How to install the Microsoft Windows Vista collector to remotely collect from a Windows 2008 Server Domain Controller via off-box agent
Article ID: 177710

Updated On:

Products

Security Information Manager

Issue/Introduction

How do I collect remotely from a Windows 2008 Server Domain Controller using an off-box agent / collector?

 

Resolution


This is the recommended method of setting up the Microsoft Windows Vista collector. Do not install the collector on the agent until the steps below are complete.

The collector is to be installed last.

Before you start, note that the following roles must be installed on the server; otherwise you will be unable to add a certificate or collect from the Domain Controller.

Roles that are needed on the Windows 2008 Server Domain Controller
 

  • Active Directory Certificate Services
  • Active Directory Domain Services


Note: Adding roles can be done in Server Manager > Role Summary > Add Roles

Making the necessary changes to the Windows 2008 Server Domain Controller

For the Symantec Security Information Manager (SSIM) 4.7 Event Agent to communicate remotely with a Windows 2008 Server Domain Controller, perform the following steps.

Receiving a certificate
 

  1. At Start > Run, type: mmc.
  2. In the console, go to File > Add/Remove Snap-in.
  3. Add the Certificates snap-in.
  4. Select Computer account, then click Next.
  5. Select Local computer, then click Finish.
  6. In the Add or Remove Snap-ins window, verify that Certificates (Local Computer) is present in the Selected snap-ins pane, then click OK.
  7. In the Microsoft Management Console (MMC), expand the Certificates (Local Computer) tree and select the Personal subfolder.
  8. Right-click the Personal folder and select All Tasks > Request New Certificate.
  9. Select Domain Controller, then click Enroll.
  10. Select Details on the right side of the window.
  11. Click View Certificate, then click the Details tab.
  12. Click Copy to File on the bottom right. This launches the Certificate Export Wizard.
  13. Click Next at the Welcome to the Certificate Export Wizard window.
  14. At the Export Private Key window, make sure 'No, do not export the private key' is selected, then click Next.
  15. Select DER encoded binary X.509 (.CER), then click Next.
  16. At the File to Export window, click Browse.
  17. Choose a location and name for the certificate, then click Next.
  18. At the Completing the Certificate Export Wizard window, click Finish. Confirm the "The export was successful" message by clicking OK.
  19. Click OK in the Certificate window, then click Finish in the Certificate Enrollment window.
  20. Exit the MMC window, saving the console to a name and location of your choosing.


Adding a security descriptor

For the collector to access the Event Log through WinRM, a security descriptor must be added to the monitored Vista or Windows 2008 system. The security descriptor allows a particular named user to access WinRM services on that system. WinRM services must be enabled for the user that will be entered in the Sensor configuration.

To add the security descriptor you must update the Windows Registry.

A default registry key entry can be found in utils/customsd.reg in the Microsoft Vista Event Collector Installation package. This registry key works for many environments but may not for all.

If you wish to use the default customsd.reg file, do the following.
 

    1. Browse to where the Microsoft Vista Event Collector installation package was extracted.
    2. Right click the customsd.reg file and select Merge.


If you merged the default customsd.reg key above, you have configured a security descriptor. You can proceed on to the firewall configurations.

If you are going to configure your sensor with a user other than "Administrator" you must follow these steps:
 

    1. Determine the SDDL of the user you intend to use.
       For assistance with this, see the description of the Security Descriptor String Format at:
       http://msdn2.microsoft.com/en-us/library/aa379570(VS.85).aspx
       Please note that Symantec support cannot assist you in getting the SDDL of your desired user.
    2. Click Start > Run, type regedit, then click OK.
    3. Navigate to:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
    4. Add a new value named CustomSD.
    5. Enter the SDDL string for the user you want to use.
       Example SDDL: the following SDDL string is from the customsd.reg provided with the collector.
       O:BAG:SYD:(A;;0x01;;;ER)S:(ML;;0x1;;;LW)
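The default customsd.reg string above grants only read access (mask 0x1) to the Event Log Readers group (alias ER). The following Python is added here as an example (it is not Symantec's code): it decodes that string and appends a read-only allow ACE for a trustee of your choosing, which is how a dedicated non-Administrator collector account can be given event-log read without write or clear. The alias and access-mask tables are limited to the entries this page needs, and any S-1-5-21... SID used with it is a constructed placeholder for your own account's SID.

```python
import re

# Alias/mask tables cover what the customsd.reg string uses plus a few common aliases.
SID_ALIASES = {"BA": "Builtin Administrators", "SY": "Local System",
               "ER": "Event Log Readers", "LW": "Low mandatory level",
               "AU": "Authenticated Users", "WD": "Everyone"}
EVENTLOG_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}  # event-log object access bits
LABEL_POLICY = {0x1: "no-write-up", 0x2: "no-read-up", 0x4: "no-execute-up"}  # ML ACE mask
ACE_TYPES = {"A": "allow", "D": "deny", "ML": "label"}
# Layout: O:owner G:group D:[flags](ace)... [S:(ace)...]; an ACE is
# (type;flags;rights;object_guid;inherit_object_guid;trustee).
SDDL_RE = re.compile(r"^O:([\w-]+)G:([\w-]+)D:([A-Z]*(?:\([^)]*\))*)(?:S:(.*))?$")
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")
TRUSTEE_RE = re.compile(r"[A-Z]{2}|S-1-\d+(?:-\d+)+")
DEFAULT_CUSTOMSD = "O:BAG:SYD:(A;;0x01;;;ER)S:(ML;;0x1;;;LW)"  # string quoted in the article

def _split(sddl):
    """Return (owner, group, dacl, sacl) or raise if the string is not SDDL."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not a recognised SDDL string: %r" % sddl)
    return m.groups()

def decode_ace(ace):
    """Translate one ACE tuple into a readable type, trustee and list of rights."""
    ace_type, _flags, rights, _guid, _inherit_guid, trustee = ace
    mask = int(rights, 16) if rights.lower().startswith("0x") else 0
    table = LABEL_POLICY if ace_type == "ML" else EVENTLOG_RIGHTS
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "trustee": SID_ALIASES.get(trustee, trustee),
            "rights": [name for bit, name in table.items() if mask & bit]}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group and decoded DACL/SACL ACEs."""
    owner, group, dacl, sacl = _split(sddl)
    return {"owner": SID_ALIASES.get(owner, owner),
            "group": SID_ALIASES.get(group, group),
            "dacl": [decode_ace(a) for a in ACE_RE.findall(dacl)],
            "sacl": [decode_ace(a) for a in ACE_RE.findall(sacl or "")]}

def add_read_ace(sddl, trustee):
    """Append an allow ACE granting only event-log read (0x1) to `trustee`, so a
    dedicated non-Administrator collector account gets neither write nor clear."""
    if not TRUSTEE_RE.fullmatch(trustee):
        raise ValueError("trustee must be a two-letter alias or an S-1-... SID: %r" % trustee)
    owner, group, dacl, sacl = _split(sddl)
    sacl_part = "S:" + sacl if sacl is not None else ""
    return "O:%sG:%sD:%s(A;;0x1;;;%s)%s" % (owner, group, dacl, trustee, sacl_part)
```

Call parse_sddl(DEFAULT_CUSTOMSD) to inspect the shipped descriptor, and add_read_ace(DEFAULT_CUSTOMSD, "<SID of your collector account>") to produce the string to enter as the CustomSD value.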


Configuring Windows Firewall to work with the collector

In the Windows Firewall, you must allow inbound TCP ports 80, 443, 636 and 5998.

Note: For further security you can specify the SSIM appliance as the destination IP for ports 443 and 636.
For port 5998, you can set the source IP to the SSIM appliance. Ports 80 and 25 are used for LiveUpdate; a rule can be set up to restrict them to the Symantec LiveUpdate server hostnames.
 

    1. Click Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security.
    2. Click Inbound Rules.
    3. In the right pane, click New Rule.
       This will launch the New Inbound Rule Wizard.
    4. Click Port, then click Next.
    5. Enter the ports 80, 443, 5998, 8086 in the Specified local ports text box.
    6. Click Next.
    7. In the Action step, click Allow the connection, and then click Next.
    8. In the Profile step, check the boxes next to Domain, Private and Public, then click Next.
    9. In the Name step, specify a rule name, and then click Next.


Configuring WinRM to work with the collector
 

  • Windows Remote Management must be installed and configured on the machine you intend to monitor before you continue. For more information on installing and configuring WinRM, see:

http://msdn.microsoft.com/en-us/library/aa384372(VS.85).aspx

  • A certificate must be installed before you use the HTTPS protocol.

(See "Receiving a Certificate" above.)

  • If you are not running under the local computer Administrator account, you must either select Run as Administrator from the Start menu or use the Runas command at a command prompt.
  • Execute step 4 only if you use a local account on the monitored host. The Vista system should be joined to a domain before you configure WinRM.


To configure WinRM to work with the collector

1. Type the following command at the command prompt to run WinRM with HTTP:

      winrm quickconfig

   To run WinRM using HTTPS, type:

      winrm quickconfig -transport:https

   The command performs the following operations:
      • Starts the WinRM service and sets the service startup type to auto-start
      • Configures a listener for the ports that send and receive WS-Management protocol messages using either the HTTP protocol or the HTTPS protocol. A WinRM listener must be configured for the collector to work properly. By default, no WinRM listener is configured.
      • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports

2. You may receive the message: "WinRM is not set up to allow remote access to this machine for management. The following changes must be made:..."
   When the tool displays "Make these changes", type:

      y

3. At the prompt, type:

      winrm set winrm/config/service @{AllowUnencrypted="true"}

4. If you use a local account on the monitored host, type the following at the prompt:

      winrm set winrm/config/service/Auth @{Basic="true"}

   • You can observe and confirm these settings by typing:

      winrm get winrm/config

   • You can use the WinRM command to locate listeners and addresses. At the command prompt, type:

      winrm enumerate winrm/config/listener
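Steps 3 and 4 above deliberately relax WinRM (unencrypted transport, Basic authentication). The following Python is added here as an example and is not part of Symantec's or Microsoft's tooling: it flattens the `winrm get winrm/config` dump into dotted keys and reports which of those relaxed settings are in effect, so the host can be re-checked after setup or before moving the collector to the HTTPS listener. The sample output is constructed to mirror the tool's indented "Key = value" layout and is trimmed to the relevant keys.

```python
# Constructed sample of `winrm get winrm/config` output (4-space indented "Key = value"),
# trimmed to the keys the collector set-up touches; real output lists many more.
SAMPLE_WINRM_CONFIG = """\
Config
    MaxEnvelopeSizekb = 150
    Client
        AllowUnencrypted = false
        Auth
            Basic = true
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
"""

# Settings the steps above turn on, and the exposure each one creates.
WEAKENING = {
    "Config.Service.AllowUnencrypted": "WinRM traffic (event data, credentials) may be sent in clear text",
    "Config.Service.Auth.Basic": "Basic auth sends the collector account's password base64-encoded; "
                                 "acceptable only over the HTTPS listener",
}

def parse_winrm_config(text):
    """Flatten the indented dump into dotted keys, e.g. 'Config.Service.Auth.Basic' -> 'true'."""
    settings, path = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = (len(line) - len(line.lstrip(" "))) // 4
        path = path[:depth]
        name, sep, value = line.strip().partition(" = ")
        if sep:
            settings[".".join(path + [name])] = value
        else:
            path.append(name)   # a section header such as 'Service' or 'Auth'
    return settings

def audit(settings):
    """Return (key, exposure) for every weakening setting that is enabled."""
    return [(key, note) for key, note in WEAKENING.items()
            if settings.get(key, "false").lower() == "true"]

if __name__ == "__main__":
    for key, note in audit(parse_winrm_config(SAMPLE_WINRM_CONFIG)):
        print("%s = true: %s" % (key, note))
```

On a real host, pipe the command's output into parse_winrm_config instead of the constructed sample; an empty audit() result means neither relaxed setting is active.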


Making the necessary changes to the 4.7 SSIM Agent

The Symantec Event Agent should already be installed on the machine on which you intend to install the collector.

To import the exported certificate into the agent's Java trust store
 

    1. Click Start > Run.
    2. In the Open text box, type cmd and click OK.
    3. Change directories to:

       C:\Program Files\Symantec\Event Agent\jre\bin

    4. Copy the certificate you created on the Windows 2008 server to this machine as <name>.cer. (This certificate was created in the section titled "Making the necessary changes to the Windows 2008 Server Domain Controller", above.)
    5. Run the following command:

       keytool.exe -importcert -trustcacerts -alias <cert-alias-name> -file <Location of exported certificate file> -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass <password>


NOTE: The <cert-alias-name> can be anything you want. The <Location of exported certificate file> is the location of the .CER file you created earlier.

Installing the Collector: Running the install.bat

The Microsoft Vista and Microsoft Windows 2008 Server operating systems require the user to run install.bat from an Administrator command prompt. If install.bat is not run from an Administrator command prompt, the installer does not have sufficient permissions to install the collector properly.

To run the install.bat
 

    1. Click Start > All Programs > Accessories.
    2. Right-click the command prompt and then select Run as Administrator.
    3. In the User Account Control dialog box, click Continue.
    4. In the Administrator: Command prompt, navigate to the install\ subdirectory of the collector install directory.
    5. Type install.bat, and then press Enter.




References
 

Original Documentation

SEC_for_MS-Vista_44.pdf