BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Top 5 Tips and Tricks for Retina CS 4.5

Posted August 8, 2013    Morey Haber

I honestly believe we have the best pre-sales, post sales, and technical support departments in the security industry. They are responsive, technical, and can customize BeyondTrust solutions to match individual business requirements, even when they are pretty comprehensive outside-of-the-box. Based on their work, we have an internal process and external knowledge base to document these configurations and make them available to any prospect or client that wants to do even more with the solution.

Recently, we did a review of these installations and found that there are some very simple tips and tricks to using Retina CS (and Retina Insight) that can go along way for any business. I have documented the Top 5 below and want to give a big shout out to my teams for their excellent work and making these available to everyone. So, here it goes, the Top 5 Tips and Tricks for Retina CS:

#1 – Creating a Smart Rule for Assets with No Operating System Identified

This tip helps administrators document which assets are not being properly identified by their operating system during a Retina scan. This could be due to firewalls, anti-virus solutions, and IDS/IPS security solutions preventing (as they should) what the operating system is for a device. First, create a Smart Rule and specify the following regular expression:

To show only assets with OS unidentified use “does not match” –> ^[a-zA-Z0-9]
To show only assets with OS identified use “matches regular expression” –> ^[a-zA-Z0-9]

Asset Selection Criteria-img1

Then, as an action, specify a Smart Group or an email alert. When assets are identified with no matching operating system, the smart group will automatically populate or an email which will be sent to an administrator.

#2 – Dynamically Change PowerBroker for Windows Policy Based on Asset Location (IP Address Range)

With the introduction of Retina CS 4.5 and PBW 6.0, PBW can receive policy from Active Directory Group Policy (GPO Based) or the Retina CS Threat Management Console. Policy from Retina CS is assigned via a Smart Rule / Smart Group. In order to have a PBW agent dynamically change policy based on location (IP Address), simply add the Address Group to the Asset Selection Criteria.

Asset Selection Criteria-img2

When the asset (in this case win8-wm) is located within the Address Group range “Cricklewood” it will receive the policy “Cricklewood Sample”. Next the user needs to create a second duplicate Smart Rule with another IP range excluding “Cricklewood”. This would be any address foreign to your internal network or trusted VLAN. When the PBW agent checks in (assuming routing Retina CS is made available publicly), it will then receive the alternate policy (not shown) that could potentially be more restrictive since the asset is not on a trusted network. This allows policy to change dynamically on a PBW agent based on location and when not connected via Active Directory (I.e. Non domain machines or even eDirectory).

#3 – Assigning Assets to Retina CS Patch Management

Retina CS has an automated engine via Smart Rules to change a client’s WSUS settings to the system managed by Retina CS for Patch Management. Sometimes, this process will fail if the device is not online reliably or remote registry access is not permitted. In that case PowerBroker EPP (as an agent) can be used to assist with the change (if installed) or you can deploy the settings for Active Directory as a remote registry file. Below is a sample of this file:

     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
     “ElevateNonAdmins”=dword:00000001
     “WUServer”=”http://192.168.1.204:80
     “WUStatusServer”=”http://192.168.1.204:80

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
     “NoAUShutdownOption”=dword:00000001
     “AutoInstallMinorUpdates”=dword:00000001
     “NoAutoUpdate”=dword:00000000
     “AUOptions”=dword:00000004
     “ScheduledInstallDay”=dword:00000000
     “ScheduledInstallTime”=dword:00000017
     “AUPowerManagement”=dword:00000001
     “IncludeRecommendedUpdates”=dword:00000001
     “RebootRelaunchTimeoutEnabled”=dword:00000001
     “RebootRelaunchTimeout”=dword:00000005
     “DetectionFrequencyEnabled”=dword:00000001
     “DetectionFrequency”=dword:00000001
     “UseWUServer”=dword:00000001

Change the IP Address and Port in the top lines to your WSUS server (IP Address or Hostname) and modify any of the values in the second section based on Microsoft’s Knowledge Base. This will allow you to configure assets for Retina CS integrated WSUS Patch Management even when they are restricted to automate configuration from the console itself. This works great in a lab too when you are testing out the solution for the first time!

#4 – Advanced Vulnerability Reporting on Mobile Devices

Retina CS has advanced Mobile connectors for Microsoft ActiveSync, BlackBerry, and Android Agents. These connectors allow you to inventory and report vulnerabilities on a wide variety of mobile devices and show the results as Assets within Retina CS.

Retina CS-img3

One of the coolest tips for the solution is that these Assets are stored just like every other Asset and can be used against every report in the system just like a Server or Workstation; including common regulatory reports like HIPAA and PCI. All an administrator needs to do is Run a Report on Existing Data against a mobile Smart Group and the results will appear just like any other Asset in the System. Below is a snippet from a HIPAA report against these Android devices:

Admin-Safeguards-img4

#5 – Retina Insight Pivot Grid

If you have seen a pre-sales demonstration of our technology, you have probably seen the Retina Insight Pivot Grid. This component of the technology allows users to build customized reports when none of the over 260+ canned reports meet their needs. Administrators can open the Pivot Grid and drag and drop Measures and Metrics for almost all of the data collected by Retina CS to create custom reports. Below is a sample of Assets and Vulnerabilities mapped to the presence of Zero-Day Vulnerabilities.

assets-vulnerabilities-zero-day-maps-img5

These report templates can be exported / imported such that they can be transported from a lab to production, and then saved and published just like any other Retina Insight report. It truly gives you the power to create custom reports well outside-of-the-box.

If you have found any other tips and tricks in your travels, please comment below. We would like to hear from you.

Tags:
, , , , , , ,

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, BASH has always been my shell of choice.  Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…

pbps-blog3

7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…

Tags:
, , , , ,