STEALTHbits Technologies, Inc.
StealthAUDIT v5.1
Table of Contents
Overview ... 3
Installation Overview ... 3
Hosting System Requirements ... 4
Recommended System Requirements ... 4
Additional Steps ... 5
Target Hosts ... 9
Security ... 9
Ports... 10
SMP Data Collector Matrix ... 10
Appendix A – Installation... 13
Installing the StealthAUDIT Management Platform ... 13
Appendix B – Solution Permissions & Configuration ... 20
SMP for SharePoint Permission Requirements ... 20
Overview
This document outlines basic requirements to successfully operate StealthAUDIT to its full capacity. Please note that these requirements represent the optimal configuration to enable full functionality. Failing to meet some requirements may result in StealthAUDIT functioning at a lesser capacity.
Installation Overview
StealthAUDIT installs to a single workstation or server from which data collection occurs. The application is entirely self-contained and requires access to Microsoft® SQL Server® (2005 or greater) database to operate. Organizations seeking more advanced data collection capabilities may seek to deploy multiple satellite StealthAUDIT nodes and a centralized Microsoft® SQL Server® to store collected data (See Figure 1).
Hosting System Requirements
The system hosting StealthAUDIT requires only modest hardware. Hardware recommendations are heavily influenced by:
The size and distribution of the targeted network (quantity and locations of hosts). The complexity of each job (how much data is being returned from each host). The frequency of scheduled job runs.
Data retention settings.
Recommended System Requirements
SMP Console Requirementso Windows Server® 2008 (x64) o Dual Core or Multiple CPU (2 GHz +) o 4GB or more RAM
o 30+ GB Available Disk
Additional Steps
There are a few additional steps that need to be completed or verified to be successful in building a StealthAUDIT console machine:
1. Verify availability of a Microsoft® SQL Server® instance a. Supported Versions
i. SQL Server® 2005 (Express (POC only), Standard, and Enterprise Editions) ii. SQL Server® 2008 (Express (POC only), Standard, and Enterprise Editions)
1. Preferred: SQL Server® 2008 Enterprise Edition
2. A free copy of SQL Server® 2008 Express with Tools Edition is available by clicking here. This instance can reside on the same machine as the StealthAUDIT console, but does not have to.
b. Permissions
i. StealthAUDIT requires the ability to Create, Delete, Update, Drop, Read, and Join tables within the SQL database in order to function as expected. Full database owner rights are recommended to ensure proper operation.
ii. If database owner rights cannot be obtained, the following script can be executed against the StealthAUDIT database to grant the necessary permissions to the appropriate users:
USE [<stealthaudit>] GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE [type] = 'R' AND [name] = '<SA User ID>')
EXEC sp_addrole '<SA User ID>' GO
EXEC sp_addrolemember 'db_datareader', '<SA User ID>' GO
EXEC sp_addrolemember 'db_datawriter', '<SA User ID>' GO
GRANT CREATE TABLE TO [<SA User ID>] GO
GRANT CREATE VIEW TO [<SA User ID>] GO
GRANT ALTER ON SCHEMA::dbo TO [<SA User ID>] GO
GRANT EXECUTE ON SCHEMA::dbo TO [<SA User ID>] GO
GRANT INSERT ON SCHEMA::dbo TO [<SA User ID>] GO
c. Authentication
i. StealthAUDIT allows for the use of both SQL and Windows Authentication to connect to the database.
1. Recommended: Windows Authentication d. Database Maintenance
i. StealthAUDIT relies on a SQL backend for data storage for all of its jobs, analysis, and actions. For disaster recovery reasons, the database should be backed up on a scheduled basis that is acceptable for recovery of data collection. Additionally, the backup process will flush any transaction log files. Depending on usage volume, backup schedules should be adjusted to flush and shrink the size of the transaction logs. Please refer to Microsoft or your 3rd party provider for your Microsoft SQL backup solution on how to configure and schedule backups to clear transaction logs at an interval that meets your needs. 2. Install Adobe® Flash®
a. Download
i. If Flash® is not already installed you can download the software by clicking
here. b. Additional Info
i. STEALTHbits also recommends turning off Windows® Internet Explorer® Enhanced Security Configuration for the administrator group if you want to be able to render reports on the StealthAUDIT console.
