STEALTHbits Technologies, Inc. StealthAUDIT v5.1 System Requirements and Installation Notes

STEALTHbits Technologies, Inc. StealthAUDIT v5.1 System Requirements and Installation Notes June 2011

Table of Contents Overview... 3 Installation Overview... 3 Hosting System Requirements... 4 Recommended System Requirements... 4 Additional Steps... 5 Target Hosts... 9 Security... 9 Ports... 10 SMP Data Collector Matrix... 10 Appendix A Installation... 13 Installing the StealthAUDIT Management Platform... 13 Appendix B Solution Permissions & Configuration... 20 SMP for SharePoint Permission Requirements... 20 Exchange 2010 Data Collection... 21 2

Overview This document outlines basic requirements to successfully operate StealthAUDIT to its full capacity. Please note that these requirements represent the optimal configuration to enable full functionality. Failing to meet some requirements may result in StealthAUDIT functioning at a lesser capacity. Installation Overview StealthAUDIT installs to a single workstation or server from which data collection occurs. The application is entirely self-contained and requires access to Microsoft SQL Server (2005 or greater) database to operate. Organizations seeking more advanced data collection capabilities may seek to deploy multiple satellite StealthAUDIT nodes and a centralized Microsoft SQL Server to store collected data (See Figure 1). Figure 1 StealthAUDIT Architecture 3

Hosting System Requirements The system hosting StealthAUDIT requires only modest hardware. Hardware recommendations are heavily influenced by: The size and distribution of the targeted network (quantity and locations of hosts). The complexity of each job (how much data is being returned from each host). The frequency of scheduled job runs. Data retention settings. Recommended System Requirements SMP Console Requirements o Windows Server 2008 (x64) o Dual Core or Multiple CPU (2 GHz +) o o o 4GB or more RAM 30+ GB Available Disk 100/1000Mb Network Connection 4

Additional Steps There are a few additional steps that need to be completed or verified to be successful in building a StealthAUDIT console machine: 1. Verify availability of a Microsoft SQL Server instance a. Supported Versions b. Permissions i. SQL Server 2005 (Express (POC only), Standard, and Enterprise Editions) ii. SQL Server 2008 (Express (POC only), Standard, and Enterprise Editions) 1. Preferred: SQL Server 2008 Enterprise Edition 2. A free copy of SQL Server 2008 Express with Tools Edition is available by clicking here. This instance can reside on the same machine as the StealthAUDIT console, but does not have to. i. StealthAUDIT requires the ability to Create, Delete, Update, Drop, Read, and Join tables within the SQL database in order to function as expected. Full database owner rights are recommended to ensure proper operation. ii. If database owner rights cannot be obtained, the following script can be executed against the StealthAUDIT database to grant the necessary permissions to the appropriate users: USE [<stealthaudit>] GO IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE [type] = 'R' AND [name] = '<SA User ID>') EXEC sp_addrole '<SA User ID>' GO EXEC sp_addrolemember 'db_datareader', '<SA User ID>' GO EXEC sp_addrolemember 'db_datawriter', '<SA User ID>' GO GRANT CREATE TABLE TO [<SA User ID>] GO GRANT CREATE VIEW TO [<SA User ID>] GO GRANT ALTER ON SCHEMA::dbo TO [<SA User ID>] GO GRANT EXECUTE ON SCHEMA::dbo TO [<SA User ID>] GO GRANT INSERT ON SCHEMA::dbo TO [<SA User ID>] GO GRANT UPDATE ON SCHEMA::dbo TO [<SA User ID>] GO 5

c. Authentication i. StealthAUDIT allows for the use of both SQL and Windows Authentication to connect to the database. d. Database Maintenance 2. Install Adobe Flash a. Download b. Additional Info 1. Recommended: Windows Authentication i. StealthAUDIT relies on a SQL backend for data storage for all of its jobs, analysis, and actions. For disaster recovery reasons, the database should be backed up on a scheduled basis that is acceptable for recovery of data collection. Additionally, the backup process will flush any transaction log files. Depending on usage volume, backup schedules should be adjusted to flush and shrink the size of the transaction logs. Please refer to Microsoft or your 3 rd party provider for your Microsoft SQL backup solution on how to configure and schedule backups to clear transaction logs at an interval that meets your needs. i. If Flash is not already installed you can download the software by clicking here. i. STEALTHbits also recommends turning off Windows Internet Explorer Enhanced Security Configuration for the administrator group if you want to be able to render reports on the StealthAUDIT console. 3. For Microsoft Exchange Server data collection only a. Exchange Server 2000/2003 i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions 1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second. b. Exchange Server 2007/2010 or Mixed 2003/2007/2010 Environment i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions 1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second. 2. Exchange Management Console (EMC) 2007/2010 with latest updates 6

