Getting Started With Halo for Windows For CloudPassage Halo


Protecting your Windows servers in a public or private cloud has become much easier and more secure, now that CloudPassage Halo is available for Windows. Halo for Windows brings to Windows server users the same ease of use and strong protection that CloudPassage is known for in the Linux world.

With Halo for Windows, you can set up strong, automatically deployed Windows firewall protection for any Windows Server 2008 installation. You can also create and deploy a security-events policy that notifies you of potentially suspicious events. And, your server administrators can use GhostPorts multifactor authentication to achieve maximum security when remotely administering your servers.

Just follow the simple steps listed here to implement serious protection for your Windows servers.

Contents:

- Install Halo Daemons
- New Installation
- Upgrade Installation
- Start Using Halo for Windows
- Create a Server Group
- Deploy a Windows Firewall Policy
- Deploy a Special Events Policy
- Use GhostPorts for Secure Server Administration
- Advanced Techniques for Windows Daemons
- Uninstalling a Halo Daemon
- Performing Unattended Installations
- Installing a Daemon on Your Gold Master Server
- Using Halo Server Tags to Populate Server Groups

Install Halo Daemons

It's simple and fast to start securing your Windows servers with CloudPassage Halo. The first thing to do is to install the Halo Daemon (a Windows service) on one or more of your servers. You can install the Daemon on Windows Server 2008 R1 or R2. Just follow the five steps below, and you should be up and running in less than 5 minutes.

You will need:

- Administrative access to your Windows cloud server (for example, through Remote Desktop Connection)
- Registration with CloudPassage and access to the Halo Portal
- An assigned CloudPassage API key (you'll retrieve it from the Portal in Step 3)

Note: These installation instructions are also available in the Portal itself, at Servers > Install Windows Daemons.

New Installation

If you have not previously installed a Daemon on your server, follow these steps.

1 Log into your Windows server.
Log into your Windows 2008 server using a Windows Remote Desktop Connection client (or using a browser with Remote Desktop Web Access). You'll perform all five steps on your remote server.

2 Start Internet Explorer as administrator.
To launch Internet Explorer, right-click the Internet Explorer icon (or Ctrl-Shift-click if your local machine is Macintosh), and choose Run as Administrator.

3 Log into the CloudPassage Halo Portal.
Using Internet Explorer on your server, go to https://portal.cloudpassage.com and log in with the credentials sent to you when you signed up for Halo. You will need to add *.cloudpassage.com to Internet Explorer's trusted site list in order to log into the Portal. Then navigate to Servers > Install Windows Daemons. (You may also be asked to add other sites, such as Google Analytics or Marketo, to the trusted site list. It is not necessary to do that to download the Daemon installer.)

4 Download the Halo Daemon installer.
On the Daemon installation page for Windows, click Download cphalo-2.4.2-win32.exe. The installer program is copied to whatever location on your cloud server that you specify.

5 Run the installer and enter your API key.
Leaving your Internet Explorer window open, locate the installer file on your server and double-click it. The installation starts. When prompted to enter your Halo API key, return to the browser window (at Servers > Install Windows Daemon) and copy the API key from that page. Then paste the key into the API Key field in the installer. Click Install to complete the installation, then click Finish to leave the installer.

Note: You can also assign your server to a server group by specifying a server tag when you run the installer. See Using Halo Server Tags to Populate Server Groups.

You're Done! The Halo Daemon is now running as a Windows service on your server. You can close the Remote Desktop session and start configuring and monitoring your server's security through the Halo Portal accessed from your local machine. Or, you can repeat these steps to install Daemons on additional servers.

Note: For information on advanced installation techniques and uninstallation, see Advanced Techniques for Windows Daemons.

Upgrade Installation

If your server already has an installed Halo Daemon, follow these steps to upgrade:

1. Connect to your server through RDP and proceed with the installation just as described previously, up through the point of double-clicking the installer file to launch the wizard. If the existing Daemon is running, the installer will stop it before performing the upgrade. Within seconds, the Upgrade Success screen appears:

Note that you are not able to change the installation location or specify a server tag during an upgrade.

2. Click Finish to leave the installer.

Start Using Halo for Windows

Once you have installed Daemons on your servers, you're ready to put them to work. First, you'll create groups of servers that have the same firewall and other security requirements; then you'll create the policies and have Halo deploy them to the servers.

Create a Server Group

The concept of server groups is fundamental to Halo. A server group is a set of similar servers (such as all of the web servers, or all of the load-balancers) that can have the same Halo security policy. For example, all servers in a given group will use the same firewall policy.

In Halo, you assign a policy to a server group, not to an individual server. So you'll need to create server groups before any of your Halo policies (such as firewalls) can take effect.

Once you have installed daemons on a set of similar servers (or maybe just one daemon on a golden master server), follow the instructions below to create a group:

1 Log into the Halo Portal Dashboard.
Log into the Halo Portal. (Dismiss the Getting Started With Halo dialog box if it appears.) You are on the Dashboard page, which lists all existing server groups. If you were already in Halo, click the CloudPassage logo or the Servers menu to go to the Dashboard.

2 Create a new server group.
Click Add New Group at the bottom of the list of server groups.

In the dialog box that opens, give the group a name and click Save. You do not need to fill in any other fields yet. The group now appears in the list of server groups on the Dashboard.

3 Select servers and add them to the group.
On the Dashboard page, verify that your new group appears in the server-group list, then look in the Unassigned or All Servers group to find the servers that you want to add to your group. (All Servers includes every server in your installation that has an installed Daemon, whether or not it belongs to a server group. Unassigned includes only servers with daemons that belong to no group.) Only servers that already have installed daemons can appear on this page.

Use the checkboxes to select which servers to add, then choose Move Server(s) from the Actions drop-down menu to move them into your server group.

Your selected servers are now in your group. As you create policies (see following sections), you can return to the Dashboard page to assign them to this group.

Deploy a Windows Firewall Policy

Now use CloudPassage Halo to easily create a Windows firewall policy for the server group you just created. Once the policy is active and any server comes online through cloning or re-activation of a server in this group, that new server automatically receives the latest appropriate firewall policy from Halo.

1 Go to the New Windows Firewall Policy page.
In Halo, navigate to Policies > Firewall Policies and click Add New Windows Firewall Policy.

2 Create firewall rules.

   1. Enter a name and optional description for the policy.
   2. Create inbound rules: For each rule, specify whether the firewall should accept or drop incoming communication of a specified network service (such as HTTP over TCP port 80) from a specified source (such as a given IP address range or Halo server group).
   3. Create outbound rules: For each rule, specify whether the firewall should accept or drop outgoing communication of a specified network service (such as SMTP over TCP port 25) to a specified target (such as a given IP address range or Halo server group).
      Note: If you create an inbound rule that accepts a connection, you do not need to create an outbound rule that permits return communication on that connection. Halo creates those automatic corollary rules for you. The rules don't appear on the screen, but you can see them if you export the policy.
   4. Create as many rules as you need, specify default behaviors (what to do if no rules are matched), choose your logging preferences, and click Apply.

3 Open your server group details.
Back on the Halo Dashboard, click your server group's name in the group list, then click Edit Details beneath the name. The Edit Group Details dialog opens.

4 Assign the firewall policy to your server group.
In the Firewall Policies area, open the Windows Policy drop-down menu and select the name of the policy that you just created. (Note that Linux policies appear in a different field.) Then click Save.

Your firewall policy is deployed automatically to the servers in your server group and it will start protecting them right away. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Deploy a Special Events Policy

The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall configuration is changed outside of Halo, it could be a signal that something malicious has happened and you may want to be alerted in real time. You control the system by implementing a special events policy and assigning it to a server group.

1 Go to the Add New Special Events Policy page.
In Halo, navigate to Policies > Special Events Policies and click Add New Special Events Policy.

2 Choose events for logging and alerting.

   1. Enter a name and optional description for the policy.
   2. Choose the events to include in the policy. Choose which events are to be logged, which should be flagged as critical on the Security Events History page, and which you want to receive email alerts about when they occur. Note that some events are marked as Linux-only and are not available for Windows servers.
   3. When you have added all the events you want to include, click Save.

3 Assign the policy to a server group.
On the Halo Dashboard, click the name of a server group that you want this policy to apply to, then click Edit Details beneath the name. The Edit Group Details dialog opens. From the Special Events Policy drop-down menu, select the name of the policy that you just created. Then click Save.

Your special events policy is deployed automatically to the servers in your server group and it will immediately start monitoring them for the occurrences you have specified. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Note: If a server group has no assigned special events policy, the "global security events policy" is assigned by default.

4 Create and assign an alert profile.
When an event occurs on a server, an alert is sent to the Halo users listed in all of the alert profiles assigned to that server's group. If you wish to receive alerts, you must create an alert profile and assign it to your group.

   1. Go to Policies > Alert Profiles, and click Add New Alert Profile.
   2. Name the profile and choose the Halo users to add to it.
   3. Specify who receives which levels of alerts, and save the profile.
   4. Go to the Dashboard, select your server group, and click Edit Details beneath its name.
   5. On the Edit Group Details page, select your profile from the Alert Profiles drop-down list, then save your changes.

Note: If a server group has an assigned special-events policy but no assigned alert profile, any alerts generated through the policy are sent to all of your company's users that are Halo site administrators.

Use GhostPorts for Secure Server Administration

If you have a NetSec or Professional subscription to Halo, you can use GhostPorts multi-factor authentication to achieve strong protection of network access to your Windows servers. It is the most secure way to control access to administrative services on cloud servers, and it has the flexibility to allow authorized, secure access from anywhere.

With GhostPorts, your administrators can lock down all administrative ports, then use a firewall policy to dynamically open only specific ports for a specific authenticated user from a given IP address, for a defined period of time. The ports then automatically close when the time period expires.

GhostPorts works with either SMS transmission of authentication codes over a mobile phone, or with a USB device called a YubiKey from Yubico. You can order the keys directly from Yubico or by filling out the form on the CloudPassage public site, at cloudpassage.com/ghost.

Note: GhostPorts multi-factor authentication is available only to Halo users with a NetSec or Professional subscription.

To take advantage of GhostPorts' extra protection for your Windows servers, follow these steps:

1 Enable a GhostPorts user.
For each user that is to have GhostPorts access, do this on the Invite New User page (at Settings > Site Administration > Users > Invite New User) or Edit User page (at Settings > Site Administration > Users > username > Edit) in the Halo Portal:

   1. Select the checkbox to enable GhostPorts access for that user.
   2. Specify the multi-factor authentication requirement: SMS code (one-time password transmitted by phone) plus Halo credentials, or YubiKey (hardware device) plus Halo credentials.
   3. Configure the authentication method:
      - For SMS authentication, enter the user's phone number (must be a mobile account with text messaging enabled).
      - For YubiKey authentication, insert the user's YubiKey into your computer's USB port, place the cursor in the User YubiKey field on the page, and lightly touch the circle on the top of the YubiKey to enter its value into the field.

For SMS, the user now must log into Halo and verify the phone number before authenticating to GhostPorts; for YubiKey, the user can authenticate as soon as you provide the user with the configured YubiKey. Either method ensures highly secure, multi-factor authentication for accessing and administering a cloud server.

2 Set up firewall rules to handle GhostPorts users.
In the firewall policy for each server group in which you want to implement GhostPorts support, create an inbound rule that specifies that administrative access (for example, RDP for Remote Desktop Protocol) to the server through the port used (for example, 3389) is allowed only for the GhostPorts user that you have set up in Step 1. (The user appears in the Source drop-down list.) The policy should not have any other ACCEPT rules for administrative access.

When that GhostPorts user authenticates, Halo dynamically replaces the policy rule with one that allows access from the specific IP address of the computer that the user just logged in from. After a time window passes, access from even that IP address is disallowed until the user authenticates to GhostPorts again.

3 GhostPorts user: complete your authentication setup.

   - SMS: If you are an SMS-enabled GhostPorts user, you first need to log into Halo and go to the Open GhostPorts page. Follow the instructions to verify your phone number, after which you will be able to log in and authenticate to GhostPorts.
   - YubiKey: Each YubiKey-enabled user needs to have the specific YubiKey configured for that user. As soon as you obtain your device from your Halo site administrator, you will be able to log in and authenticate to GhostPorts.

4 GhostPorts user: access a remote server.
If you are a server administrator (or other user) whose GhostPorts access has been enabled, take these steps to access your server:

   1. Log into the Halo Portal and click Open GhostPorts to go to the Open GhostPorts page.
   2. Authenticate to GhostPorts:
      For SMS authentication:
      a. Click Send Authentication Code to instruct Halo to send an SMS code to your phone.
      b. When you receive the code on your phone, enter it into the Authentication Code field on the GhostPorts page, then click Submit. You have 5 minutes to enter the received SMS code into the field. The code typically arrives on your phone in less than a minute.
      For YubiKey authentication:
      a. Place your YubiKey into your computer's USB port, and click in the blank field on the GhostPorts page.
      b. Lightly touch the circle on the top of your YubiKey to transfer a one-time password value into the field.
   3. Within a few minutes, the administrative ports on your server will be open. From this computer, launch Remote Desktop Connection or other remote-access tool, and log into your cloud server as you normally do.

Your access to your cloud servers is now open, but only from the machine you authenticated from, and only for four hours (or less, if you click Close GhostPorts in the Portal to manually close them sooner than that).

Advanced Techniques for Windows Daemons

Uninstalling a Halo Daemon

You can uninstall the Halo Daemon using Add/Remove Programs.

1. In the Start menu, select Control Panels.
2. Open the Services control panel, locate the Halo Daemon service, and stop it if it is running.
3. Open the Add/Remove Programs control panel.
4. Select the Halo Daemon service from the list, and click Uninstall. The Halo installer launches, displaying the Uninstall page:
5. Click Uninstall. The Halo Daemon is removed from your server.

Performing Unattended Installations

You can use the CloudPassage installer in a non-interactive mode to install a Halo Daemon without user intervention. This capability allows you to schedule installs, perform remote installs without a remote administrator, and use a single command to bulk-provision an entire server installation with Halo Daemons.

1. Run a command-prompt window as administrator: right-click the command-prompt icon (for example, in the Start menu) and select Run as administrator from the context menu.
2. Change the current directory to the folder that contains the Halo installer file.
3. Execute a command with the following syntax:

    cphalo-2.4.2-win32.exe /S /API-KEY APIkey [/D installdir] [/TAG servertag] [/NOSTART]

   where

   S = Specifies that the installation should be silent (unattended). Must be uppercase.
   APIkey = Your 32-character Halo API key.
   installdir = (optional) The directory into which to install the daemon. If you specify nothing, the daemon is installed in either Program Files or Program Files (x86).
   servertag = (optional) This daemon's server tag. See Using Halo Server Tags to Populate Server Groups.
   NOSTART = (optional) Specifies that the daemon should not start up after installation. By default, the daemon starts when installation completes.

Installing a Daemon on Your Gold Master Server

If you use local "gold master" versions of your servers as templates from which to create cloud instances, you may want to install Halo Daemons on the gold masters. Then, when you create server instances, each will already have an installed daemon.

The installation process is the same as for installing on a cloud server. CloudPassage recommends that you start the Halo Daemon service after installing, by leaving the Start CloudPassage Halo Daemon now checkbox selected. Doing that will ensure that any cloud instances created from the gold master will have unique Halo IDs and will receive all updated Halo policies.

Using Halo Server Tags to Populate Server Groups

In the Halo Portal, the procedure for adding servers to a Halo server group is to select them manually on the Portal Dashboard and execute a command to move them into the server group of your choice. Halo allows you to automate this process and bypass manual assignment.

When you create or edit a server group in the Halo Portal, you can specify a server tag for that group. The server tag is a string of your choice. Then, when you install a Halo Daemon on a server, you can optionally specify a server tag to be associated with that daemon whenever it starts up. If a daemon's server tag matches that of any existing server group, that server is automatically assigned to the group.

Note: A server tag can contain only alphanumeric characters plus dots, dashes, and underscores. No spaces or other characters are allowed.
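The unattended-install syntax and the server-tag character rule above, combined into a pre-flight check, as an added example that is not CloudPassage's own code. The function names, the HALO_API_KEY environment variable and the sample tag are assumptions, and the optional /D switch is left out so the default install location is used.

```powershell
# Added example: hypothetical wrapper around the silent-install syntax in this guide.
# Function names and the HALO_API_KEY variable are assumptions, not part of Halo.

function Test-HaloServerTag {
    param([Parameter(Mandatory=$true)][string]$Tag)
    # Guide: alphanumerics, dots, dashes and underscores only; no spaces.
    return ($Tag -match '^[A-Za-z0-9._-]+\z')
}

function Get-HaloSilentArguments {
    param(
        [Parameter(Mandatory=$true)][string]$ApiKey,
        [string]$ServerTag,
        [switch]$NoStart
    )
    # Guide: the API key is 32 characters. Its character set is not stated,
    # so only the length and the absence of whitespace are checked here.
    if ($ApiKey.Length -ne 32 -or $ApiKey -match '\s') {
        throw 'API key must be exactly 32 characters with no whitespace.'
    }
    $argList = @('/S', '/API-KEY', $ApiKey)   # /S must be uppercase
    if ($ServerTag) {
        # Reject a bad tag before the installer runs, so a typo does not
        # leave the server outside the group whose policy it should receive.
        if (-not (Test-HaloServerTag -Tag $ServerTag)) {
            throw "Invalid server tag '$ServerTag'."
        }
        $argList += @('/TAG', $ServerTag)
    }
    if ($NoStart) { $argList += '/NOSTART' }
    return $argList
}

function Install-HaloDaemonSilently {
    param(
        [Parameter(Mandatory=$true)][string]$InstallerPath,
        [Parameter(Mandatory=$true)][string]$ApiKey,
        [string]$ServerTag,
        [switch]$NoStart
    )
    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }
    # Step 1 of the procedure: the command must run from an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Run this from a session started with Run as administrator.'
    }
    $argList = Get-HaloSilentArguments -ApiKey $ApiKey -ServerTag $ServerTag -NoStart:$NoStart
    # The key is passed on the command line, as the guide's syntax requires,
    # so it is visible in the process's command line while the installer runs.
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru
    # The guide does not document exit-code meanings; return it for the caller to log.
    return $proc.ExitCode
}

# Constructed usage: the installer file name is from the guide; the tag and the
# environment variable holding the key are made up for illustration.
# $code = Install-HaloDaemonSilently -InstallerPath '.\cphalo-2.4.2-win32.exe' `
#             -ApiKey $env:HALO_API_KEY -ServerTag 'web-servers'
```

Reading the key from an environment variable or a prompt keeps it out of the provisioning script itself.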

There are several ways to assign a server tag:

- When running the installer wizard
  The installer includes a screen that you can enter the tag into.

- When executing an unattended install
  Use the /TAG servertag option on the command line.

- By using the Windows Service Manager after installation
  a. Open the Services control panel. For example, from the Start menu, select Administrative Tools and then Services.
  b. Right-click the line for the CloudPassage Halo Daemon service, then select Properties from the drop-down menu.
  c. In the Properties dialog, enter the tag assignment in the Start parameters field, using this format: /tag=tagname
  d. Now start the service by clicking Start.

  Important: Do not click OK without first clicking Start. If you click OK first, the tag will not be assigned to the Daemon.

Note that it is also possible to add servers to groups programmatically. If you are interested, follow the Halo API Documentation link on the Support Resources page of the Halo Portal to obtain the documentation.

Copyright 2012 CloudPassage Inc. All rights reserved.