3. For Microsoft® Exchange Server data collection only a. Exchange Server 2000/2003
i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions
1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second.
b. Exchange Server 2007/2010 or Mixed 2003/2007/2010 Environment
i. Install Exchange MAPI CDO objects, StealthAUDIT Exchange MAPI CDO object extensions
1. IMPORTANT: Install Exchange MAPI CDO first, then the StealthAUDIT Exchange MAPI CDO package second.
ii. Exchange 2010 Data Collection
1. In order for SMP Exchange Data Collectors to work properly against Exchange 2010, please review the configuration options that need to be set and implement them prior to collection in Appendix B
4. SMP Exchange/BlackBerry/Access Information Center Prerequisites (NOT REQUIRED UNLESS INSTALLING THE EXCHANGE, BLACKBERRY, OR ACCESS INFORMATION CENTERS)
o Microsoft Internet Information Services (IIS) 7
Ensure ASP.NET and Security/Windows Authentication features are installed o Install .NET Framework v3.5
o Install Microsoft SilverLight on the client where you plan to run the browser 5. Install the StealthAUDIT Management Platform (SMP)
a. Console
i. Using the installation media provided to you by your STEALTHbits Account Representative, download the executable to the system StealthAUDIT is to be installed on.
ii. Follow the instructions in the installation wizard to install and configure the application.
1. For more detailed instructions on how to install the StealthAUDIT Management Platform, see Appendix A.
b. License Key
i. Copy and Paste the StealthAUDIT License Key (StealthAUDIT.LIC) into the root of the installation (typically C:\Program Files\STEALTHbits\StealthAUDITV5).
1. NOTE: This key is available from your STEALTHbits Account Representative.
6. StealthAUDIT Credential Sets
a. STEALTHbits recommends using an ID with full administrative privileges to the targeted hosts in order to maximize the amount of data that can be collected by StealthAUDIT; however, this is not required in order for the application to function properly. If full administrative privileges are not available, simply create a StealthAUDIT Connection Profile using credentials with the proper rights to the information you want to collect. Configuring Connection Profiles are performed in the Global Options of StealthAUDIT under the Welcome\Connections node. Connection Profiles can also be created during installation of StealthAUDIT through the installation wizard.
i. Windows® Auditing 1. Local Admin ii. Active Directory
1. Domain Admin iii. Exchange Auditing
1. Exchange Admin and Local Admin
2. Access to System Attendant Account – MAPI Authentication iv. BlackBerry® Auditing
1. Local Admin to the BES Server 2. Read Access to the BES SQL Database v. SharePoint Auditing
1. See Addendum B for full details 7. Publishing Reports
Target Hosts
StealthAUDIT query targets must be Microsoft® Windows® based systems with an OS minimum requirement of Windows® 2000. Windows 9x, NT, or Home Edition hosts will be detected on the network, but are not supported for auditing.
StealthAUDIT also provides limited support for Linux® and UNIX® host detection and auditing. Red Hat, SUSE, and AIX are currently supported, with additional version support coming in the near future. Various 3rd Party storage platforms such as NetApp® Storage Controllers and EMC® Celerra devices are supported for auditing as well. StealthAUDIT does not currently support other non-Windows hosts.
Security
StealthAUDIT leverages a snap-in Data Collector (DC) architecture. Each DC module exposes a discreet data source (for example: the Windows Registry) and is implemented as a .DLL housed in the StealthAUDIT\DC folder.
Each DC must connect to a target host in order to obtain data during an audit. Most Windows® administrative data is obtained via RPC; hence, a shared RPC connection is utilized. StealthAUDIT Data Collectors expose Windows®-based administrative data by calling into the Windows API functions in the same way native Microsoft administration tools do. Thus, StealthAUDIT is in effect never connecting directly to the managed host, but rather the underlying Microsoft API’s. The dependent network layers are communicating with peer layers on the target host; providing transparent communications to the data consumer. These connections are made in the security context of the active logged-on user or in the context of an impersonated user via optionally supplied credentials; both domain level and target host local accounts are supported. Supplied credentials are encrypted in a security profile using MD5 encryption and stored in the local file system.
STEALTHbits Technologies recommends providing StealthAUDIT (either through a logged-in user or impersonation credentials) full administrative access to the target host for greatest availability of data to collect. In some cases where this may not be possible, StealthAUDIT may still be able to successfully obtain data from the remote host depending on the nature of the query. For example, to query large portions of the remote registry, only user access is required.
Netwo rk Trans port Protoc ol Data API Native Tool Data Collec tor Target Host StealthAUDIT Workstation Stealt hAUD IT Optional User Impersonation User Impersonation Logged in User
Microsoft API’s and Network Layers
Firewalls
StealthAUDIT, via the Operating System API’s, establishes direct connections between the StealthAUDIT host and the target host. Any firewalls between the two application layers must be configured to provide trusted, rich access between the two hosts. In most cases where firewalls are encountered, organizations will configure the firewall to trust the IP Address or subnet where StealthAUDIT resides.
