Accenture MDR Quick Start Guide for Symantec Critical System Protection (SCSP) and Data Center Security (DCS)

This quick start guide will help Accenture MDR customers configure Symantec Critical System Protection (SCSP) and Data Center Security (DCS) to allow log collection from the Log Collection Platform (LCP).


Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

| Source | Destination | Port | Description |
|---|---|---|---|
| LCP | SCSP/DCS Database | 1433 (TCP) | Default database port |

 Configuring SCSP and DCS

To configure the Microsoft® SQL database, follow the steps below.

  1. Configure the database based on the user account authentication type: 

    1. On-box - If you are using SQL Authentication, the LCP can directly connect to the DB server and collect logs. 

    2. Off-box - If you are using Windows Authentication, you must install the Symantec Event Agent and Collector on the Windows server as Windows authentication is not allowed from the LCP.

  2. Configure the SQL Server Instance to listen on a Non-Dynamic Port.

Note: For more information on the Accenture Security MDR Installation Guide for Off-box Agent for LCP, please contact the Accenture MDR onboarding team.

 1. Configuring the Database Using SQL Authentication

To configure the database using SQL authentication, follow the steps below.

Create a read-only database account.

  1. Based on the Microsoft SQL Server version, do one of the following:

  • For Microsoft SQL Server 2012, from the Start menu, click Programs > Microsoft SQL Server 2012 > SQL Server Management Studio.

  • For Microsoft SQL Server 2008, from the Start menu, click Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.

  • For Microsoft SQL Server 2005, from the Start menu, click Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.

  • For Microsoft SQL Server 2000, from the Start menu, click Programs > Microsoft SQL Server 2000 > SQL Enterprise Manager.

2. At the login prompt, type the Administrator username and password.

3. From the Authentication drop-down list, select SQL Server Authentication.

4. In the SQL Server Management Studio window, in the Object Explorer pane, go to Security > New > Login and perform the following tasks.

  • In the Select a page pane, click General.

  • In the right pane, in the Login name text box, type a username for the LCP.

  • Select the SQL Server authentication option.

  • In the Password and Confirm password text boxes, type a password.

  • Uncheck the following check boxes: 

    • Enforce password policy

    • Enforce password expiration

    • User must change password at next login 

  • From the Default Database drop-down list, select the required database for which the user needs authentication.

  • In the Select a page pane, click Server Roles.

  • In the right pane, select public.

  • In the Select a page pane, click User Mapping.

  • In the User Mapping section, check the required database check box. 

  • Specify the Default Schema of the user as dbo.

  • In the Database role membership section, check the db_datareader check box.

  • In the Select a page pane, click Status.

  • In the Permission to connect to database engine section, select Grant.

  • In the Login section, select Enabled, and then click OK.

Set permissions for required tables and view

  1. In the SQL Server Management Studio window, in the Object Explorer pane, expand the SCSP database.

  2. Go to Security > Users, right-click <read-only user account> (user account created in step I) and click Properties.

  3. In the Database User - <read-only account> window, in the Select a page pane, click Securables and then click Search….

  4. In the Add Objects window, click the Specific objects… option and then click OK.

Figure 1-1: The Add Objects Window. 

5. In the Select Objects window, click Object Types…, check the Tables and Views check boxes, and then click OK.   

Figure 1-2: The Select Objects Window.

6. In the Select Objects window, in the text box, type [dbo].[SCSP_REALTIME_EVENTS];[dbo].[AUDIT] and click OK.

7. In the Database User - <read-only account> window, click the AUDIT name and click the Explicit tab.

8. In the Permission section, scroll down and then click Select.

9. In the Select row, check the Grant check box.

10. In the Database User - <read-only account> window, click the SCSP_REALTIME_EVENTS name and click the Explicit tab.

11. Repeat steps 8 and 9 to assign the Select permissions to the view and then click OK.

Set the SQL Server security mode to mixed authentication.

To set the Microsoft SQL Server security mode to mixed authentication, follow the steps below.

  1. Based on the Microsoft SQL Server version, do one of the following:

  • For Microsoft SQL Server 2012, from the Start menu, click Programs > Microsoft SQL Server 2012 > SQL Server Management Studio.

  • For Microsoft SQL Server 2008, from the Start menu, click Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.

  • For Microsoft SQL Server 2005, from the Start menu, click Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.

  • For Microsoft SQL Server 2000, from the Start menu, click Programs > Microsoft SQL Server 2000 > SQL Enterprise Manager.

2. Login as an Administrator.

3. On the left pane, right-click the appropriate server and then click Properties.

4. In the Server Properties window, select Security.

5. In Server Authentication section, click SQL Server and Windows Authentication mode.

6. Click OK and then click Close.

2. Configuring the Database using Windows Authentication

To configure the database using Windows authentication, follow the steps below.

Create a read-only database account.

  1. In Windows Domain Controller, create a standard user account and make a note of the username and password.

Note: While creating a domain user account, uncheck the User must change password at next logon check box and check the Password never expires check box.

Based on the Microsoft SQL Server version, do one of the following:

  • For Microsoft SQL Server 2012, from the Start menu, click Programs > Microsoft SQL Server 2012 > SQL Server Management Studio.

  • For Microsoft SQL Server 2008, from the Start menu, click Programs > Microsoft SQL Server 2008 > SQL Server Management Studio.

  • For Microsoft SQL Server 2005, from the Start menu, click Programs > Microsoft SQL Server 2005 > SQL Server Management Studio.

  • For Microsoft SQL Server 2000, from the Start menu, click Programs > Microsoft SQL Server 2000 > SQL Enterprise Manager.

2. At the login prompt, type the Administrator username and password.

3. From the Authentication drop-down list, choose SQL Server Authentication.

4. In the SQL Server Management Studio window, in the Object Explorer pane, go to Security > New > Login and perform the following tasks.

  • In the Select a page pane, click General.

  • Select the Windows authentication option.

  • In the Login name text box, type the Windows username created in the Domain Controller and click Search to select the desired username.

  • From the Default Database drop-down list, select the required database for which the user needs authentication.

  • In the Select a page pane, click User Mapping.

  • In the User Mapping section, check the required database check box. 

  • Specify the Default Schema of the user as dbo.

  • In Database role membership section, check the db_datareader check box.

  • In the Select a page pane, click Status.

  • In the Permission to connect to database engine section, select Grant.

  • In the Login section, select Enabled and click OK.

To provide permissions to the required tables and views:

  1. In the SQL Server Management Studio window, in the Object Explorer pane, expand Databases, <required database>, Security, and Users.

  2. Double-click the user account created in step 5. 

  3. In the Database User - <read-only account> window, in the Select a page pane, click Securables and then click Search….

  4. In the Add Objects window, select the Specific objects… option and then click OK.

Figure 1-3: The Add Objects Window.

5. In the Select Objects window, click the Object Types… button, check the Tables and Views check boxes, and then click OK.

Figure 1-4: The Select Objects Window.

6. In the text box, type [dbo].[SCSP_REALTIME_EVENTS];[dbo].[AUDIT] and click OK.

7. In the Securables section, click SCSP_REALTIME_EVENTS. 

8. On the Explicit tab, highlight the Select permission and check the Grant check box.

9. In the Securables section, click AUDIT.

10. On the Explicit tab, highlight the Select permission, check the Grant check box, and then click OK.

1. Set the off-box server for Windows authentication.

Please engage the MDR onboarding team to perform this step.

  1. Login to the off-box server as Administrator.

  2. Download the Microsoft SQL Server JDBC driver and run the installer.

  3. Copy the sqljdbc_auth.dll file from the <installation directory>\sqljdbc_<version>\<language>\auth\ location to the <drive>\WINDOWS directory on the computer where the JDBC driver is installed.

  4. To set up the Symantec Event Agent service with Windows credentials, follow the steps below.

  • On the Start menu, click Run.

  • In the Open text box, type services.msc and click OK.

  • In the Services window, right-click the Symantec Event Agent service and click Properties.

  • On the Log On tab, select the This account option and enter the Windows credentials (created in step I).

  • Click OK and restart the Symantec Event Agent service.

2. Configure the SQL Server Instance to listen on a non-dynamic port

To configure the Microsoft SQL Server instance to listen on a non-dynamic port:

  • On the Start menu, go to Programs > Microsoft SQL Server > SQL Enterprise Manager > SQL Server Configuration Manager.

  • Expand SQL Server Network Configuration and select Protocols for <instance_name>.

  • In the right pane, click TCP/IP.

    • In the TCP/IP properties window, on the IP Addresses tab, ensure that the Active and Enabled options are set to Yes.

    • Ensure that the TCP Dynamic Ports text box is blank for the IP address to which the LCP connects.

    • In the TCP Port text box, type 1433

Configure an SSL connection for the Microsoft SQL Server (Optional)

To configure SSL for the SQL Server:

  1. Based on the Microsoft SQL Server version, do one of the following:

  • For Microsoft SQL Server 2012, from the Start menu, click Programs > Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration.

  • For Microsoft SQL Server 2008, from the Start menu, click Programs > Microsoft SQL Server 2008 > Configuration Tools > SQL Server Configuration.

  • For Microsoft SQL Server 2005, from the Start menu, click Programs > Microsoft SQL Server 2005 > Configuration Tools > SQL Server Configuration.

  • For Microsoft SQL Server 2000, from the Start menu, click Programs > Microsoft SQL Server 2000 > Configuration Tools > SQL Server Configuration.

2. Expand SQL Server Network Configuration, right-click Protocols for <the required server> and then click Properties.

3. On the Certificate tab, select the required certificate.

4. Note: Self-signed certificates are supported but not recommended because they do not provide adequate security.

5. On the Flags tab, specify the protocol encryption option.

6. Set the ForceEncryption option to Yes to encrypt all client and server communication. 

7. Click Apply and then click OK.

8. Click SQL Server Services, right-click SQL-SERVER, and then click Restart.

9. Click Apply and then click OK.

To configure Microsoft SQL Server from CLI (Optional)

  1. From the Windows Start menu, choose Run, and then type the following command: cmd

  2. Navigate to the directory that contains the OSQL.EXE file.

  • For Microsoft SQL Server 2012, the default directory location for this file is C:\Program Files\Microsoft SQL Server\110\Tools\Binn

  • For Microsoft SQL Server 2008, the default directory location for this file is C:\Program Files\Microsoft SQL Server\100\Tools\Binn

  • For Microsoft SQL Server 2005, the default directory location for this file is C:\Program Files\Microsoft SQL Server\90\Tools\Binn

3. Log in as the system administrator user and type the following command: sqlcmd -S database_ip_address -U sa -P sa_user_password

4. At the command prompt, type the following commands.

For Microsoft SQL Server 2005, Microsoft SQL Server 2008, and Microsoft SQL Server 2012:

    EXEC sp_addlogin '<user_name>', '<user_password>', '<database_name>'
    USE <database_name>
    CREATE USER <user_name> FOR LOGIN <user_name>
    EXEC sp_addrolemember 'db_datareader', '<user_name>'
    GRANT SELECT ON SCSP_REALTIME_EVENTS to <user_name>;
    GRANT SELECT ON AUDIT to <user_name>;
    go
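The following T-SQL is an added example, not part of the Accenture guide, for checking the result of the account setup, authentication mode, static port and optional encryption steps described above. It assumes it is run by an administrator, that lcp_reader is a placeholder for the read-only account, and that the database user has the same name as the login.

```sql
-- Added verification script; not part of the vendor guide.
-- Assumptions: run as an administrator; lcp_reader is a placeholder for the
-- read-only account, and the database user has the same name as the login.
USE <database_name>;
GO
DECLARE @acct sysname;
SET @acct = N'lcp_reader';

-- 1. Authentication mode: 0 = SQL Server and Windows (mixed), 1 = Windows only.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Login state, default database and (SQL logins only) password-policy flags.
SELECT p.name, p.type_desc, p.is_disabled, p.default_database_name,
       l.is_policy_checked, l.is_expiration_checked
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
WHERE p.name = @acct;

-- 3. Database roles. Expect db_datareader only; note that this role alone
--    allows SELECT on every user table and view in the database.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = @acct;

-- 4. Explicit object grants. Expect GRANT SELECT on AUDIT and SCSP_REALTIME_EVENTS.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name AS object_name,
       o.type_desc, g.permission_name, g.state_desc
FROM sys.database_permissions AS g
JOIN sys.objects AS o ON o.object_id = g.major_id
JOIN sys.database_principals AS u ON u.principal_id = g.grantee_principal_id
WHERE g.class = 1 AND u.name = @acct;

-- 5. Anything granted beyond read access. Expect no rows.
SELECT g.class_desc, g.permission_name, g.state_desc
FROM sys.database_permissions AS g
JOIN sys.database_principals AS u ON u.principal_id = g.grantee_principal_id
WHERE u.name = @acct AND g.state IN ('G', 'W')
  AND g.permission_name NOT IN ('SELECT', 'CONNECT');

-- 6. Live sessions for the account: the port they arrived on and whether
--    the connection is encrypted (encrypt_option is TRUE or FALSE).
SELECT s.login_name, c.local_tcp_port, c.encrypt_option, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE s.login_name = @acct;
GO
```

Query 6 returns rows only while the collector is connected; for a Windows-authenticated account, set @acct to the DOMAIN\user form of the login name.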

LCP Configuration Parameters

Table 1-2: SCSP and DCS event collector (DB-3137) properties to be configured by MDR.

| Property | Default Value | Description |
|---|---|---|
| Database URL | jtds:jdbc:sqlserver://<hostname>:1433;DatabaseName=<databasename> or jtds:jdbc:sqlserver://<hostname>\instance_name=<instancename>:1433;DatabaseName=<databasename> | The database URL string that needs to be configured on the collector by MDR. Hostname: hostname or IP address of the database. DatabaseName: the name of the database in which the SCSP and DCS events are stored. 1433 (TCP port): the default port number for DB connectivity. Note: If the device is configured to use a different port number, please advise the MDR onboarding team. Instance_name: the name of the instance within the specified database. |
| Username | Custom Value | The username for the database account mentioned in the Pre-Installation Questionnaire (PIQ). |
| Password | Custom Value | The password for the database account mentioned in the PIQ. |

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.