent Password defined during the BeyondInsight configuration steps above (the guide's example value is 'Retina123').
– Agent Name: A name of your choice that identifies this scanner in the console.
5. Click Test. Within a few seconds you should receive confirmation that the connection from the scanner to the BeyondInsight console was successful. If you receive the message "The connection was refused by the specified server", verify that the NT AUTHORITY\SYSTEM account is assigned the sysadmin server role as described in the Database Permissions Matrix.

Configuring Events Client
The Events Client enables Retina to securely send completed scan data to the management console, where it is extracted to populate the database.
To configure the Events Client:
1. On Windows 2008: Start | All Programs | BeyondTrust | Tools | Event Client Configuration. On Windows 2012: Start | Apps | BeyondTrust | Events Client Configuration.
2. Run through the Events Client Installation wizard, accepting the default values. For the Select a Client Certificate page, see Appendix A: Certificates.
3. When prompted for a password, enter the Agent Password defined during the configuration steps above (the guide's example value is 'Retina123').
4. At the Test Connection page, click Next, wait a few seconds, and verify that a test message was successfully sent to the Application Bus.
After configuring Central Policy and the Events Client, you are ready to run vulnerability scans and view the corresponding report. Next, you can set up Analytics and Reporting.

Configuring Analytics and Reporting
Analytics and Reporting requires initial configuration before it can be used. The configuration assumes that SQL Server Reporting, Analysis and Integration Services are installed and working as described under Database Requirements. Before configuring Analytics and Reporting, verify that the SQL Report Server is working properly.

Verify SQL Report Server Configuration
1. On Windows 2008: Start | All Programs | Microsoft SQL Server 2008 R2 | Configuration Tools | Reporting Services Configuration Manager. On Windows 2012: Start | Apps | Microsoft SQL Server 2014 (or 2012) | SQL Server 2014 Reporting Services Configuration Manager.
2. After connecting, select Web Service URL, then select the Report Server Web Service URL link and verify that the confirmation web page loads.
3. Select Report Manager URL, then select the Report Manager Site Identification link and verify success.

Configuring Analytics and Reporting
For details on the permissions needed to use Analytics and Reporting, see Appendix B: Permissions.
1. Log on to the console and select Analytics and Reporting.
2. On the logon page, enter the same administrator user name and password used to log on to the console. Once logged on, select Configure Now.
3. Installation Credentials: Enter the machine or domain administrator credentials.
4. SQL Server and SQL Server Analysis Services: Enter the machine name.
5. SQL Server Reporting Services (SSRS): Enter the Web Service URL, for example http://<machine name>:80/ReportServer.
6. SQL Server Agent: The SQLSERVERAGENT service account created during the SQL Server 2012/2014 installation does not have the write permissions to the BeyondInsightReporting database that the daily synchronization job needs; supply an account that does (see Appendix B: Permissions).
7. Web Service Credentials: The user name and password should populate automatically; select Deploy.
8. Deployment Progress: Deployment progress is shown while the BeyondInsightReporting database is created. Verify success, then select Finish.
9. Deployment Complete: Once the deployment completes, select the option to synchronize data now. This critical process synchronizes scan results from the RetinaCSDatabase, created during the management console configuration, with the newly created BeyondInsightReporting database. By default, synchronization runs every day at 12:00 am (see step 6, SQL Server Agent), but it can also be run manually. It takes several minutes to complete.
10. Verify successful synchronization by selecting the SQL Server Agent Jobs tab and then Refresh. Do not use the browser's refresh button: that reloads the page and you will have to log on again.

Configuring and Running a Scan
For your first scan it is helpful to scan only the local machine, since this verifies communication between Retina and the console without introducing other variables, such as firewall settings or network conditions, that may impede scanning external targets. Configuring and running a discovery scan takes a few simple steps:
1. In the management console, navigate to the Assets tab, then click Scan.
2. Click Discovery Scan.
3. The Management Report Templates contain the specific audits that will be executed on the target machines. Click Scan.
4. Enter the target machines to scan. You can use a single IP address, an IP address range, CIDR notation or named host(s).
5. Enter credentials for the target machine(s).
6. Click Start Scan.
7. Select the Jobs tab to see scan progress. When the scan completes, select the Reports tab, and then double-click the completed job to open the report.
Patch Management Module
For more information about the Patch Management module requirements, refer to the BeyondInsight User Guide.
Patch Management Module Requirements
• BeyondInsight management console 2.0 or later
Installation Notes
• Ensure that your license includes the Patch Management module feature before proceeding with the install. Contact your BeyondTrust representative.
• Installing the Patch Management module on domain controllers or Small Business Servers is not supported.
• BITS and the Microsoft WSUS client must be enabled on all clients.
Requirements
Windows Server 2012 WSUS Installation Requirements
• IIS
• Windows PowerShell
• .NET Framework 4.5 Features
• Microsoft Report Viewer Redistributable 2008: http://www.microsoft.com/enus/download/details.aspx?id=3841

Mixed WSUS Environments
Review this section if you plan to use the Patch Management module or the SCCM feature. The fundamental challenge in mixed scenarios with different operating systems is the WSUS API version. To support local publishing activities (anything that puts a third-party update into the WSUS database), the WSUS console version on the BeyondInsight server and the version of WSUS installed on the WSUS server must be the same. Otherwise the Third Party Patch Service returns the following error and no third-party updates are available for approval and installation:
Message: Failed to publish packageName. Publishing operation failed because the console and remote server versions do not match.
Currently there are three supported production versions of WSUS that can contribute to this situation:
• WSUS v3.2 - runs on Windows Server 2003, 2008, and 2008 R2
• WSUS v6.2 - runs on Windows Server 2012
• WSUS v6.3 - runs on Windows Server 2012 R2
Resolution
Ensure all WSUS servers and BeyondInsight servers have the same WSUS patches installed.
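Before walking Add or Remove Programs on every server, it is quicker to ask both sides what API version they are running. The script below is an added example (not BeyondTrust's tooling) that loads the WSUS administration assembly installed with the console on the BeyondInsight server, reads its file version (which moves with installed WSUS updates), and compares it with the version the remote WSUS server reports through the same API. Server name, port and the SSL switch are placeholders.

```powershell
# Added example (not from the BeyondInsight guide): compare the local WSUS console API with
# the WSUS server's version. A mismatch is the condition behind the "console and remote
# server versions do not match" publishing error. Run on the BeyondInsight server after the
# WSUS administration console is installed.
param(
    [string]$WsusServer = 'wsus01.corp.example',   # placeholder
    [int]$Port = 8530,      # WSUS 6.x default; 8531 with -UseSsl; WSUS 3.2 commonly 80/443
    [switch]$UseSsl
)
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-LocalWsusConsoleVersion {
    # File version of the console's API assembly; assembled from the numeric parts because
    # Microsoft file version strings can carry a build-lab suffix that [version] rejects.
    $asm = [Microsoft.UpdateServices.Administration.AdminProxy].Assembly
    $vi  = (Get-Item $asm.Location).VersionInfo
    [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-RemoteWsusVersion {
    param([string]$Server, [bool]$Secure, [int]$PortNumber)
    # IUpdateServer.Version is the version the WSUS service reports for itself.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $Secure, $PortNumber)
    [version]$wsus.Version
}

$consoleVersion = Get-LocalWsusConsoleVersion
$serverVersion  = Get-RemoteWsusVersion -Server $WsusServer -Secure ([bool]$UseSsl) -PortNumber $Port

$result = [pscustomobject]@{
    WsusServer      = $WsusServer
    LocalConsoleApi = $consoleVersion
    RemoteServerApi = $serverVersion
    Match           = ($consoleVersion -eq $serverVersion)
}
$result
if (-not $result.Match) {
    Write-Warning "Console $consoleVersion and server $serverVersion differ: apply the same WSUS updates to both before publishing third-party updates."
}
```

If `Match` is false, the installed-updates walk described next tells you which side is behind; if the remote call itself fails, check that the account running the script is in the WSUS Administrators group on the WSUS server and that the port matches its bindings.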
To check the WSUS patches installed on a server:
1. Log on to the server you need to check.
2. If you are running Windows Server 2003, find the patches in Add or Remove Programs:
a. Open Control Panel > Add or Remove Programs.
b. At the top of the window, select Show updates.
c. Scroll to Windows Server Update Services.
d. Note the KB numbers (in parentheses) at the end of each "Hotfix" entry.
3. If you are running Windows Server 2008, find the patches in Programs and Features:
a. Open Control Panel > Programs and Features.
b. In the left pane, click View installed updates.
c. Scroll to Windows Server Update Services.
d. Note the KB numbers (in parentheses) at the end of each entry.

Windows Server 2012 Overview
Review the following articles to learn more about how Windows Server 2012 and WSUS work together.
• WSUS on Windows Server 2012 Overview: http://technet.microsoft.com/en-us/library/hh852345.aspx
• Deploy Windows Server Update Services in Your Organization: http://technet.microsoft.com/en-us/library/hh852340.aspx
• Difference between WSUS 3.2 and WSUS 6.0: http://social.technet.microsoft.com/Forums/windowsserver/en-US/16d5f9bb-98cc-4285-a88652fb2b99531e/difference-between-wsus-30-and-wsus-40

Installing WSUS Administration Console Using PowerShell
1. Open a Windows PowerShell console as an administrator.
2. Execute the following command:
Install-WindowsFeature -Name UpdateServices-Ui
This command installs the console only and does not run a post-install task.

Resolving Internal HTTP 500.19 Error
If Windows Server 2012, IIS, WSUS, and BeyondInsight are installed on the same server, an HTTP Error 500.19 can occur when you try to log on to BeyondInsight. Windows Server 2012 is a 64-bit only operating system. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool.
The BeyondInsight application pool is 32-bit and will result in the error when the 64-bit suscomp.dll attempts to load. You can use one of the following ways to fix the issue. Option 1 1. Back up IIS. 2. Open IIS Manager. 3. Click the server module node in the tree and select Modules. 4. Right-click DynamicCompressionModule and select Unlock. 5. Right-click on StaticCompressionModule and select Unlock. BeyondInsight Installation Guide 35 © 2018. BeyondTrust Software, Inc. Patch Management Module 6. 7. 8. 9. Open the Default Web Site, and then open Modules. Right-click DynamicCompressionModules and select Remove. Right-click StaticCompressionModule and select Remove. Do IISRESET from an elevated/administrative command prompt. Option 2 Install BeyondInsight and WSUS on separate Windows Server 2012 servers. BeyondInsight Installation Guide 36 © 2018. BeyondTrust Software, Inc. PowerBroker Unix and Linux PowerBroker Unix and Linux Use BeyondInsight to manage PowerBroker for Unix & Linux event log records. Configure BeyondInsight and PowerBroker for Unix & Linux to work together to send the event logs to the BeyondInsight management console. This chapter provides information on preparing PowerBroker Servers to work with BeyondInsight. Refer to the PowerBroker Servers product documentation for specific details on the keywords that must be configured. Requirements • BeyondInsight version 4.5 or later • PowerBroker for Unix & Linux version 7.5 or later Generating a Certificate 1. 2. 3. 4. 5. 6. 7. 8. Open the BeyondInsight Configuration Tool and select Certificate Management. Select Export certificate. Select Client certificate from the list. Enter a password for the export file and provide the destination in the Path field. Click OK to export the certificate as a PKCS#12 file (with a .pfx extension). 
Using BeyondTrust FIPS Object Module for OpenSSL, convert the certificate from PKCS#12 format (*.pfx file) to PEM format (*.pem): openssl pkcs12 –clcerts –in <full_pathname_of_pfx_to_convert> out <full_pathname_of_target_pem> –nodes Securely copy the certificate to the PowerBroker Servers Unix & Linux Master and Logserver hosts. In the PBUL settings file, assign the path and filename of this certificate to the keyword sslrcscertfile. Exporting the BeyondInsight Server SSL Certificate 1. 2. Open the Windows Certificate Manager (certmgr.msc) and expand the Trusted Root Certification Authorities folder. In the details pane, select the BeyondInsight server SSL certificate in the Issued To field. The certificate name contains the hostname of the BeyondInsight server and the text “eEye EMS CA”. Example: RCS hostname is LA-RETINACS-01: The certificate’s name is “LA-RETINACS-01 eEye EMS CA” 3. 4. 5. From the Action menu, select All Tasks > Export. In the Certificate Export Wizard: a. Select No when asked to export the private key, and then click Next. b. Select the DER encoded binary X.509 (*.CER) format, and then click Next. c. Provide the target destination of the certificate, and then click Next. d. Confirm the settings, and then click Finish to export the certificate. Using BeyondTrust FIPS Object Module for OpenSSL, convert the certificate from DER format (*.cer) to PEM format (*.pem) using this command: openssl x509 -inform der -in BeyondInsight Installation Guide 37 © 2018. BeyondTrust Software, Inc. PowerBroker Unix and Linux 6. 7. <full_pathname_of_cer_to_convert> -out <full_pathname_of_target_pem> Securely copy the certificate to the PBUL Master and Logserver hosts. In the PBUL settings file, assign the path and filename of this certificate to the keyword sslrcscafile. For more information about importing the certificates, refer to “Solr Install” in the PowerBroker for Unix & Linux Installation Guide. 
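The following PowerShell is an added example, not part of this guide or of BeyondTrust's tooling; it performs steps 1 through 5 of the server SSL certificate export above in one function, writing the DER .cer file and building the PEM file directly from the certificate bytes so that OpenSSL is not needed on the Windows host. It assumes an elevated session on the BeyondInsight server with the PKI module (Export-Certificate) available, and that the certificate's Issued To name contains "eEye EMS CA" as in the guide's example; no private key is exported, matching step 4a.

```powershell
function Export-EmsCaCertificate {
    param(
        # Directory that receives the .cer (DER) and .pem files (placeholder in the usage line).
        [Parameter(Mandatory)][string]$OutputDirectory,
        # Text the certificate's Issued To (Subject) name must contain.
        [string]$NameContains = 'eEye EMS CA',
        # Optional thumbprint to pick one certificate when several match.
        [string]$Thumbprint
    )
    # Step 1-2: locate the certificate in Trusted Root Certification Authorities.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$NameContains*" })
    if ($Thumbprint) { $candidates = @($candidates | Where-Object { $_.Thumbprint -eq $Thumbprint }) }
    if ($candidates.Count -eq 0) { throw "No certificate in LocalMachine\Root matches '$NameContains'." }
    if ($candidates.Count -gt 1) {
        # More than one copy is itself a problem worth surfacing rather than guessing.
        $list = ($candidates | ForEach-Object { "$($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)" }) -join "`n"
        throw "More than one matching certificate; pass -Thumbprint to choose one:`n$list"
    }
    $cert = $candidates[0]

    $null = New-Item -ItemType Directory -Path $OutputDirectory -Force
    $OutputDirectory = (Resolve-Path -Path $OutputDirectory).Path
    $fileStem = ($cert.Subject -replace '^CN=', '') -replace '[^\w\- ]', '_'
    $cerPath = Join-Path $OutputDirectory "$fileStem.cer"
    $pemPath = Join-Path $OutputDirectory "$fileStem.pem"

    # Step 4: DER-encoded X.509, the same format the Certificate Export Wizard
    # writes for "DER encoded binary X.509 (.CER)". Only the public certificate.
    $null = Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT -Force

    # Step 5 equivalent: PEM is the DER bytes, Base64-encoded in 64-character
    # lines between BEGIN/END CERTIFICATE markers, which is what openssl x509 emits.
    $b64 = [Convert]::ToBase64String($cert.RawData)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $pem = (@('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')) -join "`n"
    # LF line endings and ASCII so the PBUL Master and Logserver hosts read it unchanged.
    [IO.File]::WriteAllText($pemPath, $pem + "`n", [Text.Encoding]::ASCII)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DerFile    = $cerPath
        PemFile    = $pemPath
    }
}

# Example call (path is a placeholder). Copy the .pem securely to the PBUL hosts
# and point sslrcscafile at it there, as steps 6 and 7 describe.
# Export-EmsCaCertificate -OutputDirectory 'C:\Temp\bi-certs'
```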
Configuring Keywords

If you have not done so during the PowerBroker for Unix & Linux installation, set the following keywords in pb.settings on the Master and Log server hosts:

• rcshost
• rcswebsvcport
• sslrcscertfile
• sslrcscafile
• rcseventstorefile

For a complete list of keywords that must be configured, refer to the PowerBroker for Unix & Linux product documentation.

PowerBroker for Windows

To configure PowerBroker for Windows to forward events to BeyondInsight, you must follow the procedures in this section. Ensure that you have the appropriate license key for BeyondInsight. Before proceeding, ensure all PowerBroker for Windows components and BeyondInsight are installed.

Generating a Certificate

Generate a client certificate using the BeyondInsight Configuration tool. Certificates must be deployed to any asset where you are capturing events with PowerBroker for Windows. After you generate a certificate, you can create an MSI. You can then set up a GPO with the MSI and deploy the certificate to your PowerBroker assets.

Note: Do not generate a client certificate if there is one created for either PowerBroker Endpoint Protection Platform or for Retina Network Security Scanner. You can use the existing client certificate for your PowerBroker for Windows assets.

To generate a certificate:

1. Run the configuration tool, and then click Certificate Management.
2. Select Generate Certificate, and then select Client Certificate from the Certificate type menu.
3. Enter a password.
4. Click OK.

Creating an MSI File

To create an MSI file:

1. Run the BeyondInsight Configuration tool.
2. Click Generate Certificate msi.

The certinstaller.msi file is created in the following directory: C:\Program Files (x86)\eEye Digital Security\Retina CS\Utilities\msi

Configuring PowerBroker for Windows

Install the PowerBroker for Windows components. For more information, refer to the PowerBroker Installation Guide.

To configure PowerBroker for Windows:

1. Run the Group Policy Management Editor.
2. Go to the Management folder in the Administrative Templates section.
3. Set the following options:

Table 2. Management Settings for BeyondInsight Integration

Log events to BeyondInsight
    Activates event forwarding to BeyondInsight.

Enable Asynchronous BeyondInsight Event Logging
    Sends event logs to the System event log when BeyondInsight cannot process the events.

Configure the BeyondInsight Certificate Name
    Sets the BeyondInsight certificate name, eEyeEmsClient.

Configure the BeyondInsight heartbeat interval
    Enter the interval in minutes. The default interval is every 360 minutes (6 hours). Configure a regular interval to send heartbeat events to ensure there is a connection between PowerBroker and BeyondInsight. In addition to the usual events, when configured to send events to BeyondInsight, a heartbeat event is also sent (event ID 28701).

Configure BeyondInsight to Store XML Events on Failure
    Create a path for the event data XML file when the file cannot be sent to BeyondInsight.

Configure the BeyondInsight Web Service URL
    Enter the URL for the BeyondInsight web service. Follow the format: https://myserver/EventService/Service.svc

Configure the PowerBroker workgroup name for BeyondInsight
    Enter a workgroup name. A workgroup name is needed for asset matching in BeyondInsight.

Enable BeyondInsight Trace Logging
    Enable to create a trace log if events are not flowing into BeyondInsight.

PowerBroker Identity Services

To configure PowerBroker Identity Services to forward events to BeyondInsight, you must follow the procedures in this section. Ensure that you have the appropriate license key for BeyondInsight. Before proceeding, ensure all PowerBroker Identity Services components and BeyondInsight are installed.

Generating a Certificate

Generate a client certificate using the BeyondInsight Configuration tool.

To generate a certificate:

1. Run the configuration tool, and then click Certificate Management.
2. Select Generate Certificate, and then select Client Certificate from the Certificate type menu.
3. Enter a password.
4. Click OK.

Configuring PowerBroker Identity Services

You must configure settings from the PowerBroker Identity Services server.

To configure:

1. Run the DBUtilities tool.
2. Select the Enable BeyondInsight check box.
3. Enter the URL to the BeyondInsight server.
4. Enter the name of the client certificate generated earlier.
5. Optionally, create a workgroup name. A workgroup name can be used as a unique identifier.
6. Select the Validate client certificate check box, and then click Test Connection to ensure the connection between the servers works properly.

Running the Software Removal Tool

The BeyondTrust Software Removal Tool (SRT) is a standalone application that you can use to uninstall third-party security programs. You must run the SRT on the computer where the applications are installed. You can remove the following antivirus applications: Symantec, McAfee, AVG Technologies, ESET, NOD32, TrendMicro, CA eTrust, Kaspersky, Sophos, WebRoot, AdAware, Malwarebytes, Spybot, and ZoneAlarm.

Alternatively, you can uninstall applications when you are deploying Retina Protection Agents using BeyondInsight. For more information, refer to the BeyondInsight User Guide.
Command Line Syntax

   /guid -pcode product_code -upar "/norestart /qn"

where product_code is the MSI product code of the software that you want to remove.

You can also use the following optional commands:

/logfile
    The name (or the entire path) of the log file.
/password
    Some antivirus products require a password to uninstall (for example, Kaspersky).
/restart
    Specifies whether the machine is restarted after completely uninstalling all antivirus products. Possible values: 0 - no restart; 1 - restart.

Using the BeyondInsight Configuration Tool

After you initially configure BeyondInsight, you can change settings using the BeyondInsight Configuration Tool. The options configured during installation are described in Configuration Wizard Settings.

Note that you can turn on SSL settings for Active Directory queries (Authentication node). You can use SSL when creating Active Directory queries or creating Active Directory user groups in the console. For more information, refer to the BeyondInsight User Guide.

Additional Configuration Settings

Test Connection
    Click to test the connection to the SQL Server database.

Create Database
    Select to create a database.

Upgrade Database
    Use this feature to upgrade your database.

Manage License
    Use the License Manager to update your license or transfer the license (remove the license from the installation computer and move it to another computer).

Certificate Management
    Certificates are used by the Events Client component to ensure secure data transmission. Generate a certificate and export the certificate to a preferred location. The certificate password must be the same as the Central Policy password.

Install SSL Certificate
    Create an SSL certificate to create a secure connection to IIS. The certificate is not generated by a trusted certificate authority. An invalid certificate message is displayed to browsers connected to IIS.

Enable Debug Logging
    Use this feature when troubleshooting with the BeyondTrust support team.

Stop and Start Services
    Select to start and stop the BeyondInsight services.

Sync Benchmarks
    Synchronizes the benchmark templates that reside in the database with the templates available on the server.

Disable Light Writebacks
    Light writeback is a feature used by the Patch Management module. It ensures that information returned to the Patch Management module indicates that patches are deployed and items are no longer vulnerable. If you are not using the Patch Management module, you can turn off light writebacks.

Generate Certificate msi
    Create an MSI file that contains a client certificate. You can then set up a GPO with the MSI and deploy the certificate to your PowerBroker assets.

Generate Certificate Zip
    Used with PowerBroker for Unix & Linux Solr installations. Refer to the PowerBroker for Unix & Linux Installation Guide.

Import Certificates
    Used with PowerBroker for Unix & Linux Solr installations. Refer to the PowerBroker for Unix & Linux Installation Guide.

Grant Permissions
    Grants permissions to all stored procedures in the schema so that services and web services can run all stored procedures.

Client Authentication
    Click the link to disable authentication. When set to Disabled, SSL client certificates are ignored. Click the link again to set it to Enabled. SSL authentication is then turned on with the Require setting selected (rather than the Accept setting). Go to the SSL Settings in IIS for the BeyondInsight server to confirm the settings.

Management Console
    For environments where there are multiple console installations, you can turn off services to save resources. Click the link to set it to Disabled in this case. For example, this scenario might apply to your environment if you are running Password Safe and would like to deploy more than one console. You would not need the services running on the secondary consoles. This setting applies to software installations, not hardware appliance installations.

Changing the Access URL

You can change the default BeyondInsight web site URL. The default access URL is https://<server name>/WebConsole.

To change the URL:

1. Start the Configuration tool.
2. Scroll to Web Site Information.
3. Change the URL. Ensure the web site address is prefixed with https://
4. Click Apply.

Configuring Session Timeout

A user can remain logged on to the console while inactive for a maximum length of 20 minutes. You can change this value using the Configuration tool.

To change the setting:

1. Start the Configuration tool.
2. Scroll to Web Site Information.
3. Change the session timeout value.
4. Click Apply.

Licensing

Upgrading Your License

Use the BeyondInsight Configuration tool to update your license. You need to upgrade your license to extend your license term or to extend the asset count purchased (for example, 500 assets to 1,000 assets).

To upgrade your license:

1. Select Start > All Programs > BeyondTrust > BeyondInsight > BeyondInsight Configuration.
2. Click Manage License.
3. On the License Management page, select Update License and click Next.
4. Enter the serial number and click Next.
5. Click Finish.
6. Click Apply to close the BeyondInsight Configuration tool.

License Expiry

You can continue to log on to the console after the license key expires. However, product updates are no longer provided.
Configuring Windows Authentication to the Database

Windows authentication is recommended for database access. Security best practice for PCI DSS compliance is to use Windows authentication. For more information, see Database Permissions Matrix.

Changing Database Authentication

Use the following procedure as a guide to setting up Windows authentication on your SQL Server database.

To change database authentication to Windows:

1. Log on to SQL Server.
2. Create a SQL Server login.
3. After the login is created, go to the login properties for the new login, and create a user mapping to the BeyondInsight database and the REM3Admins role.

SQL Server 2012

If you are using SQL Server 2012, note that the NT AUTHORITY\NETWORK SERVICE account is not created by default. This account is required if you want to use Windows authentication. (This account exists by default on SQL Server 2008 R2.)

The Application Pool runs as NT AUTHORITY\NETWORK SERVICE. For remote configurations, SQL Server uses the Domain\MachineName$ account. For same-server configurations, SQL Server uses the NT AUTHORITY\NETWORK SERVICE account. In an environment where SQL Server 2012 and BeyondInsight are installed on the same server, you must create the NT AUTHORITY\NETWORK SERVICE account in SQL Server before changing the authentication mode.

Permissions assigned on the BeyondInsight database must include: db_owner and REM3Admins (a custom role created by the installer).

The BeyondInsight Manager Engine service runs as local system. When SQL Server is local to the BeyondInsight installation, grant the same permission to the NT AUTHORITY\SYSTEM account. If SQL Server and BeyondInsight are not on the same server, then the default Windows permissions apply.
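The following PowerShell is an added example, not part of this guide or of BeyondTrust's tooling; it scripts the login creation and role mapping described in this chapter, choosing the principals by placement (NETWORK SERVICE and SYSTEM when SQL Server is local, the Domain\MachineName$ account when it is remote) and granting only db_owner and REM3Admins rather than a server-level role. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, that the caller can create logins and is db_owner on the target database, and that the database name passed in is the one chosen at installation (the value in the usage lines is a placeholder).

```powershell
function Grant-BeyondInsightDatabaseAccess {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'SQL01' or 'SQL01\INSTANCE' (placeholders)
        [Parameter(Mandatory)][string]$DatabaseName,     # the BeyondInsight database created at install
        [switch]$SqlServerIsLocal,                       # set when SQL Server runs on the BeyondInsight host
        [string]$Domain = $env:USERDOMAIN,               # NetBIOS domain of the BeyondInsight server
        [string]$BeyondInsightHost = $env:COMPUTERNAME   # BeyondInsight server name (remote case only)
    )
    Import-Module SqlServer -ErrorAction Stop   # older hosts ship the same cmdlet in the SQLPS module

    # Which Windows principal reaches SQL Server depends on placement (see the
    # SQL Server 2012 section above):
    #  - same host: the application pool runs as NETWORK SERVICE and the
    #    Manager Engine as local system, each seen under its own name;
    #  - remote host: both present the machine account DOMAIN\HOST$.
    $principals = if ($SqlServerIsLocal) {
        @('NT AUTHORITY\NETWORK SERVICE', 'NT AUTHORITY\SYSTEM')
    } else {
        @("$Domain\$BeyondInsightHost`$")
    }

    foreach ($principal in $principals) {
        # Login at server level (SQL Server 2012 does not pre-create NETWORK SERVICE),
        # then a user in the database, then the two roles the guide requires.
        $query = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS;
USE [$DatabaseName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
EXEC sp_addrolemember N'db_owner', N'$principal';     -- works on SQL Server 2008 R2 and 2012
EXEC sp_addrolemember N'REM3Admins', N'$principal';   -- custom role created by the installer
"@
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query -ErrorAction Stop
    }

    # Return the resulting membership of the two roles so the change can be verified.
    $verify = @"
USE [$DatabaseName];
SELECT m.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'REM3Admins')
ORDER BY m.name, r.name;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $verify -ErrorAction Stop
}

# Same-host example (names are placeholders):
# Grant-BeyondInsightDatabaseAccess -ServerInstance 'BI-SERVER' -DatabaseName 'BeyondInsight' -SqlServerIsLocal
# Remote example:
# Grant-BeyondInsightDatabaseAccess -ServerInstance 'SQL01' -DatabaseName 'BeyondInsight' -Domain 'CORP' -BeyondInsightHost 'BI-SERVER'
```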
Appendix A: Certificates

Certificates are used for secure communication between agents and BeyondInsight. There are two types of certificates used with BeyondInsight and agents:

• SSL certificate – Required to encrypt the communication
• Client certificate – Required to authenticate a client

You can use BeyondInsight certificates or create custom certificates. You can use the BeyondInsight Configuration tool to create certificates.

Working with BeyondInsight Certificates

The following certificates are used for communication between BeyondTrust solutions and BeyondInsight:

• eEyeEmsCA - Certification Authority (CA) certificate. The CA certificate generates and validates client and server certificates, and is located on both agent and server in the Trusted Root Certification Authorities folder of the Local Machine store.
• EmsClientCert - Client authentication certificate
• eEyeEmsServer - Server authentication certificate

When connecting to the BeyondInsight Web Service (for example, PowerBroker for Windows connecting to the Event Service), the EmsClientCert is used to authenticate the client and the SSL certificate is used to encrypt the data. This prevents anonymous connections to the services. Typically, a Certification Authority (CA) such as VeriSign validates anonymous clients. With BeyondInsight, a self-signed CA is created and distributed with the client certificate. BeyondInsight can then work in a variety of environments, especially where network connectivity is a problem. This avoids the need to register each system instance with an online CA.

Internally, each client certificate contains a private-public key pair. During the SSL handshake the server requests the client certificate. The client authenticates the certificate before initiating the connection, and the server validates it again when it is received.

eEyeEmsServer Certificate

Install the eEyeEmsServer certificate on the server in the Local Machine store, under the Personal store.
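The following PowerShell is an added example, not part of this guide or of BeyondTrust's tooling; it checks the certificate set on a host against the conditions this appendix describes, both the Personal store placement of the server certificate stated above and the checklist under Troubleshooting BeyondInsight Certificates later in this appendix (expired CA, duplicate CA copies, usage identifiers, CA serial number matching the server, regenerated CA, private key present). It assumes the certificates are identified by the names used in this appendix in their Subject or friendly name, that an agent's EmsClientCert is imported into the Local Machine Personal store, and that the expected serial number is the one you read from the CA certificate dialog on the BeyondInsight server (placeholder in the usage line).

```powershell
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication usage identifier
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication usage identifier

function Get-CertByName {
    param([string]$StorePath, [string]$Name)
    # Certificates whose Subject or FriendlyName contains $Name (e.g. eEyeEmsCA).
    @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject -like "*$Name*" -or $_.FriendlyName -like "*$Name*" })
}

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Enhanced Key Usage OIDs, or an empty list when the extension is absent.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-BeyondInsightCertificates {
    param(
        # On an agent the leaf to check is EmsClientCert; on the server, eEyeEmsServer.
        [switch]$IsAgent,
        # Serial number read from the CA certificate dialog on the BeyondInsight
        # server; spaces and letter case are ignored in the comparison.
        [string]$ExpectedCaSerial
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # eEyeEmsCA must be present exactly once in Trusted Root Certification Authorities.
    $cas = Get-CertByName 'Cert:\LocalMachine\Root' 'eEyeEmsCA'
    if ($cas.Count -eq 0) { $findings.Add('eEyeEmsCA is missing from LocalMachine\Root') }
    if ($cas.Count -gt 1) { $findings.Add("LocalMachine\Root holds $($cas.Count) eEyeEmsCA certificates; agents and server must trust the same one") }
    foreach ($ca in $cas) {
        if ($ca.NotAfter -lt $now) { $findings.Add("eEyeEmsCA $($ca.Thumbprint) expired on $($ca.NotAfter)") }
        if ($ExpectedCaSerial) {
            $expected = ($ExpectedCaSerial -replace '\s', '').ToUpperInvariant()
            if ($ca.SerialNumber.ToUpperInvariant() -ne $expected) {
                $findings.Add("eEyeEmsCA serial $($ca.SerialNumber) differs from the server's $expected")
            }
        }
    }

    # The leaf certificate lives in the Personal store and must carry its private key
    # plus the usage identifier for its side of the client-authenticated SSL handshake.
    $leafName = if ($IsAgent) { 'EmsClientCert' } else { 'eEyeEmsServer' }
    $requiredOid = if ($IsAgent) { $ClientAuthOid } else { $ServerAuthOid }
    $leaves = Get-CertByName 'Cert:\LocalMachine\My' $leafName
    if ($leaves.Count -eq 0) { $findings.Add("$leafName is missing from LocalMachine\My") }
    foreach ($leaf in $leaves) {
        if (-not $leaf.HasPrivateKey) { $findings.Add("$leafName $($leaf.Thumbprint) has no private key") }
        if ($leaf.NotAfter -lt $now) { $findings.Add("$leafName $($leaf.Thumbprint) expired on $($leaf.NotAfter)") }
        if (@(Get-EkuOids $leaf) -notcontains $requiredOid) {
            $findings.Add("$leafName $($leaf.Thumbprint) lacks usage identifier $requiredOid")
        }
        # A leaf issued by a CA that has since been regenerated or removed fails to chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the self-signed CA publishes no CRL
        if (-not $chain.Build($leaf)) {
            $findings.Add("$leafName $($leaf.Thumbprint) does not chain to a trusted eEyeEmsCA (was the CA regenerated or removed?)")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CaSerials    = @($cas | ForEach-Object { $_.SerialNumber })
        CaUsageOids  = @($cas | ForEach-Object { (Get-EkuOids $_) -join ',' })   # compare with the guide's screen capture
        Findings     = @($findings)
        Healthy      = ($findings.Count -eq 0)
    }
}

# On the BeyondInsight server:  Test-BeyondInsightCertificates
# On an agent:                  Test-BeyondInsightCertificates -IsAgent -ExpectedCaSerial '<serial from server dialog>'
```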
To verify that the certificate is valid, double-click the certificate. The following screen capture shows a valid certificate.

EmsClientCert Certificate

The EmsClientCert certificate is used for the following purposes:

• Agent<->Server communications during deployments. Only applies to PowerBroker Endpoint Protection Platform agent deployments.
• Agent<->Server communications when sending/receiving events.

The certificate is required to send events to BeyondInsight and must be exported from the server and then imported on the agent.

Exporting the EmsClientCert Certificate

1. Open the BeyondInsight Configuration Tool.
2. Click the Certificate Management link.
3. Select Export certificate.
4. Select Client Certificate from the Certificate type list.
5. Enter a chosen password and a matching confirmation password. It is recommended to use the existing BeyondInsight Central Policy password.
6. Provide a Path:
   a. Click the ... button and navigate to your desired location.
   b. Enter a File name and select "Certificate files (*.pfx)" as the Save as type. It is recommended to name the certificate “eEyeEmsClient.pfx”.
   c. Click Save.
   d. Verify the path has been filled in correctly and then click OK.

Troubleshooting BeyondInsight Certificates

When troubleshooting certificate issues, check the following:

• Is the eEyeEmsCA certificate expired?
• Does the certificate store have more than one version of the eEyeEmsCA certificate?
• Does the eEyeEmsCA certificate have the correct usage identifiers in place? Use the following screen capture as a guide.
• Does eEyeEmsCA exist on the agent and the server? Ensure the certificate on the agent has the same serial number as the certificate on the BeyondInsight server. To view the serial number, double-click the CA certificate in the Certificate Manager to open the dialog box.
• Was the eEyeEmsCA certificate regenerated or removed? Regenerating or removing the eEyeEmsCA certificate invalidates any certificate that was generated using the old CA certificate. This breaks the communication between the agents and the server until the Client and Server certificates are regenerated on the server and the new Client certificate is deployed on all agents connecting to BeyondInsight.
• Did the Central Policy password change? If you change the password for Central Policy using the BeyondInsight Configuration tool, the password change is not automatically applied to EmsClientCert.pfx. When you deploy PowerBroker Endpoint Protection Platform on a target, the package includes the certificate with the old password. In this scenario, the events communication is not successfully configured on the target. Using the BeyondInsight Configuration tool, generate a new client certificate with a new password that matches the Central Policy password.
• To ensure the client certificate works properly with BeyondInsight, the certificate must have the correct usage identifiers and the private key present.

Using a Domain PKI for BeyondInsight Communication

This section highlights key points for creating a custom certificate. For detailed procedures on creating a custom domain certificate, refer to Microsoft’s documentation.

Keep the following considerations in mind if you are creating a custom template to use for BeyondInsight.

• You can modify templates using the Certificate Templates Console (certtmpl.msc).
• The default Computer template meets the requirements for BeyondInsight communication. However, you must create a copy of the Computer template and update any particular BeyondInsight configuration settings in the copy.
• To issue the new template, use the certsrv.msc snap-in.

Prerequisites

Ensure the following is in place in your environment before proceeding.

• Domain member server with Active Directory Certificate Services installed and configured.
• Certificate Authority Web Enrollment role installed: http://technet.microsoft.com/en-us/library/cc731183.aspx

Requirements

1. The certificates must be configured as Server Authentication and Client Authentication in the Intended Purposes section of the certificate.
2. The Subject key must contain common text for all client certificates. In the following example the common text is Test.

Assigning the SSL Web Service Certificate in BeyondInsight

1. Start the BeyondInsight Configuration Tool.
2. Scroll to Web Service in the list.
3. Select the domain PKI certificate from the list, and then click Apply.

Configuring a Client Certificate for PowerBroker for Windows

1. Edit the GPO that you are using to deploy policy to your PowerBroker for Windows targets.
2. In Group Policy Management Editor, go to Administrative Templates > BeyondTrust > PowerBroker for Windows > System > Management.
3. Double-click the Configure the BeyondInsight Certificate Name setting.
4. Enter the common text in the client certificate Subject key.

Configuring Auto Enrollment

To configure auto enrollment for the certificate:

1. In GPME, edit the GPO that applies to your PowerBroker for Windows targets.
2. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
3. Right-click in the right pane, and select New > Automatic Certificate Request.
4. Go through the wizard. On the Certificate Template page, select the custom template.

Refer to the following TechNet article for more details: http://technet.microsoft.com/en-us/library/cc731522.aspx

Appendix B: Permissions

This section is designed for more advanced deployments where local admin or administrator privileges might not be desired for installing or using BeyondInsight.

Analytics and Reporting Installation Permissions

Minimum permissions needed for the BeyondInsight account.

SQL Server database access

Ideally, assign the account installing BeyondInsight the sysadmin server role. Otherwise, ensure at least the following SQL Server permissions are assigned to the account:

• ALTER DATABASE
• BULK INSERT
• CREATE ROLE
• CREATE APPLICATION ROLE
• CREATE SCHEMA
• CREATE TYPE
• CREATE TABLE
• ALTER TABLE
• UPDATE TABLE
• CREATE UNIQUE NONCLUSTERED INDEX
• CREATE NONCLUSTERED INDEX
• CREATE PROCEDURE
• ALTER PROCEDURE
• EXECUTE PROCEDURE
• CREATE VIEW
• ALTER VIEW
• GRANT EXEC, SELECT, INSERT, UPDATE, DELETE

Analytics and Reporting Permissions

Permissions Required for BeyondInsight Configuration User

Account entered on this page of the configuration wizard: Step 1: Installation Credentials

• Local administrator rights to the SQL Analysis Services – this is needed to deploy the Analysis Services cube.
• Permission to create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\EEYE
• Log on as Batch Job security policy on the SQL Server computer.

1. BeyondInsight Configuration Database Roles

Sysadmin (Database: BeyondInsight reporting)
    Required to:
    • install the SQL job and the SSIS packages.
    • create the BeyondInsight reporting database.
    • view SQL job statuses and details.
    Alternatively, add the configuration user to the SQLAgentRole of the MSDB database on the BeyondInsight server for lower privileges.

db_owner (Database: BeyondInsight)
    Required to install the stored procedures for BeyondInsight reporting to synchronize data from the BeyondInsight management console.

System User
    This role is at the root of the SQL Reporting Services management website and is required to read information from SSRS.

Browser
    This role is on the root folder settings for the SQL Report Services management website and is required to read and run reports deployed to SSRS.

Content Manager
    This role is on the root folder settings for the SQL Report Services management website and is required to deploy the reports to SSRS.

Permissions Required for the Web Proxy User

Note: These permissions are automatically set up during installation if the installing user has permission to do so.

Account entered on this page of the configuration wizard: Step 5: Web Service Credentials

2. Web Proxy User Roles

RetinaInsightReader (Database: BeyondInsight reporting)

RetinaInsightUser (Database: BeyondInsight management console)

RetinaInsightReader (Database: BeyondInsight reporting cube in SQL Analysis Services)

System User
    This role is at the root of the SQL Report Services management website and is required to deploy the reports to SSRS.

Browser
    This role is on the root folder settings for the SQL Report Services management website and is required to read and run reports deployed to SSRS.

Permissions Required for the SSRS Proxy User

Note: These permissions are automatically set up during installation if the installing user has permission to do so.

Account entered on this page of the configuration wizard: Step 3: SQL Reporting Services (SSRS)

3. SSRS Proxy User Roles

RetinaInsightReader (Database: BeyondInsight reporting)

RetinaInsightUser (Database: BeyondInsight management console)

RetinaInsightReader (Database: BeyondInsight reporting cube in SQL Analysis Services)

Permissions Required for the SQL Agent Service Running the Daily Sync Job

Permission to process the BeyondInsight SSAS database.

4. SSAS Proxy User Roles

RetinaInsightSSIS (Database: BeyondInsight)

RetinaInsightUser (Database: BeyondInsight management console)

Appendix C: Event Collectors

The event collector role collects events and serves policy for BeyondTrust integrations, including: Retina, PowerBroker Endpoint Protection, PowerBroker for Windows, PowerBroker for Unix & Linux, PowerBroker Mac, and PowerBroker Identity Services.

You can deploy additional event collectors to scale BeyondInsight to accommodate regional deployments in larger environments. However, it is not a typical installation scenario. It is recommended that BeyondTrust's Professional Services advise you on whether this installation scenario is suited to your BeyondInsight deployment.

This section does not apply to UVM appliance deployments.

Overview

Review the following sections to learn more about the event collectors and dependencies.

License Keys

The license key for all event collectors must match the license key for the main BeyondInsight installation.

Event Collectors

There are two types of event collectors currently used by BeyondInsight:

• A standalone collector that runs as a Windows service. This service collects events and serves policy from Central Policy. Used by Retina and PowerBroker Endpoint Protection Platform (EPP).
• A BeyondInsight event collector that runs as a web service. Used by PowerBroker for Windows, PowerBroker for Mac, and PowerBroker for Unix & Linux.
Authentication and Encryption

• PowerBroker for Unix & Linux: SSL encryption; client certificate authentication; port 443
• PowerBroker for Windows: SSL encryption; client certificate authentication; port 443
• PowerBroker for Mac: SSL encryption; client certificate authentication; port 443
• PowerBroker Endpoint Protection Platform: SSL encryption; client certificate authentication to send events (port 21690) and Central Policy password to get policy (port 443)
• Retina: SSL encryption; client certificate authentication to send events (port 21690) and Central Policy password to get policy (port 443)

High Level Installation

Use the following instructions to deploy BeyondInsight and the event collectors.

The following install files are needed:

• BeyondInsight
• Event Server and patches - Confirm the latest version with BeyondTrust. A license is required.
• Retina Network Security Scanner

All files can be downloaded from the client portal.

1. Install BeyondInsight and run through the configuration as if it were a standard BeyondInsight installation.
2. Set the database to external database on the BeyondInsight UVM (for Central Policy).
3. Set up the crypto keys. For instructions, see Crypto Key.
   a. Export the crypto key from the primary BeyondInsight server.
   b. Import the key to all Event Server machines.
4. Set up the certificates. For instructions, see Certificates.
   a. Export the 3 certificates with private keys from the primary BeyondInsight server.
   b. Import the certificates to all event collector machines.
5. Start the BeyondInsight Configuration tool and disable Management Console. See Software Install.
6. Run the latest Event Collector installer and run through the configuration.
7. Install any available Event Collector patch files.
8. Start the BeyondInsight Configuration tool (Start > All Programs > BeyondTrust > Tools > BeyondInsight Configuration). Click Grant Permissions and then click Apply. You must also click Grant Permissions and Apply on the primary BeyondInsight server after the standalone servers are set up.
9. Configure Retina scanners to point to the Central Policy and send Retina events to the event collector in each region.
10. If using Windows authentication, the event collector machine name must be added to a local group created on the SQL Server host. For more information, see Windows Authentication.

Software Install

For the software install, ensure the following are in place.

For the Event Collector service, set Subsequent failures and Reset fail count after as shown in the following screen capture.

For a software install, you must turn off the management console on any secondary event collectors. A secondary event collector is a server that is not hosted on a BeyondInsight server that is also serving the console role.

To turn off the management console on the event collectors:

1. Start the BeyondInsight Configuration tool.
2. Click the Management Console:Enabled link, and then click Yes to continue. The status is now displayed as Disabled.
3. The services must be restarted after this change. Click the Stop Services link, and then click the Start Services link.

Certificates

The following BeyondInsight certificates must be exported from the primary BeyondInsight server and then imported on the standalone event collectors.

• eEyeEmsCA - the root certificate
• EmsClientCert - client authentication certificate
• eEyeEmsServer - server authentication certificate

Exporting the Certificate

To export the certificate using the Certificates snap-in:

1. Run mmc.exe.
2. Select File > Add/Remove snap-in.
3. Select Certificates, and then click Add.
4. Select Computer Account, and then click Next.
5. Select Local Computer, and then click Finish.
6. Click OK.
7. Expand Certificates.
Expand Personal, and then select Certificates. BeyondInsight Installation Guide 65 © 2018. BeyondTrust Software, Inc. Appendix C: Event Collectors 9. Right-click eEyeEmsClient > All Tasks > Export. a. Click Next. b. Select Yes, export the private key. c. Select the check boxes: Include all certificates in the certification path if possible and Export all extended properties. d. Enter a password. The password is needed when you import the certificate. e. Click browse, save the file with a .pfx extension, and then click Next. f. Click Finish. 10. Copy the exported file to a network share. Importing the EmsClientCert and eEyeEmsServer Certificates The EmsClientCert and eEyeEmsServer certificates must be imported on every Event Server you are deploying. These certificates are imported to the Personal store. To import the certificate using the Certificates snap-in. BeyondInsight Installation Guide 66 © 2018. BeyondTrust Software, Inc. Appendix C: Event Collectors 1. 2. 3. 4. 5. Open the Certificates snap-in. Right-click the Personal folder, and then select All Tasks > Import. Click Next on the first page of the import wizard. Click Browse. On the Open dialog box, ensure that the file type is selected from the list. The certificate file has a .pfx extension. 6. 7. 8. Find the file and click Open. Click Next. Enter the certificate password. This is the password that you created when you exported the certificate. Ensure the Include all extended properties check box is selected. 9. Click Next. The certificate must be imported to the Personal store. Click Next. 10. Click Finish. Importing the eEyeEmsCA Certificate To import the eEyeEmsCA certificate to the Trusted Root store: BeyondInsight Installation Guide 67 © 2018. BeyondTrust Software, Inc. Appendix C: Event Collectors 1. 2. 3. 4. 5. 6. Open the Certificate manager snap-in. Expand Trusted Root Certification Authorities. Right-click the Certificates folder, and then select All Tasks > Import. 
Click Next on the first page of the import wizard. Click Browse. On the Open dialog box, ensure that the file type is selected from the list. The certificate file has a .pfx extension. 7. Enter the certificate password. This is the password that you created when you exported the certificate. 8. Ensure the Include all extended properties check box is selected. 9. Click Next. The certificate must be imported to the Trusted Root store. Click Next. 10. Click Finish. BeyondInsight Installation Guide 68 © 2018. BeyondTrust Software, Inc. Appendix C: Event Collectors Confirm Certificates Confirm certificates on the BeyondInsight server and Event Servers are the same by reviewing the information in the Thumbprint for the certificate. Double-click the certificate, and then select the Details tab. Crypto Key The crypto key is used for Retina credentialed scans and password change actions. Note that you must run xmltodatabasesynctool.exe as Administrator. Exporting the Key On the primary BeyondInsight server: 1. 2. 3. 4. Go to the BeyondInsight installation directory. For example, by default: \Program Files (x86)\eEye Digital Security\Retina CS\. Run xmltodatabasesynctool.exe. Click Cryptography Key. Verify Export Key is selected. BeyondInsight Installation Guide 69 © 2018. BeyondTrust Software, Inc. Appendix C: Event Collectors 5. 6. 7. Enter a password. Click Export. Copy RetinaCS.eKey to a network share. Importing the Key On each event collector server, import the crypto key: 1. 2. 3. 4. 5. 6. 7. 8. Access the network share where you exported the crypto key and copy to the Event Server computer. Run xmltodatabasesynctool.exe. Click Cryptography Key. Select Import Key. Enter the password that you created when you exported the key. Click Import. Find the key and then click Open. After you import a crypto key, you must set the following values to NULL in the dbo.Version table: Access code and Expiry. 
In SQL Server Management Studio, run the following query on the BeyondInsight database: update version set AccessCode = null, Expiry = null Windows Authentication If you are using Windows authentication for an event collector, a local group must already have been created on the SQL Server host. This group requires db_owner access to the BeyondInsight database and is assigned the REM3Admins role. You must add each event collector machine name to this local group. For example, DomainName\EventServerMachineName$. For more information, see Configuring Windows Authentication to the Database. BeyondInsight Installation Guide 70 © 2018. BeyondTrust Software, Inc.
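The certificate export, import, and thumbprint confirmation steps from the Certificates section above, as an added PowerShell example that is not part of this guide or of the BeyondInsight product. It assumes the Windows PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate are available, that each of the three certificates can be located by the name in its subject, and that the share path is a placeholder you replace. Run it with -Role Primary on the primary BeyondInsight server, then with -Role Collector on each event collector.

```powershell
<#
  Added example, not part of the BeyondInsight guide or product.
  Exports the three BeyondInsight certificates from the primary server with
  their private keys, imports them on an event collector into the stores the
  guide names, and confirms the thumbprints match what the primary recorded.
  Assumptions: the PKI module (Export-PfxCertificate / Import-PfxCertificate)
  is available, the certificates can be found by subject name, and $Share is
  a placeholder path.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Primary', 'Collector')] [string] $Role,
    [string] $Share = '\\FILESERVER\BeyondInsightCerts'   # placeholder network share
)

# Certificate names from the guide and the store each one is imported into.
$Certs = @(
    @{ Name = 'eEyeEmsCA';     Store = 'Cert:\LocalMachine\Root' }  # root certificate
    @{ Name = 'EmsClientCert'; Store = 'Cert:\LocalMachine\My'   }  # client authentication
    @{ Name = 'eEyeEmsServer'; Store = 'Cert:\LocalMachine\My'   }  # server authentication
)
$Manifest = Join-Path $Share 'thumbprints.txt'   # name=thumbprint, written by the primary

function Find-BiCert([string] $Name) {
    # Assumption: the subject CN contains the certificate name. Only certificates
    # with a private key qualify, since the guide exports the private key too.
    Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root' |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Name*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Export-BiCerts {
    $pass  = Read-Host -AsSecureString 'Password to protect the exported PFX files'
    $lines = foreach ($c in $Certs) {
        $cert = Find-BiCert $c.Name
        if (-not $cert) { throw "Certificate $($c.Name) with a private key was not found" }
        # BuildChain mirrors 'Include all certificates in the certification path'.
        Export-PfxCertificate -Cert $cert -FilePath (Join-Path $Share "$($c.Name).pfx") `
            -Password $pass -ChainOption BuildChain | Out-Null
        "$($c.Name)=$($cert.Thumbprint)"   # what every collector must end up with
    }
    Set-Content -Path $Manifest -Value $lines
}

function Import-BiCerts {
    $pass = Read-Host -AsSecureString 'Password used when the PFX files were exported'
    foreach ($c in $Certs) {
        # Personal store for the client/server certificates, Trusted Root for the CA.
        Import-PfxCertificate -FilePath (Join-Path $Share "$($c.Name).pfx") `
            -CertStoreLocation $c.Store -Password $pass | Out-Null
    }
}

function Test-BiCerts {
    # Scripted form of the guide's 'Confirm Certificates' step: the thumbprint in
    # each target store must equal the one recorded on the primary server.
    $expected = @{}
    Get-Content $Manifest | ForEach-Object {
        $name, $thumb = $_ -split '=', 2
        $expected[$name] = $thumb
    }
    $ok = $true
    foreach ($c in $Certs) {
        $want  = $expected[$c.Name]
        $local = Get-ChildItem $c.Store | Where-Object Thumbprint -eq $want
        if ($local) {
            Write-Host "OK       $($c.Name) $want"
        } else {
            Write-Warning "MISMATCH $($c.Name): thumbprint $want not present in $($c.Store)"
            $ok = $false
        }
    }
    return $ok
}

switch ($Role) {
    'Primary'   { Export-BiCerts }
    'Collector' { Import-BiCerts; if (-not (Test-BiCerts)) { exit 1 } }
}
```

The manifest written by the primary server is what each collector is checked against, which replaces the manual Details tab comparison. The PFX files on the share contain private keys, so the password prompt protects them in transit and the files should be deleted from the share once every collector has imported them.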