ii. Exchange 2010 Data Collection 1. In order for SMP Exchange Data Collectors to work properly against Exchange 2010, please review the configuration options that need to be set and implement them prior to collection in Appendix B 4. SMP Exchange/BlackBerry/Access Information Center Prerequisites (NOT REQUIRED UNLESS INSTALLING THE EXCHANGE, BLACKBERRY, OR ACCESS INFORMATION CENTERS) o Microsoft Internet Information Services (IIS) 7 Ensure ASP.NET and Security/Windows Authentication features are installed o Install.NET Framework v3.5 o Install Microsoft SilverLight on the client where you plan to run the browser 5. Install the StealthAUDIT Management Platform (SMP) a. Console b. License Key 6. StealthAUDIT Credential Sets i. Using the installation media provided to you by your STEALTHbits Account Representative, download the executable to the system StealthAUDIT is to be installed on. ii. Follow the instructions in the installation wizard to install and configure the application. 1. For more detailed instructions on how to install the StealthAUDIT Management Platform, see Appendix A. i. Copy and Paste the StealthAUDIT License Key (StealthAUDIT.LIC) into the root of the installation (typically C:\Program Files\STEALTHbits\StealthAUDITV5). 1. NOTE: This key is available from your STEALTHbits Account Representative. a. STEALTHbits recommends using an ID with full administrative privileges to the targeted hosts in order to maximize the amount of data that can be collected by StealthAUDIT; however, this is not required in order for the application to function properly. If full administrative privileges are not available, simply create a StealthAUDIT Connection Profile using credentials with the proper rights to the information you want to collect. Configuring Connection Profiles are performed in the Global Options of StealthAUDIT under the Welcome\Connections node. Connection Profiles can also be created during installation of StealthAUDIT through the installation wizard. b. Permission Requirements 7

7. Publishing Reports i. Windows Auditing 1. Local Admin ii. Active Directory 1. Domain Admin iii. Exchange Auditing 1. Exchange Admin and Local Admin 2. Access to System Attendant Account MAPI Authentication iv. BlackBerry Auditing 1. Local Admin to the BES Server 2. Read Access to the BES SQL Database v. SharePoint Auditing 1. See Addendum B for full details a. STEALTHbits recommends leveraging a Microsoft IIS Server to publish the HTML website and associated reports that StealthAUDIT creates for you. StealthAUDIT supports publishing to a share within the file system as well, but please note that performance can be affected when rendering reports containing high volumes of data due to native browser limitations. 8

Target Hosts StealthAUDIT query targets must be Microsoft Windows based systems with an OS minimum requirement of Windows 2000. Windows 9x, NT, or Home Edition hosts will be detected on the network, but are not supported for auditing. StealthAUDIT also provides limited support for Linux and UNIX host detection and auditing. Red Hat, SUSE, and AIX are currently supported, with additional version support coming in the near future. Various 3 rd Party storage platforms such as NetApp Storage Controllers and EMC Celerra devices are supported for auditing as well. StealthAUDIT does not currently support other non-windows hosts. Security StealthAUDIT leverages a snap-in Data Collector (DC) architecture. Each DC module exposes a discreet data source (for example: the Windows Registry) and is implemented as a.dll housed in the StealthAUDIT\DC folder. Each DC must connect to a target host in order to obtain data during an audit. Most Windows administrative data is obtained via RPC; hence, a shared RPC connection is utilized. StealthAUDIT Data Collectors expose Windows -based administrative data by calling into the Windows API functions in the same way native Microsoft administration tools do. Thus, StealthAUDIT is in effect never connecting directly to the managed host, but rather the underlying Microsoft API s. The dependent network layers are communicating with peer layers on the target host; providing transparent communications to the data consumer. These connections are made in the security context of the active logged-on user or in the context of an impersonated user via optionally supplied credentials; both domain level and target host local accounts are supported. Supplied credentials are encrypted in a security profile using MD5 encryption and stored in the local file system. STEALTHbits Technologies recommends providing StealthAUDIT (either through a logged-in user or impersonation credentials) full administrative access to the target host for greatest availability of data to collect. In some cases where this may not be possible, StealthAUDIT may still be able to successfully obtain data from the remote host depending on the nature of the query. For example, to query large portions of the remote registry, only user access is required. Logged in User StealthAUDIT Data Collector Native Tool Optional User Impersonation Data API Protocol Transport Network Microsoft API s and Network Layers User Impersonation StealthAUDIT Workstation Target Host Figure 2 - Security and Connection Illustration 9

