BeyondInsight

Installation Guide

SECURITY IN CONTEXT
Revision/Update Information: October 2015
Software Version: BeyondInsight 5.7
Revision Number: 1

CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2015 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
BeyondInsight Installation Guide Contents

Contents

Introduction
  Documentation for BeyondInsight
  Help Videos
  Contacting Support
  Telephone
  Online

Overview
  Architectural Review
  Installation Overview

Requirements
  Server Requirements
  Windows Server 2008
  Windows Server 2012
  Client Requirements
  Database Requirements

Installing Retina and BeyondInsight
  Downloading Product Installers
  Installing and Configuring BeyondInsight
  Configuration Wizard Settings
  Installing Retina

Configuring Retina Connections to BeyondInsight
  Configuring Central Policy
  Configuring Events Client

Configuring Analytics and Reporting
  Verify SQL Report Server Configuration
  Configuring Analytics and Reporting

Configuring and Running a Scan

Patch Management Module
  Installation Notes
  Requirements
  Mixed WSUS Environments
  Windows Server 2012 Overview
  Installing WSUS Administration Console Using PowerShell

BeyondTrust® October 2015 3


  Resolving Internal HTTP 500.19 Error

PowerBroker for Unix & Linux
  Requirements
  Generating a Certificate
  Exporting the BeyondInsight Server SSL Certificate
  Configuring Keywords

PowerBroker for Windows
  Generating a Certificate
  Configuring PowerBroker for Windows

Running the Software Removal Tool
  Command Line Syntax

Using the BeyondInsight Configuration Tool

Upgrading Your License
  Upgrading from BeyondInsight Community Version

Advanced Configuration
  Installing a Stand-Alone Event Server
  Setting up BeyondInsight to use a Fully Qualified Domain Name
  Configuring Windows Authentication to the Database
  SQL Server 2012
  Changing Database Authentication

Appendix A: Certificates
  Working with BeyondInsight Certificates
  eEyeEmsServer Certificate
  EmsClientCert Certificate
  Troubleshooting BeyondInsight Certificates
  Using a Domain PKI for BeyondInsight Communication
  Prerequisites
  Requirements
  Assigning the SSL Web Service Certificate in BeyondInsight
  Configuring a Client Certificate for PowerBroker for Windows
  Configuring Auto Enrollment

Appendix B: Permissions
  BeyondInsight Analytics and Reporting
  Installation Permissions
  SQL Server database access
  Analytics and Reporting Permissions
  Permissions Required for BeyondInsight Configuration User
  Permissions Required for the Web Proxy User
  Permissions Required for the SSRS Proxy User
  Permissions Required for the SQL Agent Service Running the Daily Sync Job

Introduction
This guide provides detailed instructions and procedures for installing BeyondInsight.
This section includes the document conventions, list of documentation for the product, and where to get
additional product information.

Documentation for BeyondInsight


The complete BeyondInsight documentation set includes the following:
• BeyondInsight Installation Guide
• BeyondInsight User Guide
• BeyondInsight Analytics and Reporting User Guide
If you are working with any of the BeyondInsight modules, refer to the product documentation for
additional information about that module.

Help Videos
How to Design a Scan for Shellshock Vulnerability Using BeyondInsight
http://vimeo.com/beyondtrust/review/111766681/a5fcfaac04

How to Set up a Scan Using BeyondInsight
http://vimeo.com/beyondtrust/review/112162327/19b1261e10

Creating a BeyondInsight User Group
http://vimeo.com/beyondtrust/review/112166598/b5aecf1376

Creating a BeyondInsight Smart Rule
http://vimeo.com/beyondtrust/review/114140956/e24c1ffa36

Deploying BeyondInsight Analytics and Reporting
http://vimeo.com/beyondtrust/review/114141583/edf1ac02ab

Contacting Support
For support, go to our Customer Portal then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and
chat, along with product downloads, product installers, license management, account, latest product
releases, product documentation, webcasts and product demos.


Telephone

Privileged Account Management Support


Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support


North/South America: 866.529.2201 | 949.333.1997
+ enter access code

All other Regions:


Standard Support: 949.333.1995
+ enter access code
Platinum Support: 949.333.1996
+ enter access code

Online
http://www.beyondtrust.com/Resources/Support/


Overview
This guide is designed to lead you through an installation of BeyondInsight.
This guide assumes familiarity with Microsoft Server 2008/2012 and Microsoft SQL Server
2008/2012/2014 installations.

Architectural Review
Having a conceptual understanding of BeyondInsight’s architecture is tremendously valuable before
installing and configuring the components. See the following diagram and explanations:

BeyondInsight is the web-based console where you will configure and launch vulnerability assessment
scans. As scans complete, a report is automatically generated. Results can be navigated interactively in
the console. BeyondInsight does not perform vulnerability scans directly, but sends a request to the
Retina Network Security Scanner.
Retina Network Security Scanner is the scanning engine that performs all vulnerability assessments. It
can run stand-alone, but when paired with BeyondInsight, scan results are sent securely to
BeyondInsight to populate the SQL Server database. 


Analytics & Reporting is an additional web-based interface that provides comprehensive analytical tools
and creates reports from collective scan data. It facilitates trending and delta reports, prioritization,
anomaly detection, and regulatory compliance.
Retina Protection Agent provides local scanning capabilities and is generally used where network-based
scanning is problematic. For example, mobile users who only connect periodically, or hardened servers
that block scan attempts. The RPA coexists with other endpoint solutions, such as McAfee or Symantec,
which may already be in place.

Installation Overview
Two software components comprise the solution:
• BeyondInsight management console
• Retina Network Security Scanner
Analytics and Reporting is a supplementary configuration launched from the BeyondInsight console and
does not require a separate installer.
Note:  By default, Retina Network Security Scanner is installed as a standalone component that, initially,
will not recognize the BeyondInsight console. Simple configuration steps will be performed that allow
Retina to:
• Receive scan job requests from BeyondInsight
• Send completed scan results securely back to BeyondInsight.


Requirements
Verifying that prerequisite software and settings are correct is the key to a successful installation. If you
receive errors during the installation, first check that prerequisites have been met.
The image below generally indicates the minimum software and hardware requirements. See the
BeyondTrust Solution Requirements document. Important considerations follow.
Minimum requirements are listed here. Work with your BeyondTrust Professional Services team to
determine your deployment strategy.
Operating System:
• Windows Server 2008 (x86 and 64-bit)
• Windows Server 2008 R2 (64-bit only) – latest service pack is required
• Windows Server 2012 and 2012 R2 (64-bit only)
Database:
• Microsoft SQL Server 2008 SP2 or later
• Microsoft SQL Server 2008 R2 SP1 or later
• Microsoft SQL Server 2012
• Microsoft SQL Server 2014
• Microsoft SQL Standard or Enterprise Editions Only
• Microsoft SQL Server Reporting Services
• Microsoft SQL Server Analysis Services
• Microsoft SQL Server Integration Services
Note: SQL Server collation must be set to SQL_Latin1_General_CP1_CI_AS
Processor:
• Intel Dual Core 2.0GHz (or compatible, minimum)
Memory:
• 16GB Minimum (Requires x64 OS)
Hard Drive:
• 500MB (software install)
• 40GB (database minimum)
Network:
• Network Interface Card (NIC) with TCP/IP enabled
Server Requirements:
• Microsoft .NET Framework 3.5 SP1 (Application Server Role, Windows Process Activation Service Support/HTTP Activation)
• Microsoft .NET Framework 4.5 (Application Server Role, Windows Process Activation Service Support/HTTP Activation)
• Microsoft Internet Information Server (IIS) 7.0 or later with ASP.Net support (Web Server (IIS) role)
Client Requirements:
• Adobe Flash Player 10.0 or higher
• Oracle Sun Java Version 7 Update 11 or later
• Microsoft Silverlight 5.0 or later
Notes:
• Installation on Domain Controllers or Small Business Servers is not supported.
• Google Chrome 42 or higher does not support Microsoft Silverlight.

Processor: Assign two processors when installing both Retina and the BeyondInsight console on a single
virtual machine. This greatly improves performance.
Memory: 8GB is minimum, 12GB is preferred when SQL Server and BeyondInsight are on the same
machine.
Hard Drive: Allocate 80GB for the hard disk when provisioning a virtual machine. If installing on a physical
machine where the OS is already installed, have 60GB free space.

Server Requirements
Verify the following Server Roles and Features in Server Manager. Note, some features are selected by
default.

Windows Server 2008

Web Server (IIS)


Application Server

Download and install the latest version of .NET Framework, 4.5 or higher. To verify, go to Control Panel |
Programs | Programs and Features.

Windows Server 2012

Web Server (IIS)


Verify Server Roles:


Application Server
Verify Server Roles:

Verify Features:

Client Requirements
Both BeyondInsight and Analytics & Reporting use a browser-based interface. The client is a web
browser. Therefore, the requirements (Flash, Java, Silverlight) apply to any machine that uses a
browser to access the BeyondInsight or Analytics and Reporting consoles, including the machine
where BeyondInsight is installed.

Database Requirements
BeyondInsight supports Microsoft SQL Server 2008/2008 R2, 2012/2012 R2 and 2014.
Microsoft SQL Server Express is not supported and will cause installation errors.


Install the SQL Server database prior to installing the BeyondInsight console. Note the following when
installing SQL Server:
• Install SQL Server while logged on as a domain or local administrator.
• In addition to the Database Engine Services, select to install the optional Analysis, Reporting and
Integration Services
• Select to install Management Tools (SQL Server Management Studio). 
For Service Accounts:
• SQL Server 2008: Use the NT AUTHORITY\SYSTEM account for all services where you are required to
set it.
• SQL Server 2012/2014: Accept the default service accounts. SQL Server 2012/2014 creates individual
accounts for each service.
• Set SQL Server Agent to start ‘Automatic’ (default is ‘Manual’).
• Select Windows authentication mode
Note: You can select Mixed Mode authentication, if desired, and provide the ‘sa’ account
password, however, this is not necessary when SQL Server resides on the same machine as
BeyondInsight.
• Select Add Current User when setting the SQL Server Administrator and Analysis Services
Administrator.
SQL Server 2012/2014 does not provide the required permissions to the NT AUTHORITY\SYSTEM account.
To correct this, go to SQL Server 2012 Management Studio | Security | Logins | <right-click> NT
AUTHORITY\SYSTEM | Properties. Select Server Roles |sysadmin, then click OK.


Installing Retina and BeyondInsight


Downloading Product Installers
After BeyondTrust Sales generates a customer license, you will receive an email that includes a link to
download product installers.

Installing and Configuring BeyondInsight


Installing the BeyondInsight console is a two-step process: installing the software and running through
the configuration. 
First, run the downloaded BeyondInsight_5.x.x installer, enter the BeyondInsight console license key
(serial number) and follow the default prompts. Supply the License Registration information when
prompted. If you already installed Retina, the License Registration information will automatically
populate. After the software has installed, the BeyondInsight Configuration Wizard automatically
launches.

Configuration Wizard Settings


Database page: Configure the database. Accept the default (local) SQL Server if the SQL Server is on the
same machine and will use the logged on Windows credentials to connect. Otherwise, click the Advanced
button to enter SQL Server information, including the SQL Server server name, database name, and
database credentials.

Web Site Information page: Informs you that the BeyondInsight console will be implemented as the
default IIS website.


Agent Password page: The Agent Password is used to configure the connection between the Retina
scanner and the BeyondInsight console, to be performed later. Agents need a password to retrieve
Central Policy information from BeyondInsight. The password is also used when importing certificates
using the Events Client Configuration tool. The password must match the machine’s password
composition requirements.

Event Server Information page: Provides the option to configure SNMP. Generally, this is not configured
for evaluations.
Email Information page: Allows you to provide a default SMTP mail server and account. This may be used,
for example, to automatically email a report after vulnerability scans complete. However, the SMTP mail
server and email address you provide are not verified by the configuration wizard. If you do not know the
information, or don’t want to provide it for the evaluation, you can enter fake data as shown below.


Administrator Password page: Creates an initial login account to the BeyondInsight console with full
rights. This is NOT the local machine administrator or domain administrator account. As with the agent
password, the BeyondInsight console administrator password must match the machine’s password
composition requirements.


Ready to Apply Settings and BeyondInsight Configuration pages: After entering your information, the
‘RetinaCSDatabase’ will be created in MS SQL.  Expect this process to take about 7-10 minutes.
Once the process completes and you select Finish, the BeyondInsight console starts in your default
browser. You can log in with the BeyondInsight Administrator account and password created above.

Installing Retina
To install Retina, run the downloaded Retina_5.xx.x installer, enter the Retina license key (serial number)
and follow the default prompts. After supplying the License Registration information, Retina will go
through an auto-update process, contacting BeyondTrust servers; this can take several minutes. Once
complete, Retina will automatically launch.
For more information, refer to the Retina Installation Guide.


Configuring Retina Connections to BeyondInsight


Now that Retina and the BeyondInsight console are installed, they must be configured to work together
by configuring both Central Policy and Events Client.

Configuring Central Policy


Central Policy enables Retina to pull scan requests from, and send scan status updates to, the
BeyondInsight console.
To configure Central Policy:
1. Run Retina.
2. Navigate to Tools > Options.
3. Select the Event Routing tab and then select Enable Event Routing to Centralized Console.

4. Select the Management tab, select Enable Central Policy and enter the required information.
– Central Policy Server: Name or IP address of the machine where the BeyondInsight console is
installed. You can use ‘localhost’ if Retina and the console reside on the same machine.
– Password: Use the Agent Password that was defined during the previous BeyondInsight
configuration steps. For example, ‘Retina123’.
– Agent Name: Enter a name of your choice, which will identify the Retina scanner in the
BeyondInsight console.
5. Click the Test button.  In a few seconds you should receive a confirmation message that the
connection from Retina to the BeyondInsight console was successful.
If you receive a message that “The connection was refused by the specified server”, verify that the
NT AUTHORITY\SYSTEM account has been given the sysadmin server role as previously mentioned.

Configuring Events Client


The Events Client enables Retina to securely send completed scan data to BeyondInsight, where it will be
extracted to populate the Retina CS Database.
To configure the Events Client:
1. In Windows 2008:  Start | All Programs | BeyondTrust | Tools | Event Client Configuration.
In Windows 2012:  Start | Apps | BeyondTrust | Events Client Configuration.
2. Run through the Events Client Installation wizard, accepting default values. At the Select a Client
Certificate page, navigate to <drive>:\Program Files (x86)\eEye Digital Security\Retina CS and select
EmsClientCert.
3. When prompted for a password, enter the Agent Password defined during the previous
BeyondInsight configuration steps. For example, ‘Retina123’.
4. At the Test Connection page, select Next, wait a few seconds, and verify that a test message was
successfully sent to the Application Bus.
After configuring Central Policy and Events Client, you are ready to run vulnerability scans and view the
corresponding report. See the Configuring and Running a Simple Credentialed Scan section. However, we
will continue on to set up Analytics and Reporting.


Configuring Analytics and Reporting


BeyondInsight’s Analytics and Reporting requires initial configuration before it can be used. The
configuration assumes that SQL Reporting, Analysis and Integration services are installed and working as
per the prerequisites. See Database Requirements.
Before configuring A & R, verify that the SQL Report Server is functioning properly.

Verify SQL Report Server Configuration


1. On Windows 2008:
Start | All Programs | Microsoft SQL Server 2008 R2 | Configuration Tools | Reporting Services
Configuration Manager
On Windows 2012:
Start | Apps | Microsoft SQL Server 2014 (or 2012) | SQL Server 2014 Reporting Services
Configuration Manager
2. After connecting, select Web Service URL, then select the Report Server Web Service URL link and
verify the confirmation web page.

3. Select Report Manager URL, then select the Report Manager Site Identification link and verify success.


Configuring Analytics and Reporting


1. Log on to the BeyondInsight console and select Analytics and Reporting.

2. At the Sign In to BeyondInsight page, enter the same administrator/password used to log on to the
console. Once logged on, select Configure Now.


3. Step 1: Installation Credentials:  Enter the machine or domain administrator credentials.

4. Step 2: SQL Server and SQL Server Analysis Services: Enter the Machine Name.


5. Step 3: SQL Reporting Services (SSRS):  Enter the Web Service URL, i.e., http://<machine
name>:80/ReportServer.


6. Step 4: SQL Server Agent:  The SQLSERVERAGENT service account created during the SQL Server
2012/2014 installation will not have the necessary write permissions to the BeyondInsightReporting
database.
There are a few ways to address this, but one of the easiest is to use the machine or domain
administrator account as a proxy account. When using SQL 2008/2008 R2, setting a proxy account is
not necessary.


7. Step 5: Web Service Credentials: User name and password should automatically populate, just select
Deploy.


8. Deployment Progress: Deployment progress is shown while the BeyondInsightReporting database is
created. Verify success, then select Finish.

9. Deployment Complete: Once the deployment completes, select the option to synchronize data
now. This critical process synchronizes scan results from the RetinaCSDatabase, which was created
during the BeyondInsight console configuration, with the newly created BeyondInsightReporting
database. 
By default, synchronization occurs every day at 12:00 am (See Step 5: SQL Server Agent), but can also
be run manually if desired. It takes several minutes to complete.


10. Verify successful synchronization by selecting the SQL Server Agent Jobs tab and then Refresh.
Be mindful NOT to select the browser’s refresh button since that will reload the page and you will
have to log in again.


Configuring and Running a Scan


For your first scan, it is helpful to only scan the local machine since this will verify communication between
Retina and the BeyondInsight console without introducing other variables such as firewall settings or
network conditions that may impede scanning external targets.
Configuring and running a discovery scan can be performed with a few simple steps:
1. In the management console, navigate to the Assets tab, then select Scan.

2. Select Discovery Scan. The Management Report Templates contain the specific audits that will be
executed on the target machines.
3. Select Scan.


4. Enter the target machines to scan.


You can use a single IP address, an IP address range, CIDR notation or named host(s). 
5. Enter credentials for the target machine(s).
6. Select Start Scan.


7. Select the Jobs tab to see scan progress.


When the scan completes, select the Reports tab, and then double-click the completed job to open
the report.


Patch Management Module


For more information about the Patch Management module requirements, refer to the BeyondInsight
User Guide.
Table 1. Patch Management Module Requirements
Management Consoles: BeyondInsight 2.0 or later

Installation Notes
• Ensure that your license includes the Patch Management module feature before proceeding with the
install. Contact your BeyondTrust representative.
• Installing the Patch Management module on domain controllers or Small Business Servers is not
supported.
• BITS and Microsoft WSUS Client must be enabled on all clients.

Requirements
Windows Server 2012 WSUS Installation Requirements
• IIS
• Windows PowerShell
• .NET Framework 4.5 Features
• Microsoft Report Viewer Redistributable 2008
http://www.microsoft.com/en-us/download/details.aspx?id=3841

Mixed WSUS Environments


Review this section if you plan to use the Patch Management module or the SCCM feature.
The fundamental challenge with mixed scenarios with different operating systems has to do with the
WSUS API version.
To support local publishing activities (basically anything involving putting a third-party update into the
WSUS database), both the WSUS Console version of the BeyondInsight server and the version of WSUS
installed on the WSUS server must be the same.
Otherwise, the Third Party Patch Service returns the following error message and no Third Party Updates
will be available for approval and installation.
Message: Failed to publish packageName. Publishing operation failed because
the console and remote server versions do not match.

Currently there are three supported production versions of WSUS that can contribute to this situation.
• WSUS v3.2 - runs on Windows Server 2003, 2008, and 2008R2
• WSUS v6.2 - runs on Windows Server 2012
• WSUS v6.3 - runs on Windows Server 2012 R2


Resolution
Ensure all WSUS servers and BeyondInsight servers have the same WSUS patches installed.
To check the WSUS patches installed on a server:
1. Log on to the server you need to check.
2. If you are running Windows Server 2003, find the patches in Add or Remove Programs:
a. Open Control Panel > Add or Remove Programs.
b. At the top of the window, select Show updates.
c. Scroll to Windows Server Update Services.
d. Note the KB numbers (in parentheses) at the end of each "Hotfix" entry.
3. If you are running Windows Server 2008, find the patches in Programs and Features:
a. Open Control Panel > Programs and Features.
b. In the left pane, click View installed updates.
c. Scroll to Windows Server Update Services.
d. Note the KB numbers (in parentheses) at the end of each entry.

Windows Server 2012 Overview


Review the following articles to learn more about how Windows Server 2012 and WSUS work together.
• WSUS on Windows Server 2012 Overview
http://technet.microsoft.com/en-us/library/hh852345.aspx
• Deploy Windows Server Update Services in Your Organization
http://technet.microsoft.com/en-us/library/hh852340.aspx
• Difference between WSUS 3.2 and WSUS 6.0
http://social.technet.microsoft.com/Forums/windowsserver/en-US/16d5f9bb-98cc-4285-a886-52fb2b99531e/difference-between-wsus-30-and-wsus-40

Installing WSUS Administration Console Using PowerShell


1. Open a Windows PowerShell console as an administrator.
2. Execute the following command:
Install-WindowsFeature -Name UpdateServices-Ui

This command installs the console only and will not run a post-install task.

Resolving Internal HTTP 500.19 Error


HTTP Error 500.19 can occur when you try to log on to BeyondInsight if Windows Server 2012, IIS,
WSUS, and BeyondInsight are installed on the same server.
Windows Server 2012 is a 64-bit only Operating System. When WSUS is installed, suscomp.dll is defined
globally and loaded in every application pool. The BeyondInsight application pool is 32-bit and will result
in the error when the 64-bit suscomp.dll attempts to load.


You can use one of the following ways to fix the issue.
Option 1
1. Back up IIS.
2. Open IIS Manager.
3. Click the server module node in the tree and select Modules.
4. Right-click DynamicCompressionModule and select Unlock.
5. Right-click on StaticCompressionModule and select Unlock.
6. Open the Default Web Site, and then open Modules.
7. Right-click DynamicCompressionModule and select Remove.
8. Right-click StaticCompressionModule and select Remove.
9. Run IISRESET from an elevated/administrative command prompt.

Option 2
Install BeyondInsight and WSUS on separate Windows Server 2012 servers.


PowerBroker for Unix & Linux


Use BeyondInsight to manage PowerBroker for Unix & Linux event log records. Configure BeyondInsight
and PowerBroker for Unix & Linux to work together to send the event logs to the BeyondInsight
management console.
This chapter provides information on preparing PowerBroker Servers to work with BeyondInsight.
Refer to the PowerBroker Servers product documentation for specific details on the keywords that must
be configured.

Requirements
• BeyondInsight version 4.5 or later
• PowerBroker for Unix & Linux version 7.5 or later

Generating a Certificate
1. Open the BeyondInsight Configuration Tool and select Certificate Management.
2. Select Export certificate.
3. Select Client certificate from the list.
4. Enter a password for the export file and provide the destination in the Path field.
5. Click OK to export the certificate as a PKCS#12 file (with a .pfx extension).
6. Using openssl, convert the certificate from PKCS#12 format (*.pfx file) to PEM format (*.pem):
openssl pkcs12 -clcerts -in <full_pathname_of_pfx_to_convert> -out <full_pathname_of_target_pem> -nodes
7. Securely copy the certificate to the PowerBroker Servers Unix & Linux Master and Logserver hosts.
8. In the PBUL settings file, assign the path and filename of this certificate to the keyword
sslrcscertfile.

Exporting the BeyondInsight Server SSL Certificate


1. Open the Windows Certificate Manager (certmgr.msc) and expand the Trusted Root Certification
Authorities folder.
2. In the details pane, select the BeyondInsight server SSL certificate in the Issued To field.
The certificate name contains the hostname of the BeyondInsight server and the text “eEye EMS CA”.
Example: RCS hostname is LA-RETINACS-01:
The certificate’s name is “LA-RETINACS-01 eEye EMS CA”
3. From the Action menu, select All Tasks > Export.
4. In the Certificate Export Wizard:
a. Select No when asked to export the private key, and then click Next.
b. Select the DER encoded binary X.509 (*.CER) format, and then click Next.
c. Provide the target destination of the certificate, and then click Next.
d. Confirm the settings, and then click Finish to export the certificate.
5. Using openssl, convert the certificate from DER format (*.cer) to PEM format (*.pem) using this
command:
openssl x509 -inform der -in <full_pathname_of_cer_to_convert> -out <full_pathname_of_target_pem>
6. Securely copy the certificate to the PBUL Master and Logserver hosts.
7. In the PBUL settings file, assign the path and filename of this certificate to the keyword
sslrcscafile.
For more information about importing the certificates, refer to “Solr Install” in the PowerBroker Servers
Install Guide.

Configuring Keywords
If you have not done so during the PowerBroker for Unix & Linux installation, set the following keywords
in pb.settings on the Master and Log server hosts:
• rcshost
• rcswebsvcport
• sslrcscertfile
• sslrcscafile
• rcseventstorefile
For a complete list of keywords that must be configured, refer to the PowerBroker for Unix & Linux
product documentation.
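
The two conversions above can be checked on the Master and Logserver hosts before pb.settings is pointed at the files. The function below is an added example, not part of the BeyondInsight guide: it confirms that the PEM assigned to sslrcscertfile holds a certificate with its matching private key, is readable only by its owner (the -nodes option leaves the key unencrypted), is not expired, and verifies against the PEM assigned to sslrcscafile. The function name and arguments are illustrative, and it assumes the client certificate was issued by the exported CA, as Appendix A describes.

```shell
#!/bin/sh
# Added example, not part of the BeyondInsight guide: sanity checks for the
# PEM files assigned to sslrcscertfile (client) and sslrcscafile (CA).
# Assumption: the client certificate was issued by the CA in the second file.

check_rcs_pems() {
    client_pem=$1
    ca_pem=$2
    rc=0

    for f in "$client_pem" "$ca_pem"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # 1. The client PEM must hold the certificate and its matching private
    #    key. "-passin pass:" stops openssl prompting if the key is encrypted.
    cert_pub=$(openssl x509 -in "$client_pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$client_pem" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: $client_pem lacks a certificate or a readable private key" >&2
        rc=1
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key in $client_pem does not match its certificate" >&2
        rc=1
    fi

    # 2. "-nodes" wrote that key unencrypted, so group and other must have
    #    no access to the file (mode 600 or 400).
    if [ "$(ls -ldL "$client_pem" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $client_pem is accessible beyond its owner (chmod 600)" >&2
        rc=1
    fi

    # 3. Neither certificate may be expired.
    for f in "$client_pem" "$ca_pem"; do
        if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "FAIL: certificate in $f is expired or not valid PEM" >&2
            rc=1
        fi
    done

    # 4. The client certificate must chain to the exported CA certificate.
    if ! openssl verify -CAfile "$ca_pem" "$client_pem" 2>&1 | grep -q ': OK$'; then
        echo "FAIL: $client_pem does not verify against $ca_pem" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $client_pem verifies against $ca_pem"
    return "$rc"
}

# Stand-alone use: sh check_rcs_pems.sh <client_pem> <ca_pem>
if [ "$#" -eq 2 ]; then
    check_rcs_pems "$1" "$2"
fi
```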


PowerBroker for Windows


To configure PowerBroker for Windows to forward events to BeyondInsight, you must follow the
procedures in this section.
• Ensure that you have the appropriate license key for BeyondInsight.
• Before proceeding, ensure all PowerBroker for Windows components and BeyondInsight are installed.

Generating a Certificate
Generate a client certificate using the BeyondInsight Configuration tool. Certificates must be deployed to
any asset where you are capturing events with PowerBroker for Windows.
After you generate a certificate, you can create an MSI. You can then set up a GPO with the MSI and
deploy the certificate to your PowerBroker assets.
Note: Do not generate a client certificate if there is one created for either PowerBroker Endpoint
Protection Platform or for Retina Network Security Scanner. You can use the existing client
certificate for your PowerBroker for Windows assets.
To generate a certificate:
1. Run the configuration tool, and then click Certificate Management.
2. Select Generate Certificate, and then select Client Certificate from the Certificate type menu.
3. Enter a password.
4. Click OK.

Creating an MSI File


To create an MSI file:
1. Run the BeyondInsight Configuration tool.
2. Click Generate Certificate msi.
The certinstaller.msi file is created in the following directory: C:\Program Files (x86)\eEye Digital
Security\Retina CS\Utilities\msi

Configuring PowerBroker for Windows


Install the PowerBroker for Windows components. For more information, refer to the PowerBroker
Installation Guide.
To configure PowerBroker for Windows:
1. Run the Group Policy Management Editor.
2. Go to the Management folder in the Administrative Templates section.

3. Set the following options:


Table 2. Management Settings for BeyondInsight Integration

Setting                        Description

Log events to BeyondInsight    Activates event forwarding to BeyondInsight.

Enable Asynchronous            Sends event logs to the System event log when BeyondInsight
BeyondInsight Event Logging    cannot process the events.

Configure the BeyondInsight    Sets the BeyondInsight certificate name, eEyeEmsClient.
Certificate Name

Configure the BeyondInsight    Enter the interval in minutes.
heartbeat interval             The default interval is every 360 minutes (6 hours).
                               Configure a regular interval to send heartbeat events to ensure
                               there is a connection between PowerBroker and BeyondInsight.
                               In addition to the usual events, when configured to send events
                               to BeyondInsight, a heartbeat event will also be sent (event ID
                               28701).

Configure BeyondInsight to     Create a path for the event data XML file when the file cannot
Store XML Events on Failure    be sent to BeyondInsight.

Configure the BeyondInsight    Enter the URL for the BeyondInsight web service.
Web Service URL                Follow the format: https://myserver/EventService/Service.svc

Configure the PowerBroker      Enter a workgroup name.
workgroup name for             A workgroup name is needed for asset matching in BeyondInsight.
BeyondInsight

Enable BeyondInsight Trace     Enable to create a trace log if events are not flowing into
Logging                        BeyondInsight.


Running the Software Removal Tool


The BeyondTrust Software Removal Tool (SRT) is a standalone application that you can use to uninstall
third-party security programs.
You must run the SRT on the computer where the applications are installed.
You can remove the following antivirus applications:
Symantec, McAfee, AVG Technologies, ESET, NOD32, TrendMicro, CA eTrust, Kaspersky, Sophos,
WebRoot, Ad-Aware, Malwarebytes, Spybot, and ZoneAlarm.
Alternatively, you can uninstall applications when you are deploying Retina Protection Agents using
BeyondInsight. For more information, refer to the BeyondInsight User Guide.

Command Line Syntax


/guid -pcode product_code -upar "/norestart /qn"
where product_code is the MSI product code of the software that you want to remove.
You can also use the following optional commands:
/logfile     The name (or the entire path) of the log file.
/password    Some antivirus products require a password to uninstall (for example, Kaspersky).
/restart     Specifies if the machine will be restarted after completely uninstalling all
             antivirus products.
             Possible values:
             0 - no restart
             1 - restart


Using the BeyondInsight Configuration Tool


After you initially configure BeyondInsight, you can change settings using the BeyondInsight
Configuration Tool.
The options configured during installation are described in the Configuring section earlier in this guide.
Note that you can turn on SSL settings for Active Directory queries (Authentication node). You can use SSL
when creating Active Directory queries or creating BeyondInsight Active Directory user groups. For more
information, refer to the BeyondInsight User Guide.

Table 3. BeyondInsight Additional Configuration Settings

Test Connection             Click to test the connection to the SQL Server database.

Create Database             Select to create a database.

Upgrade Database            Use this feature to upgrade your BeyondInsight database.

Manage License              Use the License Manager to update your license or transfer the
                            license (remove the license from the installation computer and
                            move to another computer).

Certificate Management      Certificates are used by the Events Client component to ensure
                            secure data transmission.
                            Generate certificate and export the certificate to a preferred
                            location.
                            The certificate password must be the same as the Central Policy
                            password.

Install SSL Certificate     Create an SSL certificate to create a secure connection to IIS.
                            The certificate is not generated by a trusted certificate authority.
                            An invalid certificate message is displayed to browsers connected
                            to IIS.

Enable Debug Logging        Use this feature when troubleshooting BeyondInsight with the
                            BeyondTrust Security support team.

Stop and Start Services     Select to start and stop the BeyondInsight services.

Sync Benchmarks             Synchronizes the benchmark templates that reside in the database
                            with the templates available on the server.

Disable Light Writebacks    Light writeback is a feature used by the Patch Management
                            module. This ensures that information returned to the Patch
                            Management module indicates that patches are deployed and
                            items are no longer vulnerable.
                            If you are not using the Patch Management module, you can turn
                            off light writebacks.

Generate Certificate msi    Create an MSI file that contains a client certificate. You can then
                            set up a GPO with the MSI and deploy the certificate to your
                            PowerBroker assets.

Grant Permissions           Grants permissions to all stored procedures in the BeyondInsight
                            schema so that services and web services can run all stored
                            procedures.

Client Authentication       Click the link to disable authentication. When set to Disabled, SSL
                            client certificates will be ignored.
                            Click the link again to set to Enabled. SSL authentication is now
                            turned on with the Require setting selected (rather than the Accept
                            setting). Go to the SSL Settings in IIS for the BeyondInsight server
                            to confirm the settings.


Upgrading Your License


Use the BeyondInsight Configuration tool to update your license. You need to upgrade your license to
extend your license or to extend the asset count purchased (for example, 500 assets to 1 000 assets).
To upgrade your license:
1. Select Start > All Programs > BeyondTrust > BeyondInsight > BeyondInsight Configuration.
2. Click Manage License.
3. On the License Management page, select Update License and click Next.
4. Enter the serial number and click Next.
5. Click Finish.
6. Click Apply to close the BeyondInsight Configuration tool.

Upgrading from BeyondInsight Community Version


If you are upgrading from BeyondInsight Community version, you must get a new license and apply the
license using the License Manager in the Configuration Tool.


Advanced Configuration

Installing a Stand-Alone Event Server


You can install a stand-alone Event Server depending on your environment. However, it is not a typical
installation scenario. It is recommended that BeyondTrust Technical Support or Professional Services
advise you on whether this installation scenario is suited to your BeyondInsight deployment.
Refer to the Retina Best Practices guide for detailed information on installing a stand-alone Event Server.

Setting up BeyondInsight to use a Fully Qualified Domain Name


By default, BeyondInsight communicates to the Retina scanners and protection agents using the
hostname.
If your company environment requires that you communicate over the Internet using FQDN, see the
following knowledge base article to configure BeyondInsight to use FQDN:
http://kb.beyondtrust.com/home/detail/KB000873

Configuring Windows Authentication to the Database


It is recommended that you use SQL authentication to access the BeyondInsight SQL Server database.
However, if you are a SQL Server administrator, it might be your preference to use Windows
authentication.
Note: The SQL Server database and BeyondInsight server must be in the same Windows domain.

SQL Server 2012


The NT Authority\Network Service account is not created by default on SQL Server 2012. (This account
exists by default on SQL Server 2008 R2).
In an environment where SQL Server 2012 and BeyondInsight are installed on the same server, you must
create the NT Authority\Network Service account in SQL Server before changing the authentication mode.
Permissions assigned on the BeyondInsight database must include: DBO access and REM3Admins.
However, if SQL Server 2012 and BeyondInsight are not on the same server, then the default Windows
permissions apply. Create a local group on the SQL Server and add Domain\MachineName$ to this group.
Assign DBO access and REM3Admins to this local account.
The Application Pool runs as NT Authority\Network Service. For remote configurations, SQL Server uses
the Domain\MachineName$ account. For same server configurations, SQL Server uses the NT Authority\Network
Service account.

Changing Database Authentication


Use the following procedure as a guide to setting up Windows authentication on your SQL Server
database.


To change database authentication to Windows:


1. Log on to SQL Server.
2. Create a SQL Server login and use the computer account for the remote BeyondInsight server as the
Login Name. For example, Domain\RemoteServerName$.
3. After the login is created, go to the login properties for the new login, and create a user mapping to
the BeyondInsight database and the REM3Admins role.


Appendix A: Certificates
Certificates are used for secure communication between agents and BeyondInsight.
There are two types of certificates used with BeyondInsight and PowerBroker agents:
• SSL certificate – Required to encrypt the communication
• Client certificate – Required to authenticate a client
You can use BeyondInsight certificates or create custom certificates. You can use the BeyondInsight
Configuration tool to create certificates.

Working with BeyondInsight Certificates


The following certificates are used for communication between all Retina and PowerBroker solutions and
BeyondInsight:
• eEyeEmsCA - Certification Authority (CA) certificate
The CA certificate generates and validates client and server certificates, and is located on both agent
and server in the Trusted Root Certification Authorities in the Local Machine store.
• EmsClientCert - Client authentication certificate
• eEyeEmsServer - Server authentication certificate
When connecting to the BeyondInsight Web Service (for example, PowerBroker for Windows connecting
to the Event Service), the EmsClientCert is used to authenticate the client and the SSL certificate is used to
encrypt the data. This prevents anonymous connections to the services. Typically, a Certification
Authority (CA) such as VeriSign validates anonymous clients.
With BeyondInsight, a self-signed CA is created and distributed with the client certificate. BeyondInsight
can then work in a variety of environments especially where network connectivity is a problem. This avoids
the need to register each system instance with an online CA.
Internally, each client certificate contains a private-public key pair. During the SSL handshake the server
requests the client certificate. The client authenticates the certificate before initiating the connection and
the server again validates when it is received.

eEyeEmsServer Certificate
Install the eEyeEmsServer certificate on the server in the Local Machine Store, under the Personal Store.
To verify that the certificate is valid, double-click the certificate.
The following screen capture shows a valid certificate.


EmsClientCert Certificate
The EmsClientCert certificate is used for the following purposes:
• Agent<->Server communications during deployments. Only applies to PowerBroker Endpoint
Protection Platform agent deployments.
The client certificate (with an internally generated password) is exported from the Local Machine
store to the deploy.pfx (this file is the deployment package). The password is the same password
used for Central Policy.
The certificate is imported on the agent and is required to send events to BeyondInsight.
• Agent<->Server communications sending/receiving events.
When generating the client certificate using the BeyondInsight Configuration tool, the certificate is
exported from the Local Machine store to: C:\program files\common files\eEye Digital
Security\Shared Services Host\Certificates\EmsClientCert.pfx
The file uses the Central Policy password.

Troubleshooting BeyondInsight Certificates


When troubleshooting certificate issues, check the following:
• Is the eEyeEmsCA certificate expired?
• Does the certificates store have more than one version of the eEyeEmsCA certificate?

• Does the eEyeEmsCA certificate have the correct usage identifiers in place? Use the following screen
capture as a guide.

• Does eEyeEmsCA exist on the agent and the server? Ensure the certificate on the agent has the same
serial number as the certificate on the BeyondInsight server.
To view the serial number, double-click the CA certificate in the Certificate Manager to open the dialog
box:

• Was the eEyeEmsCA certificate regenerated or removed? Regenerating or removing the eEyeEmsCA
certificate invalidates any certificate that was generated using the old CA certificate. This breaks the
communication between the agents and the server until the Client and Server certificates are
regenerated on the server and the new Client certificate is deployed on all agents connecting to
BeyondInsight.
• Did the Central Policy password change? If you change the password for Central Policy using the
BeyondInsight Configuration tool, the password change is not automatically applied to
EmsClientCert.pfx.
When you deploy PowerBroker Endpoint Protection Platform on a target, the package will include the
certificate with the old password. In this scenario, the events communication will not be successfully
configured on the target. Using the BeyondInsight Configuration tool, generate a new client
certificate with a new password that matches the Central Policy password.
• To ensure the client certificate works properly with BeyondInsight, the certificate must have correct
usage identifiers and the private key present. Use the following screen captures as a guide.
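
Several checks in the list above (CA expiry, matching serial numbers on agent and server, client usage identifiers) can be scripted once the certificates have been exported to files. The following is an added example, not BeyondTrust code: the function names and the 30-day warning window are assumptions, and the inputs are exports of eEyeEmsCA from the server and from an agent, plus a client certificate.

```shell
#!/bin/sh
# Added example, not part of the BeyondInsight guide. Works on certificate
# files exported from the Windows stores (DER .cer or PEM); the file names
# are whatever was chosen at export time.

# Run "openssl x509" on a file that may be PEM or DER encoded.
x509_any() {
    cert_file=$1
    shift
    openssl x509 -inform PEM -in "$cert_file" "$@" 2>/dev/null ||
        openssl x509 -inform DER -in "$cert_file" "$@" 2>/dev/null
}

# compare_ca SERVER_CA AGENT_CA [WARN_DAYS]
# 0 = same certificate and not close to expiry
# 1 = serial number or SHA-256 fingerprint differs (the CA was regenerated,
#     or the agent holds a stale copy)
# 2 = CA certificate expired or expiring within WARN_DAYS (default 30)
# 3 = one of the files is not a readable certificate
compare_ca() {
    warn_days=${3:-30}
    server_id=$(x509_any "$1" -noout -serial -fingerprint -sha256) || return 3
    agent_id=$(x509_any "$2" -noout -serial -fingerprint -sha256) || return 3

    if [ "$server_id" != "$agent_id" ]; then
        echo "MISMATCH between server and agent CA certificates:" >&2
        echo "  server $(echo "$server_id" | head -n 1)" >&2
        echo "  agent  $(echo "$agent_id" | head -n 1)" >&2
        return 1
    fi
    if ! x509_any "$1" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "EXPIRY: CA certificate expires within $warn_days days" >&2
        return 2
    fi
    echo "OK: agent and server hold the same CA ($(echo "$server_id" | head -n 1))"
    return 0
}

# client_auth_allowed CERT: succeeds when the certificate's usage identifiers
# permit TLS client authentication. A certificate with no extended key usage
# extension is unrestricted and also passes.
client_auth_allowed() {
    x509_any "$1" -noout -purpose | grep -q '^SSL client : Yes$'
}

# Stand-alone use: sh compare_ca.sh <server_ca> <agent_ca> [warn_days]
if [ "$#" -ge 2 ]; then
    compare_ca "$@"
fi
```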


Using a Domain PKI for BeyondInsight Communication


This section is intended to highlight key points to creating a custom certificate. For detailed procedures
on creating a custom domain certificate refer to Microsoft’s documentation.
Keep the following considerations in mind if you are creating a custom template to use for BeyondInsight.
• You can modify templates using the Certificate Templates Console (certtmpl.msc).
• The default Computer template meets the requirements for BeyondInsight communication.
However, you must create a copy of the Computer template and update any particular BeyondInsight
configuration settings in the copy.
• To issue the new template, use the certsrv.msc snap-in.

Prerequisites
Ensure the following is in place in your environment before proceeding.
• Domain member server with Active Directory Certificate Services installed and configured.
• Certificate Authority Web Enrollment role installed
http://technet.microsoft.com/en-us/library/cc731183.aspx

Requirements
• The certificates must be configured as Server Authentication and Client Authentication in the
Intended Purposes section of the certificate.

• The Subject key must contain common text for all client certificates.
In the following example the common text is BTTest.


Assigning the SSL Web Service Certificate in BeyondInsight


1. Start the BeyondInsight Configuration Tool.
2. Scroll to Web Service in the list.
3. Select the domain PKI certificate from the list, and then click Apply.


Configuring a Client Certificate for PowerBroker for Windows


1. Edit the GPO that you are using to deploy policy to your PowerBroker for Windows targets.
2. In Group Policy Management Editor, go to Administrative Templates > BeyondTrust > PowerBroker
for Windows > System > Management.
3. Double-click the Configure the BeyondInsight Certificate Name setting.
4. Enter the common text in the client certificate Subject key.


Configuring Auto Enrollment


To configure auto enrollment for the certificate:
1. In GPME, edit the GPO that applies to your PowerBroker for Windows targets.
2. Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies >
Automatic Certificate Request Settings.
3. Right-click in the right pane, and select New > Automatic Certificate Request.
4. Go through the wizard. On the Certificate Template page, select the custom template.
Refer to the following technet article for more details:
http://technet.microsoft.com/en-us/library/cc731522.aspx


Appendix B: Permissions
This section is designed for more advanced deployments where local admin or administrator privileges
might not be desired for installing or using BeyondInsight.

BeyondInsight Analytics and Reporting

Installation Permissions
Minimum permissions needed for the BeyondInsight account.

SQL Server database access


Ideally, assign the account installing BeyondInsight the sysadmin Server Role.
Otherwise, ensure at least the following SQL Server permissions are assigned to the account:

ALTER database                BULKINSERT
CREATE Role                   CREATE Application Role
CREATE Schema                 CREATE Type
CREATE Table                  ALTER Table
UPDATE Table                  CREATE UNIQUE NONCLUSTERED INDEX
CREATE NONCLUSTERED INDEX     CREATE PROCEDURE
ALTER PROCEDURE               EXECUTE PROCEDURE
CREATE VIEW                   ALTER VIEW
GRANT EXEC, SELECT, INSERT, UPDATE, DELETE

Analytics and Reporting Permissions

Permissions Required for BeyondInsight Configuration User


Account entered on this page of the configuration wizard: Step 1: Installation Credentials
• Local administrator rights to the SQL Analysis Services – this is needed to deploy the Analysis Services
cube.
• Permission to create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\EEYE
• Log on as Batch Job security policy on the SQL Server computer.

Table 4. BeyondInsight Configuration Database Roles

Member in Role    Database

Sysadmin          BeyondInsight reporting
                  Required to:
                  - install the SQL job and the SSIS packages.
                  - create the BeyondInsight reporting database.
                  - view SQL job statuses and details. Alternatively, add the
                    configuration user to the SQLAgentRole of the MSDB database on
                    the BeyondInsight server for lower privileges.

DBOwner           BeyondInsight
                  Required to install the stored procedures for BeyondInsight reporting
                  to synchronize data from the BeyondInsight management console.

System User       This role is at the root of SQL Reporting Services management website
                  and is required to read information from SSRS.

Browser           This role is on the root folder settings for the SQL Report Services
                  management website and is required to read and run reports
                  deployed to SSRS.

Content Manager   This role is on the root folder settings for the SQL Report Services
                  management website and is required to deploy the reports to SSRS.

Permissions Required for the Web Proxy User


Note: These permissions are automatically set up during installation if the installing user has
permission to do so.
Account entered on this page of the configuration wizard: Step 5: Web Service Credentials
Table 5. Web Proxy User Roles

Member in Role        Database

RetinaInsightReader   BeyondInsight reporting

RetinaInsightUser     BeyondInsight management console

RetinaInsightReader   BeyondInsight reporting cube in SQL Analysis Services

System User           This role is at the root of SQL Report Services management website
                      and is required to deploy the reports to SSRS.

Browser               This role is on the root folder settings for the SQL Report Services
                      management website and is required to read and run reports
                      deployed to SSRS.

Permissions Required for the SSRS Proxy User


Note: These permissions are automatically set up during installation if the installing user has
permission to do so.
Account entered on this page of the configuration wizard: Step 3: SQL Reporting Services (SSRS)


Table 6. SSRS Proxy User Roles

Member in Role Database


RetinaInsightReader BeyondInsight reporting
RetinaInsightUser BeyondInsight management console
RetinaInsightReader BeyondInsight reporting cube in SQL Analysis Services

Permissions Required for the SQL Agent Service Running the Daily Sync Job
Permission to process the BeyondInsight SSAS database.
Table 7. SSRS Proxy User Roles

Member in Role Database


RetinaInsightSSIS BeyondInsight
RetinaInsightUser BeyondInsight management console
