Accenture MDR Quick Start Guide for Sophos Enterprise Console

This quick start guide helps Accenture MDR customers configure Sophos Enterprise Console so that the Log Collection Platform (LCP) can collect logs from its database.


The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in

Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source   Destination                  Port          Description
  LCP      Sophos Enterprise Console    1433 (TCP)    Default SQL Server port on the host of the Sophos Enterprise Console database

Note: If the SQL Server instance listens on a different fixed port (see section IV), that port replaces 1433 here and in the firewall rule, and must be reported to the MDR onboarding team.

Configuring Sophos Enterprise Console

You must configure Sophos Enterprise Console to work with the event collector by following the steps below. Steps 1 and 2 set up a SQL Server login for the collector; steps 3 and 6 set up a Windows (domain) account instead. Use one of the two; step 2 (mixed authentication) is only needed for the SQL Server login.

  1. Create a read-only database user account for Microsoft SQL Server.

  2. Set the Microsoft SQL Server security mode to mixed authentication.

  3. Create a read-only database user with a Windows account for Microsoft SQL Server.

  4. Configure the SQL Server instance to listen on a non-dynamic port.

  5. Configure an SSL connection for the Microsoft SQL Server JDBC driver.

  6. Configure the sensor properties for Windows user accounts.


I. Create a read-only database user account for Microsoft SQL Server.

To create a read-only database user account for Microsoft SQL Server, follow the steps below.

  1. From the Windows Start menu, choose Run, and then type the following command: cmd

  2. Navigate to the directory that contains SQLCMD.EXE (OSQL.EXE on Microsoft SQL Server 2000 and MSDE, which do not ship sqlcmd). The default locations are:

For Microsoft SQL Server 2014: C:\Program Files\Microsoft SQL Server\120\Tools\Binn (on some installations sqlcmd is under C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\Tools\Binn instead)

For Microsoft SQL Server 2012: C:\Program Files\Microsoft SQL Server\110\Tools\Binn

For Microsoft SQL Server 2008: C:\Program Files\Microsoft SQL Server\100\Tools\Binn

For Microsoft SQL Server 2005: C:\Program Files\Microsoft SQL Server\90\Tools\Binn

The installer normally adds this directory to PATH; running "where sqlcmd" shows which copy a plain sqlcmd command would start.

  3. Log in as the system administrator user. Type the following command: sqlcmd -S ip_address_or_host_name -U sa -P sa_user_password

Omit -P to be prompted for the password instead of leaving it in the console history. If the instance listens on a non-default port (section IV), give it as -S ip_address_or_host_name,port.

4. At the command prompt, type the following commands:

  • For Microsoft SQL Server 2000 or Microsoft SQL Server 2000 Desktop Engine (MSDE), using osql (GO on its own line sends each batch; the principal name after TO is not quoted):

EXEC sp_addlogin 'account_name', 'password', 'database_name'
GO
USE database_name
GO
EXEC sp_grantdbaccess 'account_name'
GO
GRANT SELECT ON vEventsFirewallData TO account_name
GRANT SELECT ON Computers TO account_name
GRANT SELECT ON vThreatInstances TO account_name
GRANT SELECT ON vThreatEventData TO account_name
GO
QUIT

  • For Microsoft SQL Server 2005, 2008, 2012, and 2014 (sp_addlogin and sp_grantdbaccess still work but are deprecated; CREATE LOGIN and CREATE USER are the supported equivalents):

CREATE LOGIN account_name WITH PASSWORD = 'password', DEFAULT_DATABASE = database_name
GO
USE database_name
GO
CREATE USER account_name FOR LOGIN account_name
GO
GRANT SELECT ON vEventsFirewallData TO account_name
GRANT SELECT ON Computers TO account_name
GRANT SELECT ON vThreatInstances TO account_name
GRANT SELECT ON vThreatEventData TO account_name
GO
QUIT

Note: The four GRANT SELECT statements are the only rights the collector needs. Do not add the account to db_datareader, db_owner or any server role.

II. Set the Microsoft SQL Server security mode to mixed authentication.

To set the Microsoft SQL server security mode to mixed authentication, follow the steps below.

Based on the Microsoft SQL server version, do one of the following:

  • For Microsoft SQL server 2005, from the Start menu, click Programs > Microsoft SQL Server > Microsoft SQL Server Management Studio.

  • For Microsoft SQL server 2008, 2012, 2014, and 2016, from the Start menu, click Programs > Microsoft SQL Server > SQL Server Management Studio.

  1. On the left pane, right-click the appropriate server, and then click Properties.

  2. In the Server Properties window, select Security.

  3. In the Server Authentication section, select SQL Server and Windows Authentication mode.

  4. Click OK. Restart the SQL Server service; the authentication mode change takes effect only after a restart.

Note: Mixed authentication is required only for the SQL Server login created in section I. If the LCP uses the Windows account from sections III and VI, leave the instance in Windows Authentication mode.

III. Create a read-only database user with a Windows account for Microsoft SQL Server.

To create a read-only database user with a Windows account for Microsoft SQL Server, follow the steps below.

From the Windows domain controller (Active Directory Users and Computers), create a standard domain user for the collector and note down the username and password.

Note: When creating the domain user, clear the User must change password at next logon option and select the Password never expires option; the Event Agent service (section VI) logs on with this account, and a pending or expired password change stops it from authenticating. Treat it as a service account: give it no group memberships or rights beyond what this guide grants.

  1. Open SQL Server Management Studio.

  2. Connect to the SQL Server instance with a login that has administrative privileges.

  3. In Object Explorer, expand the server node, then expand the server-level Security folder (not the Security folder under an individual database, which holds database users rather than logins).

  4. Right-click Logins and select New Login….

  5. In the Login – New dialog box, on the General page, select Windows authentication.

  6. In the Login name box, type the account as DOMAIN\username, or click Search… to open the Select User or Group dialog box and pick it.

  7. In the Default database box, select the Sophos Enterprise Console database.

  8. On the User Mapping page, select the Map check box next to the Sophos Enterprise Console database.

  9. In the User column, accept or enter the database user name to map to the login (by default the login name).

  10. In the Default Schema column, accept dbo.

  11. Under Database role membership for <database>, select db_datareader only; leave db_owner and the other roles unchecked.

  12. Click OK.

Note: db_datareader grants SELECT on every table and view in the database, which is broader than the four views granted in section I. If the collector only needs those views, leave the role unchecked and run the GRANT SELECT statements from section I for this user instead.
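Whichever account type you created (the SQL Server login from section I or the Windows login from section III), verify that it holds exactly the read-only rights intended before handing it to MDR. The following T-SQL is an added verification script, not part of the Accenture or Sophos material. It assumes placeholder names: SOPHOS521 for the Sophos Enterprise Console database, sophos_reader for the section I login, CORP\svc-lcp for the section III login, and the dbo schema for the collector views; substitute your own. Run it in SSMS or sqlcmd as a sysadmin.

```sql
-- Added verification script (not from the original guide). Placeholder names:
-- SOPHOS521 = Sophos Enterprise Console database, sophos_reader = SQL login
-- from section I, CORP\svc-lcp = Windows login from section III.
USE SOPHOS521;
GO
DECLARE @principal sysname;
SET @principal = N'sophos_reader';   -- or N'CORP\svc-lcp'

-- 1. Server level: the collector account must hold no fixed server role.
SELECT sp.name, sp.type_desc, r.name AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS m ON m.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
WHERE sp.name = @principal;
-- Expected: one row, server_role NULL.

-- 2. Database level: roles held by the mapped database user.
SELECT dp.name AS db_user, r.name AS db_role
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.name = @principal;
-- Expected: section I user -> db_role NULL; section III user -> db_datareader only.

--    Explicit object-level grants of the mapped database user.
SELECT p.state_desc, p.permission_name, OBJECT_NAME(p.major_id) AS object_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = @principal AND p.class_desc = N'OBJECT_OR_COLUMN';
-- Expected: section I user -> four GRANT SELECT rows (vEventsFirewallData,
-- Computers, vThreatInstances, vThreatEventData); section III user -> none.

-- 3. Impersonate the user and probe its effective permissions from its side:
--    it must be able to read the collector views and nothing more.
EXECUTE AS USER = @principal;
SELECT HAS_PERMS_BY_NAME(N'dbo.vThreatEventData', N'OBJECT', N'SELECT') AS can_read_threat_events, -- expect 1
       HAS_PERMS_BY_NAME(N'dbo.Computers',         N'OBJECT', N'SELECT') AS can_read_computers,     -- expect 1
       HAS_PERMS_BY_NAME(N'dbo.Computers',         N'OBJECT', N'INSERT') AS can_write_computers,    -- expect 0
       HAS_PERMS_BY_NAME(N'dbo.Computers',         N'OBJECT', N'ALTER')  AS can_alter_computers,    -- expect 0
       IS_MEMBER(N'db_owner')                                            AS is_db_owner;            -- expect 0
REVERT;
GO
```

Any unexpected 1 in step 3, or any row with a server role or db_owner membership in steps 1 and 2, means the account was created with more than read access and should be corrected before the LCP connects with it.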

IV. Configure the SQL Server instance to listen on a non-dynamic port.

To configure the SQL Server instance to listen for network requests on a fixed (non-dynamic) port, follow the steps below.

  1. Start the SQL Server Configuration Manager.

  2. Do one of the following:

  • For Microsoft SQL Server 2005, in the left pane, expand SQL Server 2005 Network Configuration.

  • For Microsoft SQL Server 2008, in the left pane, expand SQL Server 2008 Network Configuration.

  • For Microsoft SQL Server 2012, in the left pane, expand SQL Server 2012 Network Configuration.

  • For Microsoft SQL Server 2014, in the left pane, expand SQL Server 2014 Network Configuration.

  3. Select Protocols for <instance_name> and make sure that TCP/IP shows Enabled = Yes (double-click TCP/IP to change it).

  4. Open TCP/IP Properties, IP Addresses tab, and make sure that the following fields are set as follows:

  • For the IP address that the collector connects to, Active and Enabled are both set to Yes.

  • TCP Dynamic Ports is blank for that IP address (a value of 0 re-enables dynamic ports; the field must be empty).

  • TCP Port contains the value 1433 (or the fixed port agreed with the MDR onboarding team) for that IP address. If Listen All is set to Yes on the Protocol tab, set these values in the IPAll section instead.

  5. Restart the SQL Server (<instance_name>) service; protocol and port changes take effect only after a restart.

  6. Allow the chosen TCP port through the Windows firewall from the LCP's address only. Because the URL in Table 1-2 addresses the instance by port, UDP 1434 (SQL Server Browser) does not need to be opened to the LCP.

V. Configure an SSL connection for the Microsoft SQL Server JDBC driver.

Note: This step is needed only if an SSL/TLS-encrypted connection is a requirement.

You can configure an SSL connection for a Microsoft SQL Server 2005, 2008, 2012, or 2014 database with Microsoft SQL Server JDBC driver 4.0.

To configure SSL for Microsoft SQL Server, follow the steps below.

  1. Start SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration, right-click Protocols for <instance_name> and click Properties.

  3. On the Certificate tab, select the certificate that will protect the connection. The certificate must be issued for server authentication, its subject or subject alternative name must match the host name the LCP uses in the database URL, and the SQL Server service account must be able to read its private key; otherwise it is not offered in the list, or the service cannot load it at startup.

Note: Self-signed certificates are supported but not recommended. The connection is still encrypted, but the LCP cannot verify that it is talking to the real database server unless it trusts that specific certificate, so the collector has to turn off certificate validation (trustServerCertificate=true in Table 1-2), which leaves the session open to interception by a host impersonating the server.

  4. On the Flags tab, view or specify the protocol encryption option. The logon packet is always encrypted.

  5. Set the ForceEncryption option to Yes.

Note: ForceEncryption encrypts all client and server communication; clients that cannot support encryption are denied access. Confirm beforehand that the Sophos Enterprise Console components and any other clients of this instance support encryption, otherwise they lose their database connection when the service restarts.

  6. Restart SQL Server: click SQL Server Services, right-click SQL Server (<instance_name>) and click Restart.
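Before the LCP is pointed at the instance, confirm that sections IV and V took effect: the port written to the registry, the port the service actually bound at its last start, and whether live sessions are encrypted. The following T-SQL is an added verification script, not part of the original guide. It assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_registry) and a fixed port of 1433; run it as a sysadmin.

```sql
-- Added verification script (not from the original guide). Run as sysadmin on
-- the SQL Server instance that hosts the Sophos Enterprise Console database.

-- 1. Port configuration as read from the registry at startup (sys.dm_server_registry
--    exists from SQL Server 2008 R2 SP1 onwards).
SELECT registry_key, value_name, value_data
FROM sys.dm_server_registry
WHERE registry_key LIKE N'%\SuperSocketNetLib\Tcp\IP%'
  AND value_name IN (N'Enabled', N'Active', N'TcpPort', N'TcpDynamicPorts');
-- Expected for the address the LCP uses (or IPAll when Listen All = Yes):
-- Enabled = 1, Active = 1, TcpDynamicPorts empty, TcpPort = 1433 (or the
-- port agreed with MDR).

-- 2. What the instance actually bound at its last start, from the ERRORLOG.
--    (xp_readerrorlog is undocumented but present in the versions covered here:
--     parameters are log number 0 = current, log type 1 = SQL Server, search text.)
EXEC xp_readerrorlog 0, 1, N'Server is listening on';

-- 3. Transport, port and encryption as seen from a live session. Connect with
--    the same host name and port the collector will use and request encryption,
--    for example: sqlcmd -S <hostname>,1433 -N  -- then run this in that session.
SELECT c.session_id, c.net_transport, c.local_tcp_port, c.auth_scheme,
       c.encrypt_option, c.client_net_address, s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;
-- Expected after sections IV and V: net_transport = TCP, local_tcp_port = 1433,
-- encrypt_option = TRUE.

-- 4. With ForceEncryption = Yes no TCP session should be unencrypted; this
--    lists any that are, so an exception (or a misapplied setting) is visible.
SELECT c.session_id, s.login_name, c.client_net_address, c.auth_scheme, c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.net_transport = N'TCP' AND c.encrypt_option = N'FALSE';
-- Expected: no rows. Once the LCP has connected, its row in step 4 (or in
-- step 3 without the session_id filter) also shows auth_scheme = SQL, NTLM or
-- KERBEROS, which tells you which authentication path (section I, III or VI)
-- the collector really negotiated.
```

Step 3 must be run from a client that connects over TCP with the collector's host name and port; a local SSMS session over shared memory reports net_transport = Shared memory and says nothing about the network path the LCP will take.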

VI. Configure the sensor properties for Windows user accounts.

Note: To set up Windows Authentication with Accenture security database event collectors, you must use off-box collection. You cannot use this setup with on-box collection.

You must use Microsoft SQL Server 2005 JDBC driver version 1.2 (the oldest version supported by Accenture event collectors) or newer.

To configure the sensor properties for Windows user accounts, follow the steps below.

  1. Run the MS SQL Server 2005 JDBC driver installer.

  2. Copy the sqljdbc_auth.dll file from the <installation directory>\sqljdbc_<version>\<language>\auth\ location to the <drive>\WINDOWS directory on the computer where the JDBC driver is installed.

  • For the 4.7.x Event Agent, use only the sqljdbc_auth.dll file from the x86 folder, regardless of whether the operating system is 32-bit or 64-bit.

  • For the 4.8 Event Agent, use the sqljdbc_auth.dll file from the x86 folder on a 32-bit operating system and from the x64 folder on a 64-bit operating system. The DLL must match the architecture of the Java runtime the Event Agent runs under; a mismatch shows up as an integrated authentication error at connection time rather than at service start.

  3. Configure the Event Agent service to log on with the Windows account that accesses MS SQL Server:

  • On the Start menu, click Run.

  • In the Open text box, type services.msc, and click OK.

  • Right-click Event Agent and click Properties.

  • On the Log On tab, select This account and enter the account's credentials.

  • Click OK and restart the service.

  4. In the collector configuration, for the database sensor setting, append the string ;integratedSecurity=true to the Database URL.

For example: jdbc:jtds:sqlserver://hostname:1433/database_name;integratedSecurity=true

  5. In the collector's database sensor setting, remove any values entered in the username and password fields; the service account's Windows credentials are used instead.

  6. In some situations, you might also need to copy the sqljdbc_auth.dll file into the .\jre\lib folder where the LCP Event Agent is installed.

LCP Configuration Parameters

Table 1-2: The Sophos Enterprise Console event collector (DB-3674) properties configured by MDR.

Property: Database URL
Default value: jdbc:jtds:sqlserver://<hostname>:1433/<databasename>
Description: The database URL string that MDR configures on the collector.

  hostname - Hostname or IP address of the database server.

  databasename - The name of the database in which the Sophos Enterprise Console events are stored.

  instance_name - The name of the SQL Server instance that hosts the database. A named instance must listen on the fixed port set in section IV, because the URL addresses it by port.

  1433 (TCP port) - The default port number for DB connectivity.

  Note: If the database is configured to use a different port number, advise the MDR onboarding team.

  Note: To configure the Sophos event collector properties for an encrypted protocol, add the following property string at the end of the database URL: ;encrypt=true
  Example: jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;encrypt=true

  Note: If you are using a self-signed certificate, add the following property string at the end of the URL: ;trustServerCertificate=true
  Example: jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;encrypt=true;trustServerCertificate=true
  Caveat: trustServerCertificate=true turns off validation of the server certificate. The session is still encrypted, but the LCP accepts any certificate, including one presented by a host impersonating the database server. Prefer a certificate issued by a CA the LCP trusts and leave this property off.

  Note: If you are using Windows login credentials to access the MS-SQL server (section VI), add the following property string at the end of the URL: ;integratedSecurity=true
  Example: jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;integratedSecurity=true

  Note: If you are using Kerberos or encryption, a manual intervention by the MDR onboarding team is required to update the database connection URL.
  Example, Kerberos + encryption:
  jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;ssl=request;useNTLMv2=true;encrypt=true;trustServerCertificate=true;
  Example, Kerberos:
  jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;domain=<DOMAINNAME>;ssl=request;useNTLMv2=true;

  Caveat: These URLs use the jTDS prefix (jdbc:jtds:sqlserver://) but mix property names from two different drivers. encrypt, trustServerCertificate and integratedSecurity are Microsoft JDBC driver properties; jTDS uses ssl=require (or ssl=authenticate, which also validates the certificate), domain and useNTLMv2. In jTDS, ssl=request falls back to an unencrypted connection if the server does not offer SSL, so it does not enforce encryption by itself, and domain=<DOMAINNAME> with useNTLMv2=true selects NTLMv2 domain authentication rather than Kerberos. Confirm with the MDR onboarding team which driver the collector build uses, and after onboarding check auth_scheme and encrypt_option for the LCP session in sys.dm_exec_connections on the database server to see what was actually negotiated.

Property: User Name
Default value: Custom Value
Description: The name of the user having read-only access to the Sophos Enterprise Console database. Leave empty when ;integratedSecurity=true is used (section VI).

Property: Password
Default value: ********
Description: The password for the database user account for the Sophos Enterprise Console database. Leave empty when ;integratedSecurity=true is used (section VI).


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.