Ports
StealthAUDIT currently supports a range of Windows and industry protocols as documented in the following table. For proper operations, network administrators should ensure that RPC communications are available between the StealthAUDIT console and the target hosts including:
RPC TCP ports 135-139 RPC TCP/UDP Port 445
RPC TCP ports 1024 – 1100 (dynamic) SSH TCP port 22 (UNIX® and Linux® support) Additional optional ports:
ICMP TCP port 7 (Ping)
HTTP TCP Port 80 (MS Patch database download) SMTP TCP 25 (email notification / report submission)
SMP Data Collector Matrix
Data
Collector
Description
Protocols
Ports Used
Recommended
Permissions
Active Directory
Auditing objects published in AD LDAP RPC TCP 389 TCP 135-139 Randomly allocated high TCP Ports Domain Admin
AD Inventory Inventories AD User and Group information for correlation purposes throughout all StealthAUDIT Solution Sets
LDAP RPC TCP 389 TCP 135-139 Randomly allocated high TCP Ports Domain Admin
BlackBerry Auditing BlackBerry properties and BES database information
ODBC
Remote Registry
TCP 1433 TCP 139 and 445
Local Admin to the BES Server
Read Access to the BES SQL Database
Command Line Utility
Provides the ability to remotely spawn, execute, and extract data provided by Microsoft native command line utilities.
RPC Remote Registry TCP 135-139 Randomly allocated high TCP Ports Local Admin
Disk Provides enumeration of disks and their associated properties
RPC TCP 135, Randomly allocated high TCP Ports
Local Admin
DNS Provides information regarding DNS configuration and records
RPC TCP 135, Randomly allocated high TCP Ports
Domain Admin
Controllers E2K (Exchange Configuration) Provides Exchange 2000/2003/2007/2010 admin property extraction RPC LDAP TCP 135-139, Randomly allocated high TCP Ports TCP 389 Optionally TCP 445 Exchange Admin
Domain Admin for Active Directory property collection Exchange Mailbox / Public Folder
Provides statistical, content, and permission reporting on mailboxes and public folders
MAPI over RPC TCP 135, Randomly allocated high TCP Ports
Exchange Admin
Exchange Metrics
Provides metrics information from Exchange tracking logs
RPC TCP 135, Randomly allocated high TCP Ports
Local Admin
Domain Admin
File File and folder enumeration, properties, permissions RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445 Local Admin File System Access (FSAA)
Access rights via Shares, Folders, and Policies RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445 Local Admin Domain Admin
Group Policy Auditing GPO settings and properties LDAP RPC TCP 389 TCP 135-139 Randomly allocated high TCP Ports Domain Admin
INIFile INI and INF file content search and extraction RPC TCP 135-139, Randomly allocated high TCP Ports Optionally TCP 445 Local Admin
LDAP Search for and extract Active Directory and Exchange 5.5 directory properties
LDAP TCP 389 Domain Admin
ODBC Query ODBC compliant databases for tables and table properties
ODBC TCP 1433 Database Read Access
Patch Check Provides patch verification and optional automatic bulletin downloads from Microsoft
RPC HTTP ICMP TCP 135-139 Randomly allocated high TCP Ports TCP 80 TCP 7 Local Admin
Perfmon Performance monitor counter data samples
PRC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
PowerShell Provides PowerShell Script exit from StealthAUDIT
N/A N/A N/A
Registry Enumeration and extraction from remote registries
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Script Provides VB Script exit from StealthAUDIT
N/A N/A N/A
Services Enumeration, status and settings from remote services
RPC TCP 135-139 Randomly allocated high TCP Ports Local Admin SharePoint Access
Assesses access rights throughout the SharePoint infrastructure
SP Web Services MS SQL Remote Registry
MS SQL (connection string) read from Registry on SharePoint Server
SP Web Services (web app urls) read from SharePoint configuration database Remote read access to SharePoint server’s registry Read access to configuration database Read All permissions for each web app policy in SharePoint farm
SharePoint Content
Assesses SharePoint content related information
SharePoint Activity
Assesses access activity details within SharePoint
details from Windows® Event Logs (online or offline) and Microsoft® Internet Information Server® (IIS) logs
allocated high TCP Ports Domain Admin if targeting Domain Controllers SQL SQL database configuration, permissions, and data extraction
ODBC Remote Registry TCP 1433 Local Admin to SQL Server Read access to SQL Database
SystemInfo A collection of various properties RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Text Search Enables searching through text based log files
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Unix Host inventory, Software inventory, logical volume inventory on UNIX® & Linux® platforms SSH TCP 22 User configurable ROOT Users & Groups
Auditing user and group accounts, both local and domain. Extracting system policies
RPC TCP 135-139 Randomly allocated high TCP Ports Local Admin Domain Admin if targeting Domain Controllers
WMI Browsing and extraction of WMI objects and properties
RPC TCP 135-139 Randomly allocated high TCP Ports
Local Admin
Appendix A – Installation
Installing the StealthAUDIT Management Platform
Part 1 of 2 – SMP Installation Wizard
Step 1: After downloading StealthAUDIT, run the installation wizard by double-clicking StealthAUDIT.exe:
Step 3: Choose which product components to install and which directory the application should be installed in:
Step 4: Click “Next” on the “Ready to Install the Application” menu to begin the installation process:
Part 2 of 2 – SMP Configuration Wizard
For first time users, select “I am a first time StealthAUDIT user” and then select OK.