Firewalls StealthAUDIT, via the Operating System API s, establishes direct connections between the StealthAUDIT host and the target host. Any firewalls between the two application layers must be configured to provide trusted, rich access between the two hosts. In most cases where firewalls are encountered, organizations will configure the firewall to trust the IP Address or subnet where StealthAUDIT resides. Ports StealthAUDIT currently supports a range of Windows and industry protocols as documented in the following table. For proper operations, network administrators should ensure that RPC communications are available between the StealthAUDIT console and the target hosts including: RPC TCP ports 135-139 RPC TCP/UDP Port 445 RPC TCP ports 1024 1100 (dynamic) SSH TCP port 22 (UNIX and Linux support) Additional optional ports: ICMP TCP port 7 (Ping) HTTP TCP Port 80 (MS Patch database download) SMTP TCP 25 (email notification / report submission) SMP Data Collector Matrix Data Collector Description Protocols Ports Used Recommended Permissions Active Directory AD Inventory BlackBerry Command Line Utility Disk DNS Event Log Auditing objects published in AD Inventories AD User and Group information for correlation purposes throughout all StealthAUDIT Solution Sets Auditing BlackBerry properties and BES database information Provides the ability to remotely spawn, execute, and extract data provided by Microsoft native command line utilities. Provides enumeration of disks and their associated properties Provides information regarding DNS configuration and records Provides search and extraction of details from event logs on target system LDAP RPC LDAP RPC ODBC Remote Registry RPC Remote Registry RPC RPC RPC TCP 389 TCP 135-139 TCP 389 TCP 135-139 TCP 1433 TCP 139 and 445 TCP 135-139 TCP 135, Randomly allocated high TCP Ports TCP 135, Randomly allocated high TCP Ports TCP 135, Randomly allocated high TCP Ports Domain Admin Domain Admin Local Admin to the BES Server Read Access to the BES SQL Database Local Admin Local Admin Domain Admin Local Admin Domain Admin if targeting Domain 10

E2K (Exchange Configuration) Exchange Mailbox / Public Folder Exchange Metrics File File System Access (FSAA) Group Policy INIFile LDAP ODBC Patch Check Perfmon PowerShell Registry Script Services SharePoint Access SharePoint Content SharePoint Activity Provides Exchange 2000/2003/2007/2010 admin property extraction Provides statistical, content, and permission reporting on mailboxes and public folders Provides metrics information from Exchange tracking logs File and folder enumeration, properties, permissions Access rights via Shares, Folders, and Policies Auditing GPO settings and properties INI and INF file content search and extraction Search for and extract Active Directory and Exchange 5.5 directory properties Query ODBC compliant databases for tables and table properties Provides patch verification and optional automatic bulletin downloads from Microsoft Performance monitor counter data samples Provides PowerShell Script exit from StealthAUDIT Enumeration and extraction from remote registries Provides VB Script exit from StealthAUDIT Enumeration, status and settings from remote services Assesses access rights throughout the SharePoint infrastructure Assesses SharePoint content related information Assesses access activity details within SharePoint RPC LDAP MAPI over RPC RPC 11 TCP 135-139, TCP 389 Optionally TCP 445 TCP 135, Randomly allocated high TCP Ports TCP 135, Randomly allocated high TCP Ports RPC TCP 135-139, Optionally TCP 445 RPC TCP 135-139, Optionally TCP 445 LDAP RPC TCP 389 TCP 135-139 Controllers Exchange Admin Domain Admin for Active Directory property collection Exchange Admin Local Admin Domain Admin Local Admin Local Admin Domain Admin Domain Admin RPC TCP 135-139, Optionally TCP 445 Local Admin LDAP TCP 389 Domain Admin ODBC TCP 1433 Database Read Access RPC TCP 135-139 Local Admin HTTP ICMP TCP 80 TCP 7 PRC TCP 135-139 Local Admin N/A N/A N/A RPC TCP 135-139 Local Admin N/A N/A N/A RPC TCP 135-139 SP Web Services MS SQL Remote Registry MS SQL (connection string) read from Registry on SharePoint Server SP Web Services (web app urls) read from SharePoint configuration database Local Admin Remote read access to SharePoint server s registry Read access to configuration database Read All permissions for each web app policy in SharePoint farm SMARTlog Provides search and extraction of RPC TCP 135, Randomly Local Admin

