Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Top 5 Tips and Tricks for Retina CS 4.5

Posted August 8, 2013    Morey Haber

I honestly believe we have the best pre-sales, post sales, and technical support departments in the security industry. They are responsive, technical, and can customize BeyondTrust solutions to match individual business requirements, even when they are pretty comprehensive outside-of-the-box. Based on their work, we have an internal process and external knowledge base to document these configurations and make them available to any prospect or client that wants to do even more with the solution.

Recently, we did a review of these installations and found that there are some very simple tips and tricks to using Retina CS (and Retina Insight) that can go along way for any business. I have documented the Top 5 below and want to give a big shout out to my teams for their excellent work and making these available to everyone. So, here it goes, the Top 5 Tips and Tricks for Retina CS:

#1 – Creating a Smart Rule for Assets with No Operating System Identified

This tip helps administrators document which assets are not being properly identified by their operating system during a Retina scan. This could be due to firewalls, anti-virus solutions, and IDS/IPS security solutions preventing (as they should) what the operating system is for a device. First, create a Smart Rule and specify the following regular expression:

To show only assets with OS unidentified use “does not match” –> ^[a-zA-Z0-9]
To show only assets with OS identified use “matches regular expression” –> ^[a-zA-Z0-9]

Asset Selection Criteria-img1

Then, as an action, specify a Smart Group or an email alert. When assets are identified with no matching operating system, the smart group will automatically populate or an email which will be sent to an administrator.

#2 – Dynamically Change PowerBroker for Windows Policy Based on Asset Location (IP Address Range)

With the introduction of Retina CS 4.5 and PBW 6.0, PBW can receive policy from Active Directory Group Policy (GPO Based) or the Retina CS Threat Management Console. Policy from Retina CS is assigned via a Smart Rule / Smart Group. In order to have a PBW agent dynamically change policy based on location (IP Address), simply add the Address Group to the Asset Selection Criteria.

Asset Selection Criteria-img2

When the asset (in this case win8-wm) is located within the Address Group range “Cricklewood” it will receive the policy “Cricklewood Sample”. Next the user needs to create a second duplicate Smart Rule with another IP range excluding “Cricklewood”. This would be any address foreign to your internal network or trusted VLAN. When the PBW agent checks in (assuming routing Retina CS is made available publicly), it will then receive the alternate policy (not shown) that could potentially be more restrictive since the asset is not on a trusted network. This allows policy to change dynamically on a PBW agent based on location and when not connected via Active Directory (I.e. Non domain machines or even eDirectory).

#3 – Assigning Assets to Retina CS Patch Management

Retina CS has an automated engine via Smart Rules to change a client’s WSUS settings to the system managed by Retina CS for Patch Management. Sometimes, this process will fail if the device is not online reliably or remote registry access is not permitted. In that case PowerBroker EPP (as an agent) can be used to assist with the change (if installed) or you can deploy the settings for Active Directory as a remote registry file. Below is a sample of this file:

     Windows Registry Editor Version 5.00



Change the IP Address and Port in the top lines to your WSUS server (IP Address or Hostname) and modify any of the values in the second section based on Microsoft’s Knowledge Base. This will allow you to configure assets for Retina CS integrated WSUS Patch Management even when they are restricted to automate configuration from the console itself. This works great in a lab too when you are testing out the solution for the first time!

#4 – Advanced Vulnerability Reporting on Mobile Devices

Retina CS has advanced Mobile connectors for Microsoft ActiveSync, BlackBerry, and Android Agents. These connectors allow you to inventory and report vulnerabilities on a wide variety of mobile devices and show the results as Assets within Retina CS.

Retina CS-img3

One of the coolest tips for the solution is that these Assets are stored just like every other Asset and can be used against every report in the system just like a Server or Workstation; including common regulatory reports like HIPAA and PCI. All an administrator needs to do is Run a Report on Existing Data against a mobile Smart Group and the results will appear just like any other Asset in the System. Below is a snippet from a HIPAA report against these Android devices:


#5 – Retina Insight Pivot Grid

If you have seen a pre-sales demonstration of our technology, you have probably seen the Retina Insight Pivot Grid. This component of the technology allows users to build customized reports when none of the over 260+ canned reports meet their needs. Administrators can open the Pivot Grid and drag and drop Measures and Metrics for almost all of the data collected by Retina CS to create custom reports. Below is a sample of Assets and Vulnerabilities mapped to the presence of Zero-Day Vulnerabilities.


These report templates can be exported / imported such that they can be transported from a lab to production, and then saved and published just like any other Retina Insight report. It truly gives you the power to create custom reports well outside-of-the-box.

If you have found any other tips and tricks in your travels, please comment below. We would like to hear from you.

, , , , , , ,

Additional articles

Cavalancia-Headshot - Medium

Making Windows Endpoints the Least of your Worries

Posted September 2, 2015    Nick Cavalancia

We’re all concerned that someday an external hacker will try to gain access to your company’s critical data and systems. The problem? Your endpoints – both your workstations and servers – bypass (and often leave) the safety and security of your environment daily.

, ,

Why Customers Choose PowerBroker: Low Total Cost of Ownership

Posted September 2, 2015    Scott Lang

In a survey of more than 100 customers, those customers indicated that BeyondTrust’s low powerbroker-difference-2total cost of ownership was a competitive differentiator versus other options in the privileged account management market.

, , ,

Passwords: A Hacker’s Best Friend

Posted September 1, 2015    Larry Brock

After all the years of talk about biometrics and multi-factor authentication, we still have passwords and will likely have them for a long time. Because many “high risk” systems require complex passwords (zk7&@1c6), most people that use them believe their passwords are secure. But they aren’t.

, ,