SAFETICA INSIGHT INSTALLATION MANUAL
SAFETICA INSIGHT INSTALLATION MANUAL for Safetica Insight version 6.1.2 Author: Safetica Technologies s.r.o. Safetica Insight was developed by Safetica Technologies s.r.o. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author. While every precaution has been taken in the preparation of this document, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of information contained in this document or from the use of programs and source code that may accompany it. In no event shall the publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly or indirectly by this document. For more information visit www.safetica.com. Published: 2015
CONTENT Introduction ABOUT SAFETICA INSIGHT 1 Architecture... 5... Safetica Management Service... Safetica Insight Management Console... Safetica Agent... Safetica Endpoint Client... Central database DEPLOYMENT OF SAFETICA INSIGHT Obsah 6 6 7 8 8 3... 9 1 Before installation 10 2 Installation... of Safetica Management Service 11 Microsoft... SQL Server settings Configuring an Existing SQL server... 12 Microsoft SQL Server installation... 13 Installing a new SQL Server Express... 15 Configuring existing SQL Server Express... 17... 18 Installation of Safetica Management Console 3... 18 4 Configuration of Safetica Management Service... 23 5 Installation of Safetica Agent... 24 Installation using GPO... 28 6 Installation of Safetica Endpoint Client... 29 7 After installation INDEX 0 3
1 Introduction Dear user, Congratulations for choosing the Safetica Insight software for your company. In this guide you will find detailed instructions on the whole installation process for all types of supported network environments. Should you face any issues during installation, please consult the Safetica Insight Complete Documentation and if you fail to solve any such issue, please contact technical support at safetica.com/support. Safetica Insight brings a whole new approach to user activity monitoring. It is known for its easy and quick installation and convenient controls. With its user-friendly output, you will instantly have an overview of users' undesirable behavior and risk activities. After successful installation of the product, we recommend carefully reading the Safetica Insight Complete Documentation where you will learn everything from first deployment on the corporate 4 Safetica Insight 6 Help network to examples of how the product can be used to output evaluation and troubleshooting. To find your way among the basic procedures and methods, refer to the Safetica Insight Quick Guide. With thanks, your Safetica Technologies team, Safetica Insight developer 2 ABOUT SAFETICA INSIGHT Safetica Insight protects you from expensive data leaks and unnecessary personnel costs. No other product can protect your business from such a range of human mistakes and malicious actions. Safetica Insight is the only software which can save you time and money through its early detection of dangerous internal activities. With Safetica Insight you get a full-fledged security solution with fast and easy deployment. Major Benefits Protect your company against the consequences of the failings of your own employees. Detect employee behavior that may damage your company in good time. Obtain an overview on the working activity and productivity of your staff. Work with security software that does not disrupt your company s current processes. 4
ABOUT SAFETICA INSIGHT 2.1 5 Architecture The Safetica Insight product is based on a client server architecture. On end workstations, the Safetica Endpoint Client client component runs that communicates with the Safetica Management Service server component and the central database. Together with the Safetica Endpoint Client, also the Safetica Agent runs on the end workstations, which is designed to install, update and manage other client components. To manage, set up and display the obtained data, the Safetica Insight Management Console is used. Data obtained from individual end workstations are stored on a database server. The database also stores the settings for all Safetica Insight components. 5
Safetica Insight enables deployment of multiple servers (Safetica Management Service) and manage them centrally from a single console. Each of the servers can service a part of the company environment, so it is possible to further distribute the load. This architecture makes it possible to support multiple branches and in fact an unlimited number of users and computers. Each of the following parts can be installed on a separate computer. 