SQL details from Windows Event Logs (online or offline) and Microsoft Internet Information Server (IIS) logs SQL database configuration, permissions, and data extraction ODBC Remote Registry allocated high TCP Ports SystemInfo A collection of various properties RPC TCP 135-139 Text Search Unix Users & Groups WMI i Enables searching through text based log files Host inventory, Software inventory, logical volume inventory on UNIX & Linux platforms Auditing user and group accounts, both local and domain. Extracting system policies Browsing and extraction of WMI objects and properties RPC TCP 135-139 SSH TCP 22 User configurable RPC TCP 135-139 RPC TCP 135-139 Domain Admin if targeting Domain Controllers TCP 1433 Local Admin to SQL Server Read access to SQL Database Local Admin Local Admin ROOT Local Admin Domain Admin if targeting Domain Controllers Local Admin 12

Appendix A Installation Installing the StealthAUDIT Management Platform Step 1: Part 1 of 2 SMP Installation Wizard After downloading StealthAUDIT, run the installation wizard by double-clicking StealthAUDIT.exe: Step 2: Accept the End User License Agreement to advance to the next step in the installation process. 13

Step 3: Choose which product components to install and which directory the application should be installed in: Step 4: Click Next on the Ready to Install the Application menu to begin the installation process: Step 1: Part 2 of 2 SMP Configuration Wizard After the installation has completed, the following screen will appear allowing for the configuration of a new StealthAUDIT instance or the migration/upgrade of a previous version installed on the same system. 14

For first time users, select I am a first time StealthAUDIT user and then select OK. Step 2: In the Welcome: Initial Settings wizard, select next to begin the process of setting up a database profile, connection credentials, and an initial discovery query to identify systems in the environment: Step 3: In the SQL Server Settings menu, enter the following information to create a StealthAUDIT Database Profile: Server Name The name of the SQL Server you plan to create a database on Instance Name The name of the SQL Instance the database will be created on Authentication Mode SMP supports both Windows and SQL Authentication 15

methods. If using SQL Authentication, input a User Name and Password, otherwise, SMP will leverage the credentials currently running the application through Windows Authentication. Database Choose to create a new database or leverage an existing StealthAUDIT database if present. Step 4: In the Connection Settings menu, choose to either leverage the credentials currently being used to the log into the StealthAUDIT console server or create a connection profile containing different credentials such as a service account created for StealthAUDIT: 16

Step 5: In the Query Sources Host Discovery Source menu, select the method you d like to use for discovering your environment. Your choices at initial setup are limited to the following: Scan your IP network Browse your Windows Network Neighborhood Query an Active Directory Server o General AD Query Best used for discovering machines contained in multiple locations within the AD structure (i.e. Desktops and Servers) o Exchange Servers Only Best used for discovering just Exchange Servers o Domain Controllers Only Best used for discovering just Domain Controllers *If you d like to import your machine listings from a text file,.csv file, or another database, hit cancel and configure your discovery query through the Host Management node in the left-side tree menu. After selecting your method of discovery, configure the options to define which machines you d like StealthAUDIT to discover and inventory (See Active Directory example below) 17

Step 6: In the Instant Job menu, select the instant solutions you d like to install into your job tree. Step 7: Click FINISH in the Summary menu and then FINISH again when the Instant Solution has finished its installation. 18

Step 8: Finally, select whether or not you d like the Host Discovery query to run now or later to finish the initial configuration process. 19