Step 2: In the “Welcome: Initial Settings” wizard, select “next” to begin the process of setting up a database profile, connection credentials, and an initial discovery query to identify systems in the environment:
Step 3: In the “SQL Server Settings” menu, enter the following information to create a StealthAUDIT Database Profile:
methods. If using SQL Authentication, input a User Name and Password, otherwise, SMP will leverage the credentials currently running the application through Windows Authentication.
Database – Choose to create a new database or leverage an existing StealthAUDIT database if present.
Step 5: In the “Query Sources – Host Discovery Source” menu, select the method you’d like to use for discovering your environment. Your choices at initial setup are limited to the
following:
Scan your IP network
Browse your Windows Network Neighborhood
Query an Active Directory Server
o General AD Query – Best used for discovering machines contained in multiple locations within the AD structure (i.e. Desktops and Servers) o Exchange Servers Only – Best used for discovering just Exchange Servers o Domain Controllers Only – Best used for discovering just Domain
Controllers
*If you’d like to import your machine listings from a text file, .csv file, or another database, hit cancel and configure your discovery query through the Host Management node in the left-side tree menu.
Step 6: In the “Instant Job” menu, select the instant solutions you’d like to install into your job tree.
Appendix B – Solution Permissions & Configuration
SMP for SharePoint Permission Requirements
The following details the permissions that need to be granted to a domain user in order for them to be used as the connection profile account of StealthAUDIT to run the SharePoint jobs. These instructions assume administrative knowledge of SharePoint and access to the servers which are hosting the SharePoint farms which need to be audited.
To configure your SharePoint connection profile user you must do the following:
Add it as a member of local Backup Operator group on a SharePoint application server for the farm that will be audited in order to access registry remotely. By default only members of Local Administrators and Backup Operators has access to remote registry so Backup Operators group provides least privilege.
Add it as a member of local WSS_WPG group on the same SharePoint application server(s). Members of this group have read access to system resources used by Microsoft SharePoint Foundation 2010.
Grant the user Full read on every web application through a web application policy. This is done through Central Administration. I can show you how to do this if you need.
Add the user as a Site Collection administrator in Central Administration site collection in case if you need scan Central Administration (also do this for the Help site collection in SharePoint 2010). If the customer doesn’t care about monitoring Central Admin then this can be skipped. Grant the user WSS_Content_Application_Pools role and db_datareader role in configuration
database for each farm.
Grant the user the db_datareader role on every content database for a farm.
Execute the following script against every content database in the farm, replacing “DOMAIN\USER” with the account being configured:
grant execute on proc_ListAllWebsOfSite to "DOMAIN\USER"
grant execute on proc_GetWebId to "DOMAIN\USER"
grant execute on proc_SecListSiteGroupMembership to "DOMAIN\USER"
grant execute on proc_SecListAllSiteMembers to "DOMAIN\USER"
grant execute on proc_SecListAllWebMembers to "DOMAIN\USER"
grant execute on proc_SecListSiteGroups to "DOMAIN\USER"
grant execute on proc_SecGetRoleAssignments to "DOMAIN\USER"
grant execute on proc_SecGetRoleBindingsForAllPrincipals to "DOMAIN\USER"
Exchange 2010 Data Collection
For Microsoft Exchange Server 2010, all communication to the private and public stores must go through a Client Access Server. Due to these changes, additional properties have been added to SMP Data Collectors requiring configuration changes that need to be set before being able to collect data from Exchange 2010 servers.
Welcome Settings:
A user alias needs to be set for each query that requires this information. This can be done at the top level for job configuration. The user alias can be any mail-enabled Exchange 2010 account that is utilized for connection to the Exchange Server. It does not need escalated privileges to Exchange.
Public Folder Queries:
In the Public Folder data collector, specific settings need to be set for the Public Folder data collection to work properly against Exchange 2010.
2. A Client Access Server needs to be set so the data collector can connect to it to access the public store for Exchange 2010.
3. The Option to “Process folders that physically reside on the target server only” needs to be
unchecked. Since Exchange 2010 supports public folders in a different manner than previous
Exchange Mailbox Data Collection
Data collection for Exchange Mailboxes for 2010 is similar to how the Public Folder data collection works. 1. The user alias will need to be set unless it has been set at the Global Level
Exchange2k Data Collection
The following categories within the Exchange2K data collector need the properties set for data collection from Exchange 2010 servers.
Exchange Organization o Users Mailbox Stores Public Folders OrphanedMailboxes OrphanedPublicFolders
1. The user alias will need to be set unless it has been set at the Global Level