2.1.1 Safetica Management Service The Safetica Management Service (SMS) represents the server component of Safetica Insight. It runs as a service on a dedicated server, provides connection between the database and other Safetica Insight components and enables their remote management. On each Safetica Management Service it is possible to assign different rights to individual administrators (or managers) using Safetica Insight Management Console, so the company 6 Safetica Insight 6 Help security control can be divided into different roles (e.g. local admin, enterprise admin, security manager, etc.). Recommended hardware requirements Processor: 2,4 gigahertz (GHz) 32-bit (x86) or 64-bit (x64) dual-core processor RAM: 2 GB Hard disk space requirements: 10 GB reserved space Supported operating systems Microsoft Windows XP SP3 32-bit and 64-bit Microsoft Windows Vista 32-bit and 64-bit Microsoft Windows 7 32-bit and 64-bit. Microsoft Windows 8 32-bit and 64-bit Microsoft Windows Server 2003 SP1 32-bit and 64-bit Microsoft Windows Server 2003 R2 32-bit and 64-bit Microsoft Windows Server 2008 32-bit and 64-bit Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Note: There could be only one instance of Safetica Management Service installed on one PC. 2.1.2 Safetica Insight Management Console The Safetica Insight Management Console (SMC) is used to configure and manage clients (Safetica Endpoint Client) and agents (Safetica Agent) on the client computers, server services (Safetica Management Service), databases and to set up all Safetica Insight functions at the end workstations. It also displays the output of acquired data, statistics and graphs. It can run anywhere 6
where you have access to a managed Safetica Management Service. Recommended hardware requirements Processor: 2.4 (GHz) 32-bit (x86) or 64-bit (x64) dual-core processor RAM: 2 GB Hard disk space requirements: 2 GB reserved space ABOUT SAFETICA INSIGHT Supported operating systems Microsoft Windows XP SP3 32-bit and 64-bit Microsoft Windows Vista 32-bit and 64-bit Microsoft Windows 7 32-bit and 64-bit. Microsoft Windows 8 32-bit and 64-bit Microsoft Windows Server 2003 SP1 32-bit and 64-bit Microsoft Windows Server 2003 R2 32-bit and 64-bit Microsoft Windows Server 2008 32-bit and 64-bit Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Note: Safetica Insight Management Console could be used by multiple users on one PC. 2.1.3 Safetica Agent Safetica Agent (SA) is a Safetica Insight component used for managing the Safetica Endpoint Client on the client computer. It allows its remote installation, updating and other management tasks. Recommended hardware requirements Processor: 2.4 (GHz) 32-bit (x86) or 64-bit (x64) dual-core processor RAM: 2 GB Hard disk space requirements: 2 GB reserved space Supported operating systems Microsoft Windows XP SP3 32-bit and 64-bit 7 7
Microsoft Windows Vista 32-bit and 64-bit Microsoft Windows 7 32-bit and 64-bit. Microsoft Windows 8 32-bit i 64-bit Microsoft Windows 8.1 32-bit i 64-bit 2.1.4 Safetica Endpoint Client Safetica Endpoint Client (SEC) is a client component of Safetica Insight that provides all security and monitoring functions of Safetica Insight at the end workstations. When installing the SEC, the Safetica Agent component is also installed, if not previously installed on the computer. 8 Safetica Insight 6 Help Recommended hardware requirements Processor: 2.4 (GHz) 32-bit (x86) or 64-bit (x64) dual-core processor RAM: 2 GB Hard disk space requirements: 2 GB reserved space Supported operating systems Microsoft Windows XP SP3 32-bit and 64-bit Microsoft Windows Vista 32-bit and 64-bit Microsoft Windows 7 32-bit and 64-bit. Microsoft Windows 8 32-bit i 64-bit Microsoft Windows 8.1 32-bit i 64-bit 2.1.5 Central database The Central database is used to save the settings and records received from all Safetica Insight components. Each Safetica Management Service needs three dedicated databases to store logs, settings and categories of applications, sites and extensions. To save the databases, the following database servers can be used: Microsoft SQL Server 2008 32-bit and 64-bit and higher versions, including Express editions (www.microsoft.com) Note: For hardware and software requirements of the database servers mentioned above, please visit the websites of the manufacturers. 8
3 DEPLOYMENT OF SAFETICA INSIGHT 3.1 Before installation Take the following steps before installation: 1. Check whether the hardware and software requirements of all three Safetica Insight components are met. 2. Analyze your corporate network: o Decide on what PCs you are going to install the Safetica Management Service (SMS) in your environment. When making the decision, take the following into account: The PC with SMS must be able to connect to the SQL server on which the main databases will be stored. DEPLOYMENT OF SAFETICA INSIGHT 9 Depending on the number of SECs connected and the database server type, set how many SMS you wish to install in your environment. The number of SECs that can connect to one SMS is limited by the SQL database which the SMS uses for storing data see below. o Decide on what PCs you are going to install the Safetica Insight Management Console (SMC) in your network. The PC with SMC must be able to connect to all SMS you wish to administer by using the administration console. o Decide on what PCs you are going to install the Safetica Agent (SA) in your network. The PC with SA must be able to connect to some SMS in your environment. o Decide on what PCs you are going to install the Safetica Endpoint Client (SEC) in your network. When making the decision, take the following into account: For every SEC, decide what SMS it will be connected to. Not every PC will be connected to all PCs with SMS. The PC with SEC must be able to connect to some SMS in your environment. The PC with SEC must