Appendix B Solution Permissions & Configuration SMP for SharePoint Permission Requirements The following details the permissions that need to be granted to a domain user in order for them to be used as the connection profile account of StealthAUDIT to run the SharePoint jobs. These instructions assume administrative knowledge of SharePoint and access to the servers which are hosting the SharePoint farms which need to be audited. To configure your SharePoint connection profile user you must do the following: Add it as a member of local Backup Operator group on a SharePoint application server for the farm that will be audited in order to access registry remotely. By default only members of Local Administrators and Backup Operators has access to remote registry so Backup Operators group provides least privilege. Add it as a member of local WSS_WPG group on the same SharePoint application server(s). Members of this group have read access to system resources used by Microsoft SharePoint Foundation 2010. Grant the user Full read on every web application through a web application policy. This is done through Central Administration. I can show you how to do this if you need. Add the user as a Site Collection administrator in Central Administration site collection in case if you need scan Central Administration (also do this for the Help site collection in SharePoint 2010). If the customer doesn t care about monitoring Central Admin then this can be skipped. Grant the user WSS_Content_Application_Pools role and db_datareader role in configuration database for each farm. Grant the user the db_datareader role on every content database for a farm. Execute the following script against every content database in the farm, replacing DOMAIN\USER with the account being configured: grant execute on proc_listallwebsofsite to "DOMAIN\USER" grant execute on proc_getwebid to "DOMAIN\USER" grant execute on proc_seclistsitegroupmembership to "DOMAIN\USER" grant execute on proc_seclistallsitemembers to "DOMAIN\USER" grant execute on proc_seclistallwebmembers to "DOMAIN\USER" grant execute on proc_seclistsitegroups to "DOMAIN\USER" grant execute on proc_secgetroleassignments to "DOMAIN\USER" grant execute on proc_secgetrolebindingsforallprincipals to "DOMAIN\USER" grant execute on proc_secgetsecurityinfo to "DOMAIN\USER" 20

Exchange 2010 Data Collection For Microsoft Exchange Server 2010, all communication to the private and public stores must go through a Client Access Server. Due to these changes, additional properties have been added to SMP Data Collectors requiring configuration changes that need to be set before being able to collect data from Exchange 2010 servers. Welcome Settings: A user alias needs to be set for each query that requires this information. This can be done at the top level for job configuration. The user alias can be any mail-enabled Exchange 2010 account that is utilized for connection to the Exchange Server. It does not need escalated privileges to Exchange. Public Folder Queries: In the Public Folder data collector, specific settings need to be set for the Public Folder data collection to work properly against Exchange 2010. 1. The user alias will need to be set unless it has been set at the Global Level 21

2. A Client Access Server needs to be set so the data collector can connect to it to access the public store for Exchange 2010. 3. The Option to Process folders that physically reside on the target server only needs to be unchecked. Since Exchange 2010 supports public folders in a different manner than previous versions of Exchange, the data collector currently targets the entire hierarchy of the public folders. Since this is the case, the query only needs to be run against one public folder server that contains the entire hierarchy. 22

Exchange Mailbox Data Collection Data collection for Exchange Mailboxes for 2010 is similar to how the Public Folder data collection works. 1. The user alias will need to be set unless it has been set at the Global Level 2. A Client Access Server needs to be set so the data collector can connect to it to access the private store for Exchange 2010. Once the CAS server is entered, you can choose Select from this Server: and type in a mailbox server to connect and view the mailboxes on that server. Alternatively, navigate back to the Welcome page of the query and type in a mailbox server in the Test Connection Setting box to test your connection to Exchange. 23

Exchange2k Data Collection The following categories within the Exchange2K data collector need the properties set for data collection from Exchange 2010 servers. Exchange Organization o Users Mailbox Stores Public Folders OrphanedMailboxes OrphanedPublicFolders 1. The user alias will need to be set unless it has been set at the Global Level 2. A Client Access Server needs to be set so the data collector can connect to it to access the private store for Exchange 2010. 24

i STEALTHbits and StealthAUDIT are trademarks of STEALTHbits Technologies, Inc. BlackBerry and BES are trademarks of Research In Motion Limited. Microsoft, Active Directory, Exchange, and Windows are registered trademarks of Microsoft Corporation in the United States and other countries. Celerra is a trademark of the EMC Corporation. All other trademarks are the trademarks or registered trademarks of their respective owners. 25