Accenture Security Quick Start Guide for Trend Micro™ OfficeScan™ IDLP

This quick start guide will help Accenture MDR customers configure Trend Micro™ OfficeScan™ Integrated Data Loss Prevention (IDLP) to allow logs to the Log Collection Platform (LCP).

This document includes the following topics:

 

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx) which can be found in

Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

LCP

Trend Micro OfficeScan IDLP

1433 (TCP)

Default port

 

Configuring Trend Micro OfficeScan IDLP Database

To configure the Microsoft® SQL database, follow the below steps.

  1. Configure the database based on the user account authentication type: 

    • On-box - If you are using SQL Authentication, the LCP can directly connect to the DB server and collect logs. 

    • Off-box - If you are using Windows Authentication, you must install the Event Agent and Collector on the Windows server as Windows authentication is not allowed from the LCP.

Configure the SQL Server instance to listen on a non-dynamic port.

 Note:

  • For more information on the Accenture Security Installation Guide for Off-box Agent for LCP, please contact the Accenture Security onboarding team.

  • Windows Authentication is only supported with Microsoft SQL Server 2005 JDBC driver version 1.1 or higher.

Configuring the database using SQL Authentication

Create a read-only database account.

  • Based on the Microsoft SQL Server version, do one of the following:

    • For Microsoft SQL Server 2012, from the Start menu, click Programs Microsoft SQL Server 2012 > SQL Server Management Studio.

    • For Microsoft SQL Server 2008, from the Start menu, click Programs Microsoft SQL Server 2008 > SQL Server Management Studio.

    • For Microsoft SQL Server 2005, from the Start menu, click Programs Microsoft SQL Server 2005 SQL Server Management Studio.

  • At the login prompt, type the Administrator username and password.

  • From the Authentication drop-down list, select SQL Server Authentication.

  • In the SQL Server Management Studio window, in the Object Explorer pane, go to Security > New > Login and perform the following tasks.

    • In the Select a page pane, click General.

    • In the right pane, in the Login name text box, type a username for the LCP.

    • Select the SQL Server authentication option.

    • In the Password and Confirm password text boxes, type a password.

    • Uncheck the following check boxes: 

      • Enforce password policy

      • Enforce password expiration

      • User must change password at next login 

    • From the Default Database drop-down list, select the required database for which the user needs authentication.

    • In the Select a page pane, click Server Roles.

    • In the right pane, select public.

    • In the Select a page pane, click User Mapping.

    • In the User Mapping section, check the required database check box. 

    • Specify the Default Schema of the user as dbo.

    • In the Database role membership section, check the db_datareader check box.

    • In the Select a page pane, click Status.

    • In the Permission to connect to database engine section, select Grant.

    • In the Login section, select Enabled, and then click OK.

Set the SQL Server security mode to mixed authentication

To set the Microsoft SQL Server security mode to mixed authentication, follow the steps below.

  1. Based on the Microsoft SQL Server version, do one of the following:

    • For Microsoft SQL Server 2012, from the Start menu, click Programs Microsoft SQL Server 2012 > SQL Server Management Studio.

    • For Microsoft SQL Server 2008, from the Start menu, click Programs Microsoft SQL Server 2008 > SQL Server Management Studio.

    • For Microsoft SQL Server 2005, from the Start menu, click Programs Microsoft SQL Server 2005 SQL Server Management Studio.

  2. Login as an Administrator.

  3. On the left pane, right-click the appropriate server and then click Properties.

  4. In the Server Properties window, select Security.

  5. In Server Authentication section, click SQL Server and Windows Authentication mode.

  6. Click OK and then click Close.

Configuring the database using Windows Authentication

​​To configure the database using Windows authentication, follow the steps below.

Create a read-only database account.

  1. In Windows Domain Controller, create a standard user account and make a note of the username and password. Note: While creating a domain user account, uncheck the User must change password at next logon check box and check the Password never expires check box.

  2. Based on the Microsoft SQL Server version, do one of the following:

    • For Microsoft SQL Server 2012, from the Start menu, click Programs Microsoft SQL Server 2012 > SQL Server Management Studio.

    • For Microsoft SQL Server 2008, from the Start menu, click Programs Microsoft SQL Server 2008 > SQL Server Management Studio.

    • For Microsoft SQL Server 2005, from the Start menu, click Programs Microsoft SQL Server 2005 SQL Server Management Studio.

    • At the login prompt, type the Administrator username and password.

    • From the Authentication drop-down list, choose SQL Server Authentication.

    • In the SQL Server Management Studio window, in the Object Explorer pane, go to Security > New > Login and perform the following tasks.

      1. In the Select a page pane, click General.

      2. Select the Windows authentication option.

      3. In the Login name  text box, type the Windows username created in the Domain Controller and click Search to select the desired username.

      4. From the Default Database drop-down list, select the required database for which the user needs authentication.

      5. In the Select a page pane, click User Mapping.

      6. In the User Mapping section, check the Required Database check box. 

      7. Specify the Default Schema of the user as dbo.

      8. In Database role membership section, check the db_datareader check box.

      9. In the Select a page pane, click Status.

      10. In the Permission to connect to database engine section, select Grant.

      11. In the Login section, select Enabled and click OK.

Set the off-box server for Windows authentication. Please engage the Accenture Security MDR onboarding team to perform this step.