be able to connect also to the SQL server which has the SMS databases. SEC exchanges settings and records from SMS via these databases. o Select and designate SQL servers on which the central databases of the individual SMS will be stored. When making the decision, take the following into account: Every SMS needs three designated databases on the SQL server: one for settings, one for records and one for the category database. The databases of multiple SMS may be stored on a single SQL server, but this can affect the number of SECs which the SQL server can serve. When using the Microsoft SQL Server of the Express edition, the ideal number of connected SECs is 50, with a maximum of 70. These counts apply to the installation of the entire SQL Server. When using the Microsoft SQL Server of the standard edition (Standard, Enterprise, etc.), the ideal number of connected SECs is 200, with a maximum of 300. These counts apply to the installation of the entire SQL Server. 3. Before installing the various Safetica Insight components (SMS, SMC, SEC), ensure they will not be blocked by a firewall or antivirus software. o Add exceptions for incoming connections to the process STAService.exe and the following ports on the PCs on which the Safetica Management Service will be installed: 4438 (communication SEC -> SMS, database). 9
4441 (communication SMC -> SMS). o Add exceptions for the process STAConsole.exe on the PCs on which you will install the Safetica Insight Management Console. o Set exceptions for the following processes on the PCs on which you will install the Safetica Endpoint Client: STCService.exe, STUserApp.exe, Safetica.exe, outgoing and incoming connections. o Set exceptions for port 1433 (default port for database connection) on the PCs on which you will install the databases. 1443 (communication SEC, SMS -> SMS). 4. Download the universal installer with the latest Safetica Insight release. o The universal installer contains all components necessary for installation. 10 3.2 Safetica Insight 6 Help Installation of Safetica Management Service Safetica Management Service is a central server component of Safetica Insight. It ensures that all Safetica Insight clients (SEC), the console (SMC) and the databases are interconnected. To perform the installation, proceed as follows: 1. Launch the universal installer that you have downloaded. After selecting your language, and agreeing to the license terms, go to Installation > Safetica Management Service. 2. Here you several options: o Run the installation directly from the universal installer by clicking on Run Installer. o Extract only the Safetica Management Service installer, which you can then use separately for later installation. Note: In the third part Tools and Components you will find components essential for correct installation of the Safetica Endpoint Client or Microsoft SQL Server 2008 R2 Express. If you are going to install Microsoft SQL Server 2008 R2 Express from this installer, make sure you have installed the Microsoft Installer 4.5 component. If this component is not installed, install it now. 3. After running the installer (either from the universal installer or from the extracted one), select your language once again and accept the license terms. Select the installation folder. 4. Select the Installation Folder. 10
5. This is followed by an important step of configuring Microsoft SQL Server where the installed SMS will store its databases. 6. Before starting the installation, you can allow or disallow category database updates in further steps in the wizard. Category database update is allowed in the default mode. We recommend keeping these settings. 7. Complete the installation. Safetica Management Service will install and then launch automatically. 8. Once the installation has successfully completed, verify that the STAService.exe is running (Task Manager -> Services -> STAService running) 9. Finally, verify that you have added exceptions to your firewall and antivirus for the STAService.exe process and that ports 4438 and 4441 are not blocked. Note: By default, Safetica Insight Management Console normally uses port 4441INSIGHT for connecting DEPLOYMENT OF SAFETICA 11 to Safetica Management Service and port 4438 for connecting to Safetica Endpoint Client. You can change the settings to use different ports here as well. 3.2.1 Microsoft SQL Server settings Next, you must choose the SQL Server on which the SMS installed will store the databases. You can choose from the following options: a. Custom SQL Server If choosing this option, you can use your existing Microsoft SQL Server installation to create the database. Supported Microsoft SQL Servers are listed in the requirements. For a description of the configuration, continue to Configuring an Existing SQL Server. b. New installation of SQL Server Express If choosing this option, you will install Microsoft SQL Server 2008 R2 Express on your existing PC. The new server will be used for creating the SMS databases. For a description of the installation, continue to Installation of New SQL Server Express. c. Use existing SQL Server Express If you have an existing instance of Microsoft SQL Server 2008 R2 Express on the PC where you are going to install SMS, you can choose this last option. The existing SQL Server will be used for storing SMS databases. For a description of the configuration, continue to Configuring an Existing SQL Server. 11
