Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

About the Device

RRAS provides a remote user with access to an internal network via a secured virtual private network (VPN) connection. This connectivity can be deployed using typical IP-based VPN over the Internet. Or, like an Internet service provider (ISP), it can be deployed through dial-up services by allowing remote users to connect with the organizational network after authentication

The Routing and Remote Access service (RRAS) in Windows Server supports remote user or site-to-site connectivity by using virtual private network (VPN) or dial-up connections. 

Device Information

 Entity

Particulars

Vendor Name

Microsoft

Product Name

Windows Remote Management

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log collection method

Windows Event

WINEVTLOG

API-Pull

CyberHub

Device Configuration

To Configure WinRM

To Add the domain root certificate to the keystore

To use encryption for WinRM service, the HTTPS connection protocol should be defined. The default port for HTTP protocol is 5985 and for HTTPS protocol the default port is 5986.

If you do not use the HTTPS protocol, you do not need a certificate.

Every computer that has its logs read should have an SSL certificate. The Domain Certificate Server provides the certificate which should be signed with a domain root certificate. Machine collector read events should be included in the domain and should have domain user access. Both the domain computer and target computer should not be in the 169.XXX.XXX.XXX network.

The domain root certificate should be imported to the Cyberhub certificate keystore.

To add the domain root certificate to the keystore

  1. Copy the certificate file to the C:\Program Files\Symantec\Event Agent\jre\bin directory.

  2. At a command prompt, type the following: 

    keytool -importcert -trustcacerts -alias Symc-CA -file Symc-CA.cer -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass changeit.

Symc-CA is an alias for the domain root certificate Symc-CA.cer is a file with the domain root certificate. C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts is the path to the default Java certificate keystore. The default password for the certificate keystore is changeit

Adding a security descriptor

For the collector to access event logs through WinRM, a security descriptor must be added to the monitored Windows Vista, Windows 2003, Windows 2003 R2, or Windows 2008 system. The security descriptor was added as a component of Windows Vista SP1. A security descriptor needs to be modified to read the Security Event Log.

To add a security descriptor on the Windows 2008 or Windows 2008 R2 system:

  • Update the Windows Registry.

For a user that does not have administrative privileges, you can create a new user and add the record to the Event Log Readers group. To do this, first run the

wevtutil

command to get information about access rights. For example, to get settings for the security log, you can run the command: 

wevtutil gl security

This command will provide the following output:

  • name: security

  • enabled: true

  • type: Admin

  • owningPublisher:

  • isolation: Custom

  • channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

  • logging:

  • logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

  • retention: false

  • autoBackup: false

  • maxSize: 20971520

  • publishing:

Make a note of channnelAccess which returns the SDDL string that is set for the Security Log. In the example above, the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group. The ACE string of RootSDDL grants read access to the Event Log Readers: (A;;GR;;;ER).

If cutomsd.reg was imported, or you had set the CustomSD in the registry, you can access the Registry and delete the CustomSD key. This restores the default setting. To be able to collect the Security log from a Windows 2008 machine via WinRM  (access to the Security log is restricted to only a few users). 

To be able to read the Security log via WinRM, the Network Service account must be given read access to the Security log. The Network Service is the default account which the WinRM service uses to run. There are two ways to give the Network Service account the right permission: 

  • Add the account to the Event Log Readers group from which you want to collect the Security log: From the Administrator's command prompt, type the following: 

net localgroup "Event Log Readers" "NT Authority\Network Service" /add
  • Provide the Network Service account read access to the Security log by changing the channel access: 

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY) (A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS).

Windows Server 2003/2003 R2 or Windows Server 2008/2008 R2 with domain level 2003 does not have the EventLogreaders group. You must manually add permissions to the registry. 

For Windows Server 2003 client computers, set the registry key CustomerSD as follows: 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Security as O:BAG:SYD:(A;;0x01;;;NS) 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/System as O:BAG:SYD:(A;;0x01;;;NS) 

  • HKLM/SYSTEM/CurrentControlSet/Services/EventLog/Application as O:BAG:SYD:(A;;0x01;;;NS)

Windows Server 2003 does not have the wevtutil command, the changes must be done through regedit.

To Disable the Remote Shell Access 

You may want to disable the Remote Shell Access, particularly if your company's policy states that Remote Shell Access is not allowed. After running winrm quickconfig, the Remote Shell Access is enabled.

To disable the Remote Shell Access for WinRM, run the following command:

winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"} 

To Configure Windows Firewall

If Windows Firewall is enabled on the server, you must configure the Windows Firewall to allow the Cyberhub to read events. 

