Mumbai Security and Compliance User Group


Best practices for integrating Windows 2008 Server with a domain account

Sep 30, 2011 02:52 AM

Integration of Windows 2008 Server with SSIM using a domain account

 

The following activities need to be performed on each Windows server before SSIM can collect logs from it.

 

  1. Obtain the FQDN hostname of the Windows server
  2. Configure the Windows security descriptor
  3. Create the SSIM user and add it to the Event Log Readers group

 


 

  1. Obtain the FQDN of the monitored server. Use this host name in SSIM's sensor configuration to fetch the logs through off-box integration. The hostname must include the complete domain name (for a member server) or the workgroup name.

Note: only the FQDN needs to be provided to the Symantec team.
 

  2. Configuring the Windows security descriptor:

For the collector to access the Event Log through WinRM, a security descriptor must be added on the monitored Vista or Windows 2008 system. The security descriptor was added as a component of Vista SP1.

 

For a user that does not have administrative privileges, create a new user and add it to the Event Log Readers group.

 

  A. First run the wevtutil command to get information about the current access rights. For example, to get the settings for the Security log, run:
    wevtutil gl security

Take note of channelAccess, which returns the SDDL string set on the Security log. In the example above, the third ACE string (A;;0x1;;;S-1-5-32-573) grants read access to the Event Log Readers group.

 

  B. Network Service must now be allowed to read the Windows Security log via the WinRM service, because in Windows 2008 the Security event log is restricted to very few accounts. To do this, append the ACE for Network Service, (A;;0x1;;;S-1-5-20), to channelAccess by running the command below:
    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)


The above command grants Network Service read-only access to the Security event log.

 

Also make a note of the existing channel access rights as shown in step A, and append (A;;0x1;;;S-1-5-20) to those existing permissions rather than replacing them, as in the command above.

 

  C. Add the Network Service account to the Event Log Readers group, since the WinRM service runs as Network Service:
    net localgroup "Event Log Readers" /add "NT Authority\Network Service"


 

  D. Configure WinRM to work with the collector.

    Run the following three commands to configure the WinRM service on the 2008 server:

    winrm quickconfig

    Answer Y to accept the changes. The command performs the following operations:

  • Starts the WinRM service and sets the service startup type to auto-start
  • Configures a listener for the ports that send and receive WS-Management protocol messages using either the HTTP (5985) protocol or the HTTPS protocol
  • Defines the Internet Connection Firewall (ICF) exceptions for the WinRM service and opens the ports

    winrm set winrm/config/service @{AllowUnencrypted="true"}
    winrm set winrm/config/service/Auth @{Basic="true"}

 

 

These basic steps are not enough to overcome the challenges of integrating a Windows 2008 server using a domain account.

For that case, re-verify the following steps:

 

Assumption: the integration is done using the user SSIMTEST (SSIMTEST is a domain user with SID "S-1-5-21-1214440339-1454471165-839522115-166706").

 
Step 1 : wevtutil gl security

Step 2 : wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;S-1-5-21-1214440339-1454471165-839522115-166706)

Step 3 : net localgroup "Event Log Readers" /add "NT Authority\Network Service"

Step 4 : Add SSIMTEST id into Event log readers group.

Step 5 : winrm quickconfig

Step 6 : winrm configSDDL ... or winrm configSDDL http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog

Step 7 : winrm set winrm/config/Service @{RootSDDL="O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)(A;;GR;;;S-1-5-21-1214440339-1454471165-839522115-166706)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)"}

Step 8 : winrm set winrm/config/service @{AllowUnencrypted="true"}

Step 9 : winrm set winrm/config/service/Auth @{Basic="false"}


Step 10 : Enable encryption on the SSIMTEST user account on the DC.

Step 11 : Enable "Allow Kerberos encryption to accept" under Network security in the Local Security Policy of the target server.

Step 12 : Check for a collector update.

Step 13 : Check the time sync between the target host, the SSIM box and the domain.
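The descriptor edits in step B (channelAccess on the Security log) and in Step 7 (the WinRM RootSDDL) are the same operation: add one allow ACE for a SID without losing the ACEs that are already there, which is exactly what the note under step B warns about. The PowerShell below is an added example, not code from the original post or from Symantec. It keeps the existing DACL and any trailing SACL, is safe to run twice, and previews the new string before anything is applied. The function names Add-ReadAce, Grant-ChannelRead and Grant-WinRmRootRead are my own; the sample descriptors are constructed from the ones shown in the post plus a stock Windows RootSDDL, and the WSMan: drive is assumed to be available (PowerShell 2.0 or later with WinRM installed).

```powershell
# Added example, not code from the original post or from Symantec.
# Appends one allow ACE for a SID to an SDDL string while keeping every
# existing ACE (and any SACL) intact. Function names are my own.

function Add-ReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [Parameter(Mandatory = $true)][string]$Sid,
        # 0x1 = read on an event log channel; GR = GENERIC_READ for the WinRM root
        [string]$Rights = '0x1'
    )
    # head = "O:...G:...D:", dacl = flags plus ACEs, sacl = optional "S:..." (must stay last)
    if ($Sddl -cnotmatch '^(?<head>.*?D:)(?<dacl>.*?)(?<sacl>S:.*)?$') {
        throw "Not a DACL-bearing SDDL string: $Sddl"
    }
    $head = $Matches['head']; $dacl = $Matches['dacl']; $sacl = $Matches['sacl']
    # Idempotent: if an allow ACE for this SID already exists, return the input unchanged
    $pattern = '\(A;[^)]*;' + [regex]::Escape($Sid) + '\)'
    if ([regex]::IsMatch($dacl, $pattern)) { return $Sddl }
    return "$head$dacl(A;;$Rights;;;$Sid)$sacl"
}

function Grant-ChannelRead {
    # Step B: read the live channelAccess from wevtutil, append the ACE, apply only with -Apply
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [string]$Channel = 'Security',
        [switch]$Apply
    )
    $lines  = @(wevtutil gl $Channel)
    $caLine = @($lines -cmatch '^channelAccess:')
    if ($caLine.Count -eq 0) { throw "No channelAccess line in 'wevtutil gl $Channel' output" }
    $current = ($caLine[0] -replace '^channelAccess:\s*', '').Trim()
    $updated = Add-ReadAce -Sddl $current -Sid $Sid
    if ($Apply -and ($updated -cne $current)) {
        # Pass /ca: as one quoted argument so PowerShell does not parse the parentheses
        wevtutil sl $Channel "/ca:$updated"
    }
    return $updated
}

function Grant-WinRmRootRead {
    # Step 7: same helper on the WinRM root descriptor, via the WSMan: drive
    # (an alternative to the 'winrm set winrm/config/Service @{RootSDDL=...}' form)
    param([Parameter(Mandatory = $true)][string]$Sid, [switch]$Apply)
    $current = (Get-Item WSMan:\localhost\Service\RootSDDL).Value
    $updated = Add-ReadAce -Sddl $current -Sid $Sid -Rights 'GR'
    if ($Apply -and ($updated -cne $current)) {
        Set-Item WSMan:\localhost\Service\RootSDDL -Value $updated
    }
    return $updated
}

# --- Constructed demonstration data (no server needed) ---
# Descriptor as 'wevtutil gl security' shows it before step B in the post
$before = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
$after  = Add-ReadAce -Sddl $before -Sid 'S-1-5-20'
$after
# Applying it a second time changes nothing, so re-running the script is safe
(Add-ReadAce -Sddl $after -Sid 'S-1-5-20') -ceq $after

# Stock WinRM RootSDDL (constructed) plus the post's SSIMTEST SID with GENERIC_READ,
# inserted ahead of the SACL so the audit ACEs are preserved
$root = 'O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)'
Add-ReadAce -Sddl $root -Sid 'S-1-5-21-1214440339-1454471165-839522115-166706' -Rights 'GR'

# On the monitored server itself: preview first, then apply
# Grant-ChannelRead -Sid 'S-1-5-20'
# Grant-ChannelRead -Sid 'S-1-5-20' -Apply
# Grant-WinRmRootRead -Sid 'S-1-5-21-1214440339-1454471165-839522115-166706' -Apply
```

The helper grants only the read right the post uses (0x1 on the channel, GR on the WinRM root) and never touches existing ACEs, so an administrator's own entries, and the SACL that records audit settings, survive the change.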
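Once the steps above are done, the failure modes the re-verification list targets (wrong hostname, Basic authentication off so Kerberos is required, an account that still cannot read the Security log, and clock skew) can be checked from a workstation before involving the collector. This is an added example, not code from the original post or from Symantec; the target name and domain account are placeholders, and Test-SsimSource is my own function name. Note that Get-WinEvent with -ComputerName reaches the log over RPC rather than WinRM, so it verifies the channelAccess ACE and group membership, while Test-WSMan verifies the WinRM listener and Kerberos authentication.

```powershell
# Added example, not from the original post: end-to-end checks for one monitored
# server, matching Steps 1, 9 and 13 of the re-verification list. The target FQDN
# and the domain account are placeholders; Test-SsimSource is my own function name.

function Test-SsimSource {
    param(
        [Parameter(Mandatory = $true)][string]$Target,   # FQDN from Step 1
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential   # e.g. DOMAIN\SSIMTEST
    )
    $r = @{}

    # Step 1: the sensor must be configured with the fully qualified name
    try { $r.Fqdn = [System.Net.Dns]::GetHostEntry($Target).HostName }
    catch { $r.Fqdn = "unresolved: $($_.Exception.Message)" }

    # Step 9 turned Basic off, so the collector must authenticate with Kerberos;
    # Test-WSMan talks to the WinRM listener that quickconfig created
    try {
        $null = Test-WSMan -ComputerName $Target -Credential $Credential -Authentication Kerberos -ErrorAction Stop
        $r.WinRmKerberos = 'ok'
    } catch { $r.WinRmKerberos = $_.Exception.Message }

    # Security log readable for this account (channelAccess ACE + Event Log Readers).
    # Get-WinEvent -ComputerName uses RPC, not WinRM, so this checks the log ACL
    # rather than the WS-Man EventLog resource.
    try {
        $ev = Get-WinEvent -ComputerName $Target -Credential $Credential -LogName Security -MaxEvents 1 -ErrorAction Stop
        $r.SecurityLog = "ok (latest event id $($ev.Id))"
    } catch { $r.SecurityLog = $_.Exception.Message }

    # Step 13: Kerberos tolerates at most 5 minutes of clock skew by default
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -Credential $Credential -ErrorAction Stop
        $remoteNow = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
        $skew = [math]::Abs(((Get-Date) - $remoteNow).TotalSeconds)
        $r.ClockSkewSeconds = [math]::Round($skew)
        $r.ClockSkewOk = ($skew -lt 300)
    } catch { $r.ClockSkewSeconds = $_.Exception.Message }

    New-Object PSObject -Property $r
}

# Placeholder target and account (replace with the real FQDN and domain user)
Test-SsimSource -Target 'member01.example.corp' -Credential (Get-Credential 'EXAMPLE\SSIMTEST')
```

Each check is wrapped in its own try/catch so one failure (for example an unreadable Security log) still lets the remaining results, such as the clock skew, come back in the same object.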

 


Comments

Mar 17, 2012 03:33 AM

Very useful article

Feb 16, 2012 01:29 AM

Useful article.. Avakash, you can better publish all the articles you created regarding SSIM in one article as a knowledgebase? Which will be really useful.. where we can find all data in one place?

Feb 03, 2012 02:11 AM

Good one!!!