3.2.1.1 Configuring an Existing SQL server If you choose your own SQL server during Safetica Management Service (SMS) installation, you need to check first if this server is correctly set for storing SMS databases. Check whether SQL Server authentication is set to mixed mode SQL Server authentication and Windows authentication (Microsoft SQL Server Management Studio -> Server settings > Security -> SQL Server and Windows Authentication mode). The SQL server must be available in the network via the TCP/IP protocol (SQL Server Configuration Manager -> SQL Server Network Configuration -> TCP/IP Enabled). A user with administration rights (sysadmin) must be created in the SQL server. Apply this user when entering the data. If you have no SQL server installed, follow the instructions and go to Installation of User's Own SQL 12 Safetica Insight 6 Help Server. If you have the SQL Server installed and it meets all criteria set the opening section, you can begin the configuration: 1. First complete the following: o IP or address enter the IP address or SQL Server name here. The SQL server must be available via this address or name both for newly installed SMS and for clients (Safetica Endpoint Client SEC) that will connect via this SMS. When filling this in, you can specify the SQL Server instance (e.g. 192.168.100.1\InstanceName). If entering a plain IP address or name, the default SQL server instance will be applied. o User name enter the name of the user for the SQL server. The user must have administration rights (sysadmin). The user will be applied for creating and connecting to all three databases that will be automatically created on the SQL server after SMS installation. o Password SQL server user name. o Database name prefix adds a prefix in front of the database name. For instance, when using the db prefix, the resulting database names will be db_main, db_log and db_category. 2. Click Verify and save. 3. Click Next, continue and finish Safetica Management Service installation. After completing the SMS installation, three databases will be created on the SQL server: o safetica_main used for storing and sharing settings between SMS and SEC. 12
o safetica_data used for storing data recorded from clients (SEC). o safetica_category used for storing applications, websites and appendices categories. Note: You can later change the connection to the Safetica Management Service via the Safetica Insight Management Console in the SMS settings section. The configuration of this connection is described in the section Safetica Management Service Configuration. Microsoft SQL Server installation If you don't have SQL Server installed proceed as follows when installing new SQL Server: 1. Install MS SQL on your server from the following components. DEPLOYMENT OF SAFETICA INSIGHT 13 2. Set up Mixed mode authentication in the relevant installation step 3. Make sure that you have the MS SQL server set to listen, for example, on port 1433. You can do this using the Sql Server Configuration Manager tool 13
14 Safetica Insight 6 Help 4. Create a new MS SQL user with sufficient rights to create databases using the Sql Server Management Studio tool. Select the authentication type in the setup as SQL Server authentication and enter a new password. 14
The connection of Safetica Management Service to these databases is set via Safetica Insight DEPLOYMENT OF SAFETICA INSIGHT 15 Management Console in section SMS settings. For a description of how to configure this connection, see the section Configuration of Safetica Management Service 3.2.1.2 Installing a new SQL Server Express If you do not own any SQL Server, you can install Microsoft SQL Server 2008 R2 Express from this installer. Note: The Express edition comes with the following restrictions: It uses only one processor. It uses maximum 1 GB of RAM. The maximum database size is 10 GB. Due to these restrictions to the Express edition of the SQL Server, the ideal number of SECs connected to SMS with this SQL server is 50, with a maximum of 70. In the configuration of the new SQL Server the following settings are entered by default: The SQL server instance name is MSSQLSERVER. The default password for the user "sa" is set to "safetica". The "sa" user will be applied for access to all three databases. After clicking the Use default values button, you can change the data shown above. For security reasons, we recommend using a different name for the user "sa". 15