  1. On the collector computer, from the Start menu, navigate to Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. In the left pane, click Windows Firewall with Advanced Security, and then, to expand the Configuration options, click the down arrow next to Windows Firewall with Advanced Security.

  3. In the left pane, under Windows Firewall with Advanced Security, click Inbound Rules.

  4. In the right pane, click New Rule

  5. On Windows 2008 Server R2, in the New Inbound Rule Wizard, complete the following steps:​

  • For the Rule Type, click Port, and then click Next

  • In the Protocol, select TCP

  • In the Local port, select Specific ports, and then specify the port values based on whether WinRM 1.1 or WinRM 2.0 is being used. 

    • WinRM 1.1 uses port 80 for HTTP and port 443 for HTTPS by default. 

    • WinRM 2.0 uses port 5985 for HTTP and port 5986 for HTTPS by default. 

  • Click Next.

  • In Action, click Allow the connection, and then click Next

  • In Profile, click all check boxes, and then click Next

  • In Name, specify a rule name, and then click Next.

To Configure WinRM to work with the Cyberhub

If Windows Remote Management is not installed and configured, WinRM scripts do not run. The WinRM command-line tool cannot perform data operations. On Windows Vista, start the WinRM service manually. By default, no WinRM listener is configured. You can use the WinRM command to locate listeners and addresses.

A certificate must be installed before you use the HTTPS protocol. To configure a Vista computer, you must log on as the local administrator. You can either select Run As Administrator from the Start menu or use the RunAs command at a command prompt.

You should execute step 4 only if you use a local account for monitored host name. Vista should be included in a domain before you configure WinRM.

Type the following command at a command prompt to run WinRM with HTTP: 

winrm quickconfigTo run WinRM using HTTPS, type:  winrm quickconfig -transport:https

The command performs the following operations: 

  • Starts the WinRM service and sets the service startup type to auto-start.

  • Configures a listener for the ports that send and receive MS-Management protocol messages using either the HTTP protocol or HTTPS protocol.

  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports.

When the tool appears, Make these changes: type: y

  1. At the prompt, type: winrm set winrm/config/service @{AllowUnencrypted="true"} ​

  2. At the prompt, type: winrm set winrm/config/service/Auth @{Basic="true"}​

  3. The winrm quickconfig command enables the Remote Shell access by default. When you run winrm set winrm/config, the following message appears:

AllowRemoteShell Access=true.

For security, Accenture recommends that you disable the Remote Shell access.

 To delete an HTTP listener 

  • ​Type the following at the command prompt:

winrm delete winrm/config/Listener? Address=IP:+Transport=HTTP

For example, if your listener has the IP Address 192.168.2.1, type the following command to remove it: 

winrm delete winrm/config/Listener?Address=IP:192.168.2.1+Transport=HTTthe

To delete an HTTPS listener 

  • Type the following at the command prompt: 

winrm delete winrm/config/Listener?Address=IP: +Transport=HTTPS

For example, if your listener has the IP Address 192.168.2.1, type the following command to remove it:

winrm delete winrm/config/Listener?Address=IP:192.168.2.1 +Transport=HTTPS

 To list all WinRM listeners​

  • ​Type the following at a command prompt: 

winrm enumerate winrm/config/listener

To set access rights for WinRM 

For WinRM 1.1:

  • Use the following command to grant read access for WinRM to a user: 

winrm set winrm/config/Service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)(A;;GR;;; )S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)"}
  • Replace with the SID of the user to whom you want to grant read access. To retrieve the SID of a user, consult the Microsoft documentation. 

For WinRM 2.0:

 A window appears that lets you add users and set the permissions.

image-20240528-043436.png

The collector can be installed remotely and uses Kerberos authentication when read from Windows 2012 R2 Domain Controllers. 

To configure Kerberos:

  1. Create a user for events reading.

  2. Add this user to the Event Log Reader group.

  3. Open User properties and in the Account tab, select Algorythms for this user.

image-20240528-043359.png
  1. Edit the Domain controller policy to enable additional algorithms.

To Configure the collector to collect events using HTTP transport with domain accounts 

  1. Create a domain user account in the Windows Active Directory Domain that hosts the systems from which you will be collecting events.

  2. On each system from which you will be collecting events, add the domain user account created in the previous step to the local Administrators group.

  3. On each system from which you will be collecting events, open an administrator-level command prompt by right-clicking the command prompt shortcut in the Start menu (located in All Programs > Accessories), and selecting Run as administrator.

