Mumbai Security and Compliance User Group

Windows 2008 & 2008 R2 SSIM Integration Consolidated - (Graphical)

Mar 22, 2012 12:19 AM

Integration of Windows 2008 Server with SSIM using Domain Account

 

The SSIM integration activity consists of two parts, as described below:

1. Activity to be performed on Windows 2008 server

2. Activity to be performed on SSIM

 

1. Activity to be performed on Windows 2008 Server

 

OBTAIN THE FQDN (FULLY QUALIFIED DOMAIN NAME) OF THE MONITORED SERVER & ITS OS VERSION:

Use this host name in SSIM's sensor configuration to fetch the logs through OFF-box integration. The host name must include the complete domain name (in the case of a member server) or the workgroup name. Note down the FQDN and the OS version, as both are required at the time of sensor configuration.

 

CHECKING THE WINDOWS FIREWALL STATUS

You need to determine whether the Windows Firewall service is running.
To do so, type the following command from a command prompt:
netsh advfirewall firewall show rule name=all

  • If the firewall service is running you will see a very long list of firewall rules; skip the rest of this step and move ahead to the next step (CONFIGURE WINRM).
  • If the firewall service is not running you will see the error "An error occurred while attempting to contact the Windows Firewall service...". In that case start the Windows Firewall service and then, under Windows Firewall settings, turn the firewall state Off.

Please refer to the screenshot below for more details.

CONFIGURE WINRM

 

Run the following command to configure the WinRM service on the 2008 server:

winrm quickconfig

Answer Y to accept the changes. If WinRM is already configured, the command reports that instead of making changes.

 

The command performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start
  • Configures a listener for the ports that send and receive WS-Management protocol messages using either the HTTP (5985) protocol or the HTTPS protocol
  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports

 

Now we will set specific parameters for WinRM.

We will configure WinRM to allow unencrypted traffic, because we are using HTTP for communication and not HTTPS:

From a command prompt:
winrm set winrm/config/service @{AllowUnencrypted="true"}

 

As we are using Kerberos authentication, we will disable Basic authentication for WinRM:

From a command prompt:
winrm set winrm/config/service/Auth @{Basic="false"}

 

The winrm quickconfig command enables Remote Shell access by default.

 

For security, Symantec recommends that you disable Remote Shell access.

When you run winrm get winrm/config (or, more directly, winrm get winrm/config/winrs), the Winrs section shows:

AllowRemoteShellAccess = true

To turn the default off, type the following command:

winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"}

CONFIGURE USER / GROUPS ACCOUNTS

 

  • Open Server Manager.
  • Expand Local Users & Groups.
  • Expand Groups.
  • Add the user ssimtest01 to the members of the "Event Log Readers" group.
  • Also add the Network Service account to the Event Log Readers group, because the WinRM service runs as Network Service (run the following command from a command prompt):
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

CONFIGURE WINDOWS SECURITY DESCRIPTOR

Network Service must be allowed to read the Windows Security log via the WinRM service, because on Windows 2008 the Security event log is restricted to very few accounts. To do this, append an access control entry for Network Service, (A;;0x1;;;S-1-5-20) or equivalently (A;;0x1;;;NS), to the channel access security descriptor by running either of the commands below. NS is the SDDL abbreviation for the Network Service SID S-1-5-20, so the second command simply lists the same account twice, which is redundant but harmless. Note that wevtutil sl /ca: replaces the whole descriptor, so check the current value with wevtutil gl security first and append the new entry to what is already there.

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

or

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)

The above command grants Network Service read-only access (0x1) to the Security event log.
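The same change done as a read-modify-write, added here as an example (it is not code from the original post or from Symantec): it reads the current channelAccess descriptor from wevtutil gl, appends the Network Service read ACE only if neither spelling is already present, and re-reads the descriptor afterwards to confirm. It assumes an elevated PowerShell prompt on the monitored server with wevtutil.exe on PATH.

```powershell
# Added example: append the Network Service read ACE to the Security channel SDDL
# without clobbering whatever is already there. Run elevated; assumes wevtutil.exe on PATH.

$channel = 'security'
$nsAce   = '(A;;0x1;;;NS)'   # Allow, read (0x1), Network Service (NS = S-1-5-20)

function Get-ChannelAccess([string]$Name) {
    # "wevtutil gl" prints one "key: value" per line; pull the channelAccess value.
    $hit = & wevtutil gl $Name | Select-String -Pattern '^\s*channelAccess:\s*(\S+)' | Select-Object -First 1
    if (-not $hit) { throw "channelAccess not found in 'wevtutil gl $Name' output" }
    return $hit.Matches[0].Groups[1].Value
}

$current = Get-ChannelAccess $channel
Write-Host "Current channelAccess: $current"

# Either spelling grants the same right, so treat both as "already done".
if ($current -match '\(A;;0x1;;;(NS|S-1-5-20)\)') {
    Write-Host 'Network Service already has read access to the Security log; nothing to do.'
} else {
    $new = $current + $nsAce
    Write-Host "Applying channelAccess: $new"
    & wevtutil sl $channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

    # Re-read so the change is confirmed from the channel itself, not from our variable.
    $applied = Get-ChannelAccess $channel
    if ($applied -ne $new) { throw "Descriptor after update is '$applied', expected '$new'" }
    Write-Host 'Network Service read ACE applied and verified.'
}
```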

 

CONFIGURE WINDOWS FIREWALL RULE (If Firewall is enabled)

 

After ensuring that the firewall service is enabled and running, list the current rules with the command below.

netsh advfirewall firewall show rule name=all

Commands for opening the Windows Firewall port
Enter the following command from the command prompt:

For Windows Server 2008 with WinRM 1.1 (listener on port 80):
netsh advfirewall firewall add rule name="Windows Remote Management" dir=in action=allow protocol=TCP localport=80

OR

For Windows Server 2008 R2 with WinRM 2.0 (listener on port 5985):

netsh advfirewall firewall add rule name="Windows Remote Management" dir=in action=allow protocol=TCP localport=5985

 

You can also create the WinRM listener on a custom port to avoid a port clash with applications already running on the server. If you do, open that port in the firewall instead of 80/5985 and enter it as the Connection port in the SSIM sensor configuration.

This command moves the HTTP listener to custom port 8888:

winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}

GET THE FINAL OUTPUT OF THE FOLLOWING COMMANDS & RECONFIRM THE SETTINGS:

 

Type following command from command prompt:

winrm get winrm/config

It should return these settings under the Service section:
Auth
    Basic = false
    Kerberos = true
    Negotiate = true
    Certificate = false


 

To determine the port and IP address that the listener is active on, run the following from a command prompt:

winrm enumerate winrm/config/Listener

What to inspect:
Port - the port the listener is bound to (the service defaults appear as DefaultPorts in the output of winrm get winrm/config; a custom listener port overrides them)
ListeningOn - verify the address(es) the listener is bound to

 

Run the wevtutil command to get information about the access rights on the Security log:

wevtutil gl security

Also note down the following information before moving on to the sensor configuration.

  1. FQDN of the target server
  2. Server OS version (Windows Server 2008 or 2008 R2)
  3. The output of the following commands:

winrm get winrm/config

winrm enumerate winrm/config/Listener

wevtutil gl security
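Before moving to the sensor configuration, the checklist above can be run as a single PowerShell audit. This is an added example, not code from the original post or from Symantec; it assumes an elevated PowerShell prompt on the monitored server with winrm.cmd, wevtutil.exe and net.exe on PATH, and the expected values follow the steps above (HTTP transport, Kerberos only, Remote Shell disabled).

```powershell
# Added audit script: re-checks the WinRM, group and log-ACL settings from the steps above.
# Assumes an elevated prompt with winrm.cmd, wevtutil.exe and net.exe on PATH.

function Get-WinrmSetting([string]$Uri, [string]$Key) {
    # "winrm get <uri>" prints one "Key = Value" per line; return the first value for $Key.
    $pattern = '^\s*{0}\s*=\s*(.+?)\s*$' -f [regex]::Escape($Key)
    $hit = & winrm get $Uri | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Test-NetworkServiceLogReader {
    # "net localgroup" lists members one per line.
    [bool]((& net localgroup 'Event Log Readers') -match '^NT AUTHORITY\\NETWORK SERVICE\s*$')
}

function Test-SecurityChannelAce {
    # The Security channel SDDL must carry a read (0x1) ACE for Network Service (NS or S-1-5-20).
    $hit = & wevtutil gl security | Select-String -Pattern '^\s*channelAccess:\s*(\S+)' | Select-Object -First 1
    [bool]($hit -and $hit.Matches[0].Groups[1].Value -match '\(A;;0x1;;;(NS|S-1-5-20)\)')
}

# Expected values per the steps above: HTTP transport, Kerberos only, Remote Shell disabled.
$checks = @(
    @{ Setting = 'Service/AllowUnencrypted';     Expected = 'true';  Actual = (Get-WinrmSetting 'winrm/config/service' 'AllowUnencrypted') }
    @{ Setting = 'Service/Auth/Basic';           Expected = 'false'; Actual = (Get-WinrmSetting 'winrm/config/service/auth' 'Basic') }
    @{ Setting = 'Service/Auth/Kerberos';        Expected = 'true';  Actual = (Get-WinrmSetting 'winrm/config/service/auth' 'Kerberos') }
    @{ Setting = 'Winrs/AllowRemoteShellAccess'; Expected = 'false'; Actual = (Get-WinrmSetting 'winrm/config/winrs' 'AllowRemoteShellAccess') }
    @{ Setting = 'Network Service in Event Log Readers';  Expected = 'true'; Actual = ([string](Test-NetworkServiceLogReader)) }
    @{ Setting = 'Security channelAccess has NS read ACE'; Expected = 'true'; Actual = ([string](Test-SecurityChannelAce)) }
)

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $c.Actual
        Pass     = (([string]$c.Actual).ToLower() -eq $c.Expected)
    }
}
$results | Format-Table Setting, Expected, Actual, Pass -AutoSize

# The listener port and bound addresses must match the firewall rule and the SSIM "Connection port".
& winrm enumerate winrm/config/listener | Select-String -Pattern '^\s*(Transport|Port|ListeningOn)\s*='

if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'One or more settings differ from the expected configuration; fix them before configuring the sensor.'
}
```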

 

  

2. Activity to be performed on SSIM

 

SSIM Sensor Configuration for OFF BOX Collection

 

We are creating a new sensor configuration under "Microsoft Windows Vista® Event collector 4.4". This collector is compatible with Windows 2008 and Vista.

 

Step 1: In Monitored host name, enter the FQDN of the server to be monitored. (localhost, 127.0.0.1 or the raw IP address will not be able to establish the connection through the WinRM service, because Kerberos authentication needs the host name to build the service principal name.)

Step 2: In Monitored Host Realm, enter the Kerberos realm of the domain (testdom.com). This can be found by running the ksetup command on the server from which the logs are to be fetched.

Step 3: In Connection port, use 80 or 5985 for HTTP, or 5986 for HTTPS communication (or the custom listener port, if you created one).
For HTTPS communication to work, a Certificate Authority must be installed in the domain and the certificate retrieved for use in the SSIM agent configuration for log collection.

Step 4: In Monitored host Account Name, enter the domain ID (or its equivalent) to be used for log collection. Use only the user ID; do not use the domain\username format.

 

Comments

Jun 06, 2013 11:15 PM

I encountered the following error:

 

Description = Response message does not contain any data.
 
event_desc = Response message does not contain any data.

Jun 06, 2013 10:59 PM

Hi.

 

I tried following this but still, SSIM can't collect events on the Win2k8 R2 server. 

Any Kerberos issue encountered?

I am encountering Kerberos concerns on the Event Viewer and Symantec Support told me to eliminate first the errors in Kerberos authentication.

 

Thanks,

Kat

Sep 21, 2012 02:03 AM

found an error:

For security, Symantec recommends that you disable the Remote Shell access.

When you run winrm set winrm/config, the following message displays:

correct command:

winrm get winrm/config

or better yet use the command:

winrm get winrm/config/winrs

 