After accepting the License Terms of Microsoft SQL Server 2008 R2 Express, you can click Next to launch the SQL server installation. After completion of SQL Server Express installation, click Next and enter the SQL server user name and password for the server that will be used for database access. The default user is safetica with password safetica. For security reasons, we recommend changing the default user password safetica. 16 Safetica Insight 6 Help Click Next. When SQL server configuration has been completed, click Next and confirm the settings for SQL server connection in the following dialog by clicking Verify and save. Click Next. Continue and finish Safetica Management Service installation. After successful completion of the SMS installation, three databases will be created on the SQL server: safetica_main used for storing and sharing settings between SMS and SEC. safetica_data used for storing data recorded from clients (SEC). safetica_category used for storing applications, websites and appendices categories. Note: You can later change the connection to the Safetica Management Service via the Safetica Insight Management Console in the SMS settings section. The configuration of this connection is described in the section Safetica Management Service Configuration. 16
3.2.1.3 Configuring existing SQL Server Express If you have Microsoft SQL Server 2008 R2 Express already installed on the PC where you are installing the Safetica Management Service, you can use it for creating the databases. The installer will automatically re-configure the existing SQL server installation on that PC. SMS will automatically connect to this instance and create the respective databases after installation. Note: The Express edition comes with the following restrictions: It uses only one processor. It uses maximum 1 GB of RAM. The maximum database size is 10 GB. Due to these restrictions to the Express edition of the SQL Server, the ideal number of SECs connected to SMS with this SQL server is 50, with a maximum of 70. DEPLOYMENT OF SAFETICA INSIGHT 17 In the first dialog enter the SQL server user name and password for the server that will be used for database access. The default user is safetica with password safetica. For security reasons, we recommend changing the default user password safetica. Click Next. When SQL server configuration has been completed, click Next and confirm the settings for SQL server connection in the following dialog by clicking Verify and save. Click Next. 17
Continue and finish Safetica Management Service installation. After successful completion of the SMS configuration, three databases will be created on the SQL server: safetica_main used for storing and sharing settings between SMS and SEC. safetica_data used for storing data recorded from clients (SEC). safetica_category used for storing applications, websites and appendices categories. Note: You can later change the connection to the Safetica Management Service via the Safetica Insight Management Console in the SMS settings section. The configuration of this connection is described in the section Safetica Management Service Configuration. 3.3 Installation of Safetica Management Console Insightpoint 6 Help The18 consolesafetica is the central for managing the software. It is used for setting up and managing both Safetica Endpoint Clients (SEC) and Safetica Management Services (SMS) as well as for database management, and of course for the management of Safetica Insight functions. The console also shows statistics, charts, and monitoring outputs. By using the Safetica Insight Management Console (SMC), you can manage multiple instances of SMS. All you need is a SMC running on any computer that can access the managed SMS. Neither the number of console installations nor the number of its users is limited by the license. Proceed with the installations as follows: 1. Launch the universal installer that you have previously downloaded. After selecting your language and agreeing to the license terms, go to Installation -> Safetica Insight Management Console. 2. Here you several options: o Run the setup directly from the universal installer by clicking on the Run installer button. o Extract only the SMC installer, which you can then use separately for later installation. Note: In the third part Tools and Components are components that are necessary for proper function of Safetica Enpoind Client or Microsoft SQL Server 2008 R2 Express. If you will be installing Microsoft SQL Server 2008 R2 Express from the installer, make sure you have installed the component Microsoft Installer 5.4. If not, install it from here. 3. After running the installer (either from the universal installer or from the extracted one), select your language once again and accept the license terms. Select the installation folder and complete the installation. 4. Finally, verify that you have added exceptions to your firewall and antivirus for the STConsole.exe process. 3.4 Configuration of Safetica Management Service After successful installation of the Safetica Insight Management Console and Safetica Management Service, the whole system must be set accordingly before you begin installing the Safetica Endpoint Client on the workstation. When launching the Safetica Insight Management Console for the first time, a wizard will appear and guide you step by step through the settings. Overview of main configuration steps: 1. Launch the Safetica Insight Management Console and enter the access password. A wizard will appear when it is launched for the first time. 18