  4. In the command prompt window, run the following commands:

winrm quickconfig
winrm set winrm/config/service @{AllowUnencrypted=”true”}
winrm set winrm/config/service/auth @{Basic=”true”}
  1. Answer “y” when asked “Make these changes [y/n]?”

  2. In Information Manager, in your WS Management Event Collector configuration, create a sensor definition for each system from which you will be collecting events, as follows:

  • Monitored Host Name = Fully Qualified Domain Name of system

  • Monitored Host Realm = Domain Name of Active Directory Domain

  • Connection Port = default for HTTP transport is port 80 for WinRM 1.1 and port 5985 for WinRM 2.0

  • Connection Protocol = HTTP

  • Monitored Host Account Name = Domain user account created in step 1

  • Account Password = Password for Domain user account created in step 1

  • Event Logs to Audit = Event logs from which you would like to collect events

  • Start Reading From = BEGINNING or END​

WinRM 2.x now uses the following ports for its default WinRM configuration: ports HTTP = 5985 and HTTPS = 5986.

To Configure the collector to collect events using HTTP transport with a standalone server account

  1. Create a local user account in the Windows Active Directory Domain that hosts the systems from which you will be collecting events.

  2. On each system from which you will be collecting events, add the local user account created in the previous step to the local Administrators group.

  3. On each system from which you will be collecting events, open an administrator-level command prompt by right-clicking the Command Prompt shortcut on the Start menu (located in All Programs > Accessories), and selecting Run as administrator.

  4. In the command prompt window, run the following commands: 

winrm quickconfigwinrm set winrm/config/service @{AllowUnencrypted=”true”}
  1. Answer “y” when asked “Make these changes [y/n]?” 

  2. In Information Manager, in your WS Management Event Collector configuration, create a sensor definition for each system from which you will be collecting events as follows:

  • Monitored Host Name = Fully Qualified Domain Name of system

  • Connection Port = default for HTTP transport is port 80 for WinRM 1.1 and port 5985 for WinRM 2.0

  • Connection Protocol = HTTP

  • Monitored Host Account Name = MACHINE/username for the local user account created in step 1

  • Account Password = Password for local user account created in Step 1

  • Event Logs to Audit = Event logs from which you would like to collect events

WinRM 2.x now uses the following ports for its default WinRM configuration: ports HTTP = 5985 and HTTPS = 5986.

To Set up the collector without SSL 

If you are not collecting from other Windows hosts, your traffic will be sent from the agent encrypted, so there is no need to encrypt it on the same host twice. But if you wish to send logs from other windows hosts, you should consider using https and follow the procedures described below.

You must complete WinRM configuration on Windows Vista or Windows 2008 before you can install and configure the Information Manager Windows Vista/2008 collector. Review Microsoft documentation or contact Microsoft for detailed information.

To Add a Security Descriptor (SD) to the registry 

Access to the Event Logs requires that a Custom SD be used to allow access to that log. The Information Manager Windows Vista/2008 collector must have the ability to access the Windows Event Log, for this you must add an SD. To do this, you need to update your registry by exporting the customsd.reg provided with the collector or by adding the SD to the Event Logs manually. For Windows Server 2003, import customsd.reg for the local administrator account or add customsd. See "To add a Security Descriptor (SD) to the registry". 

For more information about Custom SD and the values in the data string, review the Microsoft documentation.

To add a Security Descriptor (SD) to the registry: 

If you are not on a Domain, use the provided registry file to add the security descriptor for the Administrator account. The customsd.reg file is located under the utils subdirectory of the installation directory or inside the collector zipfile.

The default, customsd.reg, is set up for use by the local computer Administrator account only and will not provide the required security configuration for any other users.

If you use a Domain, you need to configure a custom Security Descriptor. When using a domain user account, you need to configure the SD to allow access for that user.

To Set up the WinRM 

WinRM 2.x now uses the following ports for its default WinRM configuration: Ports HTTP = 5985 and HTTPS = 5986. See “Creating a WinRM listener with a custom port”.

WinRM must be installed and configured or WinRM scripts do not run and the WinRM command-line tool cannot perform data operations.

On Windows Vista, the WinRM service must be started manually. By default, no WinRM listener is configured. You can use the WinRM command to locate listeners and addresses. 

A certificate must be installed before you use the HTTPS protocol. This information is in the collector manual. You should execute step 4 in the collector manual only if you use a local account for monitored host name.

To set up WinRM: 

  1. To configure a Vista computer, you must login as the local administrator. You can either select Run As Administrator from the Start menu or use the RunAs command at the command prompt.

