Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrade.
Please accept our apologies in advance for any inconvenience this might cause.

Windows 2008 & 2008 R2 SSIM Integration Consolidated - (Graphical).

Created: 21 Mar 2012 • Updated: 07 Aug 2012 | 3 comments
Language Translations
Avkash K's picture
+9 9 Votes
Login to vote

Integration of Windows 2008 Server with SSIM using Domain Account

 

The SSIM integration activity consists of two parts as mentioned below :

1. Activity to be performed on Windows 2008 server

2. Activity to be performed on SSIM

 

1. Activity to be performed on Windows 2008 Server

 

OBTAIN THE FQDN (Fully Qualified Domain Name) name of monitored server & OS version:

Use this host name in SSIM’s sensor configuration to fetch the logs through OFF box integration. This hostname should contain complete domain name (incase of Member server ) or a workgroup name. Note down the FQDN name & OS version details which will be required at the time of sensor configuration.

 

CHECKING THE WINDOWS FIREWALL STATUS

You need to determine if the Windows Firewall is running
To determine if the firewall is running, type the following command from a command prompt:
netsh advfirewall firewall show rule name=all
 

  • If the firewall is running you will see a very long list of the firewall rules, then skip this step & move ahead to the next step 3(configure winrm).
  • If the firewall is not running you will see an error "An error occurred while attempting to contact the Windows Firewall service...", then start the firewall service & under Windows firewall settings OFF the firewall status.

Please refer the below screenshot for more details.

 

 

CONFIGURE WINRM

 

Run the below commands to configure winrm service on 2008 server

winrm quickconfigand answer Y to accept changesif it is already configured it will show below message.

 

The command performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start
  • Configures a listener for the ports that send and receive MS-Management protocol messages using either the HTTP (5985) protocol or the HTTPS protocol
  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports

 

Now we will set specific parameters for winrm.

We will configure winrm to allow unencrypted traffic as we are using HTP for communication & not HTTPS:

From a command prompt:
winrm set winrm/config/service @{AllowUnencrypted="true"}

 

As we are using kerberos authentication we will disable the basic authentication for winrm:

From a command prompt:
winrm set winrm/config/service/Auth @{Basic="false"}

 

The winrmquickconfig command enables the Remote Shell access by default.

 

For security, Symantec recommends that you disable the Remote Shell access.

When you run winrm set winrm/config, the following message displays:

AllowRemoteShell Access=true.

To turn the default off, type the following command:

winrm set winrm/config/Winrs @{AllowRemoteShellAccess="false"}

 

 

 

CONFIGURE USER / GROUPS ACCOUNTS

 

  • Open the Server Manager
  • Expand Local Users & Groups.
  • Expand Groups.
  • Add user ssimtest01 id into members of “Event Log Readers” group.

 

 

  • Add the Network Service account to the Event Log Readers group as winrm service isexecuted by network service( Run the following command from command propmt)
    net localgroup "Event Log Readers" /add "NT Authority\Network Service"

 

 

CONFIGURE WINDOWS SECURITY DESCRIPTOR

Network service must be allowed to Read windows security Logs via winrm service  because in windows 2008 Security event log is restricted to very few users to do this append the security descriptor of network service (A;;0x1;;;S-1-5-20)& )(A;;0x1;;;NS)in channel access by running below commands.
 

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)

 

Above command Grants Read only Access to Network service to read security Event log.

 

CONFIGURE WINDOWS FIREWALL RULE (If Firewall is enabled)

 

After ensuring that the firewall service is enabled and running, you can use the commands below.

netsh advfirewall firewall show rule name=all

Commands for opening up the Windows Firewall Port
Enter the following command from the command prompt:

For Windows Server 2008 with Winrm 1.1
netsh advfirewall firewall add portopening TCP 80 "Windows Remote Management"

                                                                        OR

For Windows Server 2008 R2 with Winrm 2.0

netsh advfirewall firewall add portopening TCP 5985 "Windows Remote Management"

 

You can also create winrm listner on custom port to avoid any mismatch of ports with existing running applications:

This command will create a winrm listner on custom port 8888:

Winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="8888"}

 

 

 

GET THE FINAL OUTPUT OF FOLLOWING COMMANDS & Reconfirm the settings done:

 

Type following command from command prompt:

winrm get winrm/config

Verify under the Service portion the following
It should return these settings under the Services section.
Auth
Basic = false
Kerberos = true
Negotiate = true
Certificate = false

 

To determine the port and IP that the listener is active on

From a command prompt:
winrm enumerate winrm/config/Listener

What to inspect
DefaultPort - the port the service is listening on
ListeningOn - Verify the port and address that the service is listening on

 

Run the wevtutil command to get information about access rights.

wevtutil gl security

           

 

Also note down the following information prior moving to the sensor config.

  1. FQDN of target Server
  2. Server OS version(Windows server 2008 or 2008 R2)
  3. Information for the output of following commands:

winrm get winrm/config

winrm enumerate winrm/config/Listener

wevtutil gl security

 

  

2. Activity to be performed on SSIM :

 

SSIM Sensor Configuration for OFF BOX Collection

 

We are creating a new Sensor configuration Under “Microsoft Windows Vista® Event collector 4.4” This collector is compatible with Windows 2008 & Vista.

 

Step 1: In Monitored host name enter the FQDN name of server to be monitored (Local host, or 127.0.0.1 or the actual IP will not able to create the connection through winrm service)

Step 2: In Monitored Host Realm enter the realm on domain (testdom.com) this can be found by running Ksetup command from Server from which log needs to be fetched

Step 3: In Connection port use 80, 5985 for http or 5986 for https communication.
For https communication to work it is required to install Certificate authority on the domain and retrieve the certificate to be used in SSIM Agent configuration for log collection)

Step 4: In monitored host Account Name enter a domain ID or its equivalent ID to be used for log collection. (Use only User ID, do not use domain\username format).

 

Comments 3 CommentsJump to latest comment

sviridov's picture

found an error:

For security, Symantec recommends that you disable the Remote Shell access.

When you run winrm set winrm/config, the following message displays:

correct command:

winrm get winrm/config

or better yet use the command:

winrm get winrm/config/winrs

 

All my posts are made by google translator!

0
Login to vote
kathleenjoieamulong's picture

Hi.

 

I tried following this but still, SSIM can't collect events on the Win2k8 R2 server. 

Any Kerberos issue encountered?

I am encountering Kerberos concerns on the Event Viewer and Symantec Support told me to eliminate first the errors in Kerberos authentication.

 

Thanks,

Kat

0
Login to vote
kathleenjoieamulong's picture

I encountered the following error :

 

Description = Response message does not contain any data.
 
event_desc = Response message does not contain any data.
0
Login to vote