RSA enVision Windows Eventing Collector Service Deployment Overview Guide




Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo, RSA enVision, RSA Event Explorer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file. Portions of this application include technology used under license from Visual Mining, Inc. 2000-2010. Portions of this application include iAnywhere technology, 2001-2010.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright 2011 EMC Corporation. All Rights Reserved. Published in the USA. September 2011

Contents

Preface ... 5
  About This Guide ... 5
  Documentation ... 5
  Getting Support and Service ... 6
  Before You Call Customer Support ... 6
Chapter 1: RSA enVision Windows Eventing Collector Service and Windows Event Sources ... 7
  Windows Eventing Mechanism ... 7
  RSA enVision Windows Eventing Collector Service ... 8
  Windows Remote Management Service ... 9
Chapter 2: System Requirements ... 11
  Supported RSA enVision Platforms and Event Sources ... 11
  Firewall Guidelines ... 11
  Firewall Ports ... 12
Chapter 3: Deployment of RSA enVision Windows Eventing Collector Service on the RSA enVision Platform ... 13
  Single Appliance Site ... 13
  Multiple Appliance Site ... 13
  Enhanced Availability Site ... 14
  Multiple Site Deployment ... 15
Chapter 4: Deployment Checklist ... 17
Chapter 5: Configuration of the WinRM Service ... 19
  Configuration Using Group Policy Objects ... 19
  Configuration Using Scripts ... 19
  Manual Configuration of WinRM over HTTP ... 20
  Manual Configuration of WinRM over HTTPS ... 20
Chapter 6: Configuration of Collection from the Security Channel ... 21
Chapter 7: SSL Connection to Windows Event Sources ... 23
  SSL Connection for WinRM over HTTPS ... 23
  SSL Certificates for Windows Event Sources ... 23
  Microsoft CA ... 24
  Auto-Enrollment for SSL Certificates ... 25
  Third-Party CA ... 26
  Self-Signed Certificates ... 26
  SSL Connection ... 27
Chapter 8: User Account With Least Privileges ... 29
Chapter 9: Configuration of Hosted Event Sources ... 31
Appendix A: Example of Provisioning SSL Certificates with Microsoft CA ... 33
  Install an Enterprise Root Certificate Authority on the Domain Controller ... 33
  Enable Auto-Enrollment for SSL Certificates ... 34
  Import the Root CA Certificate into the RSA enVision Appliance ... 35
Appendix B: Example of Provisioning SSL Certificates with a Third-Party CA ... 37
  Generate a Certificate Signing Request ... 37
  Submit the Certificate Request to a Third-Party CA ... 38
  Install the Certificate on the Event Source ... 38
Appendix C: Example of Provisioning Self-Signed Certificates ... 39
  Generate a Self-Signed Certificate ... 39
  Import the Certificate to the RSA enVision Appliance ... 40

Preface

About This Guide

This guide describes the configuration required on RSA enVision and the Windows event sources to enable event collection in your network using the RSA enVision Windows Eventing Collector Service. The guide also briefly explains the need for and scope of each configuration.

This guide is intended for RSA enVision administrators and Windows administrators using the Windows Eventing Collector Service.

This guide contains instructions for configuring a third-party system, in this case Microsoft Windows event sources, certificate services, and domain services. While the instructions provided have been validated in RSA test labs, any Windows system setup may require additional or different configuration steps. For complete information, you can also refer to the Microsoft Windows documentation.

Documentation

For more information about the RSA enVision Windows Eventing Collector Service, see the following documentation:
- RSA enVision Windows Eventing Collector Service Deployment Overview Guide. Provides an overview of the Windows event source configurations and a high-level task map for setting up the RSA enVision Windows Eventing Collector Service.
- Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes. Provides instructions for event source configuration and information about what is new in this release, supported Windows event sources, and known issues for the RSA enVision Windows Eventing Collector Service.
- RSA enVision Help. Comprehensive instructions on setting up RSA enVision processing options and using RSA enVision analysis tools.

Preface 5

Getting Support and Service

RSA SecurCare Online: https://knowledge.rsasecurity.com
Customer Support Information: www.rsa.com/support
RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. SecurCare Online also offers information on new releases, important technical news, and software downloads.

The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA enVision software. Please have the following information available when you call:
- The serial number of the appliance. On a 60-series appliance, you can find the seven-character serial number on the chassis tag on the back of the appliance, or open a Dell OpenManage Server Administrator session and click System > Properties > Summary to find the serial number in the chassis service tag field.
- RSA enVision software version number.
- The name and version of the operating system under which the problem occurs.

Chapter 1: RSA enVision Windows Eventing Collector Service and Windows Event Sources

- Windows Eventing Mechanism
- RSA enVision Windows Eventing Collector Service
- Windows Remote Management Service

Windows Eventing Mechanism

The RSA enVision Windows Eventing Collector Service is a new collection mechanism that enables collection of events from Windows machines that support the Microsoft Windows Eventing model. Windows Eventing 6.0 is a new event logging and tracing framework, included in the operating system beginning with Microsoft Windows Vista and Windows Server 2008, that enables better organization of event data and allows smarter searches for events of interest. Prior to the release of Windows Vista, events were logged using eventing models such as Event Tracing for Windows (ETW) and Event Logging. For more information, go to http://msdn.microsoft.com/en-us/library/aa363787%28v=vs.85%29.aspx and http://msdn.microsoft.com/en-us/library/aa363652%28v=vs.85%29.aspx.

Windows Server 2008 and Windows Vista introduced an eventing model that unifies ETW and the Windows Event Log API. For more information, go to http://msdn.microsoft.com/en-us/library/aa385780%28v=vs.85%29.aspx.

The components of the Windows Eventing model include:
- Event providers. Event providers are applications running on Windows that write events into event logs, called channels. Event providers include an instrumentation manifest that clearly defines, in XML format, the nature and structure of the events they generate.
- Event channels. Events are stored in channels, which can be defined based on the event providers. Event providers can write events into the Classic Windows event channels (Application, System, and Security) for consumption by Windows diagnostic tools such as Windows Event Viewer. For Windows Vista and Windows Server 2008, event providers can also write events to Windows Eventing channels, which can be one of four types: Administration, Operational, Analytic, and Debug. For more information on channels, go to http://msdn.microsoft.com/en-us/library/dd996911%28v=vs.85%29.aspx.
- Instrumentation manifest. An instrumentation manifest is an XML file that clearly defines the nature and structure of events. This manifest contains the following information about events:
  - Identity of the event provider
  - Channel into which events are written, such as Security, Application, and Information
  - Event definition, broken into tasks and opcodes
  - Other metadata for the events
  - Event definition template
  For more information, go to http://msdn.microsoft.com/en-us/library/dd996930%28v=vs.85%29.aspx.

1: RSA enVision Windows Eventing Collector Service and Windows Event Sources 7

RSA enVision Windows Eventing Collector Service

You can use the RSA enVision Windows Eventing Collector Service to collect events from Windows machines, called Windows event sources, that use the Windows Eventing mechanism. The existing NIC Windows Service can collect events only from the Classic Windows channels: Application, System, and Security. The Windows Eventing Collector Service can collect events from the Classic Windows channels and from the Windows Eventing channels: Administration, Operational, Analytic, and Debug. For more information, see the RSA enVision Help topic Windows Eventing Collector Service.

The Windows Eventing Collector Service uses the Microsoft Windows Remote Management (WinRM) service to access and retrieve events from event sources that support the Windows Eventing mechanism. The Windows Eventing Collector Service communicates with event sources over HTTP or HTTPS. The following figure shows how RSA enVision connects to Windows event sources using the WinRM service.

[Figure: RSA enVision communicates across the intranet with the WinRM service on each Windows event source, over HTTP or HTTPS.]
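The following PowerShell is an added example for this guide; it is not an RSA script and not taken from the Microsoft documentation linked above. It shows the distinction the chapter draws between the Classic channels and the Windows Eventing channel types, then reads one Operational channel on a remote event source through WinRM over HTTPS. The host name srv01.corp.example, an already-configured HTTPS listener, and PowerShell remoting being enabled on that host are assumptions; the collector service itself speaks WS-Management directly, and Invoke-Command is used here only as a convenient WinRM client.

```powershell
# Added example, not part of the RSA guide. Assumptions (hypothetical): the
# event source is srv01.corp.example, its WinRM HTTPS listener exists, and
# PowerShell remoting is enabled on it. Written for PowerShell 2.0 and later.

# 1. Inventory the channels on the local machine. IsClassicLog marks the
#    Application/System/Security style logs that the NIC Windows Service can
#    already read; LogType (Administrative, Operational, Analytical, Debug) is
#    the Windows Eventing channel type the chapter describes.
function Get-ChannelInventory {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Select-Object LogName, IsClassicLog, LogType, IsEnabled, RecordCount |
        Sort-Object IsClassicLog, LogType, LogName
}
Get-ChannelInventory | Format-Table -AutoSize

# 2. Read the newest records from an Eventing channel on the remote source.
#    -UseSSL selects the HTTPS listener (port 5986 on Server 2008 R2).
#    Microsoft-Windows-WinRM/Operational is a useful first target because it
#    also records the collector's own sessions, which helps in troubleshooting.
$source  = 'srv01.corp.example'                   # hypothetical event source
$channel = 'Microsoft-Windows-WinRM/Operational'
$events  = Invoke-Command -ComputerName $source -UseSSL -ArgumentList $channel -ScriptBlock {
    param($name)
    Get-WinEvent -LogName $name -MaxEvents 10 -ErrorAction SilentlyContinue
}
$events | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName | Format-Table -AutoSize

# 3. Every record is available as the XML its provider's manifest defines. The
#    System element carries the provider, channel and computer name that a
#    collector uses to attribute and route the event.
if ($events) {
    ([xml]$events[0].ToXml()).Event.System | Format-List Provider, EventID, Channel, Computer
}
```

Running step 1 on a Windows Server 2008 R2 host lists several hundred channels, most of them Analytical or Debug channels that are disabled by default; the collector only sees records from channels whose IsEnabled value is True.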

Windows Remote Management Service

The WinRM service is the Microsoft implementation of the WS-Management (WSMAN) protocol. WS-Management is a standard, SOAP-based (Simple Object Access Protocol) management protocol that allows hardware and operating systems from different vendors to interoperate. For more information, go to http://msdn.microsoft.com/en-us/library/aa384426%28vs.85%29.aspx.

The WinRM service is part of the operating system. You must configure the WinRM listener to enable event collection.

Chapter 2: System Requirements

- Supported RSA enVision Platforms and Event Sources
- Firewall Guidelines

Supported RSA enVision Platforms and Event Sources

The Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes lists the supported RSA enVision platforms and Windows event sources. For the latest version of this document, go to the RSA enVision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

Firewall Guidelines

Whether you have Windows Firewall, Cisco ACS, or a firewall from any other vendor, you must create firewall rules to enable the Windows Eventing Collector Service to collect events from the Windows event sources. When you enable the WinRM service, the firewall rules open specific ports to allow the RSA enVision Windows Eventing Collector Service to collect events from the Windows event sources. You can enable the WinRM service and open the firewall ports using one of the following:
- Group Policy objects
- Scripts
- Windows built-in commands

For more information, see Configuration of the WinRM Service on page 19. For detailed instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA enVision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com. If you are using a firewall other than Windows Firewall, such as Cisco ACS, contact the system administrator to open the firewall ports.

2: System Requirements 11

Firewall Ports

By default, depending on the event source, the WinRM service uses the following ports to enable collection using the RSA enVision Windows Eventing Collector Service:
- Windows Server 2008 over HTTP at port number 80
- Windows Server 2008 over HTTPS at port number 443
- Windows Server 2008 R2 over HTTP at port number 5985
- Windows Server 2008 R2 over HTTPS at port number 5986

Note: If you have configured the WinRM service on any other port, ensure that you enable the firewall rules accordingly.
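The following PowerShell is an added example for this guide, not an RSA script and not one of the Windows built-in commands the chapter refers to by name. Rather than hard-coding the port table above, it reads the ports from the listeners WinRM has actually configured (which also covers the note about non-default ports) and opens each one only to the collector's address. The collector address 10.0.5.20 is an assumption; netsh advfirewall is used because it exists on both Windows Server 2008 SP2 and 2008 R2, where the newer New-NetFirewallRule cmdlet does not.

```powershell
# Added example, not part of the RSA guide. Assumptions (hypothetical): the
# RSA enVision appliance is 10.0.5.20 and this runs as an administrator on the
# event source with the WinRM service already started (the WSMan: drive needs it).

$collector = '10.0.5.20'   # hypothetical RSA enVision appliance address

# Read Transport and Port for every configured listener. Server 2008 defaults
# to 80/443 and Server 2008 R2 to 5985/5986, but either may have been changed.
function Get-WinRMListenerPorts {
    Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $items = Get-ChildItem $_.PSPath
        New-Object PSObject -Property @{
            Transport = ($items | Where-Object { $_.Name -eq 'Transport' }).Value
            Port      = [int]($items | Where-Object { $_.Name -eq 'Port' }).Value
        }
    }
}

$listeners = Get-WinRMListenerPorts
if (-not $listeners) { throw 'No WinRM listener is configured; configure WinRM first (Chapter 5).' }

foreach ($l in $listeners) {
    if ($l.Transport -eq 'HTTP') {
        Write-Warning "HTTP listener on port $($l.Port): traffic to it is plaintext (see Chapter 5)."
    }
    $rule = "RSA enVision WinRM $($l.Transport) inbound"
    # Scope: inbound TCP, this port only, from the collector only, domain profile.
    netsh advfirewall firewall add rule name="$rule" dir=in action=allow `
        protocol=TCP localport=$($l.Port) remoteip=$collector profile=domain `
        description="Allow only the RSA enVision collector to reach the WinRM $($l.Transport) listener"
    # Confirm the stored rule carries the intended port and remote address.
    netsh advfirewall firewall show rule name="$rule"
}
```

Scoping the rule with remoteip means a later change to the listener port will require a new rule, which is the intended failure mode: an unscoped "allow 5986 from any" rule would keep working but would expose the listener to every host on the network.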

RSA envision VMware Collector Service Installation and Configuration Guide

Chapter 3: Deployment of RSA enVision Windows Eventing Collector Service on the RSA enVision Platform

- Single Appliance Site
- Multiple Appliance Site
- Enhanced Availability Site
- Multiple Site Deployment

The RSA enVision Windows Eventing Collector Service is supported on single appliance sites, multiple appliance sites, enhanced availability sites, and multiple site deployments. All of these deployments support connection to one or more Windows event sources.

Single Appliance Site

In a single appliance site, you install the RSA enVision Windows Eventing Collector Service on the RSA enVision appliance. You can configure the Windows Eventing Collector Service to connect to one or more Windows event sources.

Multiple Appliance Site

A multiple appliance site can have up to three Local Collectors (LCs). You can install the RSA enVision Windows Eventing Collector Service on one or more LCs. You can configure each instance of the Windows Eventing Collector Service to connect to one or more Windows event sources.

If you install the Windows Eventing Collector Service in a multiple appliance site that has Network Attached Storage (NAS), the user account that the service uses to connect to the event sources must have write privileges to access the NAS.

3: Deployment of RSA enVision Windows Eventing Collector Service on the RSA enVision Platform 13

The following figure shows an RSA enVision multiple appliance site.

[Figure: an RSA enVision site containing an A-SRV and a D-SRV, with Local Collector 1, Local Collector 2 and Local Collector 3 each running the Windows Eventing Collector Service and each connected to its own set of Windows event sources.]

Enhanced Availability Site

The RSA enVision Windows Eventing Collector Service is supported on Enhanced Availability (EA) sites. When you install the Windows Eventing Collector Service on EA deployments, you must ensure that the service is installed on all of the Clustered Appliances in the site, even if you do not plan to activate the Windows Eventing Collector Service on all of the Clustered Appliances. If you do not install the Windows Eventing Collector Service on all of the Clustered Appliances, unforeseen errors can occur. (If you do not want a Clustered Appliance to collect events, do not configure event sources on that Clustered Appliance.)

If you uninstall the Windows Eventing Collector Service from an EA site, you must uninstall the service from all of the Clustered Appliances.

Multiple Site Deployment

A multiple site deployment consists of more than one multiple appliance site. You can install the RSA enVision Windows Eventing Collector Service on one or more Local Collectors and Remote Collectors (RCs). You can configure each instance of the Windows Eventing Collector Service to connect to one or more Windows event sources.

[Figure: three sites (Site 1, Site 2, Site 3), each with an A-SRV and D-SRV where applicable; Local Collector 1, Local Collector 2, a further Local Collector and a Remote Collector each run the Windows Eventing Collector Service and each connect to their own Windows event sources.]

Chapter 4: Deployment Checklist

The following table describes the high-level tasks required to set up event collection using the RSA enVision Windows Eventing Collector Service.

Task 1. Obtain the executable files
Obtain the following executable files from RSA SecurCare Online at https://knowledge.rsasecurity.com:
- v4.0sp3_windowseventing_sharedmemory.exe
  Note: The v4.0sp3_windowseventing_sharedmemory.exe file is only required for RSA enVision 4.0 SP3. If you have installed RSA enVision 4.0 SP4 or later, do not download this file.
- RSA_enVision_Windows_Eventing_Collector_Service.exe
- RSA_enVision_winevent_config.vbs
- RSA_enVision_winevent_config.ps1
- The latest Event Source Update package

Task 2. Prepare the RSA enVision appliance
You must set up the RSA enVision appliance by performing the following tasks:
- The Windows Eventing Collector Service is compatible only with RSA enVision 4.0 SP3 or later. If you are using a prior version of enVision, ensure that you upgrade to RSA enVision 4.0 SP3.
- Install the v4.0sp3_windowseventing_sharedmemory.exe file.
  Note: You need to install v4.0sp3_windowseventing_sharedmemory.exe only for RSA enVision 4.0 SP3. If you have installed RSA enVision 4.0 SP4 or later, do not install this file.
- Install the latest Event Source Update.
For instructions, see the Help topic Preparing to Install Windows Eventing Collector Service.

Task 3. Install the Windows Eventing Collector Service
You must install the Windows Eventing Collector Service. For instructions, see the Help topic Install the Windows Eventing Collector Service.

4: Deployment Checklist 17

Task 4. Configure the Windows event sources
You must configure the Windows event sources to allow event collection by performing the tasks described in the following sections, in the order listed:
- Configuration of the WinRM Service
- SSL Connection to Windows Event Sources
- Configuration of Collection from the Security Channel
- (Optional) User Account With Least Privileges
- (Optional) Configuration of Hosted Event Sources
For detailed instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on RSA SecurCare Online.

Task 5. Obtain Windows event source information
You must obtain connection information for each event source from which you want to collect events. For instructions, see the Help topic Obtain the Windows Event Source Information.

Task 6. Configure the Windows Eventing Collector Service
You must use the Configuration utility to configure the Windows Eventing Collector Service. For instructions, see the Help topic Configuring the Windows Eventing Collector Service.

Task 7. Start the Windows Eventing Collector Service
After configuring the Windows Eventing Collector Service for the first time, you must start the service. For instructions, see the Help topic Start the Windows Eventing Collector Service.

Chapter 5: Configuration of the WinRM Service

- Configuration Using Group Policy Objects
- Configuration Using Scripts
- Manual Configuration of WinRM over HTTP
- Manual Configuration of WinRM over HTTPS

You can enable the WinRM service on the Windows event sources from a central location using Group Policy objects, by using scripts, or by using manual steps.

Note: You must have Administrator privileges on the event sources to enable the WinRM service.

Configuration Using Group Policy Objects

If you want to configure multiple event sources that are part of a Windows domain managed by a domain controller, you can use Group Policy objects (GPOs). A Group Policy is a set of rules that controls user accounts, the configuration of applications, and user settings in an Active Directory environment. Microsoft provides a program that allows you to use the Group Policy Snap-in of the Microsoft Management Console (MMC). You can use the graphical user interface (GUI) of the Group Policy Snap-in to configure the WinRM service for HTTP transport mode and enable read access to the Security log channel. If you configure the domain controller using a GPO, all the event sources in the domain are also configured.

Configuration Using Scripts

You can use the following types of scripts to enable WinRM over HTTP and HTTPS for an event source:
- Visual Basic (VB) script. You can use a VB script to automatically configure the WinRM service over HTTP or HTTPS on Windows Server 2008 SP2 and Windows Server 2008 R2.
- Windows PowerShell (PS) script. You can use a PS script to automatically configure the WinRM service over HTTP or HTTPS on Windows Server 2008 SP2 and Windows Server 2008 R2. On Windows Server 2008 SP2, you must first install Windows PowerShell 2.0 before executing the script.

Note: You must run these scripts on each of the event sources that you need to configure.

5: Configuration of the WinRM Service 19

For instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA enVision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

Manual Configuration of WinRM over HTTP

The default transport mode for the WinRM service configuration is HTTP. In HTTP mode, the information is transferred over the network unencrypted, in plain text. For detailed instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA enVision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

Note: You must perform the manual configuration steps on each of the event sources that you want to configure.

Manual Configuration of WinRM over HTTPS

Configuration of WinRM over the HTTPS transport mode uses the Secure Sockets Layer (SSL) protocol, which ensures that all messages exchanged are confidential. Before you can configure a WinRM listener to establish communication over HTTPS, you must provision an SSL certificate to the Windows event source from which you want to collect events. For more information, see SSL Connection to Windows Event Sources.

Note: You must perform the manual configuration steps on each of the event sources that you want to configure.

Chapter 6: Configuration of Collection from the Security Channel

The RSA enVision Windows Eventing Collector Service cannot collect events from the Security event log channel by default. You must configure the event source to enable event collection from the Security channel. To access Security channel events, the user account that the Windows Eventing Collector Service uses to connect to the event source must be added to the Windows built-in Event Log Readers group.

The creation of a user account with least privileges does not automatically enable collection from the Security channel. You must explicitly configure the event source to enable event collection from the Security channel. For instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA enVision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

6: Configuration of Collection from the Security Channel 21
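The following PowerShell is an added example for this guide, not an RSA script and not the procedure from the Microsoft document cited above. It adds the collection account to the built-in Event Log Readers group, checks that the Security channel's access list still contains the read grant for that group, and then reads the Security channel as that account to prove the configuration end to end. The account name CORP\svc-envision is an assumption; net.exe is used because Add-LocalGroupMember does not exist on Windows Server 2008 or 2008 R2.

```powershell
# Added example, not part of the RSA guide. Assumptions (hypothetical): the
# account the collector service connects with is CORP\svc-envision, this runs
# as an administrator on the event source, and PowerShell remoting is enabled
# locally for the final verification step.

$account = 'CORP\svc-envision'   # hypothetical least-privilege collection account

# 1. Add the account to the built-in group named in the chapter.
net localgroup "Event Log Readers" $account /add

# 2. Confirm the membership.
net localgroup "Event Log Readers"

# 3. Group membership only works because the Security channel's access list
#    grants read (0x1) to that group. The group's well-known SID is
#    S-1-5-32-573, and the default channelAccess SDDL carries the ACE
#    (A;;0x1;;;S-1-5-32-573). If a policy has replaced the SDDL, membership
#    alone is not enough, so check for the ACE explicitly.
function Test-SecurityChannelReadAce {
    $line = wevtutil get-log Security | Select-String '^channelAccess:'
    $sddl = $line.ToString() -replace '^channelAccess:\s*', ''
    return ($sddl -match '\(A;;0x1;;;S-1-5-32-573\)')
}
if (Test-SecurityChannelReadAce) {
    'Security channel SDDL grants read access to Event Log Readers'
} else {
    Write-Warning 'Read ACE for Event Log Readers is missing from the Security channel SDDL; group membership alone will not grant access'
}

# 4. Prove it as the collection account (prompts for its password). The account
#    must also be permitted to connect to WinRM at all, which the guide covers
#    under User Account With Least Privileges (Chapter 8); "Access is denied"
#    here usually points at that step rather than at the Security channel.
$cred = Get-Credential -Credential $account
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {
    Get-WinEvent -LogName Security -MaxEvents 3 | Select-Object TimeCreated, Id, ProviderName
}
```

Step 3 matters when the Security log's SDDL is managed by Group Policy (Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security > Configure log access): that policy replaces the whole descriptor, and a value written without the Event Log Readers ACE silently removes the access this chapter relies on.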

Chapter 7: SSL Connection to Windows Event Sources

- SSL Connection for WinRM over HTTPS
- SSL Certificates for Windows Event Sources
- SSL Connection

SSL Connection for WinRM over HTTPS

If you want to configure a Windows event source to use WinRM over HTTPS, you must establish a Secure Sockets Layer (SSL) connection between the Windows event source and the RSA enVision Windows Eventing Collector Service. SSL creates a secure connection over which you can send data securely. For more information, go to http://technet.microsoft.com/en-us/library/bb727098.aspx.

Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. To establish an SSL connection between the RSA enVision platform and a Windows event source, you must perform the tasks described in the following sections:
- SSL Certificates for Windows Event Sources
- SSL Connection

SSL Certificates for Windows Event Sources

Most organizations use directory services to manage the identities and relationships of their corporate network and rely on a certificate authority (CA) to issue and manage certificates used in software security systems. A CA is a trusted agency that confirms the identity of users, organizations, and their servers, and then issues certificates that confirm these identities.

You can create server certificates by using one of the following:
- Microsoft CA
- Third-Party CA
- Self-Signed Certificates

Regardless of your choice of CA, you must manage the server certificates using Certificate Services. Server certificates can expire or be revoked, if necessary. For example, corporate policy may dictate that server certificates expire on an annual basis to ensure that the certificate information is current. You may also want to revoke a certificate when a Windows event source is taken offline.

7: SSL Connection to Windows Event Sources 23

Microsoft CA

If you use Active Directory Certificate Services (ADCS), your organization can act as its own CA. Microsoft Windows uses Active Directory to provide identity and access management. The following figure shows an example of how Active Directory Domain Services (ADDS) on host DC1 and ADCS on host CA1 reside on the corporate network along with RSA envision and Windows event sources.

[Figure: DC1 (ADDS), CA1 (ADCS), RSA envision, and Windows event source 1 through Windows event source N connected to Corpnet]

You can enable SSL on your Windows event sources as follows:

1. Install Certificate Services on a server in the domain, and then generate the root CA certificate.

2. Issue an SSL certificate for each event source in one of the following ways:

   To issue an SSL certificate manually, generate a certificate request file for each event source that has a unique computer name, and use the certificate request files to create server certificates for your servers. Then install the respective certificate and enable SSL on each applicable server.

   To use auto-enrollment for SSL certificates, see the following section, Auto-Enrollment for SSL Certificates.

3. Install the root CA certificate in the Trusted Root Certification Authorities store on the envision appliance, so that the Windows Eventing Collector Service trusts the root CA and all event sources that have server certificates issued by the CA.

For a sample procedure to provision SSL certificates using Microsoft CA, see Appendix A, Example of Provisioning SSL Certificates with Microsoft CA.

Auto-Enrollment for SSL Certificates

You can use Active Directory Domain Services to configure your Windows event sources for auto-enrollment for SSL certificates. For detailed instructions, see Appendix A, Example of Provisioning SSL Certificates with Microsoft CA.

The following figure shows how you can use ADDS to configure Windows event sources for auto-enrollment for SSL certificates.

[Figure: numbered flow between the Windows event sources, Active Directory Domain Services on DC1, Active Directory Certificate Services on CA1, and RSA envision; steps 1 through 5 are listed below]

1. The Windows event source retrieves the certificate policy contained in a Group Policy from ADDS.

2. The Windows event source submits the certificate request to ADCS based on the policy.

3. ADCS retrieves the user information from ADDS.

4. ADCS returns the signed digital certificate to the Windows event source.

5. You must manually install the root CA certificate in the Trusted Root Certification Authorities store on the envision appliance so that the Windows Eventing Collector Service trusts the root CA. You need to import only the public key portion of the certificates.

Third-Party CA

You can use a third-party CA, such as VeriSign, Entrust, Valicert, or Equifax, to generate server certificates. When you use a trusted third-party CA, you enable SSL on your Windows event sources as follows:

1. Generate a Certificate Signing Request (CSR) for each Windows event source that has a unique computer name. A CSR is a block of encoded text that contains information such as organization name, common name (domain name), locality, country, and the public key that will be included in the certificate. The CSR is generated on the server on which the certificate will be used. A private key is created at the same time as the CSR.

2. Submit the certificate request files to the trusted third-party CA. The CA uses the CSR to create your SSL certificate. A certificate created from a particular CSR only works with the private key that was generated with that CSR. If you lose the private key, the certificate cannot be used.

3. On each Windows event source, install the respective certificate, and then enable SSL.

4. Install the third-party root CA certificate in the Trusted Root Certification Authorities store on the RSA envision appliance, so that the RSA envision Windows Eventing Collector Service trusts the root CA.

For a sample procedure to provision SSL certificates using a third-party CA, see Appendix B, Example of Provisioning SSL Certificates with a Third-Party CA.

Note: You must be able to use the SSL certificate for Server Authentication. Ensure that the certificate template selected for the Certificate Signing Request includes the Enhanced Key Usage setting where this usage is defined.

Self-Signed Certificates

A self-signed certificate is an identity certificate that is signed by its creator. That is, the entity that created the certificate also vouches for its legitimacy. If you do not have a CA, you can establish an SSL connection using self-signed certificates. For a sample procedure to provision SSL certificates using self-signed certificates, see Appendix C, Example of Provisioning Self-Signed Certificates.

SSL Connection

You enable SSL connections by enabling WinRM over HTTPS. You can enable WinRM manually or by using scripts that are invoked on all Windows event sources. For instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA envision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.
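The guide leaves the WinRM-over-HTTPS scripting to the Microsoft configuration instructions. The following PowerShell is an added example, not code from the RSA guide or from Microsoft: it selects a certificate from the machine Personal store that meets the requirements stated in this chapter (subject CN equal to the event source FQDN, private key present, currently valid, Server Authentication defined in Enhanced Key Usage), binds it to a WinRM HTTPS listener, closes the plaintext path, and lets you confirm from the collector that the listener answers over TLS. It assumes Windows PowerShell 5.1 with the WSMan provider and the NetSecurity module (Windows Server 2012 R2 or later), an elevated prompt on the event source, and placeholder host names; the function names are the example's own.

```powershell
# Added example (not from the RSA guide): bind a Server Authentication
# certificate to a WinRM HTTPS listener on a Windows event source and
# verify that the listener answers over TLS.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Get-WinRmServerCertificate {
    # Pick the longest-lived certificate in the machine Personal store that
    # satisfies the chapter's requirements for the event source FQDN.
    param([Parameter(Mandatory)][string]$Fqdn)

    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $c = $_
            $c.HasPrivateKey -and
            $c.NotBefore -le $now -and $c.NotAfter -gt $now -and
            $c.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)" -and
            ($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthEku })
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Enable-WinRmHttpsListener {
    # Run on the event source as an administrator. Returns the thumbprint bound.
    param([Parameter(Mandatory)][string]$Fqdn)

    $cert = Get-WinRmServerCertificate -Fqdn $Fqdn
    if (-not $cert) {
        throw "No valid Server Authentication certificate for CN=$Fqdn in Cert:\LocalMachine\My"
    }

    # Remove any stale HTTPS listener so the new thumbprint takes effect.
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
        Remove-Item -Recurse

    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -HostName $Fqdn -CertificateThumbprint $cert.Thumbprint -Force | Out-Null

    # Refuse unencrypted WS-Man payloads now that an HTTPS listener exists.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

    # Allow the collector to reach the HTTPS port (5986) on the domain profile.
    New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null

    return $cert.Thumbprint
}

function Test-WinRmHttps {
    # Run from the envision collector. Test-WSMan negotiates TLS against the
    # listener, so a chain the collector does not trust (root CA not imported
    # into Trusted Root Certification Authorities) fails here, before any
    # event collection is attempted.
    param([Parameter(Mandatory)][string]$Fqdn)
    try {
        $id = Test-WSMan -ComputerName $Fqdn -UseSSL -Port 5986 -ErrorAction Stop
        return ($null -ne $id.ProductVersion)
    } catch {
        Write-Warning "HTTPS connection to ${Fqdn} failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholder FQDN):
#   On the event source:  Enable-WinRmHttpsListener -Fqdn 'winsrv01.corp.example'
#   On the collector:     Test-WinRmHttps -Fqdn 'winsrv01.corp.example'
```

The certificate filter deliberately requires the Server Authentication usage to be present in the Enhanced Key Usage extension rather than accepting a certificate with no EKU extension at all, which matches the note in this chapter. Test-WinRmHttps fails closed on any TLS error, so running it from each Cluster Appliance in an Enhanced Availability deployment confirms that the root CA has been imported everywhere collection can resume.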

RSA envision VMware Collector Service Installation and Configuration Guide

8 User Account With Least Privileges

To collect events from Windows event sources, RSA recommends that you create a user account for the RSA envision platform that has minimum privileges and can authenticate to the event sources only for event collection. You can use administrator accounts to collect events if sharing such privileges is not a concern in your deployment. The least-privileged account limits access to the Windows event sources and does not allow remote access to critical resources.

To collect events from the Windows event sources, the user account requires permission to do the following:

- Connect to the WinRM service remotely with read privileges
- Read the events generated by the Windows event source
- Access the WMI resource Win32_UTCTime remotely, to define a time window for the events that are to be collected in a given time interval
- Access the WMI resource Win32_AccountSID remotely, to translate the SID strings in the events to their corresponding human-readable user names

You can create a user account with least privileges for a standalone event source, or for multiple event sources in a domain using a domain controller. For instructions, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA envision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.
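Chapter 6 requires the collection account to be in the Event Log Readers group, and this chapter lists the four permissions the account needs. The following PowerShell is an added example, not code from the RSA guide: one function applies the group membership on the event source, and the other, run from the collector, checks each listed permission as the collection account and reports which ones are missing, so a least-privileged account can be validated before it is configured in envision. It assumes Windows PowerShell 5.1 (LocalAccounts module) on the event source, that the collector reaches WMI through WinRM (substitute Get-WmiObject -Credential if your deployment uses DCOM), and placeholder account and host names; function names are the example's own.

```powershell
# Added example (not from the RSA guide): grant the collection account read
# access to the Security channel on an event source, then verify from the
# collector that the account holds the four permissions chapter 8 lists.

function Grant-SecurityChannelRead {
    # Run on the event source as an administrator (chapter 6).
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\svc-envision' (placeholder)

    $group = 'Event Log Readers'
    $members = Get-LocalGroupMember -Group $group | Select-Object -ExpandProperty Name
    if ($members -notcontains $Account) {
        Add-LocalGroupMember -Group $group -Member $Account
    }
    # Membership is applied to new logon tokens, so an existing WinRM session
    # for this account must reconnect before the Security channel is readable.
    return ((Get-LocalGroupMember -Group $group).Name -contains $Account)
}

function Test-CollectionAccount {
    # Run from the envision collector (chapter 8). Returns an ordered table
    # with one $true/$false entry per required permission.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$UseSSL
    )

    $wsman = @{ ComputerName = $ComputerName; Credential = $Credential
                Authentication = 'Negotiate'; UseSSL = $UseSSL; ErrorAction = 'Stop' }
    $result = [ordered]@{}

    # 1. Connect to the WinRM service remotely as the collection account.
    try { Test-WSMan @wsman | Out-Null; $result.WinRM = $true }
    catch { $result.WinRM = $false; Write-Warning "WinRM: $($_.Exception.Message)" }

    # 2. Read events from the Security channel. This exercises the channel ACL
    #    that Event Log Readers membership grants (Get-WinEvent itself uses
    #    the event log RPC interface, not WinRM).
    try {
        Get-WinEvent -ComputerName $ComputerName -Credential $Credential `
            -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
        $result.SecurityLog = $true
    } catch { $result.SecurityLog = $false; Write-Warning "Security log: $($_.Exception.Message)" }

    # 3./4. Enumerate the WMI classes Win32_UTCTime and Win32_AccountSID over
    #       WS-Man; only the first instance is needed to prove access.
    foreach ($class in 'Win32_UTCTime', 'Win32_AccountSID') {
        try {
            Get-WSManInstance @wsman -ResourceURI "wmicimv2/$class" -Enumerate |
                Select-Object -First 1 | Out-Null
            $result[$class] = $true
        } catch { $result[$class] = $false; Write-Warning "${class}: $($_.Exception.Message)" }
    }
    return $result
}

# Usage (placeholders):
#   Grant-SecurityChannelRead -Account 'CORP\svc-envision'
#   Test-CollectionAccount -ComputerName 'winsrv01.corp.example' `
#       -Credential (Get-Credential 'CORP\svc-envision') -UseSSL
```

A result with WinRM true but SecurityLog false is the case chapter 6 describes: the account can connect but has not been added to Event Log Readers on that host. A false Win32_AccountSID entry means SIDs in collected events will arrive untranslated rather than collection failing outright, so it is worth checking separately.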

9 Configuration of Hosted Event Sources

Hosted event sources are applications running on Windows platforms that use the Windows event framework to record their operational events. You can identify hosted event sources as separate event sources on the RSA envision platform with the same IP address as the Windows server that hosts the application. For the list of supported event sources, see the Microsoft Windows Eventing 6.0 Web Services API Configuration Instructions and Release Notes on the RSA envision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

To discover hosted event sources, you must choose the Windows event source as a Multi Device in the administrator user interface in RSA envision. For instructions, see the event source update document for the corresponding hosted event source on the RSA envision Device Configurations page on RSA SecurCare Online at https://knowledge.rsasecurity.com.

A Example of Provisioning SSL Certificates with Microsoft CA

Install an Enterprise Root Certificate Authority on the Domain Controller
Enable Auto-Enrollment for SSL Certificates
Import the Root CA Certificate into the RSA envision Appliance

Install an Enterprise Root Certificate Authority on the Domain Controller

For domain computers to automatically enroll for certificates through a Group Policy, install a Microsoft Certificate Authority on the domain controller.

Note: The following procedure assumes that ADDS and ADCS are installed on the same host.

To install a certificate authority on the domain controller:

1. Click Start > Administrative Tools > Server Manager.
2. In the console tree of Server Manager, click Roles.
3. Under Roles Summary, click Add Roles, and then click Next.
4. On the Server Roles page, select Active Directory Certificate Services.
5. Click Next twice.
6. On the Role Services page, click Next.
7. On the Setup Type page, select Enterprise, and then click Next.
8. On the CA Type page, select Root CA, and then click Next.
9. On the Private Key page, select Create a New Private Key, and then click Next.
10. On the Cryptography page, click Next.
11. On the CA Name page, click Next.
12. On the Validity Period page, click Next.
13. On the Certificate Database page, click Next.
14. On the Confirmation page, click Install.

Enable Auto-Enrollment for SSL Certificates

Configure the root CA so that computer certificates are issued automatically through Group Policy to all the domain member computers and to the domain controller.

To configure auto-enrollment for SSL certificates:

1. Click Start > Administrative Tools > Group Policy Management.
2. In the console tree, open the domain containing the computers to be configured for auto-enrollment of certificates.
3. In the console tree, right-click Default Domain Policy, and then click Edit.

   Note: You may choose to edit an existing Group Policy or create a new one for auto-enrollment for certificates.

4. In the console tree of the Group Policy Management Editor, expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. To enable auto-enrollment for SSL certificates for the domain members, follow these steps:
   a. In the details pane, right-click Automatic Certificate Request Settings, select New, and then click Automatic Certificate Request.
   b. In the Automatic Certificate Request Wizard, click Next.
   c. On the Certificate Template page, click Computer, click Next, and then click Finish.
6. To enable auto-enrollment for an SSL certificate for the domain controller, follow these steps:
   a. In the details pane, right-click Automatic Certificate Request Settings, select New, and then click Automatic Certificate Request.
   b. In the Automatic Certificate Request Wizard, click Next.
   c. On the Certificate Template page, click Domain Controller, click Next, and then click Finish.
7. Close the Group Policy Management Editor and Group Policy Management consoles.
8. To enable and update the policy for the domain members and the domain controller, do one of the following:
   Run the gpupdate command on the individual domain members.
   Wait for the Group Policy update to happen automatically.

Note: If you installed a new CA on your Active Directory domain controller, you might need to restart the existing domain members to enable auto-enrollment for certificates.

Import the Root CA Certificate into the RSA envision Appliance

You must install the root CA certificate in the Trusted Root Certification Authorities store on the RSA envision Collector so that the RSA envision Windows Eventing Collector Service trusts the root CA. You export the certificate from the domain controller and then import the certificate to the envision Collector where the Windows Eventing Collector Service is installed.

If you have an envision deployment with Enhanced Availability, you must import the root certificate to each of the Cluster Appliances, so that collection can resume on any appliance after a failover.

To export the root CA certificate from the domain controller:

1. On the domain controller on which the certificate is provisioned, open Internet Explorer.
2. Click Tools > Internet Options.
3. On the Content tab, select Certificates.
4. On the Trusted Root Certification Authorities tab, select the certificate that has just been provisioned. The Issued To and Issued By fields must have the same name, which ends with -CA.
5. Click Export to open the Certificate Export Wizard.
6. Click All Tasks > Next twice.
7. Browse to the location where you want to store the exported certificate.
8. Click Next.
9. Click Finish.

To import the root certificate of the CA:

1. On the Collector, follow these steps to add the Certificates Snap-in to the Microsoft Management Console:
   a. Click Start > Run, type mmc, and click OK.
   b. Click File > Add/Remove Snap-in.
   c. On the Standalone tab, click Add.
   d. Select Certificates, and click Add.
   e. Select Computer Account, and click Next.
   f. Select Local Computer, and click Finish.
   g. Click Close, and then click OK to return to the Console Root dialog box.
2. Follow these steps to import the root certificate:
   a. In the Console Root dialog box, select Certificates > Trusted Root Certificates > Certificates.
   b. Right-click and select All Tasks > Import to open the Certificate Import Wizard.
   c. Click Next, and browse to the location of the certificate.
   d. Click Next, and accept all the defaults for the remainder of the wizard.
3. In an Enhanced Availability deployment, repeat steps 1 and 2 on each of the Cluster Appliances.

B Example of Provisioning SSL Certificates with a Third-Party CA

Generate a Certificate Signing Request
Submit the Certificate Request to a Third-Party CA
Install the Certificate on the Event Source

Generate a Certificate Signing Request

Each event source that has a unique computer name must have a separate certificate. The first step in the certificate creation process is to generate a certificate request. The following instructions describe how to use the Windows certreq command to generate a Certificate Signing Request. If you want to use a different method for creating CSRs, contact your security administrator.

To generate a certificate request:

1. Follow these steps to create a file with the .inf extension:
   a. On the event source, open a text editor, such as Notepad.
   b. Copy and paste the following text into your text editor:

      [NewRequest]
      Subject = "CN = machine-code"
      MachineKeySet = True

      [RequestAttributes]
      CertificateTemplate = MyTemplate

      where:
      machine-code is the hostname or FQDN of the event source.
      MyTemplate is the certificate template that must be created at the CA.

      Note: You must be able to use the SSL certificate for Server Authentication. Ensure that the certificate template selected for the Certificate Signing Request includes the Enhanced Key Usage setting where this usage is defined.

   c. Save this file with the .inf extension, for example, request.inf.
2. Open a command window, and change directories to the directory to which you saved the .inf file.
3. To generate a certificate request file using the information in the .inf file, type:

      certreq.exe -new request.inf mycert.req

   where:
   request.inf is the .inf file that you created in step 1.
   mycert.req is the CSR generated from the information in request.inf.

For detailed information on the certreq.exe command syntax and options, go to http://technet.microsoft.com/en-us/library/cc736326%28ws.10%29.aspx.

Submit the Certificate Request to a Third-Party CA

After you create a CSR, submit the CSR to a third-party certificate authority, such as Entrust, Equifax, Valicert, or VeriSign. For more information, go to http://support.microsoft.com/kb/931351.

Install the Certificate on the Event Source

After you receive the certificate from the certificate authority, you must install the certificate on the event source.

To install the certificate:

1. To add the Certificates Snap-in to the Microsoft Management Console, follow these steps:
   a. Click Start > Run, type mmc, and click OK.
   b. Click File > Add/Remove Snap-in.
   c. Select Certificates, and click Add.
   d. Select Computer Account, and click Next.
   e. Select Local Computer, and click Finish.
   f. Click Close, and then click OK to return to the Console Root dialog box.
2. To import the SSL certificate, follow these steps:
   a. In the Console Root dialog box, select Certificates > Personal > Certificates.
   b. Right-click and select All Tasks > Import to open the Certificate Import Wizard.
   c. Click Next, and browse to the location of the certificate that you received from the third-party CA.
   d. Click Next, and accept all the defaults for the remainder of the wizard.

Note: You must install the SSL certificate on the same server on which you generated the CSR or with the same private key.
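The appendix shows the .inf file and the certreq command by hand and relies on a CA template to supply the Server Authentication usage, which a third-party CA does not have. The following PowerShell is an added example, not code from the RSA guide: it writes the request .inf with the FQDN filled in, adds the Server Authentication Enhanced Key Usage and a matching subject alternative name directly in the request so the CA cannot omit them, runs certreq -new, and, once the CA returns the .cer file, uses certreq -accept to pair the issued certificate with the private key created alongside the CSR (the pairing the note above requires). It assumes certreq.exe as shipped with Windows, an elevated prompt on the event source, and placeholder paths and FQDN; the CertificateTemplate attribute from the guide's .inf is emitted only when a template name is supplied, because a third-party CA ignores it. Function names are the example's own.

```powershell
# Added example (not from the RSA guide): generate the CSR for an event
# source with certreq.exe and later bind the issued certificate to the
# private key on the same server.

function New-EventSourceCsr {
    param(
        [Parameter(Mandatory)][string]$Fqdn,                     # e.g. 'winsrv01.corp.example' (placeholder)
        [string]$OutDir = "$env:ProgramData\envision-csr",      # placeholder location
        [string]$Template                                        # only for a Microsoft enterprise CA
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $inf = Join-Path $OutDir 'request.inf'
    $req = Join-Path $OutDir 'mycert.req'

    # Same [NewRequest] block as the guide, with the key parameters made
    # explicit, plus the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a
    # DNS subject alternative name carried in the request itself.
    $lines = @(
        '[NewRequest]'
        "Subject = `"CN=$Fqdn`""
        'MachineKeySet = True'      # key lives in the machine store, as the guide specifies
        'KeyLength = 2048'
        'KeySpec = 1'               # AT_KEYEXCHANGE, usable for TLS
        'Exportable = False'        # private key stays on this server
        'HashAlgorithm = sha256'
        'RequestType = PKCS10'
        ''
        '[EnhancedKeyUsageExtension]'
        'OID = 1.3.6.1.5.5.7.3.1'
        ''
        '[Extensions]'
        '2.5.29.17 = "{text}"'
        "_continue_ = `"dns=$Fqdn&`""
    )
    if ($Template) {
        $lines += '', '[RequestAttributes]', "CertificateTemplate = $Template"
    }
    Set-Content -Path $inf -Value $lines -Encoding Ascii

    & certreq.exe -new -f $inf $req | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $req      # submit this file to the CA
}

function Install-IssuedCertificate {
    # certreq -accept matches the issued certificate to the pending request's
    # private key in the machine store, so it must run on the server that
    # generated the CSR. Expects a DER or Base64 .cer file from the CA.
    param([Parameter(Mandatory)][string]$CerPath)

    & certreq.exe -accept -machine $CerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $issued.Thumbprint
    if (-not $installed -or -not $installed.HasPrivateKey) {
        throw 'Certificate was installed without a private key; accept it on the server that generated the CSR'
    }
    return $installed.Thumbprint
}

# Usage (placeholders):
#   $csr = New-EventSourceCsr -Fqdn 'winsrv01.corp.example'
#   ... submit $csr to the third-party CA, save the reply as issued.cer ...
#   Install-IssuedCertificate -CerPath 'C:\ProgramData\envision-csr\issued.cer'
```

Install-IssuedCertificate checks HasPrivateKey after the accept step because importing the .cer through the MMC on a different server succeeds silently and yields a certificate that WinRM cannot use; the check turns that mistake into an immediate error instead of a failed HTTPS listener later.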

C Example of Provisioning Self-Signed Certificates

Generate a Self-Signed Certificate
Import the Certificate to the RSA envision Appliance

Generate a Self-Signed Certificate

You can create a self-signed certificate using tools such as RSA BSAFE SSL-C or SelfSSL. The following instructions describe creating a self-signed certificate using SelfSSL, which is included in the Internet Information Services Resource Kit.

To install SelfSSL:

1. Download the IIS Resource Kit from http://www.microsoft.com/downloads/details.aspx?familyid=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en.
2. Run iis60rkt.exe to open the InstallShield Wizard.
3. On the Welcome page, click Next.
4. Accept the license agreement, and click Next.
5. On the Setup Type page, select Custom, and click Next.
6. Specify the location to install the IIS 6.0 Resource Kit Tools, and click Next.
7. On the Select Features page, select SelfSSL, and click Next.
8. Review the settings on the Start Copying Files page, and click Next.
9. Click Finish on the InstallShield Wizard Complete page.

To create a self-signed certificate:

To create a self-signed certificate with the CN matching the FQDN of the system, open a command prompt, and type:

      selfssl.exe /N:CN=hostname /T /V:days

where:
hostname is the FQDN of the event source for which you are generating the certificate.
/T adds the self-signed certificate to the Personal and the Trusted Root certificate stores on the event source.
/V specifies the validity of the certificate in days.
days specifies the number of days, for example, 365.
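SelfSSL ships with the IIS 6.0 Resource Kit and is no longer available on current Windows releases. The following PowerShell is an added example, not code from the RSA guide: it reproduces the selfssl.exe /N:CN=hostname /T /V:days call with the built-in New-SelfSignedCertificate cmdlet (a swapped-in tool, not the one the appendix uses), producing a certificate whose subject CN is the event source FQDN, that carries only the Server Authentication Enhanced Key Usage, and that, like the /T switch, is also copied, public portion only, into the machine's Trusted Root store. It assumes the PKI module as shipped with Windows 10 / Windows Server 2016 or later, an elevated prompt on the event source, and placeholder FQDN and validity; the function name is the example's own.

```powershell
# Added example (not from the RSA guide): New-SelfSignedCertificate as a
# replacement for "selfssl.exe /N:CN=<fqdn> /T /V:<days>".

function New-EventSourceSelfSignedCert {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # e.g. 'winsrv01.corp.example' (placeholder)
        [int]$Days = 365,                       # equivalent of /V:days
        [switch]$TrustLocally                   # equivalent of /T
    )

    # CN = FQDN, DNS SAN = FQDN, RSA 2048, Server Authentication EKU only
    # (2.5.29.37 is the EKU extension; 1.3.6.1.5.5.7.3.1 is Server Authentication).
    $cert = New-SelfSignedCertificate -Subject "CN=$Fqdn" -DnsName $Fqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -NotAfter (Get-Date).AddDays($Days)

    if ($TrustLocally) {
        # Copy only the public certificate (no private key) into Trusted Root,
        # which is what SelfSSL /T does on the event source.
        $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (, $cert.Export('Cert'))
        $root = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
        $root.Open('ReadWrite')
        try { $root.Add($public) } finally { $root.Close() }
    }

    # Verify() builds a chain against the local trust stores: for a self-signed
    # certificate it is only true once the public copy sits in Trusted Root.
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        TrustedLocally = $cert.Verify()
    }
}

# Usage (placeholders):
#   New-EventSourceSelfSignedCert -Fqdn 'winsrv01.corp.example' -Days 365 -TrustLocally
```

The TextExtension argument restricts the certificate to Server Authentication; without it New-SelfSignedCertificate also adds Client Authentication, which the event source does not need. Copying the certificate into Trusted Root on the event source only satisfies the event source's own chain building; the envision Collector still needs the exported public certificate imported as described in the next section.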

Import the Certificate to the RSA envision Appliance

You must import the self-signed certificate to the trusted certificate store on the RSA envision Collector so that the RSA envision Windows Eventing Collector Service can trust the certificate. You export the certificate from the event source and then import the certificate to the Trusted Root Certification Authorities store on the envision appliance.

To export the self-signed certificate from the event source:

1. On the event source, follow these steps to add the Certificates Snap-in to the Microsoft Management Console:
   a. Click Start > Run, type mmc, and click OK.
   b. Click File > Add/Remove Snap-in.
   c. Select Certificates, and click Add.
   d. Select Computer Account, and click Next.
   e. Select Local Computer, and click Finish.
   f. Click OK to return to the Console Root dialog box.
2. To export the self-signed certificate, follow these steps:
   a. In the Console Root dialog box, select Certificates > Personal > Certificates.
   b. Right-click the self-signed certificate, and select All Tasks > Export to open the Certificate Export Wizard.
   c. Click Next three times.
   d. Enter a suitable filename for the certificate file, and click Next.
   e. Click Next, and click Finish.
   f. In the certificate export successful dialog box, click OK.

To import the self-signed certificate on to the RSA envision platform:

1. To install the Certificate Snap-in, follow these steps:
   a. Click Start > Run, type mmc, and click OK.
   b. Click File > Add/Remove Snap-in.
   c. On the Standalone tab, click Add.
   d. Select Certificates, and click Add.
   e. Select Computer Account, and click Next.
   f. Select Local Computer, and click Finish.
   g. Click Close, and then click OK to return to the Console Root dialog box.
2. To import the self-signed certificate, follow these steps:
   a. In the Console Root dialog box, select Certificates > Trusted Root Certificates > Certificates.
   b. Right-click and select All Tasks > Import to open the Certificate Import Wizard.
   c. Click Next, and browse to the location of the certificate that you exported.
   d. Click Next, and accept all the defaults for the remainder of the wizard.
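Appendix A (root CA certificate exported from the domain controller's Trusted Root store) and this appendix (self-signed certificate exported from the event source's Personal store) both end with the same two operations: export only the public portion of a certificate, then import it into the Trusted Root Certification Authorities store of the collector and of every Cluster Appliance. The following PowerShell is an added example, not code from the RSA guide, that does both and confirms the import by thumbprint on each appliance. It assumes the PKI module (Windows Server 2012 or later) on the exporting host, PowerShell remoting enabled on the appliances (including the local one when 'localhost' is listed), and placeholder host names, subject filter and file paths; function names are the example's own.

```powershell
# Added example (not from the RSA guide): export the public certificate and
# install it as a trusted root on the collector and each Cluster Appliance.

function Export-PublicCertificate {
    # Run on the domain controller (Appendix A, -Store Root) or on the
    # event source (Appendix C, -Store My).
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,    # regex, e.g. '^CN=CORP-DC1-CA' (placeholder)
        [ValidateSet('Root', 'My')][string]$Store = 'Root',
        [Parameter(Mandatory)][string]$OutFile             # e.g. 'C:\temp\root-ca.cer' (placeholder)
    )
    $cert = Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate in $Store matches $SubjectPattern" }
    if ($cert.Subject -ne $cert.Issuer) {
        # Appendix A's check: Issued To and Issued By must match for a root.
        throw "Selected certificate is not self-issued: $($cert.Subject) issued by $($cert.Issuer)"
    }
    # Export-Certificate writes DER (.cer) containing the public key only;
    # the private key never leaves the issuing host.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT -Force | Out-Null
    return $cert.Thumbprint
}

function Import-TrustedRoot {
    # Run from the collector. Returns a table of appliance name -> $true/$false
    # indicating whether the certificate is now present in Trusted Root there.
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [string[]]$Appliance = @('localhost'),    # collector plus Cluster Appliances (placeholders)
        [pscredential]$Credential
    )
    $der = [IO.File]::ReadAllBytes($CerPath)
    $status = [ordered]@{}
    foreach ($node in $Appliance) {
        $params = @{ ComputerName = $node; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $status[$node] = Invoke-Command @params -ArgumentList (, $der) -ScriptBlock {
                param([byte[]]$bytes)
                $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)
                $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
                $store.Open('ReadWrite')
                try { $store.Add($c) } finally { $store.Close() }   # Add is a no-op if already present
                $null -ne (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $c.Thumbprint)
            }
        } catch {
            $status[$node] = $false
            Write-Warning "${node}: $($_.Exception.Message)"
        }
    }
    return $status
}

# Usage (placeholders):
#   On the DC:          Export-PublicCertificate -SubjectPattern '^CN=CORP-DC1-CA' -Store Root -OutFile 'C:\temp\root-ca.cer'
#   On the event source: Export-PublicCertificate -SubjectPattern '^CN=winsrv01\.corp\.example$' -Store My -OutFile 'C:\temp\winsrv01.cer'
#   On the collector:   Import-TrustedRoot -CerPath 'C:\temp\root-ca.cer' -Appliance 'localhost','envision-node2'
```

Passing the DER bytes to Invoke-Command rather than a file path keeps the procedure independent of shared folders and works the same for the collector and for each Cluster Appliance, which is the failover requirement Appendix A states. Only self-issued certificates are accepted for export because anything else placed in Trusted Root would extend trust beyond the single CA or event source intended.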