  2. To configure WinRM to work with the collector for standard http enter the following:To create WinRM listener with HTTP port 80, run the following command to create this listener: winrm create winrm/config/listener?Address=*+Transport=HTTP The command performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start.

  • Configures a listener for the port that sends and receives MS-Management protocol messages using the HTTP protocol.

  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports. 

  1. Modify some of the default settings: winrm set winrm/config/service @{AllowUnencrypted="true"}winrm set winrm/config/service/Auth @{Basic="true"}

  2. To verify these settings, type the following: winrm enumerate winrm/config/Listener

  3. To remove a WinRM listener type the following at a command prompt: winrm delete winrm/config/listener?Address=*+Transport=HTTPS 

  4. Follow the remaining steps in the WS Management Event Collector Guide for Installation and Sensor Configuration.

 

Creating a WinRM listener with a custom port 

You need to create a WinRM listener with a custom port when you want to collect Windows logs and enable the WinRM listener. It uses the ports that are already in use.

WinRM 1.1 and its earlier versions use default HTTP port 80 and default HTTPS port 443 while Internet Information Services commonly use these ports.

WinRM 2.x uses default HTTP port 5985 and default HTTPS port 5986. Windows 2008 R2 uses a new version of WinRM, by default its HTTP port is 5985 and HTTPS port is 5986.

To create a WinRM listener with a custom HTTP port 8888

  • Run the command: winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}Port 8888 is given as an example. You may choose any unused port.

To create WinRM listener with a custom HTTPS port 8888:

  • Run the command: winrm create winrm/config/listener?Address=*+Transport=HTTPS @{Port="8888"}Port 8888 is given as an example. You may choose any unused port.

To change the port to a created WinRM listener: 

  • Run the command: winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"} Port 8888 is given as an example. You may choose any unused port.

Creating a Group Policy Object (GPO) for auto-configuration through Active Directory for the WS Management collector

​​For automatic configuration of WinRM through Active Directory, refer to the following URL:

Creating a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

One of the components that the WS Management collector uses is WinRM. You need to create certificates for every server to use HTTPS as a communication protocol for WinRM.

To automate this task, you can create a Group Policy Object (GPO) which instructs the servers to enroll for a certificate automatically. 

 

To create a GPO for auto-enrollment of certificates for WinRM for the WS Management collector

  1. On the Start menu, go to Programs > Administrative Tools > Group Policy Management.

  2. Create a new GPO.

  3. Right-click the new GPO, and click Edit.

  4. In Group Policy Management Editor, expand the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies folders.

  5. Create a new automatic certificate request policy.

  6. In the Welcome to the Automatic Certificate Request Settings Wizard panel, click Next.

  7. In the Certificate Template panel, select the Computer template, and click Next. If you create a policy for domain controllers, select the Domain Controller template.

  8. Click Finish.

  9. In the Group Policy Management Editor, navigate to Public Key Policies folder, in the right, enable Certificate Client Services - Auto-Enrollment (right-click Properties).

  10. To the right, in Group Policy Management Editor, in the Object Type section, , right-click Certificate Client Services - Auto-Enrollment, and select Properties.

  11. In the Configuration Model list, click Enabled.

  12. Check the two boxes available, click Apply and then click OK.

To check that the permissions for the Computer template on your certificate authority (CA) are set correctly: 

  1. On your CA, on the Start menu, click Run, and type the following command: mmc

  2. In the Management console, on the File menu, click Add/Remove Snap-in...

  3. In the Available snap-ins list, click Certificate Templates, click Add, and then click OK.

  4. In the Template Display Name list, right-click Computer template, and then click Properties.

  5. On the Security tab, for the domain computers group, check the Allow box to enroll permissions for domain computers.

You can now link the GPO to your domain and assign it to the computers that use WinRM for the WS Management collector.

Specifying manually what certificate the WinRM listener uses

If in the collector log there are messages about "untrusted server certificate chain", a certificate either has not been set up, or winrm is set up with the wrong certificate file.

You must specify the certificate for Winrm because it does not use the correct one with the quickconfig tab.

You can manually set which certificate winrm uses by specifying the Certificate Thumbprint when you create the listener.

To create a new listener that specifies the Certificate Thumbprint:

  1. Open the certificate file, and click the Details tab.

  2. Scroll to the bottom and click Thumbprint.

  3. The bottom half of the window displays the hexadecimal value. This is what must be used in the Winrm command.

  4. When logged in as administrator, or an administrator, open a command window.

  5. Set the winrm configuration to use the correct thumbprint by entering the following command: winrm set winrm/config/service @{CertificateThumbprint=" "}

You need to remove the spaces from the thumbprint string.

