Symantec ediscovery Platform Security Outline


This document is provided for informational purposes only. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Symantec eDiscovery Platform 7.1.4

Security Outline

This document provides an outline of some of the security aspects of the Symantec eDiscovery Platform from the point of view of a security officer.

If you have any feedback or questions about this document, please email them to [email protected], stating the document title.


Page 1 Symantec eDiscovery Platform 7.1.4 Security Outline

Purpose

The Symantec eDiscovery Platform is the industry-leading, single-pane-of-glass application that addresses each phase of the eDiscovery reference model in an intuitive manner, with utilities to consolidate traditional Legal Hold methodology, an agentless and targeted approach to Identification and Collections, a powerful and flexible Processing engine, and a rich and robust Review and Analytics solution. The Symantec eDiscovery Platform is an appliance-based solution with an Oracle MySQL database backend, integrated with web services from Apache Tomcat to provide an easy-to-deploy and easy-to-manage web-based solution from both the technology and the legal team perspective.

Scanning - tools and validation

Qualys and Cenzic

Retina – Nessus – Hyperion (Government Standard Tools)

 GOVT. Common Process

o Deploy Solution

o Schedule Scan

o Review Vulnerabilities and resolve

o Rescan (and repeat as necessary – typically this has been a single scan iteration for success, leaving Windows Updates to the customer to apply)

Symantec performs vulnerability scanning annually to identify high and medium vulnerabilities and works to remediate any issues found:

 Vulnerability

 DB Vulnerabilities

 OS Vulnerabilities

 Network Related Vulnerabilities

DISA STIG Security Documentation

Government Standard delivered by DISA that provides the specialized, required application security settings a solution must meet to be approved for addition to production networks, regardless of network security classification (unclassified – top secret):


 OS Level

 Web Application Level

 Database level

 Third Party Application Level

o Method of disabling Lotus Notes client until updated to newest version with product.

Anti-virus

Symantec eDiscovery Platform does not bundle an anti-virus solution with its appliances. Furthermore, there does not seem to be such a need in certain configurations.

Why does the Symantec eDiscovery Platform not need A/V during processing

Unlike worms, viruses need to be activated, for example by launching an executable or invoking a script. In the course of processing an email, attachment or loose file we may well encounter an infected document, but so long as we don't actually run the attachment, or attempt to evaluate any embedded JavaScript during processing, we should be safe. Opening an attachment as a file, as Stellent does, is safe; asking the OS or the JVM to run it is not.

Symantec eDiscovery Platform does support native file printing, for example printing a spreadsheet by launching MS Excel. Virus protection is a concern for native file printing. See "CW Virus Scanning Guidelines" for more information on scanning the directory used for native document viewing.

 Note – If the Symantec eDiscovery Platform environment is not licensed for native document review the native file printing directory will not exist and therefore is not a potential virus gateway.

 Symantec eDiscovery Platform interacting with viruses

o The Symantec eDiscovery Platform is compatible with the anti-virus application of choice, but there are a number of exceptions that must be kept in mind to ensure that the appliance is properly protected. One of the basic tenets of eDiscovery is the collection, processing, and review of case data. This data comes from many sources such as file shares and email.


o Collected email and other file types are sometimes found to contain phony links and malicious spyware, and may nevertheless be needed for a particular case or matter. This data has to be available to be processed and then reviewed by the legal team – but there is a risk that reviewers could inadvertently click links or open files of these types within the case data population.

o Configuring the Anti-Virus client is simple with a provided Anti-virus setup guide, available on request.

o The path of the attachment directory can be configured with the property "esa.altAttachmentsDir". By default the value is empty and the directory defaults to d:\CW\<current_version>\scratch\temp\esadb\attCacheDir\.

Protecting our users

Although the Symantec eDiscovery Platform application should continue to function normally in the presence of viruses, the end users/reviewers are at risk. A user can get infected if he/she downloads an attachment (for example, after a Search) for native viewing such as with MS Word or QuickView Plus.

Users' responsibility

The first responsibility remains with our users. We assume our users have scanned all documents and emails provided to Symantec eDiscovery Platform for indexing. However, sometimes this is not possible. For example, although many anti-virus software applications will scan zip files, they may not scan PST files, or WINMAIL.DAT files, or CAB files, or various other container files.

It is recommended that all user desktops have an anti-virus application actively scanning for any user viewing attachments and loose files natively outside of the Symantec eDiscovery Platform.

No worms

Although this section is not about worms, they do deserve a mention. Worms, unlike viruses, are not activated: they are programs that are self-activated (for example from a startup folder), or trick the user and/or the OS into activating them. Once activated they can cause damage to the local machine and/or propagate themselves outwards through open ports or various tools such as email clients.


With the use of the Firewall and other measures worms should not be able to infect the network.

Open Ports / Protocols / Encryption Standards

This is a list of the ports to manipulate when provisioning an internet-facing or firewalled, secured instance of the Symantec eDiscovery Platform. Be aware that not all ports are required to stay open after a specific port-related task is complete, for example Windows activation using port 53.

Port      Protocol   Description                                                                   Optional
22        TCP        SSH, SCP/SFTP                                                                 Y
25        TCP        SMTP                                                                          Y
53        TCP/UDP    DNS                                                                           Y
80        TCP        HTTP
443       TCP        HTTPS
3389      TCP        Microsoft RDP                                                                 Y
21                   FTP
626                  LDAP-S                                                                        Y
88                   Kerberos                                                                      Y
123                  NTP
389                  LDAP                                                                          Y
135-139   TCP/UDP    Required by NETBIOS, which enables various network related communications:
                     Microsoft file sharing (SMB) over User Datagram Protocol (UDP) and
                     Transmission Control Protocol (TCP) ports. Used for File Share Collection
                     and Desktop Collection. Must be bi-directional.
3306                 Used by MySQL to enable remote database access. Must be used with a
                     Symantec eDiscovery Platform cluster or if a separate MySQL server is
                     being used.
445       TCP        For File Share and PC Collections the SMB or CIFS protocol is used, which
                     uses TCP port 445. Required for file sharing and needed to allow sharing
                     files across a network. Must be bi-directional.
                     Application port for inter-appliance communication.
135                  Used by various Windows critical services including the Firewall Service.
                     Symantec eDiscovery Platform utilizes the native Windows Firewall on the
                     appliance to "harden" the Symantec eDiscovery Platform.

Table 1
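The following PowerShell script is an added example, not part of the Symantec document or the product. It transcribes Table 1 and compares it with the enabled inbound "Allow" rules of the Windows Firewall that the document says hardens the appliance, reporting documented ports that have no matching rule and rules that admit ports the table does not mention. It assumes Windows Server 2012 or later, where the NetSecurity module provides Get-NetFirewallRule and Get-NetFirewallPortFilter. Where the table leaves the protocol blank (FTP, LDAP-S, Kerberos, NTP, LDAP, MySQL) the script fills in the standard assignment; it enters LDAP over SSL as 636, the IANA assignment, where the table prints 626; and it omits the inter-appliance application port, whose number the document does not give.

```powershell
# Added example (not from the Symantec document): audit the Windows Firewall
# inbound allow rules of the appliance against the documented port list.
# Assumes Windows Server 2012+ (NetSecurity module).

# Table 1, transcribed. Protocols the table leaves blank are filled from the
# standard assignments; LDAP over SSL is entered as 636 (the table prints 626);
# the inter-appliance port is omitted because the document gives no number.
$Documented = @(
    [pscustomobject]@{ Port = 22;   Protocol = 'TCP'; Purpose = 'SSH, SCP/SFTP';               Optional = $true  }
    [pscustomobject]@{ Port = 25;   Protocol = 'TCP'; Purpose = 'SMTP';                        Optional = $true  }
    [pscustomobject]@{ Port = 53;   Protocol = 'TCP'; Purpose = 'DNS';                         Optional = $true  }
    [pscustomobject]@{ Port = 53;   Protocol = 'UDP'; Purpose = 'DNS';                         Optional = $true  }
    [pscustomobject]@{ Port = 80;   Protocol = 'TCP'; Purpose = 'HTTP';                        Optional = $false }
    [pscustomobject]@{ Port = 443;  Protocol = 'TCP'; Purpose = 'HTTPS';                       Optional = $false }
    [pscustomobject]@{ Port = 3389; Protocol = 'TCP'; Purpose = 'Microsoft RDP';               Optional = $true  }
    [pscustomobject]@{ Port = 21;   Protocol = 'TCP'; Purpose = 'FTP';                         Optional = $false }
    [pscustomobject]@{ Port = 636;  Protocol = 'TCP'; Purpose = 'LDAP over SSL';               Optional = $true  }
    [pscustomobject]@{ Port = 88;   Protocol = 'TCP'; Purpose = 'Kerberos';                    Optional = $true  }
    [pscustomobject]@{ Port = 88;   Protocol = 'UDP'; Purpose = 'Kerberos';                    Optional = $true  }
    [pscustomobject]@{ Port = 123;  Protocol = 'UDP'; Purpose = 'NTP';                         Optional = $false }
    [pscustomobject]@{ Port = 389;  Protocol = 'TCP'; Purpose = 'LDAP';                        Optional = $true  }
    [pscustomobject]@{ Port = 445;  Protocol = 'TCP'; Purpose = 'SMB/CIFS collections';        Optional = $false }
    [pscustomobject]@{ Port = 3306; Protocol = 'TCP'; Purpose = 'MySQL (cluster / remote DB)'; Optional = $true  }
)
# NETBIOS 135-139 over TCP and UDP, used for file share and desktop collection.
foreach ($p in 135..139) {
    foreach ($proto in 'TCP', 'UDP') {
        $Documented += [pscustomobject]@{ Port = $p; Protocol = $proto; Purpose = 'NETBIOS / SMB'; Optional = $false }
    }
}

function Test-PortSpec {
    # True when a firewall LocalPort spec ('Any', '443', '135-139', ...) admits $Port.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    if ($Spec -match '^\d+$') { return ([int]$Spec -eq $Port) }
    return $false   # symbolic specs such as 'RPC' or 'IPHTTPSIn' are not port numbers
}

# Flatten every enabled inbound allow rule into (rule, protocol, port spec) rows,
# keeping only TCP/UDP/Any rules (ICMP rules carry no port).
$open = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($spec in @($filter.LocalPort)) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $filter.Protocol; Spec = $spec }
    }
}
$open = @($open | Where-Object { $_.Protocol -in 'TCP', 'UDP', 'Any' })

# (a) Documented ports that no enabled allow rule admits.
foreach ($d in $Documented) {
    $match = $open | Where-Object {
        ($_.Protocol -eq 'Any' -or $_.Protocol -eq $d.Protocol) -and (Test-PortSpec -Spec $_.Spec -Port $d.Port)
    }
    if (-not $match) {
        $state = if ($d.Optional) { 'optional' } else { 'required' }
        'NOT OPEN  {0,-4} {1,-5} {2} ({3})' -f $d.Protocol, $d.Port, $d.Purpose, $state
    }
}

# (b) Enabled allow rules that admit traffic the table does not account for.
$docKeys = $Documented | ForEach-Object { "$($_.Protocol)/$($_.Port)" }
foreach ($row in $open) {
    if ($row.Spec -eq 'Any') {
        "REVIEW    rule '{0}' allows {1} on any port" -f $row.Rule, $row.Protocol
        continue
    }
    if ($row.Spec -notmatch '^(\d+)(?:-(\d+))?$') { continue }   # symbolic spec, skipped
    $lo = [int]$Matches[1]
    $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
    $protos = if ($row.Protocol -eq 'Any') { 'TCP', 'UDP' } else { @($row.Protocol) }
    $extra = foreach ($p in $lo..$hi) {
        foreach ($pr in $protos) { if ($docKeys -notcontains "$pr/$p") { "$pr/$p" } }
    }
    if ($extra) {
        $extra = @($extra)
        $shown = if ($extra.Count -gt 8) { ($extra[0..7] -join ', ') + " ... ($($extra.Count) total)" } else { $extra -join ', ' }
        "REVIEW    rule '{0}' admits undocumented {1}" -f $row.Rule, $shown
    }
}
```

Run it from an elevated PowerShell session on the appliance after provisioning and again after each port-related task has finished; a "NOT OPEN" line for an optional port is the expected state once the task that needed it (such as Windows activation) is complete, while a "REVIEW" line points at a rule to justify or remove.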

Auditing & reporting

Symantec eDiscovery Platform provides a number of logs and auditing services within the User Interface (UI) as well as locally on the appliance. If necessary, these logs are able to be compressed and retained according to local retention and preservation policies.

The jobs are listed by name (see below) with the corresponding date and time appended to the name for ease of use and troubleshooting.

The location of the logs on the local appliance is:

 D:\CW\Vx.x\Logs (Vx.x denotes the latest installed version of the Symantec eDiscovery Platform – if the deployed version is 7.1.4 the path would be D:\CW\V714\Logs)

o Access Logs

 Provides information on application access times on login.

o Catalina Logs

 Provides information on the Apache Tomcat webserver jobs as well as any errors, for ease in troubleshooting.

o Server Logs

 Provides information on server related tasks and errors, for ease in troubleshooting.

o Jobs Logs

o Crawler\Retriever

 These log files are related to collections tasks within the collections module and rendering tasks in the review module. They are listed by specific name such as PSTCrawler, PSTRetriever, etc.

o Processing

 These logs provide detail into processing tasks within the Collections module.

NOTE: Logs are managed by the system and are overwritten.
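Because the system overwrites these logs, a site that has to retain them under a local retention and preservation policy needs to copy them off the appliance on a schedule. The script below is an added example, not part of the Symantec document or the product: it archives the log tree described above into a dated zip, records a SHA-256 digest beside it, and applies a retention period to earlier archives. It assumes PowerShell 5.0 or later (Compress-Archive, Get-FileHash), that the deployed version is 7.1.4 so the log root is D:\CW\V714\Logs as the document states, and that \\retention-server\edp-logs is a placeholder for the site's own retention share.

```powershell
# Added example (not from the Symantec document): retain the appliance logs
# before the system overwrites them. Assumes PowerShell 5.0+; the share name
# below is a constructed placeholder.
param(
    [string]$LogRoot  = 'D:\CW\V714\Logs',              # log root for version 7.1.4
    [string]$Archive  = '\\retention-server\edp-logs',  # placeholder retention share
    [int]   $KeepDays = 365                             # local retention period
)

if (-not (Test-Path -LiteralPath $LogRoot)) { throw "Log root '$LogRoot' not found." }
New-Item -ItemType Directory -Path $Archive -Force | Out-Null

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipName = '{0}-{1}-edp-logs.zip' -f $env:COMPUTERNAME, $stamp
$zipPath = Join-Path $Archive $zipName

# Access, Catalina, Server and Jobs (crawler/retriever, processing) logs are all
# subfolders of the log root, so one archive covers every category listed above.
# A file a service holds exclusively open is reported as an error and skipped.
Compress-Archive -Path (Join-Path $LogRoot '*') -DestinationPath $zipPath `
    -CompressionLevel Optimal -ErrorAction Continue

# Record a SHA-256 digest beside the archive so a later preservation review can
# detect corruption or tampering of the retained copy.
$digest = Get-FileHash -LiteralPath $zipPath -Algorithm SHA256
'{0}  {1}' -f $digest.Hash, $zipName |
    Add-Content -LiteralPath (Join-Path $Archive 'SHA256SUMS.txt') -Encoding ASCII

# Enforce the retention period on earlier archives. Remove -WhatIf once the
# retention and preservation policy for this environment has been confirmed.
Get-ChildItem -LiteralPath $Archive -Filter '*-edp-logs.zip' |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item -WhatIf

"Archived $LogRoot to $zipPath (SHA-256 $($digest.Hash))"
```

Schedule the script with Task Scheduler under an account that has read access to the log root and write access to the retention share; the digest file grows by one line per run and can be checked against the archives with Get-FileHash during a preservation review.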

Services

This section reviews all of the necessary Symantec eDiscovery Platform specific services providing descriptions of each. Symantec eDiscovery Platform specific services are denoted in the services console with the prefix ESA. For accounts related to running these services, please reference the Accounts section of this document.

 EsaApplicationService:Firedaemon

o Controls the Symantec eDiscovery Platform Application Server, which is responsible for indexing the incoming documents and processing search requests. This service depends on the MySQL service. No configuration is required, except in the following cases:

 To crawl PST files or loose files on a network share that requires a username and password, this service must run under a login account with those permissions.

 To crawl an Active Directory domain other than the domain of the Symantec eDiscovery Platform, this service must run under a login account in that domain (used mainly for lab tests).

 EsaEvCrawlerService & EsaEvRetrieverService

o Responsible for crawling and retrieving documents on Symantec Enterprise Vaults. The login user name must match the name used by the Symantec services (generally the "Vault Service Account").

 EsaExchangeCrawlerService & EsaExchangeRetrieverService

o Responsible for crawling and retrieving documents on Exchange servers. The login user must have the following permissions:

 Read

 Execute

 Read permissions

 List contents

 Read properties

 List objects

 Open mail send queue

 Read metabase properties

 Administer information store

 View information store status

 Receive As

 EsaPstCrawlerService & EsaPstRetrieverService

o Responsible for crawling and retrieving PST data stores. Note the following:

 If the PST files are on a network share that requires a username and password, these services must run under a login account with read and write access to the network share.

 If the PST files are on a storage device attached to the Symantec eDiscovery Platform, then only local permissions are required.

 The Symantec eDiscovery Platform requires different accounts, but similar privileges, for each of the PST crawler and retriever services. Setting up separate accounts avoids potential memory contention and management issues with Microsoft's MAPI interface, which could result in sub-optimal performance.

 EsaNsfCrawlerService & EsaNsfRetrieverService

o Responsible for crawling and retrieving NSF data stores. These services must be configured with the permissions needed to access NSF files over the network. Note the following:

 If the NSF files are on a network share that requires a username and password, these services must run under a login account with read and write access to the network share.

 If the NSF files are on a storage device attached to the Symantec eDiscovery Platform appliance, then only local permissions are required.

 Make sure that these two services are configured to use the same account.

 The Notes client must be activated to work with this account.

 EsaRissCrawlerService & EsaRissRetrieverService

o Responsible for crawling and retrieving documents on the Hewlett-Packard Integrated Archive Platform (IAP), formerly called the Reference Information Storage System (RISS).

o To properly start and run, the account used for this service must be set up with access to the RISS shares.

 MySQL Services

o These services operate in a traditional manner, providing for the operational stability of the Symantec eDiscovery Platform MySQL database.

Processes:

BDLGenServer.exe, BelsService.exe, EVCrawler.exe, EVRetriever.exe, ExchangeCrawler.exe, ExchangeRetriever.exe, FileFilter.exe, FireDaemon.exe, Java.exe, JPConsole.exe, JPService.exe, MySqld-nt.exe, Mysqldump.exe, NSFCrawler.exe, NSFRetriever.exe, NSFScan.exe, PSTCrawler.exe, PSTRetriever.exe, PSTScan.exe, PSTWriter.exe, RISSCrawler.exe, RISSRetriever.exe, fragmon.exe, cscript.exe, perl.exe

Services:

EsaApplicationService : FireDaemon, EsaIGCBravaLicenseSrvice, EsaNsfCrawlerService, EsaNsfRetrieverService, EsaPstCrawlerService, EsaPstRetrieverService

Table 2

Specific rights must be granted to the accounts running services within the Symantec eDiscovery Platform prior to the installation. A comprehensive list of these is available in the installation guide, which can be found here


Identification and collections

The Symantec eDiscovery Platform was created with an all-in-one, very intuitive ease of use in mind to provide a more efficient workflow for eDiscovery needs. The Identification and Collection module was created with a targeted and agentless approach. There are no agents to be installed and then repeatedly managed and QC'ed throughout the infrastructure.

Symantec eDiscovery Platform is able to directly collect from a multitude of sources out of the box, with the only requirement being a managed user account with proper access to the targeted source for collection purposes.

Accounts typically need a higher level of access to properly collect necessary case data such as:

 Read – Read rights are necessary for the designated account to see the data that is to be requested to be collected.

 List – List Rights are needed for the designated account to present the data to the Symantec eDiscovery Platform.

 Write – Write rights are necessary for the destination account so that the data requested to be collected can be written in a forensically sound manner (very much like ROBOCOPY) to the designated data store, keeping the content and metadata sound and in their original format.

Accounts

Traditionally, software ships with default username and password credentials out of the box, and the Symantec eDiscovery Platform is no different. These accounts are completely configurable, and the passwords are able to be updated, renamed, and changed on the fly as needed.

Local Accounts

Symantec eDiscovery Platform comes configured out of the box, ready for immediate use with local accounts (listed below); these credentials are able to be renamed and their passwords changed to fit the needs and policies of the customer environment.

 CWAppAdmin

o One of the default accounts that comes as a default configuration of the Symantec eDiscovery Platform. If using this local account, it MUST be a local administrator as it is used to run necessary ESA Services (see ESA service description above) and will need admin level access locally on the appliance to access all of the necessary directories to ensure that each module and function within the Symantec eDiscovery Platform will operate at optimum levels. The username and password are able to be configured to necessary security standards and policies as needed, and on the fly.

 CWPSTRetriever

o One of the default accounts that comes as a default configuration of the Symantec eDiscovery Platform. If using this local account, it MUST be a local administrator as it is used to run necessary ESA Services (see ESA service description above) and will need admin level access locally on the appliance to access all of the necessary directories to ensure that each module and function within the Symantec eDiscovery Platform will operate at optimum levels. The username and password are able to be configured to necessary security standards and policies as needed, and on the fly. This account is typically used to run the ESAPSTRetriever service, as a requirement for the Symantec eDiscovery Platform is to have a separate account running the ESAPST Crawler service to prevent MAPI profile corruption.

 IGCAdmin

o This account is typically used to allow the BRAVA IGC third party application to run in conjunction with the Symantec eDiscovery Platform.

o This account is also used to install the Symantec eDiscovery Platform and all necessary updates and upgrades. This is necessary because, during the installation phase, if IGC Services (BRAVA) are being updated this allows for a very simple update of the application without the need for running a separate installation package to update these credentials.

o If the IGCAdmin credentials are to be used for running the IGC Services, there are very specific steps that must be followed to update the username and password: because this account is assigned to run these services, credential changes must be done in a specific, concentrated effort to ensure that the services can be successfully restarted.

 Symantec eDiscovery Platform default usernames

o Superuser

 This is the out of the box application administrator account that comes with the Symantec eDiscovery Platform. It should be utilized as the backup administrator account for the Symantec eDiscovery Platform User Interface and cannot be deleted.

 The password is able to be updated to align with security standards and should be changed once the installation of the appliance is complete and management of the appliance is transferred to local staff.

 It is imperative that the account credentials are maintained to ensure that, in case of loss of the LDAP connection, the superuser can be used to log in locally. This is considered to be like a Windows local admin account and is used in last-resort circumstances.

o Default Password

 These are available upon request to the support team, account representative, or system engineer.

Domain Accounts

 Symantec eDiscovery Platform has the capacity to use domain accounts within an existing infrastructure to increase scalability, provide better ease of management, and provide additional auditing with existing tools and infrastructure.
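The Services and Accounts sections above state three checkable rules about the accounts that run the ESA services: the PST crawler and retriever must run under different accounts, the NSF crawler and retriever must share one account, and an account that runs ESA services must be a local administrator on the appliance. The script below is an added example, not part of the Symantec document or the product, that audits the installed Esa* services against those rules. It assumes Windows Server 2012 R2 or later with PowerShell 5.1 (Get-CimInstance and the LocalAccounts module's Get-LocalGroupMember); the service names are the ones the Services section lists.

```powershell
# Added example (not from the Symantec document): audit ESA service logon
# accounts against the documented rules. Assumes PowerShell 5.1 on Windows
# Server 2012 R2 or later.
$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Esa%'" |
    Select-Object Name, StartName, State, StartMode

function Get-ServiceLogon {
    # Logon account of one ESA service, or $null if the service is not installed.
    param([string]$Name)
    ($services | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).StartName
}

$findings = New-Object System.Collections.Generic.List[string]

# Rule 1: PST crawler and retriever run under different accounts (the document
# cites MAPI profile corruption and memory contention as the reason).
$pstCrawler   = Get-ServiceLogon 'EsaPstCrawlerService'
$pstRetriever = Get-ServiceLogon 'EsaPstRetrieverService'
if ($pstCrawler -and $pstRetriever -and ($pstCrawler -eq $pstRetriever)) {
    $findings.Add("EsaPstCrawlerService and EsaPstRetrieverService both run as '$pstCrawler'; separate accounts are required.")
}

# Rule 2: NSF crawler and retriever share one account.
$nsfCrawler   = Get-ServiceLogon 'EsaNsfCrawlerService'
$nsfRetriever = Get-ServiceLogon 'EsaNsfRetrieverService'
if ($nsfCrawler -and $nsfRetriever -and ($nsfCrawler -ne $nsfRetriever)) {
    $findings.Add("EsaNsfCrawlerService ('$nsfCrawler') and EsaNsfRetrieverService ('$nsfRetriever') must use the same account.")
}

# Rule 3: every account that runs an ESA service is a local administrator.
# The group is looked up by its well-known SID so the check works on localized
# systems. Win32_Service reports local accounts as '.\name' while
# Get-LocalGroupMember reports 'COMPUTER\name', so names are normalised first.
$admins  = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.Name.ToLowerInvariant() }
$builtIn = 'localsystem', 'nt authority\localservice', 'nt authority\networkservice'
foreach ($svc in $services) {
    $acct = $svc.StartName
    if (-not $acct -or ($builtIn -contains $acct.ToLowerInvariant())) { continue }
    $normalized = ($acct -replace '^\.\\', "$env:COMPUTERNAME\").ToLowerInvariant()
    if ($admins -notcontains $normalized) {
        $findings.Add("$($svc.Name) runs as '$acct', which is not in the local Administrators group.")
    }
}

$services | Format-Table -AutoSize
if ($findings.Count -eq 0) {
    'No deviations from the documented service account rules.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated session after installation and after any credential rotation of CWAppAdmin, CWPSTRetriever or IGCAdmin: a rotation that leaves a service pointed at an account removed from the Administrators group, or that collapses the PST crawler and retriever onto one account, shows up as a finding before the services fail to restart.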

Default Roles

Symantec eDiscovery Platform comes with a list of default roles which in most cases are suitable for the majority of uses. Custom roles can be created by the system administrator as required.

Role / Description / Default Assigned Rights

Case Admin
Description: Administrator-level access to one or more cases (includes case admin capabilities plus all case user rights)
Default Assigned Rights:
  General Rights: Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
  Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
  Case Administration Rights: All case admin rights
  System Administrative Settings: none

Case Manager
Description: Manager-level access to one or more cases (includes case admin capabilities (except source setup rights) plus all case user rights)
Default Assigned Rights:
  General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
  Collection Rights: none
  Legal Holds Rights: Allow Legal Hold access; Legal Hold management
  Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
  Case Administration Rights: Allow case status access; Allow user management; Allow activity report access; Allow group and topic management; Allow tag definition; Allow folder setup; Allow folder check-out management; Allow production folder management; Allow custodian management; Allow participant management; View exceptions; Manage exceptions; Allow OCR processing; Other case management functions (e.g. jobs, batches, etc.) – access to all other case management functions not otherwise specified, including batches, jobs, logs, and schedules
  System Administrative Settings: none

Case User
Description: Search, tagging, and print dashboard rights to one or more cases
Default Assigned Rights:
  General Rights: Allow analysis tags dashboard access; Allow access to management charts
  Collection Rights: none
  Legal Holds Rights: none
  Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow printing; Allow native download; Allow caching for review
  Case Administration Rights: No case admin rights
  System Administrative Settings: none

Collection Admin
Description: Administrator-level collection set management
Default Assigned Rights:
  General Rights: Allow integrated analytics access; Allow reports access; Allow mobile access
  Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
  Legal Holds Rights: none
  Document Access Rights: none
  Case Administration Rights: No case admin rights
  System Administrative Settings: Allow Case Home and All Cases Dashboard Access

eDiscovery Admin
Description: Administrator-level access to one or more cases as well as collection set management and integrated analytics
Default Assigned Rights:
  General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
  Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
  Legal Holds Rights: Allow Legal Hold access; Legal Hold management
  Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
  Case Administration Rights: All case admin rights
  System Administrative Settings: Allow Case Home and All Cases Dashboard Access

Legal Hold Admin
Description: Administrator-level legal hold management
Default Assigned Rights:
  General Rights: Allow integrated analytics access; Allow mobile access
  Collection Rights: none
  Legal Holds Rights: Allow Legal Hold access; Legal Hold management
  Document Access Rights: none
  Case Administration Rights: No case admin rights
  System Administrative Settings: Allow Case Home and All Cases Dashboard Access

System Manager
Description: Unrestricted rights to manage the entire Symantec eDiscovery Platform system, including administrator-level access to all cases
Default Assigned Rights:
  General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
  Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
  Legal Holds Rights: Allow Legal Hold access; Legal Hold management
  Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
  Case Administration Rights: All case admin rights
  System Administrative Settings: Allow Case Home and All Cases Dashboard Access; Allow system management; Allow support access; Allow new case creation, case backup, restore, deletion, template creation; Allow collections and data map backup, restore; Allow user management; Allow admin user and role management


About Symantec:

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and contact numbers, please visit our Web site: www.symantec.com

Symantec Corporation World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
+1 (800) 721 3934

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
