Getting Started With Halo for Windows


For CloudPassage Halo

Protecting your Windows servers in a public or private cloud is much easier and more secure with CloudPassage Halo for Windows. Halo for Windows brings to Windows Server users the same ease of use and strong protection that CloudPassage is known for in the Linux world.

With Halo for Windows, you can set up strong, automatically deployed Windows firewall protection for any Windows Server 2008 or 2012 installation. You can create and deploy a security-events policy that notifies you of potentially suspicious events. You can set up file integrity monitoring, to detect file, directory, and registry changes that may indicate an intrusion. And, your server administrators can use GhostPorts multi-factor authentication to achieve maximum security when remotely administering your servers.

Just follow the simple steps listed here to implement serious protection for your Windows servers.

Contents:

Install Halo Daemons
    New Installation
    Upgrade Installation
Start Using Halo for Windows
    Create a Server Group
    Deploy a Windows Firewall Policy
    Deploy a Special Events Policy
    Deploy Configuration Security Monitoring
    Deploy File Integrity Monitoring
    Use GhostPorts for Secure Server Administration

Install Halo Daemons

It's simple and fast to start securing your Windows servers with CloudPassage Halo. The first thing to do is to install the Halo Daemon (a Windows service) on one or more of your servers. You can install the Daemon on Windows Server 2008 R1 or R2. Just follow the five steps below, and you could be up and running in less than 5 minutes.

You will need:

- Administrative access to your Windows cloud server (for example, through Remote Desktop Connection)
- Registration with CloudPassage and access to the Halo Portal
- An assigned CloudPassage Daemon registration key (you'll retrieve it from the Portal in Step 3)

Note: These installation instructions are also available in the Portal itself, at Servers > Install Windows Daemons.

New Installation

If you have not previously installed a Daemon on your server, follow these steps.

1 Log into your Windows server

Log into your Windows 2008 server using a Windows Remote Desktop Connection client (or using a browser with Remote Desktop Web Access). You'll perform all five steps on your remote server.

2 Start Internet Explorer as administrator

To launch Internet Explorer, right-click the Internet Explorer icon (or Ctrl-Shift-click if your local machine is a Macintosh), and choose Run as Administrator.

3 Log into the CloudPassage Halo Portal

Using Internet Explorer on your server, go to https://portal.cloudpassage.com and log in with the credentials sent to you when you signed up for Halo. You will need to add *.cloudpassage.com to Internet Explorer's trusted site list in order to log into the Portal. Then navigate to Servers > Install Windows Daemons.

(You may also be asked to add other sites, such as Google Analytics or Marketo, to the trusted site list. It is not necessary to do that to download the Daemon installer.)

4 Download the Halo Daemon installer

On the Daemon installation page for Windows, click the Download cphalo... link. The installer program is copied to whatever location on your cloud server you specify.

5 Run the installer and enter your Daemon registration key

Leaving your Internet Explorer window open, locate the installer file on your server and double-click it. The installation starts. When prompted to enter your Halo Daemon registration key, return to the browser window (at Servers > Install Windows Daemon) and copy the registration key from that page. Then paste the key into the Daemon Registration Key field in the installer. Click Install to complete the installation, then click Finish to leave the installer.

Note: You can also assign your server to a server group by specifying a server tag when you run the installer. See Automatically Assign Servers to Groups in the Halo Operations Guide.

You're Done!

The Halo Daemon is now running as a Windows service on your server. You can close the Remote Desktop session and start configuring and monitoring your server's security through the Halo Portal accessed from your local machine. Or, you can repeat these steps to install Daemons on additional servers.

Note: For information on advanced installation techniques and on uninstallation, see Install Windows Daemons From the Command Line, Deploy Daemons in Bulk With Automation Tools and Scripts, and Uninstall Halo Daemons in the Halo Operations Guide.

Upgrade Installation

Upgrading from a 32-bit Daemon to a 64-bit Daemon

If your server currently has an installed 32-bit Halo Daemon (version 2.5.6 or earlier) and you are upgrading to a newer, 64-bit Daemon (version 2.7.8 or later), you will need to uninstall the 32-bit Daemon and then install the 64-bit Daemon as a new installation rather than an upgrade installation. The configuration of your 32-bit server and its server-group assignment will not be carried over to your 64-bit server. Follow these steps to upgrade:

1. Connect to your server through RDP and open Add/Remove Programs.
2. Remove the Daemon from your server by following the steps in Uninstalling a Halo Daemon.
3. In the Halo Portal, note the server group that the (now deactivated) server belongs to. Then move the server into the Retired group, or simply delete it from Halo if you do not want to preserve a record of its configuration or history.
4. Proceed to install the new server as described in New Installation.
5. Back in the Halo Portal, select your server from the Unassigned group and add it back into its appropriate server group.

Start Using Halo for Windows

Once you have installed Daemons on your servers, you're ready to put them to work. First, you'll create groups of servers that have the same firewall and other security requirements; then you'll create the policies and have Halo deploy them to the servers.

Create a Server Group

The concept of server groups is fundamental to Halo. A server group is a set of similar servers (such as all of the web servers, or all of the load-balancers) that can have the same Halo security policy. For example, all servers in a given group will use the same firewall policy.

In Halo, you assign a policy to a server group, not to an individual server. So you'll need to create server groups before any of your Halo policies (such as firewalls) can take effect.

Once you have installed daemons on a set of similar servers (or maybe just one daemon on a golden master server), follow the instructions below to create a group:

1 Log into the Halo Portal Dashboard.

Log into the Halo Portal. (Dismiss the Getting Started With Halo dialog box if it appears.) You are on the Dashboard page, which lists all existing server groups. If you were already in Halo, click the CloudPassage logo or the Servers menu to go to the Dashboard.

2 Create a new server group.

Click Add New Group at the bottom of the list of server groups.

In the dialog box that opens, give the group a name and click Save. You do not need to fill in any other fields yet. The group now appears in the list of server groups on the Dashboard.

3 Select servers and add them to the group.

On the Dashboard page, verify that your new group appears in the server-group list, then look in the Unassigned or All Servers group to find the servers that you want to add to your group. (All Servers includes every server in your installation that has an installed Daemon, whether or not it belongs to a server group. Unassigned includes only servers with daemons that belong to no group.) Only servers that already have installed daemons can appear on this page.

Use the checkboxes to select which servers to add, then choose Move Server(s) from the Actions drop-down menu to move them into your server group.

Your selected servers are now in your group. As you create policies (see following sections), you can return to the Dashboard page to assign them to this group.

Deploy a Windows Firewall Policy

Now use CloudPassage Halo to easily create a Windows firewall policy for the server group you just created. Once the policy is active and any server comes online through cloning or re-activation of a server in this group, that new server automatically receives the latest appropriate firewall policy from Halo.

1 Go to the New Windows Firewall Policy page.

In Halo, navigate to Policies > Firewall Policies and click Add New Windows Firewall Policy.

2 Create firewall rules.

1. Enter a name and optional description for the policy.
2. Create inbound rules: For each rule, specify whether the firewall should accept or drop incoming communication of a specified network service (such as HTTP over TCP port 80) from a specified source (such as a given IP address range or Halo server group).
3. Create outbound rules: For each rule, specify whether the firewall should accept or drop outgoing communication of a specified network service (such as SMTP over TCP port 25) to a specified target (such as a given IP address range or Halo server group).

   Note: If you create an inbound rule that accepts a connection, you do not need to create an outbound rule that permits return communication on that connection. Halo creates those automatic corollary rules for you. The rules don't appear on the screen, but you can see them if you export the policy.
4. Create as many rules as you need, specify default behaviors (what to do if no rules are matched), choose your logging preferences, and click Apply.

3 Open your server group details.

Back on the Halo Dashboard, click your server group's name in the group list, then click Edit Details beneath the name. The Edit Group Details dialog opens.

4 Assign the firewall policy to your server group.

In the Firewall Policies area, open the Windows Policy drop-down menu and select the name of the policy that you just created. (Note that Linux policies appear in a different field.) Then click Save.

Your firewall policy is deployed automatically to the servers in your server group and it will start protecting them right away. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Deploy a Special Events Policy

The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall configuration is changed outside of Halo, it could be a signal that something malicious has happened and you may want to be alerted in real time. You control the system by implementing a special events policy and assigning it to a server group.

1 Go to the Add New Special Events Policy page.

In Halo, navigate to Policies > Special Events Policies and click Add New Special Events Policy.

2 Choose events for logging and alerting.

1. Enter a name and optional description for the policy.
2. Choose the events to include in the policy. Choose which events are to be logged, which should be flagged as critical on the Security Events History page, and which you want to receive email alerts about when they occur. Note that some events are marked as Linux-only and are not available for Windows servers.
3. When you have added all the events you want to include, click Save.

3 Assign the policy to a server group.

On the Halo Dashboard, click the name of a server group that you want this policy to apply to, then click Edit Details beneath the name. The Edit Group Details dialog opens. From the Special Events Policy drop-down menu, select the name of the policy that you just created. Then click Save.

Your special events policy is deployed automatically to the servers in your server group and it will immediately start monitoring them for the occurrences you have specified. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Note: If a server group has no assigned special events policy, the "global security events policy" is assigned by default.

4 Create and assign an alert profile.

When an event occurs on a server, an alert is sent to the Halo users listed in all of the alert profiles assigned to that server's group. If you wish to receive alerts, you must create an alert profile and assign it to your group.

1. Go to Policies > Alert Profiles, and click Add New Alert Profile.
2. Name the profile and choose the Halo users to add to it.
3. Specify who receives which levels of alerts, and save the profile.
4. Go to the Dashboard, select your server group, and click Edit Details beneath its name.
5. On the Edit Group Details page, select your profile from the Alert Profiles drop-down list, then save your changes.

Note: If a server group has an assigned special-events policy but no assigned alert profile, any alerts generated through the policy are sent to all of your company's users that are Halo site administrators.

Deploy Configuration Security Monitoring

Use the configuration security monitoring feature (available with a Halo Professional subscription) to scan your servers for any misconfigured or insecurely configured settings or registry keys, to keep your systems properly secured against attack.

Note: Configuration security monitoring for Windows is currently in beta release.

1 Set up a configuration policy

Halo provides a set of "Core" OS-specific configuration policies that you can apply to your servers to immediately harden them from attack, with no customization needed. For even tighter protection, you can also add Halo's "Extended" versions of the policies. And beyond that, you can create your own custom policies.

1. Navigate to Policies > Configuration Policies.

2. Above the Configuration Policies list, click Policy Templates.
3. Find a policy template that was designed for your servers' version of Windows, for example, "OS Core (Windows 2008 R2) v1". Click Actions > Clone to copy the template to your Configuration Policies list.

2 Assign the policy to a server group

1. Navigate to the Dashboard by clicking the Servers menu or the CloudPassage logo.
2. In the server group list, locate the name of the group that you want to assign the configuration policy to, click the group name, and click Edit Details below the group name.

3. On the Edit Group Details view, select the configuration policy or policies that you want to assign. Then click Save.

3 Run a scan and view the results

To view results after a configuration scan completes, go to Servers > Configuration Security Monitoring, select your server group, then click an individual server name. Or go to Servers > Security Events History and filter the search results to show just Security rule matched event types.

For detailed instructions on setting up a configuration policy and running scans, see Monitoring Server Configuration Security With CloudPassage Halo.

Deploy File Integrity Monitoring

Use the file integrity monitoring feature (available with a Halo Professional subscription) to scan your servers for any alterations to critical system files, directories, or registry keys, or any removal or addition of those objects, any of which could indicate malicious tampering.

Note: File integrity monitoring for Windows is currently in beta release.

1 Set up a file integrity policy

1. Navigate to Policies > File Integrity Policies, and click either Policy Templates or Add New Windows Policy.
2. Get started filling in the policy:
   - If you clicked Policy Templates, locate the Windows file integrity policy that you want to use, and select Clone from its Actions drop-down menu. The Add New Policy page opens, with the content of the template filled in.
   - If you clicked Add New Windows Policy, you are taken directly to the Add New Policy page.
3. On the Add New Policy page, create (or optionally customize, if it's a cloned template) the set of "targets" for the policy to monitor: configuration files, system files, directories, or registry keys whose presence and integrity are vital to secure system functioning. Also, for each directory target:
   - If you want to scan all files at all levels within the directory and its subdirectories, select Recurse. To scan only files at the top level in the directory, leave Recurse unselected.
   - If you want to scan only a certain file or set of files within the target directory, click Add Pattern, move the slider to Inclusion, and name the file or specify a wildcard pattern (such as *.exe) to define the set of files that you do want to scan.
   - If you don't want to scan a certain file or set of files within the target directory, click Add Pattern, move the slider to Exclusion, and name the file or enter a wildcard pattern (such as *.log) to define the set of files that you don't want to scan.

2 Run a baseline scan, assign it to the policy

1. Save the policy, then click Add Baseline or Request Baseline Now to set the baseline server for the policy and to perform the initial baseline scan, against which future scans of a server group will be compared.

3 Assign the policy to a server group

1. Navigate to the Dashboard, click the name of a server group to assign the policy to, and click Edit Details below the group name.
2. In the File Integrity Policies field, add your new policy to the group by selecting it from the drop-down list.

Then click Save.

4 Run a scan and view the results

To view results after a file integrity scan completes, go to Servers > File Integrity Monitoring, select your server group, then click an individual server name. Or go to Servers > Security Events History and filter the search results to show just File Integrity object... event types.

For detailed instructions on setting up a file integrity policy and running scans, see Monitoring Server File Integrity With CloudPassage Halo.

Use GhostPorts for Secure Server Administration

If you have a NetSec or Professional subscription to Halo, you can use GhostPorts multi-factor authentication to achieve strong protection of network access to your Windows servers. It is the most secure way to control access to administrative services on cloud servers, and it has the flexibility to allow authorized, secure access from anywhere.

With GhostPorts, your administrators can lock down all administrative ports, then use a firewall policy to dynamically open only specific ports for a specific authenticated user from a given IP address, for a defined period of time. The ports then automatically close when the time period expires.

GhostPorts works with either SMS transmission of authentication codes over a mobile phone, or with a USB device called a YubiKey from Yubico. You can order the keys directly from Yubico.

Note: GhostPorts multi-factor authentication is available only to Halo users with a NetSec or Professional subscription.

To take advantage of GhostPorts' extra protection for your Windows servers, follow these steps:

1 Enable a GhostPorts user.

For each user that is to have GhostPorts access, do this on the Invite New User page (at [Site Administrator menu] > Site Administration > Users > Invite New User) or Edit User page (at [Site Administrator menu] > Site Administration > Users > username > Edit) in the Halo Portal:

1. Select the checkbox to enable GhostPorts access for that user.
2. Specify the multi-factor authentication requirement: SMS code (one-time password transmitted by phone) plus Halo credentials, or YubiKey (hardware device) plus Halo credentials.
3. Configure the authentication method:
   - For SMS authentication, enter the user's phone number (must be a mobile account with text messaging enabled).
   - For YubiKey authentication, insert the user's YubiKey into your computer's USB port, place the cursor in the User YubiKey field on the page, and lightly touch the circle on the top of the YubiKey to enter its value into the field.

For SMS, the user now must log into Halo and verify the phone number before authenticating to GhostPorts; for YubiKey, the user can authenticate as soon as you provide the user with the configured YubiKey. Either method ensures highly secure, multi-factor authentication for accessing and administering a cloud server.

2 Set up firewall rules to handle GhostPorts users.

In the firewall policy for each server group in which you want to implement GhostPorts support, create an inbound rule that specifies that administrative access (for example, RDP for Remote Desktop Protocol) to the server through the port used (for example, 3389) is allowed only for the GhostPorts user that you have set up in Step 1. (The user appears in the Source drop-down list.) The policy should not have any other ACCEPT rules for administrative access.

When that GhostPorts user authenticates, Halo dynamically replaces the policy rule with one that allows access from the specific IP address of the computer that the user just logged in from. After a time window passes, access from even that IP address is disallowed until the user authenticates to GhostPorts again.

3 GhostPorts user: complete your authentication setup.

- SMS: If you are an SMS-enabled GhostPorts user, you first need to log into Halo and go to the Open GhostPorts page. Follow the instructions to verify your phone number, after which you will be able to log in and authenticate to GhostPorts.
- YubiKey: Each YubiKey-enabled user needs to have the specific YubiKey configured for that user. As soon as you obtain your device from your Halo site administrator, you will be able to log in and authenticate to GhostPorts.

4 GhostPorts user: access a remote server.

If you are a server administrator (or other user) whose GhostPorts access has been enabled, take these steps to access your server:

1. Log into the Halo Portal and click Open GhostPorts to go to the Open GhostPorts page.
2. Authenticate to GhostPorts:
   For SMS authentication:
   a. Click Send Authentication Code to instruct Halo to send an SMS code to your phone.
   b. When you receive the code on your phone, enter it into the Authentication Code field on the GhostPorts page, then click Submit. You have 5 minutes to enter the received SMS code into the field. The code typically arrives on your phone in less than a minute.
   For YubiKey authentication:
   a. Place your YubiKey into your computer's USB port, and click in the blank field on the GhostPorts page.
   b. Lightly touch the circle on the top of your YubiKey to transfer a one-time password value into the field.
3. Within a few minutes, the administrative ports on your server will be open. From this computer, launch Remote Desktop Connection or other remote-access tool, and log into your cloud server as you normally do.

Your access to your cloud servers is now open, but only from the IP address of the machine you authenticated from, and only for four hours (or less, if you click Close GhostPorts in the Portal to manually close them sooner than that).

Copyright 2013 CloudPassage Inc. All rights reserved. CloudPassage and Halo are registered trademarks of CloudPassage, Inc.
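The file integrity workflow in Deploy File Integrity Monitoring (a directory target with Recurse, inclusion and exclusion patterns, and a baseline that later scans are compared against) can be modelled as follows. This Python code is an added example, not CloudPassage code; the SHA-256 hashing, the function names and the constructed sample tree are assumptions made for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile


def matches(name, patterns):
    # Windows file names are case-insensitive, so compare in lower case.
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def scan(target, recurse=False, include=(), exclude=()):
    """Hash every selected file under `target`; returns {relative_path: sha256}."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(target):
        for name in filenames:
            if include and not matches(name, include):
                continue  # inclusion patterns given: scan only matching files
            if matches(name, exclude):
                continue  # exclusion pattern: this file is never scanned
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, target).replace(os.sep, "/")
            snapshot[rel] = digest
        if not recurse:
            dirnames.clear()  # Recurse unselected: stay at the top level
    return snapshot


def compare(baseline, current):
    """Report objects added, removed or altered since the baseline scan."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def write_file(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, change it, and rescan with and without Recurse."""
    with tempfile.TemporaryDirectory() as root:
        write_file(root, "app.exe", b"v1")
        write_file(root, "app.log", b"started\n")
        write_file(root, "sub/helper.exe", b"helper")
        policy = {"exclude": ["*.log"]}  # hypothetical policy: ignore log churn
        base_deep = scan(root, recurse=True, **policy)
        base_top = scan(root, recurse=False, **policy)

        write_file(root, "app.exe", b"v1-patched")         # altered binary
        write_file(root, "app.log", b"started\nrotated\n")  # excluded, ignored
        write_file(root, "sub/dropper.exe", b"new")         # added file
        os.remove(os.path.join(root, "sub", "helper.exe"))  # removed file

        deep = compare(base_deep, scan(root, recurse=True, **policy))
        top = compare(base_top, scan(root, recurse=False, **policy))
    return deep, top


if __name__ == "__main__":
    for label, diff in zip(("recursive", "top-level only"), demo()):
        print(label, diff)
```

The second result shows the cost of leaving Recurse unselected: the file added in the subdirectory and the one removed from it never appear in the comparison.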
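The GhostPorts behaviour described above (an administrative port that accepts traffic only from the IP address a user authenticated from, for four hours, and only if the policy has no other ACCEPT rule for that port) can be checked with a small model. This Python code is an added example, not CloudPassage code; the class and function names, the first-match rule order and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)  # the guide: access stays open for four hours
ADMIN_PORTS = {3389}         # RDP, the guide's example administrative port


@dataclass
class Rule:
    port: int
    action: str  # "ACCEPT" or "DROP"
    source: str  # a CIDR range, or "ghostports:<user>" (hypothetical notation)


class GroupFirewall:
    def __init__(self, rules, default="DROP"):
        self.rules = list(rules)
        self.default = default
        self.grants = {}  # user -> (authenticated IP, expiry time)

    def static_admin_accepts(self):
        """Rules that would let admin traffic in without GhostPorts."""
        return [r for r in self.rules
                if r.port in ADMIN_PORTS and r.action == "ACCEPT"
                and not r.source.startswith("ghostports:")]

    def open_ghostports(self, user, from_ip, now):
        # Successful multi-factor authentication pins the rule to one IP.
        self.grants[user] = (ipaddress.ip_address(from_ip), now + WINDOW)

    def close_ghostports(self, user):
        self.grants.pop(user, None)

    def decide(self, src_ip, port, now):
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:  # assumption: first matching rule wins
            if rule.port != port:
                continue
            if rule.source.startswith("ghostports:"):
                grant = self.grants.get(rule.source.split(":", 1)[1])
                if grant and grant[0] == src and now < grant[1]:
                    return rule.action
                continue
            if src in ipaddress.ip_network(rule.source):
                return rule.action
        return self.default


def demo():
    t0 = datetime(2013, 1, 1, 9, 0)                      # constructed timestamp
    admin_ip, other_ip = "203.0.113.10", "198.51.100.7"  # documentation ranges
    fw = GroupFirewall([Rule(80, "ACCEPT", "0.0.0.0/0"),
                        Rule(3389, "ACCEPT", "ghostports:alice")])
    seen = [fw.decide(admin_ip, 3389, t0)]                           # not yet authenticated
    fw.open_ghostports("alice", admin_ip, t0)
    seen.append(fw.decide(admin_ip, 3389, t0 + timedelta(hours=1)))  # inside the window
    seen.append(fw.decide(other_ip, 3389, t0 + timedelta(hours=1)))  # different address
    seen.append(fw.decide(admin_ip, 3389, t0 + WINDOW))              # window expired
    fw.open_ghostports("alice", admin_ip, t0 + timedelta(hours=5))
    fw.close_ghostports("alice")                                     # manual close
    seen.append(fw.decide(admin_ip, 3389, t0 + timedelta(hours=5, minutes=1)))
    return seen


if __name__ == "__main__":
    print(demo())
```

Running `static_admin_accepts()` against an exported policy is the audit step: any rule it returns opens the administrative port regardless of GhostPorts authentication.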