  1. Set up the listener to use that same thumbprint by entering the following command: winrm create winrm/config/Listener?Address=IP: +Transport=HTTPS @{Hostname=" ";CertificateThumbprint="

<Hexadecimal thumbprint value from the correct certificate>"} 

You will need to remove the spaces from the thumbprint string. 

Deleting a WinRM listener created with the quickconfig command

You can delete WinRM listener that was created with the quickconfig command in Windows 2008 or Windows Vista.

To delete a WinRM listener created with the quickconfig command:

Do either of the following:

  • For an HTTP listener, run the following command: winrm delete winrm/config/Listener?Address=*+Transport=HTTP

  • For an HTTPS listener, run the following command: winrm delete winrm/config/Listener?Address=*+Transport=HTTPS

Using the Event Log Readers group ​

Windows 2008/2008R2 standalone or domain level 2008 /2008R2 servers and Windows Vista grant read access to the event logs to the Event Log Readers group by default.

Therefore, do not import the customsd.reg and do not set any CustomSD manually. You might want to work under a user account that does not have administrative privileges when you use the collector.

In this case you need to create a user account and add it to the Event Log Readers group.

This does not apply to Windows 2003 standalone or domain level 2003 servers.

To get information about the access rights run wevtutil command. For example, to get settings for the Security log, run the following command: wevtutil gl security

The command gives you the following output

  • name: security

  • enabled: true

  • type: Admin

  • owningPublisher:

  • isolation: Custom

  • channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY) (A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)

  • logging:

  • logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx

  • retention: false

  • autoBackup: false

  • maxSize: 20971520

  • publishing:

Look at the output for the channnelAccess that returns the SDDL string which is set for the Security Log. In this case the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group

0x1               Read

0x2               Write

0x3               Read/Write

0x4               Delete

For WinRM 1.1, the ACE string of the RootSDDL, which grants read access to the Event Log Readers looks as follows: (A;;GR;;;ER).

 If you imported the customsd.reg or set the CustomSD in the registry, you need to restore the default settings. 

 

To restore the default settings if you imported the customsd.reg or set CustomSD manually

  1. Navigate to the Registry.

  2. Delete the CustomSD key.

Giving the Network Service account the right permission ​

To collect Security log from a Windows 2008/2008R2 standalone or domain level 2008/2008R2 server via WinRM, the Network Service account must be given read access to the Security log.

This does not apply to Windows 2003 standalone or domain level 2003 servers. 

The Network Service account is a default account that Windows Remote Management service uses to run.

If you are pulling from a Domain Controller, you must modify the SDDL string. 

To give the Network Service account the right permission 

Use either of the following methods:

  • ​You can add the account to the Event Log Readers group on the Windows 2008 server from which you want to collect the Security log with the following command:net localgroup "Event Log Readers" "NT Authority\Network Service" /add

  • You can give the Network Service account read access to the Security log by changing the channel access with the following command:wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA) (A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)​

The second option gives you the ability to use a Group Policy to set the channel access for the Security log in a domain environment.

If you are pulling from a Domain Controller, add the following string to the Custom SDDL for the Domain User to grant Network Service read access: (A;;0x1;;;NS). You need to use the second option for Windows 2008 Domain Controller as the Network Service is a Built-in Security Principal and local groups are not used in a Domain Controller.

 

Limiting the sensor to use only certain encryption types

The sensor uses the first encryption type that works for a connection. There is a way to limit the use of encryption types.

To limit the sensor to use only certain encryption types

  1. In a text editor, edit the config.xml file in the directory of the collector which uses the Windows Management Sensor.On Windows, this directory is normally available at C:\Program Files\Symantec\Event Agent\collectors\msvista.On Linux and Solaris, this is directory is normally available at : /opt/Symantec/sesa/Agent/collectors/msvista. 

  2. Under the tag, find the tag. 

  3. Insert the Encryption Types property between the and tags.

  4. Specify the desired value(s). The property accepts a single value as well as a comma-separated list of values.Full list of supported encryption types is available at http://download.oracle.com/javase/6/docs/technotes/guides/security/ jgss/jgss-features.html.

  5. Save and close the file.

  6. Restart the Event Agent. The following is a sample excerpt of a config.xml:<property name="props">  <props>    ..   <prop key="EncryptionTypes">des3-hmac-sha1,    des3-cbc-sha1-kd</prop>     ..   </props> </property>

Creation of a subscription for reading events from a remote WinRm configured listener

In Windows Server 2008 and higher, a remote subscription can be configured.

  • No labels