Installation Guide
SECURITY IN CONTEXT
Revision/Update Information: October 2015
Software Version: BeyondInsight 5.7
Revision Number: 1
CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2015 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents
Introduction
Documentation for BeyondInsight
Help Videos
Contacting Support
Telephone
Online
Overview
Architectural Review
Installation Overview
Requirements
Server Requirements
Windows Server 2008
Windows Server 2012
Client Requirements
Database Requirements
Advanced Configuration
Installing a Stand-Alone Event Server
Setting up BeyondInsight to use a Fully Qualified Domain Name
Configuring Windows Authentication to the Database
SQL Server 2012
Changing Database Authentication
Appendix A: Certificates
Working with BeyondInsight Certificates
eEyeEmsServer Certificate
EmsClientCert Certificate
Troubleshooting BeyondInsight Certificates
Using a Domain PKI for BeyondInsight Communication
Prerequisites
Requirements
Assigning the SSL Web Service Certificate in BeyondInsight
Configuring a Client Certificate for PowerBroker for Windows
Configuring Auto Enrollment
Appendix B: Permissions
BeyondInsight Analytics and Reporting
Installation Permissions
SQL Server database access
Analytics and Reporting Permissions
Introduction
This guide provides detailed instructions and procedures for installing BeyondInsight.
This section includes the document conventions, list of documentation for the product, and where to get
additional product information.
Help Videos
How to Design a Scan for Shellshock Vulnerability Using BeyondInsight
http://vimeo.com/beyondtrust/review/111766681/a5fcfaac04
Contacting Support
For support, go to our Customer Portal then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and
chat, along with product downloads, product installers, license management, account, latest product
releases, product documentation, webcasts and product demos.
Telephone
Online
http://www.beyondtrust.com/Resources/Support/
Overview
This guide is designed to lead you through an installation of BeyondInsight.
This guide assumes familiarity with Microsoft Server 2008/2012 and Microsoft SQL Server
2008/2012/2014 installations.
Architectural Review
Having a conceptual understanding of BeyondInsight’s architecture is tremendously valuable before
installing and configuring the components. See the following diagram and explanations:
BeyondInsight is the web-based console where you will configure and launch vulnerability assessment
scans. As a scan completes, a report is automatically generated. Results can be navigated interactively in
the console. BeyondInsight does not perform vulnerability scans directly, but sends a request to the
Retina Network Security Scanner.
Retina Network Security Scanner is the scanning engine that performs all vulnerability assessments. It
can run stand-alone, but when paired with BeyondInsight, scan results are sent securely to
BeyondInsight to populate the SQL Server database.
Analytics & Reporting is an additional web-based interface that provides comprehensive analytical tools
and creates reports from collective scan data. It facilitates trending and delta reports, prioritization,
anomaly detection, and regulatory compliance.
Retina Protection Agent provides local scanning capabilities and is generally used where network-based
scanning is problematic. For example, mobile users who only connect periodically, or hardened servers
that block scan attempts. The RPA coexists with other endpoint solutions, such as McAfee or Symantec,
which may already be in place.
Installation Overview
Two software components comprise the solution:
• BeyondInsight management console
• Retina Network Security Scanner
Analytics and Reporting is a supplementary configuration launched from the BeyondInsight console and
does not require a separate installer.
Note: By default, Retina Network Security Scanner is installed as a standalone component that, initially,
will not recognize the BeyondInsight console. Simple configuration steps will be performed that allow
Retina to:
• Receive scan job requests from BeyondInsight
• Send completed scan results securely back to BeyondInsight.
Requirements
Verifying that prerequisite software and settings are correct is the key to a successful installation. If you
receive errors during the installation, first check that prerequisites have been met.
The image below generally indicates the minimum software and hardware requirements. See the
BeyondTrust Solution Requirements document. Important considerations follow.
Minimum requirements are listed here. Work with your BeyondTrust Professional Services team to
determine your deployment strategy.
Operating System
• Windows Server 2008 (x86 and 64-bit)
• Windows Server 2008 R2 (64-bit only) – latest service pack is required
• Windows Server 2012 and 2012 R2 (64-bit only)
Database
• Microsoft SQL Server 2008 SP2 or later
• Microsoft SQL Server 2008 R2 SP1 or later
• Microsoft SQL Server 2012
• Microsoft SQL Server 2014
• Microsoft SQL Standard or Enterprise Editions Only
• Microsoft SQL Server Reporting Services
• Microsoft SQL Server Analysis Services
• Microsoft SQL Server Integration Services
• Note: SQL Server collation must be set to SQL_Latin1_General_CP1_CI_AS
Processor
• Intel Dual Core 2.0GHz (or compatible, minimum)
Memory
• 16GB Minimum (Requires x64 OS)
Hard Drive
• 500MB (software install)
• 40GB (database minimum)
Network
• Network Interface Card (NIC) with TCP/IP enabled
Server Requirements
• Microsoft .NET Framework 3.5 SP1 (Application Server Role, Windows Process Activation Service Support/HTTP Activation)
• Microsoft .NET Framework 4.5 (Application Server Role, Windows Process Activation Service Support/HTTP Activation)
• Microsoft Internet Information Server (IIS) 7.0 or later with ASP.Net support (Web Server (IIS) role)
Client Requirements
• Adobe Flash Player 10.0 or higher
• Oracle Sun Java Version 7 Update 11 or later
• Microsoft Silverlight 5.0 or later
Notes
• Installation on Domain Controllers or Small Business Servers is not supported.
Processor: Assign two processors when installing both Retina and the BeyondInsight console on a single
virtual machine. This greatly improves performance.
Memory: 8GB is minimum, 12GB is preferred when SQL Server and BeyondInsight are on the same
machine.
Hard Drive: Allocate 80GB for the hard disk when provisioning a virtual machine. If installing on a physical
machine where the OS is already installed, have 60GB free space.
Server Requirements
Verify the following Server Roles and Features in Server Manager. Note, some features are selected by
default.
Application Server
Download and install the latest version of .NET Framework, 4.5 or higher. To verify, go to Control Panel |
Programs | Programs and Features.
Application Server
Verify Server Roles:
Verify Features:
Client Requirements
Both BeyondInsight and Analytics & Reporting use a browser-based interface. The client is a web
browser. Therefore, the requirements (Flash, Java, Silverlight) apply to any machine that uses a browser
to access the BeyondInsight or Analytics and Reporting consoles, including the machine where
BeyondInsight is installed.
Database Requirements
BeyondInsight supports Microsoft SQL Server 2008/2008 R2, 2012/2012 R2 and 2014.
Microsoft SQL Server Express is not supported and will cause installation errors.
Install the SQL Server database prior to installing the BeyondInsight console. Note the following when
installing SQL Server:
• Install SQL Server while logged on as a domain or local administrator.
• In addition to the Database Engine Services, select to install the optional Analysis, Reporting and
Integration Services
• Select to install Management Tools (SQL Server Management Studio).
For Service Accounts:
• SQL Server 2008: Use the NT AUTHORITY\SYSTEM account for all services where you are required to
set it.
• SQL Server 2012/2014: Accept the default service accounts. SQL Server 2012/2014 creates individual
accounts for each service.
• Set SQL Server Agent to start ‘Automatic’ (default is ‘Manual’).
• Select Windows authentication mode.
Note: You can select Mixed Mode authentication, if desired, and provide the ‘sa’ account
password. However, this is not necessary when SQL Server resides on the same machine as
BeyondInsight.
• Select Add Current User when setting the SQL Server Administrator and Analysis Services
Administrator.
SQL Server 2012/2014 does not provide the required permissions to the NT AUTHORITY\SYSTEM account.
To correct this, go to SQL Server 2012 Management Studio | Security | Logins | <right-click> NT
AUTHORITY\SYSTEM | Properties. Select Server Roles | sysadmin, then click OK.
Web Site Information page: Informs you that the BeyondInsight console will be implemented as the
default IIS website.
Agent Password page: The Agent Password is used to configure the connection between the Retina
scanner and the BeyondInsight console, to be performed later. Agents need a password to retrieve
Central Policy information from BeyondInsight. The password is also used when importing certificates
using the Events Client Configuration tool. The password must match the machine’s password
composition requirements.
Event Server Information page: Provides the option to configure SNMP. Generally, this is not configured
for evaluations.
Email Information page: Allows you to provide a default SMTP mail server and account. This may be used,
for example, to automatically email a report after vulnerability scans complete. However, the SMTP mail
server and email address you provide are not verified by the configuration wizard. If you do not know the
information, or don’t want to provide it for the evaluation, you can enter fake data as shown below.
Administrator Password page: Creates an initial login account to the BeyondInsight console with full
rights. This is NOT the local machine administrator or domain administrator account. As with the agent
password, the BeyondInsight console administrator password must match the machine’s password
composition requirements.
Ready to Apply Settings and BeyondInsight Configuration pages: After entering your information, the
‘RetinaCSDatabase’ will be created in MS SQL. Expect this process to take about 7-10 minutes.
Once the process completes and you select Finish, the BeyondInsight console starts in your default browser. You
can log in with the BeyondInsight Administrator account and password created above.
Installing Retina
To install Retina, run the downloaded Retina_5.xx.x installer, enter the Retina license key (serial number)
and follow the default prompts. After supplying the License Registration information, Retina will go
through an auto-update process, contacting BeyondTrust servers; this can take several minutes. Once
complete, Retina will automatically launch.
For more information, refer to the Retina Installation Guide.
4. Select the Management tab, select Enable Central Policy and enter the required information.
– Central Policy Server: Name or IP address of the machine where the BeyondInsight console is
installed. You can use ‘localhost’ if Retina and the console reside on the same machine.
– Password: Use the Agent Password that was defined during the previous BeyondInsight
configuration steps. For example, ‘Retina123’.
– Agent Name: Enter a name of your choice, which will identify the Retina scanner in the
BeyondInsight console.
5. Click the Test button. In a few seconds you should receive a confirmation message that the
connection from Retina to the BeyondInsight console was successful.
If you receive a message that “The connection was refused by the specified server”, verify that the
NT AUTHORITY\SYSTEM account has been given the sysadmin server role as previously mentioned.
3. Select Report manager URL, then select the Report Manager Site Identification link and verify success.
2. At the Sign In to BeyondInsight page, enter the same administrator/password used to log on to the
console. Once logged on, select Configure Now.
4. Step 2: SQL Server and SQL Server Analysis Services: Enter the Machine Name.
5. Step 3: SQL Reporting Services (SSRS): Enter the Web Service URL, i.e., http://<machine
name>:80/ReportServer.
6. Step 4: SQL Server Agent: The SQLSERVERAGENT service account created during the SQL Server
2012/2014 installation will not have the necessary write permissions to the BeyondInsightReporting
database.
There are a few ways to address this, but one of the easiest is to use the machine or domain
administrator account as a proxy account. When using SQL 2008/2008 R2, setting a proxy account is
not necessary.
7. Step 5: Web Service Credentials: User name and password should automatically populate, just select
Deploy.
9. Deployment Complete: Once the deployment completes, select the option to synchronize data
now. This critical process synchronizes scan results from the RetinaCSDatabase, which was created
during the BeyondInsight console configuration, with the newly created BeyondInsightReporting
database.
By default, synchronization occurs every day at 12:00 am (See Step 5: SQL Server Agent), but can also
be run manually if desired. It takes several minutes to complete.
10. Verify successful synchronization by selecting the SQL Server Agent Jobs tab and then Refresh.
Be mindful NOT to select the browser’s refresh button since that will reload the page and you will
have to log in again.
2. Select Discovery Scan. The Management Report Templates contain the specific audits that will be
executed on the target machines.
3. Select Scan.
Installation Notes
• Ensure that your license includes the Patch Management module feature before proceeding with the
install. Contact your BeyondTrust representative.
• Installing the Patch Management module on domain controllers or Small Business Servers is not
supported.
• BITS and Microsoft WSUS Client must be enabled on all clients.
Requirements
Windows Server 2012 WSUS Installation Requirements
• IIS
• Windows PowerShell
• .NET Framework 4.5 Features
• Microsoft Report Viewer Redistributable 2008
http://www.microsoft.com/en-us/download/details.aspx?id=3841
Currently there are three supported production versions of WSUS that can contribute to this situation.
• WSUS v3.2 - runs on Windows Server 2003, 2008, and 2008R2
• WSUS v6.2 - runs on Windows Server 2012
This command installs the console only and will not run a post-install task.
You can use one of the following ways to fix the issue.
Option 1
1. Back up IIS.
2. Open IIS Manager.
3. Click the server module node in the tree and select Modules.
4. Right-click DynamicCompressionModule and select Unlock.
5. Right-click on StaticCompressionModule and select Unlock.
6. Open the Default Web Site, and then open Modules.
7. Right-click DynamicCompressionModule and select Remove.
8. Right-click StaticCompressionModule and select Remove.
9. Run IISRESET from an elevated (administrative) command prompt.
Option 2
Install BeyondInsight and WSUS on separate Windows Server 2012 servers.
Requirements
• BeyondInsight version 4.5 or later
• PowerBroker for Unix & Linux version 7.5 or later
Generating a Certificate
1. Open the BeyondInsight Configuration Tool and select Certificate Management.
2. Select Export certificate.
3. Select Client certificate from the list.
4. Enter a password for the export file and provide the destination in the Path field.
5. Click OK to export the certificate as a PKCS#12 file (with a .pfx extension).
6. Using openssl, convert the certificate from PKCS#12 format (*.pfx file) to PEM format (*.pem):
openssl pkcs12 -clcerts -in <full_pathname_of_pfx_to_convert> -out <full_pathname_of_target_pem> -nodes
7. Securely copy the certificate to the PowerBroker Servers Unix & Linux Master and Logserver hosts.
8. In the PBUL settings file, assign the path and filename of this certificate to the keyword
sslrcscertfile.
Configuring Keywords
If you have not done so during the PowerBroker for Unix & Linux installation, set the following keywords in
pb.settings on the Master and Log server hosts:
• rcshost
• rcswebsvcport
• sslrcscertfile
• sslrcscafile
• rcseventstorefile
For a complete list of keywords that must be configured, refer to the PowerBroker for Unix & Linux
product documentation.
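The following Python check is an added example, not code from the guide or from BeyondTrust. It audits the result of the certificate export steps and the keyword list above: every listed keyword is set, and the PEM named by sslrcscertfile is not readable beyond its owner (the -nodes option writes the private key unencrypted, so file mode is its only protection). It assumes pb.settings holds one whitespace-separated "keyword value" pair per line with # comments; the host name, port, paths and PEM bodies in demo() are constructed.

```python
import os
import re
import stat
import tempfile

# Keywords the guide lists for the Master and Log server hosts.
REQUIRED = ("rcshost", "rcswebsvcport", "sslrcscertfile",
            "sslrcscafile", "rcseventstorefile")
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def parse_settings(text):
    """Assumed format: 'keyword value' per line, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if parts:
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_pem(path):
    """Check the converted client certificate file named by sslrcscertfile."""
    if not os.path.isfile(path):
        return [f"sslrcscertfile not found: {path}"]
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = PEM_LABEL.findall(fh.read())
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    findings = []
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block in PEM")
    if not keys:
        findings.append("no private key block in PEM")
    # -nodes leaves the key unencrypted: any group/other bit exposes it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if any(not k.startswith("ENCRYPTED") for k in keys) and mode & 0o077:
        findings.append(
            f"unencrypted private key readable beyond owner (mode {mode:o})")
    return findings


def audit(settings_text):
    """Return a list of findings; an empty list means the checks passed."""
    settings = parse_settings(settings_text)
    findings = [f"keyword not set: {k}" for k in REQUIRED if not settings.get(k)]
    if settings.get("sslrcscertfile"):
        findings += audit_pem(settings["sslrcscertfile"])
    return findings


def demo():
    """Constructed sample: placeholder PEM bodies, hypothetical host and paths."""
    pem = os.path.join(tempfile.mkdtemp(), "client.pem")
    with open(pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END CERTIFICATE-----\n"
                 "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END PRIVATE KEY-----\n")
    os.chmod(pem, 0o644)  # what a careless copy typically leaves behind
    settings = ("# constructed pb.settings fragment\n"
                "rcshost bi.example.test\n"
                "rcswebsvcport 443\n"
                f"sslrcscertfile {pem}\n"
                "sslrcscafile /etc/pb/ca.pem\n")
    before = audit(settings)
    os.chmod(pem, 0o600)  # owner-only, then add the missing keyword
    after = audit(settings + "rcseventstorefile /var/log/pb_events.store\n")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```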
Generating a Certificate
Generate a client certificate using the BeyondInsight Configuration tool. Certificates must be deployed to
any asset where you are capturing events with PowerBroker for Windows.
After you generate a certificate, you can create an MSI. You can then set up a GPO with the MSI and
deploy the certificate to your PowerBroker assets.
Note: Do not generate a client certificate if there is one created for either PowerBroker Endpoint
Protection Platform or for Retina Network Security Scanner. You can use the existing client
certificate for your PowerBroker for Windows assets.
To generate a certificate:
1. Run the configuration tool, and then click Certificate Management.
2. Select Generate Certificate, and then select Client Certificate from the Certificate type menu.
3. Enter a password.
4. Click OK.
Setting: Description
Log events to BeyondInsight: Activates event forwarding to BeyondInsight.
Enable Asynchronous BeyondInsight Event Logging: Sends event logs to the System event log when BeyondInsight cannot process the events.
Configure the BeyondInsight Certificate Name: Sets the BeyondInsight certificate name, eEyeEmsClient.
Configure the BeyondInsight heartbeat interval: Enter the interval in minutes. The default interval is every 360 minutes (6 hours). Configure a regular interval to send heartbeat events to ensure there is a connection between PowerBroker and BeyondInsight. In addition to the usual events, when configured to send events to BeyondInsight, a heartbeat event will also be sent (event ID 28701).
Configure BeyondInsight to Store XML Events on Failure: Create a path for the event data XML file when the file cannot be sent to BeyondInsight.
Configure the BeyondInsight Web Service URL: Enter the URL for the BeyondInsight web service. Follow the format: https://myserver/EventService/Service.svc
Enable BeyondInsight Trace Logging: Enable to create a trace log if events are not flowing into BeyondInsight.
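The heartbeat setting above gives a way to detect agents that have stopped forwarding events. The following Python sketch is an added example, not part of the guide or the product: it reports past heartbeat gaps and currently silent agents from a list of (host, event ID, time) tuples. That input shape, the host names, event ID 100 and the 1.5x tolerance are assumptions; event ID 28701 and the 360-minute default come from the guide.

```python
from datetime import datetime, timedelta

HEARTBEAT_EVENT_ID = 28701   # heartbeat event ID stated in the guide
DEFAULT_INTERVAL_MIN = 360   # default heartbeat interval stated in the guide


def heartbeat_report(events, now, expected_hosts,
                     interval_min=DEFAULT_INTERVAL_MIN, tolerance=1.5):
    """Find past heartbeat gaps and agents that are silent right now.

    events: iterable of (host, event_id, datetime) tuples (assumed shape).
    tolerance: multiple of the interval allowed before a gap is reported.
    Returns (gaps, silent). gaps is a list of (host, last_seen, next_seen);
    silent maps host -> time of last heartbeat, or None if none was seen.
    """
    limit = timedelta(minutes=interval_min * tolerance)
    seen = {}
    for host, event_id, ts in events:
        # Only heartbeats count: an idle but healthy agent sends nothing else.
        if event_id == HEARTBEAT_EVENT_ID:
            seen.setdefault(host, []).append(ts)

    gaps, silent = [], {}
    for host in sorted(set(seen) | set(expected_hosts)):
        times = sorted(seen.get(host, []))
        for earlier, later in zip(times, times[1:]):
            if later - earlier > limit:
                gaps.append((host, earlier, later))
        if not times:
            silent[host] = None            # expected agent never reported
        elif now - times[-1] > limit:
            silent[host] = times[-1]       # reported once, overdue now
    return gaps, silent


def demo():
    """Constructed events; hours are offsets from an arbitrary start time."""
    start = datetime(2015, 10, 1)

    def at(hours):
        return start + timedelta(hours=hours)

    events = [
        ("ws-01", 28701, at(0)), ("ws-01", 28701, at(6)), ("ws-01", 28701, at(12)),
        ("ws-02", 28701, at(0)), ("ws-02", 100, at(5)), ("ws-02", 28701, at(18)),
        ("ws-03", 28701, at(0)), ("ws-03", 100, at(13)),
    ]
    expected = ["ws-01", "ws-02", "ws-03", "ws-04"]
    return heartbeat_report(events, now=at(20), expected_hosts=expected)


if __name__ == "__main__":
    gaps, silent = demo()
    print("gaps:", gaps)
    print("silent:", silent)
```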
Manage License: Use the License Manager to update your license or transfer the license (remove the license from the installation computer and move to another computer).
Certificate Management: Certificates are used by the Events Client component to ensure secure data transmission. Generate certificate and export the certificate to a preferred location. The certificate password must be the same as the Central Policy password.
Install SSL Certificate: Create an SSL certificate to create a secure connection to IIS. The certificate is not generated by a trusted certificate authority. An invalid certificate message is displayed to browsers connected to IIS.
Enable Debug Logging: Use this feature when troubleshooting BeyondInsight with the BeyondTrust Security support team.
Stop and Start Services: Select to start and stop the BeyondInsight services.
Sync Benchmarks: Synchronizes the benchmark templates that reside in the database with the templates available on the server.
Disable Light Writebacks: Light writeback is a feature used by the Patch Management module. This ensures that information returned to the Patch Management module indicates that patches are deployed and items are no longer vulnerable. If you are not using the Patch Management module, you can turn off light writebacks.
Generate Certificate msi: Create an MSI file that contains a client certificate. You can then set up a GPO with the MSI and deploy the certificate to your PowerBroker assets.
Grant Permissions: Grants permissions to all stored procedures in the BeyondInsight schema so that services and web services can run all stored procedures.
Client Authentication: Click the link to disable authentication. When set to Disabled, SSL client certificates will be ignored. Click the link again to set to Enabled. SSL authentication is now turned on with the Require setting selected (rather than the Accept setting). Go to the SSL Settings in IIS for the BeyondInsight server to confirm the settings.
Advanced Configuration
Appendix A: Certificates
Certificates are used for secure communication between agents and BeyondInsight.
There are two types of certificates used with BeyondInsight and PowerBroker agents:
• SSL certificate – Required to encrypt the communication
• Client certificate – Required to authenticate a client
You can use BeyondInsight certificates or create custom certificates. You can use the BeyondInsight
Configuration tool to create certificates.
eEyeEmsServer Certificate
Install the eEyeEmsServer certificate on the server in the Local Machine Store, under the Personal Store.
To verify that the certificate is valid, double-click the certificate.
The following screen capture shows a valid certificate.
EmsClientCert Certificate
The EmsClientCert certificate is used for the following purposes:
• Agent<->Server communications during deployments. Only applies to PowerBroker Endpoint
Protection Platform agent deployments.
The client certificate (with an internally generated password) is exported from the Local Machine
store to the deploy.pfx (this file is the deployment package). The password is the same password
used for Central Policy.
The certificate is imported on the agent and is required to send events to BeyondInsight.
• Agent<->Server communications sending/receiving events.
When generating the client certificate using the BeyondInsight Configuration tool, the certificate is
exported from the Local Machine store to: C:\program files\common files\eEye Digital
Security\Shared Services Host\Certificates\EmsClientCert.pfx
The file uses the Central Policy password.
• Does the eEyeEmsCA certificate have the correct usage identifiers in place? Use the following screen
capture as a guide.
• Does eEyeEmsCA exist on the agent and the server? Ensure the certificate on the agent has the same
serial number as the certificate on the BeyondInsight server.
To view the serial number, double-click the CA certificate in the Certificate Manager to open the dialog
box:
• Was the eEyeEmsCA certificate regenerated or removed? Regenerating or removing the eEyeEmsCA
certificate invalidates any certificate that was generated using the old CA certificate. This breaks the
communication between the agents and the server until the Client and Server certificates are
regenerated on the server and the new Client certificate is deployed on all agents connecting to
BeyondInsight.
• Did the Central Policy password change? If you change the password for Central Policy using the
BeyondInsight Configuration tool, the password change is not automatically applied to
EmsClientCert.pfx.
When you deploy PowerBroker Endpoint Protection Platform on a target, the package will include the
certificate with the old password. In this scenario, the events communication will not be successfully
configured on the target. Using the BeyondInsight Configuration tool, generate a new client
certificate with a new password that matches the Central Policy password.
• To ensure the client certificate works properly with BeyondInsight, the certificate must have correct
usage identifiers and the private key present. Use the following screen captures as a guide.
Prerequisites
Ensure the following is in place in your environment before proceeding.
• Domain member server with Active Directory Certificate Services installed and configured.
• Certificate Authority Web Enrollment role installed
http://technet.microsoft.com/en-us/library/cc731183.aspx
Requirements
• The certificates must be configured as Server Authentication and Client Authentication in the
Intended Purposes section of the certificate.
• The Subject key must contain common text for all client certificates.
In the following example the common text is BTTest.
Appendix B: Permissions
This section is designed for more advanced deployments where local admin or administrator privileges
might not be desired for installing or using BeyondInsight.
Installation Permissions
Minimum permissions needed for the BeyondInsight account.
Permissions Required for the SQL Agent Service Running the Daily Sync Job
Permission to process the BeyondInsight SSAS database.
Table 7. SSRS Proxy User Roles