DEPLOYMENT OF SAFETICA INSIGHT 19 2. Connect the Safetica Insight Management Console (SMC) to the respective server part of the Safetica Management Service (SMS) by using the default login settings: username is safetica and password is S@fetic@2004. You can administer the connection via SMC in Settings -> Connection. 3. We recommend changing the password to the safetica service account and for the console connection to the SMS. The default password is S@fetic@2004. After the change, other consoles will need to connect to the SMS by using a service account and new password. 19
20 Safetica Insight 6 Help 4. If no console has ever been connected to the SMS, you need to reconfigure the SMS. First, connect the SMS to three databases for records, settings and categories. The details will already be filled in if you entered them when installing the SMS. In this case just check the connection and continue. 5. In this step you can activate automatic maintenance of the database in which data collected from workstations is stored. Enter the maximum database size in gigabytes in the box. After Safetica Insight has exceeded this size, it will delete some records in the database. The deletion progresses from the oldest records to the newest ones. 20
DEPLOYMENT OF SAFETICA INSIGHT 21 6. In this step you can import users from the Active Directory of your company into Safetica Insight. This is possible only if the PC with the SMS is in the domain. In the left column the structure of your Active Directory will be displayed. Just mark the respective node you wish to import and confirm it with Import node. 7. Here you can set the connection to the SMTP server to be used for sending automatic notifications and reports. 21
22 Safetica Insight 6 Help 8. In this step you have the chance to input a license key for Safetica Insight. 9. Here you can choose from three predefined monitoring profiles. Select the corresponding profile by clicking one of the Activate buttons. You can also click on Apply own settings and select the desired functions manually. You can change the function settings later in the SMC via Settings -> Functions settings. 22
DEPLOYMENT OF SAFETICA INSIGHT 23 10.The initial configuration is now finished. After clicking Finish, the SMS user interface will open. 3.5 Installation of Safetica Agent The Safetica Agent is used to install, update and manage the Safetica Endpoint Client (SEC) at the end workstations. For manual installation of the Safetica Agent at the end workstation, proceed as follows: 1. Open the universal installer and select your language. Confirm the license conditions and go to Installation > Safetica Agent. 2. Here you have several options: o Launch the installation directly from the universal installer by using the Run installer button. o Extract only the Safetica Agent installer that you can use separately for later installations. Note: In the third part - Tools and Components you will find components essential for correct SEC or Microsoft SQL Server installation. If you are installing the Safetica Endpoint Client on a computer with Windows XP, make sure that you have installed the Microsoft.NET Framework 3.5 component. If this component is not installed, install it from here. 3. In the next step, fill in the following information for proper Safetica Agent connection to SMS: o Server address SMS address to which the Safetica Agent will connect. Note: You can also enter multiple addresses that can be used by the Safetica Agent to connect to one SMS. This is useful is scenarios where the Safetica Agent is installed on a laptop being used also outside the company premises where it will have a different address for SMS connection. If you enter more addresses, separate them with the symbol. Example: 192.168.100.2 158.142.12.10 145.65.87.22. o Port the port where SMS will be listening. The default port is 4438. Click on Next. 23
24 Safetica Insight 6 Help 4. After the configuration is saved, the Safetica Agent installer will launch. After clicking on Next, the Safetica Agent will install on the end workstation and then connect to the SMS. Successful Safetica Agent installation can be verified from SMC, where the user tree will show the icon with the end workstation name. SEC can be remotely installed on the end workstation with the Safetica Agent installed. Note: The Safetica Agent component will be automatically installed along with the SEC. 3.5.1 Installation using GPO If you are using Active Directory, you can bulk install the Safetica Agent using a Group Policy. To use the bulk installation, it is necessary to extract the relevant MSI package of the Safetica Agent component from the universal package. The installation will be described on an example of installation using the Group Policy in Windows Server 2008 R2. Described names and some steps may vary slightly depending on the version of the server system. 1. Start the Safetica Insight universal installer. 2. Go to Installation -> Safetica Agent -> Extract installer. In the installer configuration, enter the SMS address and port to which the Safetica Agent will connect. Save the installation package on a shared disk or shared directory in the corporate network and set access rights (read and run will be sufficient) to this folder for the desired group (probably default Domain Users and Domain Computers). 3. Go to Administrative Tools -> Group Policy Management. 24
