BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Top 5 Tips and Tricks for Retina CS 4.5

Posted August 8, 2013    Morey Haber

I honestly believe we have the best pre-sales, post sales, and technical support departments in the security industry. They are responsive, technical, and can customize BeyondTrust solutions to match individual business requirements, even when they are pretty comprehensive outside-of-the-box. Based on their work, we have an internal process and external knowledge base to document these configurations and make them available to any prospect or client that wants to do even more with the solution.

Recently, we did a review of these installations and found that there are some very simple tips and tricks to using Retina CS (and Retina Insight) that can go along way for any business. I have documented the Top 5 below and want to give a big shout out to my teams for their excellent work and making these available to everyone. So, here it goes, the Top 5 Tips and Tricks for Retina CS:

#1 – Creating a Smart Rule for Assets with No Operating System Identified

This tip helps administrators document which assets are not being properly identified by their operating system during a Retina scan. This could be due to firewalls, anti-virus solutions, and IDS/IPS security solutions preventing (as they should) what the operating system is for a device. First, create a Smart Rule and specify the following regular expression:

To show only assets with OS unidentified use “does not match” –> ^[a-zA-Z0-9]
To show only assets with OS identified use “matches regular expression” –> ^[a-zA-Z0-9]

Asset Selection Criteria-img1

Then, as an action, specify a Smart Group or an email alert. When assets are identified with no matching operating system, the smart group will automatically populate or an email which will be sent to an administrator.

#2 – Dynamically Change PowerBroker for Windows Policy Based on Asset Location (IP Address Range)

With the introduction of Retina CS 4.5 and PBW 6.0, PBW can receive policy from Active Directory Group Policy (GPO Based) or the Retina CS Threat Management Console. Policy from Retina CS is assigned via a Smart Rule / Smart Group. In order to have a PBW agent dynamically change policy based on location (IP Address), simply add the Address Group to the Asset Selection Criteria.

Asset Selection Criteria-img2

When the asset (in this case win8-wm) is located within the Address Group range “Cricklewood” it will receive the policy “Cricklewood Sample”. Next the user needs to create a second duplicate Smart Rule with another IP range excluding “Cricklewood”. This would be any address foreign to your internal network or trusted VLAN. When the PBW agent checks in (assuming routing Retina CS is made available publicly), it will then receive the alternate policy (not shown) that could potentially be more restrictive since the asset is not on a trusted network. This allows policy to change dynamically on a PBW agent based on location and when not connected via Active Directory (I.e. Non domain machines or even eDirectory).

#3 – Assigning Assets to Retina CS Patch Management

Retina CS has an automated engine via Smart Rules to change a client’s WSUS settings to the system managed by Retina CS for Patch Management. Sometimes, this process will fail if the device is not online reliably or remote registry access is not permitted. In that case PowerBroker EPP (as an agent) can be used to assist with the change (if installed) or you can deploy the settings for Active Directory as a remote registry file. Below is a sample of this file:

     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
     “ElevateNonAdmins”=dword:00000001
     “WUServer”=”http://192.168.1.204:80
     “WUStatusServer”=”http://192.168.1.204:80

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
     “NoAUShutdownOption”=dword:00000001
     “AutoInstallMinorUpdates”=dword:00000001
     “NoAutoUpdate”=dword:00000000
     “AUOptions”=dword:00000004
     “ScheduledInstallDay”=dword:00000000
     “ScheduledInstallTime”=dword:00000017
     “AUPowerManagement”=dword:00000001
     “IncludeRecommendedUpdates”=dword:00000001
     “RebootRelaunchTimeoutEnabled”=dword:00000001
     “RebootRelaunchTimeout”=dword:00000005
     “DetectionFrequencyEnabled”=dword:00000001
     “DetectionFrequency”=dword:00000001
     “UseWUServer”=dword:00000001

Change the IP Address and Port in the top lines to your WSUS server (IP Address or Hostname) and modify any of the values in the second section based on Microsoft’s Knowledge Base. This will allow you to configure assets for Retina CS integrated WSUS Patch Management even when they are restricted to automate configuration from the console itself. This works great in a lab too when you are testing out the solution for the first time!

#4 – Advanced Vulnerability Reporting on Mobile Devices

Retina CS has advanced Mobile connectors for Microsoft ActiveSync, BlackBerry, and Android Agents. These connectors allow you to inventory and report vulnerabilities on a wide variety of mobile devices and show the results as Assets within Retina CS.

Retina CS-img3

One of the coolest tips for the solution is that these Assets are stored just like every other Asset and can be used against every report in the system just like a Server or Workstation; including common regulatory reports like HIPAA and PCI. All an administrator needs to do is Run a Report on Existing Data against a mobile Smart Group and the results will appear just like any other Asset in the System. Below is a snippet from a HIPAA report against these Android devices:

Admin-Safeguards-img4

#5 – Retina Insight Pivot Grid

If you have seen a pre-sales demonstration of our technology, you have probably seen the Retina Insight Pivot Grid. This component of the technology allows users to build customized reports when none of the over 260+ canned reports meet their needs. Administrators can open the Pivot Grid and drag and drop Measures and Metrics for almost all of the data collected by Retina CS to create custom reports. Below is a sample of Assets and Vulnerabilities mapped to the presence of Zero-Day Vulnerabilities.

assets-vulnerabilities-zero-day-maps-img5

These report templates can be exported / imported such that they can be transported from a lab to production, and then saved and published just like any other Retina Insight report. It truly gives you the power to create custom reports well outside-of-the-box.

If you have found any other tips and tricks in your travels, please comment below. We would like to hear from you.

Tags:
, , , , , , ,

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,