  • Login to the off-box server as Administrator.

  • Download the Microsoft SQL Server JDBC driver and run the installer.

  • Copy the sqljdbc_auth.dll file from the <installation directory>\sqljdbc_<version>\<language>\auth\ location to the <drive>\WINDOWS directory on the computer where the JDBC driver is installed.

  • To set up the Event Agent service with Windows credentials, follow the steps below.

    • On the Start menu, click Run.

    • In the Open text box, type services.msc and click OK.

    • In the Services window, right-click the Event Agent service and click Properties.

    • On the Log On tab, select the This account option and enter the Windows credentials (created in step I).

    • Click OK and restart the Event Agent service.

    • In the Collector configuration, for the database sensor setting, add the string ;integratedSecurity=true to the end of the Database URL.

Note: In some situations, you might need to copy the sqljdbc_auth.dll in the.\jre\lib folder to the LCP. Please refer to this link for more details.

Configure the SQL Server Instance to listen on a non-dynamic port

To configure the Microsoft SQL Server instance to listen on a non-dynamic port, follow the steps below.

  1. On the Start menu, go to Programs > Microsoft SQL Server > SQL Enterprise Manager > SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration and select Protocols for <instance_name>.

    • In the right pane, click TCP/IP.

    • In the TCP/IP properties window, on the IP Addresses tab, ensure that the Active and Enabled options are set to Yes.

    • Ensure that the TCP Dynamic Ports text box is blank for the IP address to which the LCP connects.

    • In the TCP Port text box, type 1433

To configure Microsoft SQL Server from CLI (Optional)

  1. From the Windows Start menu, choose Run, and then type the following command: cmd

  2. Navigate to the directory that contains the OSQL.EXE file.

    • For Microsoft SQL Server 2012, the default directory location for this file is C:\Program Files\Microsoft SQL Server\110\Tools\Binn.

    • For Microsoft SQL Server 2008, the default directory location for this file is C:\Program Files\Microsoft SQL Server\100\Tools\Binn.

    • For Microsoft SQL Server 2005, the default directory location for this file is C:\Program Files\Microsoft SQL Server\90\Tools\Binn.

  3. Log in as the system administrator user. Type the following command: sqlcmd -S ip_address_or_host_name -U sa -P sa_user_password

  4. At the command prompt, type the following commands:

EXEC sp_addlogin 'account_name', 'password', database_name'

USE database_name

EXEC sp_grantdbaccess 'account_name'

EXEC sp_addrolemember 'db_datareader', 'account_name'

ALTER USER account_name WITH DEFAULT_SCHEMA=dbo

go

quit

Note: The following tables/views are used in the IDLP queries: tb_LogDataLossPrevention, L10NTMCM,tb_Device_Access_Control_Log, v_DeviceAccessControlLog, v_DataDiscovery

To configure SSL for the SQL Server (optional)

You can configure an SSL connection for Microsoft SQL Server 2005, 2008, 2012 database with the Microsoft SQL Server JDBC driver 4.0.

  1. Based on the Microsoft SQL Server version, do one of the following:

    • For Microsoft SQL Server 2012, from the Start menu, click Programs Microsoft SQL Server 2012 > Configuration Tools > SQL Server Configuration.

    • For Microsoft SQL Server 2008, from the Start menu, click Programs Microsoft SQL Server 2008 > Configuration Tools > SQL Server Configuration.

    • For Microsoft SQL Server 2005, from the Start menu, click Programs Microsoft SQL Server 2005 Configuration Tools > SQL Server Configuration

    • Expand SQL Server Network Configuration, right-click Protocols for <the required server> and then click Properties.

  2. On the Certificate tab, select the required certificate Note: Self-signed certificates are supported but not recommended because they do not provide adequate security.

  3. On the Flags tab, specify the protocol encryption option.

  4. Set the ForceEncryption option to Yes to encrypt all client and server communication. 

  5. Click Apply and then click OK.

  6. Click SQL Server Services, right-click SQL-SERVER, and then click Restart.

  7. Click Apply and then click OK.

LCP Configuration Parameters

Table 1-2: The Trend Micro OfficeScan IDLP event collector (DB - 3775) properties to be configured by MDR are shown in the table.

Property

Default Value

Description

Database URL

jtds:jdbc:sqlserver://<hostname>:1433;

DatabaseName=<databasename>

 

The database URL string that needs to be configured on the collector by MDR.

Hostname - Hostname or IP address of the database. 

Databasename - The name of the database in which the IDLP events are stored.

Instance_name - The name of the instance within the specified database.

1433 (TCP port) - The default port number for DB connectivity.

Note: If the database is configured to use a different port number, please advise the MDR onboarding team. 

User Name

Custom Value

The username for the database account mentioned in the Pre-Installation Questionnaire (PIQ).

Password 

Custom Value

The password for the database account mentioned in the PIQ.

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.