DEPLOYMENT OF SAFETICA INSIGHT 25 4. Right-click the organizational unit to which you want to deploy the Safetica Agent and select Create a GPO in this domain and link it here... 5. Give an arbitrary name to the new object (for example, Safetica Deployment). 6. Select your newly created group policy and right-click to select Edit. 25
26 Safetica Insight 6 Help 7. In the window that opens, navigate to Computer Configuration -> Policies -> Software Settings and click on Software installation. 8. Right-click on the window with a list of software and select New Item -> Package... 9. In the MSI package selection dialog box, navigate to the shared network folder where you copied the MSI package with the Safetica Agent, and select it. 26
DEPLOYMENT OF SAFETICA INSIGHT 27 10. In the next dialog window, select Assigned and confirm. 11. Next, open Computer Setup -> Management Templates -> Windows Components -> Windows Installer. There, you should find the item Always install with elevated privileges and set it to Enabled. This ensures that the Safetica Agent will be installed on end workstations properly and without problems. 27
28 Safetica Insight 6 Help 12. After rebooting client computers for which the policy was created, the Safetica Agent will automatically install. To enforce policy updates, enter the gpupdate /force command on a client workstation. 13. Policy configuration is completed and the distribution of the Safetica Agent is ready now. When the client computers are started, the Safetica Agent installs. 3.6 Installation of Safetica Endpoint Client Safetica Endpoint Client (SEC) is the last component of the Safetica Insight product that you need to install. It is an essential component. On the client computers, it ensures the enforcement of security policies and ensures that all the functions configured in Safetica Insight Management Console (SMC) run properly. For end users, it can also provide a set of security tools for their own use. Recommended installation procedure 1. Install the Safetica Agent on the end workstation. 2. SEC installation should be performed remotely over SMC -> Settings -> Endpoint Management. Follow the instructions in the Endpoint Management section. Manual installation using the universal installer 1. Launch the universal installer that you have previously downloaded. After selecting your language and agreeing to the license terms, go to Installation > Safetica Management Client x86 or x64 this depends on which operating system version is installed on the endpoint. 2. Here you several options: o Run the setup directly from the universal installer by clicking on the Run installer button. o Extract only the SEC installer, which you can then use separately for later installation. Note: In the third part Tools and Components are components that are necessary for proper function of Safetica Enpoind Client or Microsoft SQL Server 2008 R2 Express. If you will be installing Microsoft SQL Server 2008 R2 Express from the installer, make 28
sure you have installed the component Microsoft Installer 5.4. If not, install it from here. 3. You will be asked to enter the following information before extraction or running the installer: o Server address address of SMS for SEC to connect to. Note: You can enter multiple addresses that SEC can use for connecting to a single SMS. This is useful in scenarios where SEC is installed on a laptop that is used also outside company premises, where it will have a different address for SMS connection. If you enter multiple addresses, separate them with the symbol. Example: 192.168.100.2 158.142.12.10 145.65.87.22. o Port port on which the SMS listens. The default is 4438. DEPLOYMENT OF SAFETICA INSIGHT 29 4. After running the installer (either from the universal installer or from the extracted one), select your language once again and accept the license terms. 5. Select the installation folder. 6. After successfully completing the installation, verify that the STCService.exe service is running (Windows Task Manager > Services > STCService running). 7. Finally, make sure that in your firewall and antivirus you have established exceptions for the following processes: STCService.exe, STUserApp.exe, and Safetica.exe. To configure SEC as well as the whole Safetica Insight product, proceed by reading the After Installation chapter and by carrying out the configuration. 3.7 After installation Once you have installed all Safetica Insight components, you are left with just a few final steps to take before you can start using Safetica Insight. 1. First, verify that all Safetica Endpoint Clients (SEC) are connected to the server Safetica Management Server (SMS). In the user tree, both users and computers will be shown in color. o SEC is online and connected to SMS. 29
o SEC is offline and not connected to SMS. 2. Use the License management to assign licenses to clients. Each computer will show a check mark if license has been successfully assigned. Without assigned licenses, Safetica Insight functions will not be active. 30 Safetica Insight 6 Help 3. Try activating some of the functions (e.g., Application monitoring) to see if they work properly and are collecting data. At this point, Safetica Insight is now ready to use. 30