
Windows 2008 & 2008 R2 SSIM Integration

Integration of Windows 2008 Server with SSIM using Domain Account

The SSIM integration activity consists of two parts, as mentioned below:

1. Activity to be performed on Windows 2008 server

2. Activity to be performed on SSIM

1. Activity to be performed on Windows 2008 Server

OBTAIN THE FQDN (Fully Qualified Domain Name) of the monitored server & its OS
version:

Use this host name in SSIM's sensor configuration to fetch the logs through off-box
integration. The hostname should contain the complete domain name (in case of a member server) or
the workgroup name. Note down the FQDN & OS version details; they will be required at
the time of sensor configuration.

CHECKING THE WINDOWS FIREWALL STATUS

You need to determine if the Windows Firewall is running.

To determine if the firewall is running, type the following command from a command prompt:

netsh advfirewall firewall show rule name=all

- If the firewall is running you will see a very long list of firewall rules; skip this
step & move ahead to the next step (step 3, CONFIGURE WINRM).
- If the firewall is not running you will see the error "An error occurred while attempting
to contact the Windows Firewall service..."; in that case start the Windows Firewall service &
then, under Windows Firewall settings, turn the firewall status OFF.

Please refer to the screenshot below for more details.

CONFIGURE WINRM

Run the below commands to configure the WinRM service on the 2008 server.

Run winrm quickconfig and answer Y to accept the changes. If WinRM is already configured, it will show the
message below.
The command performs the following operations:

- Starts the WinRM service and sets the service startup type to auto-start
- Configures a listener for the ports that send and receive WS-Management protocol
messages using either the HTTP (5985) protocol or the HTTPS protocol
- Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and
opens the ports

Now we will set specific parameters for WinRM.

We will configure WinRM to allow unencrypted traffic, as we are using HTTP for communication &
not HTTPS:

From a command prompt:


winrm set winrm/config/service @{AllowUnencrypted="true"}

As we are using Kerberos authentication, we will disable basic authentication for WinRM:

From a command prompt:


winrm set winrm/config/service/Auth @{Basic="false"}

The winrm quickconfig command enables Remote Shell access by default.

For security, Symantec recommends that you disable the Remote Shell access.

When you run winrm get winrm/config, the following line is displayed:

AllowRemoteShellAccess = true

To turn the default off, type the following command:

winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"}

CONFIGURE USER / GROUPS ACCOUNTS

- Open the Server Manager.
- Expand Local Users & Groups.
- Expand Groups.
- Add the user ID ssimtest01 to the members of the "Event Log Readers" group.
- Add the Network Service account to the Event Log Readers group, as the WinRM service is
executed by Network Service (run the following command from a command prompt):

net localgroup "Event Log Readers" /add "NT Authority\Network Service"

CONFIGURE WINDOWS SECURITY DESCRIPTOR

Network Service must be allowed to read the Windows Security log via the WinRM service, because in
Windows 2008 the Security event log is restricted to very few users. To do this, append the access
control entry for Network Service, (A;;0x1;;;S-1-5-20) (NS is the SDDL alias for the same account, so
(A;;0x1;;;NS) is equivalent), to the log's channel access string by running the commands below.
Note that /ca sets the whole channel access string rather than appending to it, so check the current
value with wevtutil gl security first and keep the ACEs already present in it.

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)

The above command grants Network Service read-only access (0x1) to the Security event log.

CONFIGURE WINDOWS FIREWALL RULE (If Firewall is enabled)

After ensuring that the firewall service is enabled and running, you can use the commands
below.

netsh advfirewall firewall show rule name=all

Commands for opening up the Windows Firewall port

Enter the following command from the command prompt:

For Windows Server 2008 with WinRM 1.1 (listener on TCP 80):

netsh advfirewall firewall add rule name="Windows Remote Management" dir=in action=allow protocol=TCP localport=80

OR

For Windows Server 2008 R2 with WinRM 2.0 (listener on TCP 5985):

netsh advfirewall firewall add rule name="Windows Remote Management" dir=in action=allow protocol=TCP localport=5985

You can also create the WinRM listener on a custom port to avoid any port clash with existing
running applications (in that case open the custom port in the firewall rule instead of 80/5985):

This command will create a WinRM listener on custom port 8888:

winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}

GET THE FINAL OUTPUT OF THE FOLLOWING COMMANDS & reconfirm the settings
made:

Type the following command from a command prompt:

winrm get winrm/config

It should return these settings under the Service section:

Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false

To determine the port and IP address that the listener is active on, from a command prompt:

winrm enumerate winrm/config/Listener

What to inspect:
DefaultPort - the port the service is listening on
ListeningOn - the port and address that the service is listening on

Run the wevtutil command to get information about access rights:

wevtutil gl security

Also note down the following information before moving to the sensor configuration:

1. FQDN of the target server
2. Server OS version (Windows Server 2008 or 2008 R2)
3. The output of the following commands:

winrm get winrm/config

winrm enumerate winrm/config/Listener

wevtutil gl security
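The re-confirmation above, as an added PowerShell script that is not part of the Symantec document: it runs the same winrm, net and wevtutil commands used in the steps above on the monitored 2008 / 2008 R2 host (assumed to be an elevated prompt) and reports any setting that deviates from what this procedure asks for.

```powershell
$failures = @()

function Get-WinrmSetting([string]$uri, [string]$name) {
    # Value of "<name> = <value>" in the output of "winrm get <uri>". Querying the
    # narrow URI (service/Auth, not config) avoids picking up the Client\Auth values.
    foreach ($line in (winrm get $uri)) {
        if ($line -match "^\s*$name\s*=\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

# 1. WinRM settings this document asks for (AllowUnencrypted=true is the document's
#    choice because it collects over HTTP with Kerberos, not HTTPS).
$expected = @(
    @{ Uri = 'winrm/config/service/Auth'; Name = 'Basic';                  Want = 'false' },
    @{ Uri = 'winrm/config/service/Auth'; Name = 'Kerberos';               Want = 'true'  },
    @{ Uri = 'winrm/config/service';      Name = 'AllowUnencrypted';       Want = 'true'  },
    @{ Uri = 'winrm/config/Winrs';        Name = 'AllowRemoteShellAccess'; Want = 'false' }
)
foreach ($e in $expected) {
    $got = Get-WinrmSetting $e.Uri $e.Name
    if ($got -ne $e.Want) { $failures += "$($e.Name) is '$got', expected '$($e.Want)'" }
}

# 2. Event Log Readers must contain Network Service, the account WinRM runs as.
$members = net localgroup "Event Log Readers"
if (-not ($members -match 'NETWORK SERVICE')) {
    $failures += 'NT AUTHORITY\Network Service is not a member of Event Log Readers'
}

# 3. The Security channel SDDL must carry an allow ACE with read (0x1) for S-1-5-20.
#    The SDDL is parsed rather than string-matched, so "NS" and the raw SID both count.
$caLine = wevtutil gl security | Where-Object { $_ -like 'channelAccess:*' }
$sddl = ("$caLine" -replace '^channelAccess:\s*', '').Trim()
$nsRead = $null
if ($sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $nsRead = $sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq 'AccessAllowed' -and
        $_.SecurityIdentifier.Value -eq 'S-1-5-20' -and ($_.AccessMask -band 1)
    }
}
if (-not $nsRead) { $failures += "Security log channelAccess grants Network Service no read access: '$sddl'" }

# 4. Report the listener port; it goes into the SSIM sensor's Connection port field.
$port = (winrm enumerate winrm/config/Listener | Where-Object { $_ -match '^\s*Port\s*=' }) -replace '^\s*Port\s*=\s*', ''

if ($failures.Count -eq 0) { Write-Output "All checks passed. WinRM listener port(s): $port" }
else { $failures | ForEach-Object { Write-Output "CHECK FAILED: $_" } }
```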

2. Activity to be performed on SSIM:

SSIM Sensor Configuration for OFF BOX Collection

We are creating a new sensor configuration under "Microsoft Windows Vista® Event
collector 4.4". This collector is compatible with Windows 2008 & Vista.

Step 1: In Monitored Host Name enter the FQDN of the server to be monitored (localhost,
127.0.0.1 or the actual IP address will not be able to create the connection through the WinRM service).

Step 2: In Monitored Host Realm enter the realm of the domain (testdom.com); this can be found by
running the ksetup command on the server from which the logs need to be fetched.

Step 3: In Connection Port use 80 or 5985 for HTTP, or 5986 for HTTPS communication.
(For HTTPS communication to work, a Certificate Authority must be installed on the domain and
the certificate retrieved for use in the SSIM Agent configuration for log collection.)

Step 4: In Monitored Host Account Name enter the domain ID (or its equivalent ID) to be used for
log collection. (Use only the user ID; do not use the domain\username format.)
