
SecurityIQ SharePoint Server Agent Installation Guide

SecurityIQ Version: 4.2

SecurityIQ for Business User Guide    Page 2 of 26    Agent Installation & Configuration

Copyright © 2016 SailPoint Technologies, Inc., All Rights Reserved.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual or the information included therein, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's Specially Designated Nationals (SDN) List; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.

Copyright and Trademark Notices.

Copyright © 2016 SailPoint Technologies, Inc. All Rights Reserved. All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet web site are protected under United States and international copyright and trademark laws and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.

“SailPoint Technologies & Design,” “IdentityIQ,” “IdentityNow,” “AccessIQ,” “Identity Cube,” and “Managing the Business of Identity” are registered trademarks of SailPoint Technologies, Inc. “SecurityIQ,” “SailPoint” and the SailPoint logo are trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated.


Table of Contents

1. Agent Installation & Configuration ... 4

1.1. Overview ... 4

2. General ... 5

2.1. Agent Operation Principles ... 5

2.2. Entitlements Collector Operation Principle ... 5

2.3. Monitored Activities ... 5

2.4. Supported Versions ... 6

3. Prerequisites ... 7

3.1. Software Requirements ... 7

3.2. Permissions ... 7

3.3. Configure View Activities Monitoring ... 9

3.4. Communications Requirements... 11

4. Add New Application Wizard ... 12

5. Installation of Services ... 20

5.1. Entitlement Collector Installation ... 20

5.2. Run the Crawling Task ... 25

5.3. Business Application Monitor Installation ... 25

5.4. Data Classification Installation ... 25

6. Verification ... 26

6.1. Services ... 26

6.2. Agents Services ... 26

6.3. Logs ... 26

6.4. Monitored Activities ... 26

6.5. Entitlements Collection... 26

1. Agent Installation & Configuration

1.1. Overview

1.1.1. Installation Flow

1. Configure all of the prerequisites.

2. Add a new application to the SecurityIQ Administrative Client.

3. Install the BAM/Entitlement Collector/Data Classification (optional) services.

1.1.2. Where to Install?

1. Business Application Monitor - Must be installed locally on one of the SharePoint application servers, and run with a dedicated user.

2. SharePoint Entitlements Collector – Must be installed locally on one of the SharePoint application servers, and run with a dedicated user.

3. SharePoint Data Classification – Must be installed remotely on a SecurityIQ monitor application server.

2. General

2.1. Agent Operation Principles

SecurityIQ Agent for SharePoint uses two separate mechanisms to audit user activities:

1. Fetching audits from SharePoint's audit facilities. The SharePoint audit is used to audit all events except View. Monitoring View events through the SharePoint audit can place extreme load on the SharePoint content database, so a different approach is needed.

2. Analyzing IIS logs for View event auditing. View events are collected from the IIS log files.

Installation is required on one of the SharePoint farm servers.

SecurityIQ monitors activities from all of SharePoint's farms from a central location (locally on one of the SharePoint farm servers).

The installation does not require rebooting any SharePoint server.

Adding a SharePoint backend server does not require any additional configuration.

Adding a SharePoint front end server requires adding its IIS logs path to SecurityIQ and granting Read permissions on its log folder (if View actions are monitored).

Monitored activities can include audits from all Site Collections or from selected Site Collections, as described in the Add Application Wizard section below.

2.2. Entitlements Collector Operation Principle

SecurityIQ connects through SharePoint's Server API and analyzes the local and domain user permissions of its objects.

2.3. Monitored Activities

Table 1. Monitored Activities

Action             Meaning
Check In           A file was checked in.
Check Out          A file was checked out.
Child Delete       A file/folder was deleted under a list/folder.
Copy               A file was copied.
Delete             A file was deleted.
Move               The location of an object was changed.
Profile Change     An account profile was changed.
Schema Change      An SPS schema was changed.
Search             A search query was sent using the SharePoint API.
Security Change    Security changes were made (such as inheritance breaking, group creation, or group membership changes).
Undelete           An object was restored.
Update             Object properties were updated.
View               A file was accessed/downloaded.
Workflow           The workflow was continued.
Audit Mask Change  Audit settings were changed on a SharePoint object.

2.4. Supported Versions

• SharePoint 2007 SP2 and above
• 32- and 64-bit support

3. Prerequisites

3.1. Software Requirements

• Business Asset Monitor
  SharePoint 2007 and 2010: Microsoft .Net Framework 3.5
  SharePoint 2013: Microsoft .Net Framework 4.5

• Entitlement Collector
  SharePoint 2007 and 2010: Microsoft .Net Framework 3.5
  SharePoint 2013: Microsoft .Net Framework 4.5

• Data Classification
  Microsoft .Net Framework 4.5

• Watchdog (installed automatically when an Entitlement Collector/Data Classification is installed)
  Microsoft .Net Framework 4.5

Note: If installing on a SharePoint 2007/2010 without .Net Framework 4.5, the Watchdog service will not be installed.

3.2. Permissions

1. Create a designated domain user in the domain in which SharePoint works (for example, siq_wss).

a. Make the user a Local Administrator on the front end server on which the agent is installed.

b. Assign that user as a "Site Collection Administrator" for all Site Collections, using the Web Application Policy Rule to assign these permissions.

c. Assign the user permissions to access all IIS logs on all front ends through UNC.

d. Assign that user as the "Site Collection Administrator".

2. Grant the following permissions in each of the SharePoint databases listed below:

Admin DB
  DB Data reader
  Execute on DBO schema
  Create tables

Config DB
  DB Data reader
  Execute on DBO schema

Content DB (can be multiple DBs)
  DB Data reader
  Execute on DBO schema

Note: SailPoint Security Professional Services has a script to generate the required permissions for the database.
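The SailPoint script mentioned in the note is not included in this guide. The following PowerShell script is an added example of how the database grants of section 3.2 can be applied; it is not SailPoint's script. The SQL instance name, the account name and the database names are assumptions, and the script needs the SqlServer PowerShell module (Invoke-Sqlcmd) on the machine it runs from.

```powershell
# Added example, not SailPoint's Professional Services script: grants the SecurityIQ
# service account the database permissions listed in section 3.2 through the SqlServer
# module's Invoke-Sqlcmd. All names below are assumptions for this example.
$SqlInstance    = 'SP-SQL01'                          # assumed SharePoint SQL Server instance
$ServiceAccount = 'CORP\siq_wss'                      # assumed dedicated agent account (siq_wss, as in step 1)
$AdminDb        = 'SharePoint_AdminContent'           # assumed Admin DB name
$ConfigDb       = 'SharePoint_Config'                 # assumed Config DB name
$ContentDbs     = @('WSS_Content', 'WSS_Content_HR')  # assumed Content DBs (can be multiple)

# Server-level login for the Windows account (no-op if it already exists).
$loginSql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $loginSql

function Grant-SiqDbPermissions {
    param(
        [Parameter(Mandatory)] [string] $Database,
        [switch] $AllowCreateTable   # only the Admin DB needs "Create tables"
    )
    # db_datareader = "DB Data reader"; EXECUTE ON SCHEMA::dbo = "Execute on DBO schema".
    # sp_addrolemember is used instead of ALTER ROLE so the script also works on the
    # SQL Server 2005/2008 instances that back SharePoint 2007/2010.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
EXEC sp_addrolemember N'db_datareader', N'$ServiceAccount';
GRANT EXECUTE ON SCHEMA::dbo TO [$ServiceAccount];
"@
    if ($AllowCreateTable) {
        $sql += "`nGRANT CREATE TABLE TO [$ServiceAccount];"
    }
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query $sql
    Write-Host "Granted SecurityIQ permissions in [$Database]"
}

Grant-SiqDbPermissions -Database $AdminDb -AllowCreateTable
Grant-SiqDbPermissions -Database $ConfigDb
foreach ($db in $ContentDbs) { Grant-SiqDbPermissions -Database $db }
```

Run it as a SQL Server sysadmin. One caveat a DBA will raise: SQL Server only lets a principal create tables if it also holds ALTER on the target schema, so if table creation in the Admin DB fails after these grants, ALTER on schema dbo for the same account is the missing piece. Keep the grants to exactly the databases listed; the agent account does not need db_owner anywhere.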

3.3. Configure View Activities Monitoring (Manual Mode Only)

Note: The following steps can be skipped when automatic IIS log configuration is enabled in the Add New Application Wizard (see Automatic IIS Log Configuration).

Enable Host field logging on all Frontend IIS servers. For each Frontend server:

1. Open the IIS management console.

2. Locate the SharePoint Web Application site in IIS.

3. Open the "Logging" options in the IIS management console.

4. Click on "Select Fields".

Figure 1. Logging

5. Check "cs-host" to select the field.

Figure 2. Logging Fields

6. Click on Apply under Action so the changes take effect.

Note: If the cs-host field was not previously selected for logging, View events might take a few hours to start being collected. To make the agent start collecting View events immediately, stop IIS, delete the last IIS log file, and start IIS again.

7. When running in a SharePoint farm with multiple Frontend servers, create a dedicated share on each Frontend to the Web Application IIS log directory, and give Read permissions on the share to the user defined in the Permissions section above. This share is used after the installation in the configuration of bamframework.exe.config.
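As an added example that is not part of the guide, the following PowerShell script performs steps 1 through 7 above on a single front end: it enables the cs-host field on the SharePoint Web Application site and creates the read-only share of its IIS log folder for the agent account. The IIS site name, the account name and the share name are assumptions. The script uses the WebAdministration and SmbShare modules, so it applies to Windows Server 2012 or later; on older front ends the share is created with net share instead.

```powershell
# Added example, not part of the guide: performs steps 1-7 of section 3.3 on one front end
# (enable the cs-host field on the SharePoint Web Application site, then publish its IIS log
# folder as a read-only share for the agent account). Run it on every front end.
# Assumed values: the IIS site name, the agent account and the share name.
Import-Module WebAdministration

$SiteName     = 'SharePoint - 80'   # assumed name of the SharePoint Web Application site in IIS
$AgentAccount = 'CORP\siq_wss'      # assumed dedicated agent account (siq_wss, as in section 3.2)
$ShareName    = 'SIQLogs$'          # assumed hidden share name

$site = Get-Item "IIS:\Sites\$SiteName"

# Steps 4-6: logExtFileFlags holds the selected W3C fields; 'Host' is the cs-host column.
$fields = "$($site.logFile.logExtFileFlags)" -split ',\s*'
if ($fields -notcontains 'Host') {
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logExtFileFlags -Value (($fields + 'Host') -join ',')
    Write-Host "cs-host enabled on '$SiteName'; it appears in the next log file that IIS opens"
} else {
    Write-Host "cs-host already logged on '$SiteName'"
}

# The site's log folder is <logFile.directory>\W3SVC<site id>.
$baseDir = [Environment]::ExpandEnvironmentVariables("$($site.logFile.directory)")
$logDir  = Join-Path $baseDir ("W3SVC{0}" -f $site.id)

# Step 7: a dedicated share with Read access for the agent account only, plus the matching
# NTFS read right (the share permission alone does not grant access to the files).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $logDir -ReadAccess $AgentAccount | Out-Null
}
$acl  = Get-Acl -Path $logDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $AgentAccount, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# This is the UNC path to enter in the wizard's IIS Log Folder Paths list (manual mode).
Write-Host "IIS log share for $SiteName`: \\$env:COMPUTERNAME\$ShareName"
```

The field change takes effect when IIS opens its next log file, which is why the note above suggests stopping IIS, removing the current log file and starting IIS again if View events must be collected immediately. The share grants Read only; the agent never needs to write to the log folder, and the NTFS rule is limited to the same account rather than to Everyone.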

3.4. Communications Requirements

Table 2. Communications Requirements

Requirement          Source                            Destination                      Port
Database Access      BAM/Entitlement Collector server  SecurityIQ DB                    According to the specific DB definitions
SecurityIQ Access    BAM/Entitlement Collector server  SecurityIQ Servers               8000-8008
Data Classification  Data Classification Server        SharePoint Farm                  http & https as required
Access to IIS Logs   BAM                               All SharePoint Frontend servers  139/445
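The paths in Table 2 can be checked before installation from the prospective BAM/Entitlement Collector server. The following PowerShell script is an added example, not part of the guide; the host names and the database port are assumptions, and the DB port must match the actual SecurityIQ DB definition. Test-NetConnection is available on Windows Server 2012 and later.

```powershell
# Added example, not part of the guide: checks the TCP paths of Table 2 from the server where the
# BAM / Entitlement Collector will run. Host names and the DB port are assumptions; replace them
# with the values of your environment (the DB port must match the actual SecurityIQ DB definition).
$SiqServers = @('siq-app01')                    # assumed SecurityIQ servers
$SiqDbHost  = 'siq-sql01'; $SiqDbPort = 1433    # assumed SecurityIQ DB host and port
$Frontends  = @('sp-wfe01', 'sp-wfe02')         # assumed SharePoint front-end servers

function Test-SiqPort {
    param([string] $ComputerName, [int] $Port, [string] $Requirement)
    # Test-NetConnection performs a TCP connect; a closed port and a firewall drop both show as $false.
    $tnc = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Requirement = $Requirement; Target = "${ComputerName}:$Port"; Open = [bool] $tnc.TcpTestSucceeded }
}

$results = @()
$results += Test-SiqPort $SiqDbHost $SiqDbPort 'Database Access'
foreach ($srv in $SiqServers) {
    foreach ($p in 8000..8008) { $results += Test-SiqPort $srv $p 'SecurityIQ Access' }
}
foreach ($wfe in $Frontends) {
    foreach ($p in 139, 445) { $results += Test-SiqPort $wfe $p 'Access to IIS Logs' }
}

$results | Format-Table -AutoSize
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ("{0} required port(s) unreachable; open them before installing." -f $closed.Count)
}
```

The Data Classification row is not covered here because that check belongs on the Data Classification server, against the host and port of the farm's Base Address (80 or 443, as the web application is bound); run Test-NetConnection from there with those values.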

4. Add New Application Wizard

1. Navigate to System > Application Monitors.

2. Select New.

The Welcome window of the New Application Monitor Wizard displays.

Figure 3. Welcome Window

1. Select Standard Monitor.

2. Select SharePoint from the Application Type dropdown menu.

3. Click Next.


The General window of the New Application Monitor Wizard displays.

Figure 4. General Window

1. Type the logical name of the SharePoint application in the Name field.

2. Type a description of the application in the Description field.

3. Select a logical container for the application from the Container dropdown menu.

4. Select an Active Directory Identity Collector from the Identity Collector dropdown menu.

5. Click Next.


The first Configuration window of the New Application Monitor Wizard displays.

Figure 5. Configuration Window I

1. Complete the Connection Details fields:

• Base Address (the URL for users to access the portal)
• User Domain (the domain of the user defined in the prerequisites)
• User (the user defined in the prerequisites)
• Password (the password of the user defined in the prerequisites)
• Repeat Password (the password of the user defined in the prerequisites)

Note: User Domain, User and Password are used by Data Classification to call the SharePoint web service.

• Leave Audit On (whether to leave the SharePoint audit on when the service is off)
• Purge Old Events (deletes audits older than a given number of days from the SharePoint Content database, using the SharePoint API)
• IIS Log Configuration (whether to specify IIS log folders manually or automatically, via monitor identification)

  Choose Manual to control which sites to monitor. Fill in the IIS Log Folder Paths list with the UNC path for each wanted IIS site log folder.

  Note: Perform this step for each monitored server.

  Choose Automatic to let the monitor identify all site log folders. This mode also enables IIS Host field logging on each monitored server where it is not yet enabled.

  Fill in the Servers to Exclude list (not shown above) with servers that do not require monitoring; each entry may be a server name or address.

2. Complete the Monitor Behavior fields:

• Polling Interval (activity fetching interval, in seconds)
• Report Interval (BAM health reporting interval, in seconds)
• Local Buffer Size (local buffer size for activities, in MB)

Note: This cyclic buffer stores activities on the BAM machine in case network errors prevent activities from being sent.

3. Select the relevant Entitlements Collection items:

• Skip Identities Sync (skip identity synchronization before running entitlement collection tasks when the identity collector is common to many different agents)
• Calculate Effective Permissions (calculate the effective permissions during the Entitlements Collection run)
• Calculate Riskiest Permissions (calculate the riskiest permission on a resource; for example, Full Control is riskier than Read if both are on a resource)

4. Click Next.


The second Configuration window of the New Application Monitor Wizard displays.

Figure 6. Configuration Window II

1. Select the relevant item under When an activity from a new resource is detected:

• Store the activity (Full Auto-Learning Mode): monitor all activities from all site collections, which automatically creates new site collections in the Business Resources Tree.
• Discard the activity (No Auto-Learning Mode): manually define the site collections to be monitored, including all of their sub-objects.

2. Click Next.


The Data Enrichment window of the New Application Monitor Wizard displays.

Figure 7. Data Enrichment Window

1. Select the data enrichment connectors (DECs) to enrich monitored activities from the Available DECs text box, and use the > or >> arrows to move them to the Current DECs text box.

Note: Chapter 6 of the SecurityIQ Administrative Client User Guide provides more information on Data Enrichment Connectors, including what they are, how to configure them, and how they fit in the Activity Flow.

2. Click Next.


The Crawler window of the New Application Monitor Wizard displays.

Figure 8. Crawler Window

1. Check the Create a Schedule check box.

2. Type a name for the crawling scheduling task in the Name field.

3. Select a scheduling frequency from the Schedule dropdown menu.

4. Fill in the relevant date and time fields (which differ, depending upon the scheduling frequency selected).

5. Check the Active check box if relevant.

6. Type in the names of folders to exclude from the crawling process in the Exclude Paths by Regex field.

7. Click Next.

Note: Chapter 7 of the SecurityIQ Administrative Client User Guide provides more information on the Crawling Process.

The Access Fulfillment window of the New Application Monitor Wizard displays.

8. Click Next.

Note: Chapter 8 of the SecurityIQ Administrative Client User Guide provides more information on access fulfillment.


The Installation File window of the New Application Monitor Wizard displays.

Figure 9. Installation File Window

1. Browse and select the destination file (used for installing the BAM/Entitlement Collector/Data Classification services) in the Destination field.

2. Click Finish.

5. Installation of Services

5.1. Entitlement Collector Installation

1. Run the "SecurityIQ Agent Installer" as an Administrator.

The Agent Configuration File window displays.

Figure 10. Agent Configuration File Window

2. Browse and select the XML installation file (generated in the last step of New Application Wizard) in the Configuration file field.

3. Click Next.


The SecurityIQ Features window displays.

Figure 11. SecurityIQ Features Window

4. Check the "Entitlements Collector" check box under Select components to be installed.

5. Click Next.


The Microsoft SharePoint Configuration window displays.

Figure 12. Microsoft SharePoint Configuration

6. Select the correct Microsoft SharePoint version.

7. Click Next.


The Service Credentials window displays.

Figure 13. Service Credentials Window

8. Uncheck the Run as LocalSystem check box.

9. Enter the Username defined in the Permissions prerequisites section in the form of domain\user and click on 'Find User'.

10. The username should appear with an underline.

11. Enter the Password for the user.

12. Repeat the Password for the user.

13. Click Next.


The Installation Folder window displays.

Figure 14. Installation Folder Window

14. Browse and select the location of the target folder for installation.

15. Browse and select the location of the folder for system logs.

16. Click Next.

The system begins installing the selected components.

17. Click Finish (which displays after all of the selected components have been installed).

Note: Chapter 8 of the SecurityIQ Administrative Client User Guide provides more information on Entitlements Collection.


5.2. Run the Crawling Task

Note: Before beginning monitoring, it is mandatory to run the SharePoint endpoint crawler.

1. Open the administrative console and navigate to System > Scheduled Tasks.

2. Search for the Crawling task name defined in the endpoint Add Application Wizard.

3. Right click and select Run Now to run the scheduled task.

4. Verify that the first level of the SharePoint site collections has been crawled before beginning monitoring.

5.3. Business Application Monitor Installation

1. Follow Steps 1-3 of the Entitlement Collector Installation procedure.

2. Select "Business Application Monitor" in Step 4 of the Entitlement Collector Installation procedure.

3. Follow Steps 5-11 of the Entitlement Collector Installation procedure.

Note: Chapter 6 of the SecurityIQ Administrative Client User Guide provides more information on Activity Monitoring.

5.4. Data Classification Installation

1. Follow Steps 1-3 of the Entitlement Collector Installation procedure.

2. Select "Data Classification" in Step 4 of the Entitlement Collector Installation procedure.

3. Follow Steps 5-11 of the Entitlement Collector Installation procedure.

Note i: Assure the selection of a unique port for each Data Classification service if more than one Data Classification service is installed on the same physical server. Different services use this unique port as a User Interface Service to communicate with the Data Classification service.

Note ii: Chapter 9 of the SecurityIQ Administrative Client User Guide provides more information on Data Classification.

6. Verification

6.1. Services

6.2. Agents Services

• SecurityIQ Business Asset Monitor—<Application_Name> service is running.
• SecurityIQ Entitlements Collection—<Application_Name> service is running.
• SecurityIQ Data Classification—<Application_Name> service is running.
• SecurityIQ Watchdog—<Application_Name> service is running.

6.3. Logs

• "%SIQ_HOME_LOGS%\WSS - <Application_Name>.log" does not contain errors.
• "%SIQ_HOME_LOGS%\RoleAnalytics-<Application_Name>.log" does not contain errors.
• "%SIQ_HOME_LOGS%\DataClassification-<Application_Name>.log" does not contain errors.
• "%SIQ_HOME_LOGS%\Watchdog-<Application_Name>.log" does not contain errors.

6.4. Monitored Activities

1. Simulate activities on the SharePoint.

2. Wait a minute (approximately).

3. Query for activities in the Administrative Client by <BAM_Name>.

4. Verify that the activities display in the Administrative Client.

6.5. Entitlements Collection

1. Run the Crawler and Entitlements Collector tasks in the SecurityIQ Administrative Client.

2. Verify that:

• The tasks completed successfully
• Business resources were created on the BRs tree
• Entitlements display in the Entitlement Forensics window
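The service and log checks of sections 6.2 and 6.3 can be run in one pass on the agent host with the following PowerShell script, an added example that is not part of the guide. The application name is an assumption, and so is the 'ERROR' token used to find error lines, which should be adjusted to the agent's actual log format. Components not installed on this host (for example Data Classification, which runs on a SecurityIQ server) appear as 'not installed' or 'missing' and can be ignored there.

```powershell
# Added example, not part of the guide: automates the service and log checks of sections 6.2 and
# 6.3 on the agent host for one application. Assumptions: the application name, that %SIQ_HOME_LOGS%
# is defined on this host, and that failures in the agent logs carry the token 'ERROR' (adjust
# $ErrorPattern to the real log format). Components not installed on this host are reported as
# 'not installed' / 'missing' so they can be told apart from a stopped service or a failing log.
$AppName      = 'SP-Prod'    # assumed <Application_Name>
$ErrorPattern = '\bERROR\b'  # assumed marker of an error line

$services = @(
    "SecurityIQ Business Asset Monitor*$AppName",
    "SecurityIQ Entitlements Collection*$AppName",
    "SecurityIQ Data Classification*$AppName",
    "SecurityIQ Watchdog*$AppName"
)
$logFiles = @("WSS - $AppName.log", "RoleAnalytics-$AppName.log",
              "DataClassification-$AppName.log", "Watchdog-$AppName.log")
$logDir = [Environment]::ExpandEnvironmentVariables('%SIQ_HOME_LOGS%')

$report = @()
foreach ($pattern in $services) {
    # Display names are matched with a wildcard because the separator before <Application_Name> varies.
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue | Select-Object -First 1
    $report += [pscustomobject]@{
        Check  = "service $pattern"
        Result = $(if ($svc) { "$($svc.Status)" } else { 'not installed' })
        Ok     = [bool]($svc -and $svc.Status -eq 'Running')
    }
}
foreach ($name in $logFiles) {
    $path = Join-Path $logDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        $report += [pscustomobject]@{ Check = "log $name"; Result = 'missing'; Ok = $false }
        continue
    }
    # Section 6.3 asks for "does not contain errors": count matching lines rather than just the first hit.
    $errors = @(Select-String -LiteralPath $path -Pattern $ErrorPattern)
    $report += [pscustomobject]@{ Check = "log $name"; Result = "$($errors.Count) error line(s)"; Ok = ($errors.Count -eq 0) }
}

$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'One or more verification checks failed; review the rows marked Ok = False.'
}
```

The check is deliberately read-only: it queries the Service Control Manager and reads the log files, and a 'not installed' row for a component that was never selected in the installer is expected rather than a failure. The Monitored Activities and Entitlements Collection checks of sections 6.4 and 6.5 are performed in the Administrative Client and are not automated here.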
