Retina CS Users Guide
User Guide Release 4.5.1
Revision/Update Information: June 10, 2013
Software Version: Retina CS 4.5.1
Revision Number: 1

COPYRIGHT NOTICE
Copyright © 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. ("BeyondTrust") or BeyondTrust's authorized remarketer, if and when applicable.

TRADE SECRET NOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.

DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.2277013.

TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust. Retina, Retina® CS, Iris, Blink, Retina® Web, and REM are registered trademarks of BeyondTrust. SecureIIS and Enterprise Update Server are trademarks of BeyondTrust. Windows® is a registered trademark of Microsoft Corporation.

FICTITIOUS USE OF NAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead, is entirely coincidental.
I. Retina CS Management Console

Retina CS Overview

Retina CS Architectural Overview
Retina CS architecture follows a top-down, tiered approach to compliance and security management throughout your organization. Multiple Retina CS Servers can replicate data to produce a tiered architecture, and all management control and results are available through an Internet-enabled application. Retina Network Security Scanners run vulnerability assessments, and Retina Protection Agents can perform endpoint host security. All communication between agents and Retina CS is encrypted and stored in a SQL Server database.

[Figure: Retina CS Architecture]

Retina CS Components
This section provides information on each of the components that Retina CS relies on in running scans, protecting assets, etc.

Retina Network Security Scanner (RNSS agent)
The Retina Network Security Scanner is the scan engine responsible for scanning the assets in your environment. The RNSS agent receives instructions from the Central Policy service.

Retina Protection Agent (RP agent)
The agent designed to protect your assets. The Retina Protection agent provides layers of protection, including: virus and spyware, firewall, intrusion prevention, system protection, and vulnerability assessment.

eEye Manager Service
This component is the Retina CS web interface. The eEye Manager Service also acts as a background service that gathers information from the Events Client (which retrieves information from the agents). The events are then encrypted and sent to the database.

Events Client
The Events Client is responsible for forwarding information gathered by the RNSS agent and RP agent. The Events Client sends the information to the eEye Manager Service. The Events Client is installed when an RNSS agent or RP agent is installed. A security certificate is required by the Events Client to communicate with the agent. This certificate can be created during the Retina CS installation. For more information, refer to the Retina CS Installation Guide.

Events Client Certificate
Generate security certificates to ensure secure transmission of data between clients and Retina CS. Use the Retina CS Configuration Tool to generate certificates.

AppBus (Application Bus)
Provides communications between BeyondTrust components and receives events to insert in the Retina CS database. This function can also be done by a dedicated Event Server for scalability.

Central Policy Server
Central Policy is a service that sends RNSS agents and RP agents their settings. For example, the RNSS agent needs to know the targets and the audits to run against those targets. This information is selected in the Retina CS management console. The same applies to the RP agent policies: the protection policy needs to know the policy to push out to the selected protected assets. Policies are defined in the Retina CS management console, and when the policy is deployed, the Central Policy kicks out the job information to the RP agent to apply to the target asset.

Enterprise Update Server
Using the Enterprise Update Server, you can centrally manage updates for your BeyondTrust applications, receive updates automatically or manually, and distribute updates to client systems on your network.

Third Party Patch Service
Gathers third party patches and makes them available for distribution using WSUS.

Scheduling Service
Responsible for contacting the Update server and downloading the latest product updates and audit updates. You can schedule automatic updates to ensure that your assets are protected by the latest vulnerability audits.

Shared Services Engine
Receives Retina Protection agent deployment details from the AppBus and sends those details to the assets where the RP agent is being deployed.
How a Scan Works
This section provides the communication workflow between Retina CS and the agents.
• Create the scan job in Retina CS Management Console. The scan job includes details such as the IP addresses to be targeted, scan template, and scheduling information.
• Central Policy is the component responsible for sending the agents job information. When the scan starts, the Central Policy kicks the job information to the agent: the Central Policy service notifies the RNSS agent with the instructions for the scan job.
• The RNSS agent goes out to the assets as provided in the scan job details and gathers the data based on the selected scan template.
• Gathered information from the RNSS agent is passed through the Events Client to the Retina CS Event Server. The data sent is in .mmf format. The gathered info is normalized.
• The Retina CS Event Server passes the information to the SQL Server.
For a list of ports that Retina CS uses, see Ports Used by Retina CS.

Ports Used by Retina CS
Function | Components | Port
Database connectivity | CS to SQL Server | 1433
Event Client | RNSS and RPA to Retina CS | Version 1 – 2000; Version 2 – 443
RPA Central Policy | Endpoint to Retina CS | Version 1 – 10001; Version 2 – 443
RNSS Central Policy | RNSS to Retina CS | Version 1 – 10001; Version 2 – 443
Update Servers | SyncIt or EUS to BeyondTrust | 443 or 80
Client Browser | User to Retina CS or Retina Insight | 443 or 80
PowerBroker Mobile | Connector to PBM | 443
Android Mobile | Connector (Android agents) to Retina CS | 21691
Retina CS replication | CS to CS for Enterprise tiering | 21692
Retina Insight | Retina Insight to SQL Server | 21690

How Job Scheduling Works
The following job scheduling overview assumes multiple scanners are used.
• Create a Smart Rule. This includes setting:
 – List of scanners
 – Choosing the asset distribution algorithm
 – Choosing the targets
 Targets are determined by:
 – Assets that are in the database (assets are already discovered).
 – Assets that will be discovered if the following are included in the Smart Rule: address groups, cloud assets, LDAP queries.
• The asset distribution algorithm assigns scanners to assets. For round robin assignments, targets are assigned first if their IP address is known. Then targets are assigned to scanners by the name of the target if it is known. After this assignment occurs, scanners are always associated with assigned assets.
• Two .xml files are sent to the Retina scanner agent:
 – a file that contains job scheduling information
 – a file that lists the targets assigned to the scanner

[Figure: Round robin assignment]
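The round-robin assignment described above, modelled as an added example (this is not BeyondTrust code, and the scanner names and targets are constructed sample data): targets with a known IP address are distributed first, name-only targets second, and a target that already has a scanner from an earlier run keeps it.

```python
"""Two-phase round-robin assignment of scan targets to Retina scanner agents.

Added example, not Retina CS code. It models the scheduling rules stated in
the guide: IP-known targets are assigned first, then targets known only by
name, and an existing target-to-scanner binding is preserved ("scanners are
always associated with assigned assets"). The per-scanner Schedule stands in
for the two files sent to each scanner (job info + its target list).
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Target:
    name: Optional[str] = None
    ip: Optional[str] = None

    def key(self) -> str:
        # The IP address identifies the asset when known, otherwise its name.
        return self.ip or self.name or ""


@dataclass
class Schedule:
    """What one scanner receives: the job scheduling information and its targets."""
    job: Dict[str, str] = field(default_factory=dict)
    targets: List[str] = field(default_factory=list)


def assign_round_robin(scanners: List[str], targets: List[Target],
                       existing: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {target_key: scanner}, honouring sticky assignments in `existing`."""
    if not scanners:
        raise ValueError("at least one scanner is required")
    assignment = dict(existing or {})
    # Phase 1: targets whose IP address is known. Phase 2: name-only targets.
    phases = (
        [t for t in targets if t.ip],
        [t for t in targets if not t.ip and t.name],
    )
    ring = cycle(scanners)
    for phase in phases:
        for t in phase:
            if t.key() in assignment:
                continue  # already bound to a scanner by an earlier run
            assignment[t.key()] = next(ring)
    return assignment


def build_schedules(scanners: List[str], targets: List[Target], job: Dict[str, str],
                    existing: Optional[Dict[str, str]] = None) -> Dict[str, Schedule]:
    """Produce one Schedule (job info + assigned target list) per scanner."""
    assignment = assign_round_robin(scanners, targets, existing)
    schedules = {s: Schedule(job=dict(job)) for s in scanners}
    for t in targets:
        if t.key():
            schedules[assignment[t.key()]].targets.append(t.key())
    return schedules


if __name__ == "__main__":
    # Constructed sample: two scanners, two IP-known and two name-only targets.
    sample = [Target("a", "10.0.0.1"), Target("b"), Target("c", "10.0.0.3"), Target("d")]
    for scanner, sched in build_schedules(["rnss-1", "rnss-2"], sample, {"template": "Full"}).items():
        print(scanner, sched.targets)
```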
Access Retina CS
When working in Retina CS, note that times displayed match the web browser on the local computer (unless stated otherwise).

To log on to Retina CS:
1. Select Start > All Programs > eEye Digital Security > Retina CS > Retina CS. You can also log on to Retina CS using the URL provided to you by your Security Administrator.
2. Enter your username and password. The default username is Administrator and the password is the Administrator Password you set in the Retina CS Configuration wizard. If you forget your password, click Forgot your Password? and enter your username to have a new password sent to your registered email address.
3. Click Login.

Access the Client Portal
You can access product downloads, product documentation, license keys, technical bulletins and knowledge base articles using the client portal. In addition, you can view and update your support tickets. You will need your username and password provided in your product confirmation email.

To access the client portal:
1. Using your web browser, log on to www.eEye.com/clients.
2. Type your username and password from your product confirmation email, then click Sign In. The Client Portal is displayed.
3. Select from one of the following options:
– Product Downloads. You can access and download the most current versions of your licensed software, as needed.
– Product Licensing. You can access and manage your product licenses.
– Documentation. You can access documentation for each product as well as additional guides. Typically the documentation set consists of Installation Guides, User's Guides and online help systems.
– Technical Support. You can access knowledge base articles, support request forms, release notes, and technical support.
Retina CS Tools

Overview
Retina CS provides a set of tools to help you organize assets for scanning. Depending on the number of assets that you want to scan, or the critical nature of some of your assets, consider organizing the assets using address groups or Active Directory queries, which can be part of a Smart Rule. The following list provides examples of ways you can use these tools:
• Create an IP address group that organizes assets by a range of IP addresses, including CIDR notation and named hosts.
• Use an Active Directory query that will organize assets by organizational unit. Create a Smart Rule and use the query as your asset selection criteria.
• Change the properties for assets (after a scan runs), then use the attributes as the selection criteria in the Smart Rule. For more information, see Changing Asset Properties.
For more information, see Creating an Address Group and Creating an Active Directory Query.

Scans can return a lot of information. To help you review scan results, you can create filters and set preferences on the Assets page. For more information, see Changing the Display.

Working with Smart Rules
A Smart Rule is a filter that you can use to organize assets. Use a Smart Rule to register assets as Smart Groups to:
• Run vulnerability scans against
• Apply protection policies to
• Register for Patch updates
• Monitor and view

You can organize the assets using one of the following Smart Rule types:
• Asset Smart Groups – Organizes the assets based on the filters selected.
• Vulnerability Smart Groups – Organizes the vulnerabilities based on the vulnerabilities filter selected.

The user must be a member of the Administrators group, or be granted the Asset Management permission, to work with Smart Rules. The Asset Management permission allows the user to create a Smart Rule.

Note: When a non-administrator user creates a Smart Group, that Smart Group will automatically be associated with:
– Read permissions to all user groups that the user is a member of.
– Write permissions to all user groups the user is a member of and that also have the Asset Management permission.

A Smart Rule updates results automatically, ensuring that assets that match the criteria in the rule are current. If an asset can no longer be contacted or no longer meets the criteria in the rule, the rule dynamically updates. At any time when you select the Smart Rule for a scan (for example), you can be sure the list of assets is current.

Understanding Smart Rule Filters
There are many filters available to you to create Smart Rules. For example, you can filter on such properties as Asset fields, Assigned Attributes, Installed Software, or Operating System. You can create address groups or an Active Directory query to use as filters. You can create these filters in the Smart Rule Manager or from the Configure tab. For more information, see Creating an Address Group and Creating an Active Directory Query.

You can use more than one filter to refine or extend the scope of assets in the Smart Rule. Filters can be joined with 'and' (Match All Criteria) or 'or' (Match Any Criteria) conditions.
• If you select Match All Criteria, then every indented filter under it must be true for an asset to be included.
• If you select Match Any Criteria, then only one of the indented filter items under it must be true for an asset to be included.

For example, a simple filter on assets might be finding all assets in the domain EMEA. The following filter example will include all assets in the EMEA domain that are either servers or workstations, as shown:

[Figure: Match All Criteria (domain is EMEA) containing a Match Any Criteria group (type is server, type is workstation)]
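The Match All / Match Any grouping above, worked through in an added example (this is not Retina CS code; asset field names, the inventory and the rule definitions are constructed). It evaluates a nested filter tree against asset records, reuses one rule inside another the way a Child Smart Rule does, and shows the "include if the attribute is unassigned" choice from the Assigned Attributes filter.

```python
"""Evaluating a Smart Rule filter tree against asset records.

Added example, not Retina CS code. A Group joins its items with 'and'
(Match All Criteria) or 'or' (Match Any Criteria); groups nest; a ChildRule
reuses an existing Smart Rule as a filter. Field names such as "domain",
"type", "os", "owner" and "software" are assumptions for the sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

Asset = Dict[str, object]


@dataclass
class Filter:
    """One leaf criterion: an asset field compared to a value."""
    field_name: str
    value: object
    # Assigned Attributes: if the field is unassigned on an asset, the rule
    # author chooses whether that asset is included or excluded.
    include_if_missing: bool = False

    def matches(self, asset: Asset) -> bool:
        if self.field_name not in asset:
            return self.include_if_missing
        actual = asset[self.field_name]
        if isinstance(actual, (list, set, tuple)):   # e.g. installed software
            return self.value in actual
        return actual == self.value


@dataclass
class ChildRule:
    """Reuse an existing Smart Rule as a filter inside another rule."""
    rule: "SmartRule"

    def matches(self, asset: Asset) -> bool:
        return self.rule.matches(asset)


@dataclass
class Group:
    """Match All (match_all=True) or Match Any (match_all=False) over nested items."""
    match_all: bool
    items: List[Union["Group", Filter, ChildRule]] = field(default_factory=list)

    def matches(self, asset: Asset) -> bool:
        results = [item.matches(asset) for item in self.items]
        return all(results) if self.match_all else any(results)


@dataclass
class SmartRule:
    name: str
    criteria: Group

    def matches(self, asset: Asset) -> bool:
        return self.criteria.matches(asset)

    def smart_group(self, assets: List[Asset]) -> List[str]:
        """The Smart Group as of now: names of assets currently matching the rule."""
        return [str(a["name"]) for a in assets if self.matches(a)]


# Constructed sample inventory.
ASSETS: List[Asset] = [
    {"name": "emea-dc01", "domain": "EMEA", "os": "Windows Server 2008", "type": "server", "owner": "alice"},
    {"name": "emea-ws17", "domain": "EMEA", "os": "Windows 7", "type": "workstation", "software": ["Java 7"]},
    {"name": "emea-ws18", "domain": "EMEA", "os": "Windows 7", "type": "workstation", "owner": "carol"},
    {"name": "emea-rtr1", "domain": "EMEA", "type": "router"},
    {"name": "us-ws03", "domain": "US", "os": "Windows 7", "type": "workstation", "software": ["Java 7"]},
]

# The guide's example: assets in domain EMEA that are either servers or workstations.
EMEA_SERVERS_OR_WORKSTATIONS = SmartRule(
    "EMEA servers and workstations",
    Group(match_all=True, items=[
        Filter("domain", "EMEA"),
        Group(match_all=False, items=[Filter("type", "server"), Filter("type", "workstation")]),
    ]),
)

# A Child Smart Rule further refines the rule above instead of re-entering its filters.
EMEA_WINDOWS7 = SmartRule(
    "EMEA Windows 7 servers and workstations",
    Group(match_all=True, items=[ChildRule(EMEA_SERVERS_OR_WORKSTATIONS), Filter("os", "Windows 7")]),
)

# Assigned Attributes with "include if unassigned": alice's assets plus unowned ones.
ALICE_OR_UNOWNED_EMEA = SmartRule(
    "EMEA assets owned by alice or unowned",
    Group(match_all=True, items=[
        ChildRule(EMEA_SERVERS_OR_WORKSTATIONS),
        Filter("owner", "alice", include_if_missing=True),
    ]),
)
```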
Smart Rule Filters
Review the following tables for more information about available Smart Rule filters.

Table 1. Asset Smart Rule Filters
Active Directory Query – Create an LDAP query to include or exclude assets in the selected domain. For more information, see Creating an Active Directory Query.
Address Group – Create a group of IP addresses. For more information, see Creating an Address Group.
Asset Fields – Group the Smart Group by asset fields, such as asset name, domain or DNS. You can include more than one asset field filter in the Smart Rule to refine the results.
Assigned Attributes – Create a filter based on an attribute. If the attribute is unassigned on a particular asset, you can choose to include or exclude the asset from the rule.
Assets with Open Tickets – For ticket tracking, create a Smart Rule that filters on open tickets. The Smart Rule filter can be set to include overdue tickets.
Attacks – Filter assets based on attack. Select attacks from a list, or filter on attack name or ID.
Child Smart Rule – You can reuse a Smart Rule to save time when creating new Smart Rules. Reusing a Smart Rule further refines the assets that will be a part of the Smart Group. This is especially useful if the Smart Rule is a complicated set of filters.
Cloud Assets – Filter assets on the cloud connector, device ID, and kind.
Installed Software – Filter on any combination of installed software.
MAC Address – Filter by MAC address of assets.
Malware – Filter assets based on malware. Select malware from a list, or filter on malware name or ID.
Operating System – Filter on any combination of OS. Operating systems included in the list are those detected in your network. Assets with no OS detected can be included or excluded from the rule.
Ports – Filter by port group. Assets with open ports in the port group can be included or excluded from the rule.
Processes – Filter on any combination of processes.
Protection Agents – Filter by protection agents.
Services – Filter by any combination of service.
Vulnerabilities – Filter by vulnerability. Include or exclude the vulnerabilities from the Smart Group.
Vulnerability Scanners – Filter by Retina scan agent. Can filter for responsive or unresponsive scan agents.
Windows Events – Filter by Windows events that are available in the Windows Event Viewer (for example, Application, Security, or System).
Workgroup – Filter by workgroup.
Zero day vulnerabilities – Filter on zero day vulnerabilities.

Table 2. Vulnerabilities Smart Rule Filters
Child Smart Rule – Filter the vulnerabilities by child Smart Rules.
Vulnerability fields – Filter by the name of the vulnerability, risk, information, PCI severity, CVSS score or vector.
Vulnerability has mitigation patch – Filter by patch updates that are available to remediate the vulnerability.
Vulnerability in audit group – Filter by audit group. For example, All Audits, Zero Day, or any of the compliance audit groups available.
Vulnerability severity – Filter by severity level: low, medium, high.

Predefined Smart Groups
By default there are Smart Groups already defined and created. Predefined Smart Groups cannot be changed or deleted. However, predefined Smart Groups can be marked as inactive (except for the All Assets Smart Group) to improve performance on large databases. For more information, see Marking a Smart Group as Inactive.

The predefined Smart Groups are displayed in the Smart Groups browser pane and are organized in the following categories.

Table 3. Predefined Smart Groups for Assets
Agents and Scanners – Detects assets where protection agents and Retina scanners are deployed.
Assets and Devices – Includes default Smart Groups for all assets, all assets labeled as workstations, and mobile assets with critical vulnerabilities. Assets that are servers or workstations might not be detected, and therefore the asset might be a router or unknown and will not be part of the Smart Group.
Intelligent Alerts – Includes Smart Groups that detect assets added since yesterday. Intelligent Alerts are inactive by default.
Servers – Includes Smart Groups that detect assets that are mail servers, web servers, database servers, domain controllers, and SCADA. Only the Web Servers Smart Group is marked as active.
Virtualized Devices – Includes Smart Groups for virtual environments, including Microsoft Hyper-V and Parallels. This default category also includes two Smart Groups, Virtual Servers and Virtual Workstations. Assets detected as virtual environments are part of these Smart Groups.

Table 4. Predefined Smart Groups for Vulnerabilities
All Vulnerabilities – Includes all assets where there are vulnerabilities detected.
Zero Day Vulnerabilities – Includes all assets where zero day vulnerabilities are detected.
Table 4. Predefined Smart Groups (continued)

Predefined Smart Groups for Assets
- Agents and Scanners: Detects assets where protection agents and Retina scanners are deployed.
- Servers: Includes Smart Groups that detect assets that are mail servers, web servers, database servers, domain controllers, and SCADA. Only the Web Servers Smart Group is marked as active.
- Virtualized Devices: Detects virtualized devices. This default category also includes two Smart Groups.

Predefined Smart Groups for Vulnerabilities
- All Vulnerabilities: Includes all assets where there are vulnerabilities detected.

The predefined Smart Groups are displayed in the Smart Groups browser pane and are organized in the categories listed above. Membership depends on what a scan could determine about an asset: when the operating system is not detected, the asset might be a router or an unknown device and will therefore not be part of the Smart Group.

Creating an Asset Smart Rule

You can configure an asset Smart Rule to:
- Create Smart Groups
- Send email alerts with a list of assets
- Set attributes on assets
- Create a ticket with a list of assets
- Enable for Patch management
- Set environmental metrics for CVSS scoring
- Set scanner pooling

To create a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules. The Smart Rules Manager displays existing Smart Rules.
3. Click New Rule.
4. Select Asset based smart rules from the Smart Rule type list.
5. Enter a name and description.
6. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the Smart Groups browser pane.
7. The Active check box is selected by default. The Smart Rule is always available for processing when Active is selected. Clear the check box so the rule is not processed.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
   - Show asset as Smart Group: When selected, the rule is displayed in the Smart Groups pane as a Smart Group. You can select the Smart Group to filter the list of assets on the Assets page, and you can also select the default view to display on the Assets page when the Smart Group is selected. Smart Groups are also used for running scans, applying protection policies, registering for patch updates, ticket assignment, and email alerts.
   - Send an email with a list of assets: Select the check box and enter the email addresses to notify when the rule criteria are matched. Emails are only sent if the list of assets that match the rule has changed since the last time the rule was processed.
   - Set attributes on each asset: Select the attribute type from the list and then select the attribute.
   - Create Ticket: Select the ticket parameters. For more information, see Creating a Ticket.
   - Enable for Patch Management: Select to create a Smart Group for managing patch updates to assets. For more information, see Registering Smart Rules.
   - Set Environmental CVSS Metrics: Select environmental metrics for CVSS. For more information, see Setting CVSS Metrics.
   - Set Scanner Properties: Select one or more Retina scanner agents to lock to the Smart Group. See Scanner Pooling.
   - Mark each asset inactive: Assets detected as inactive are no longer displayed on the Assets page or in reports.
   - Export Data: Select to manage a Smart Group for the BMC Remedy connector.
   - Deploy PBW Policy: Select to deploy PowerBroker for Windows policies to the assets that match the criteria selected in the Smart Rule.
10. Click Save.

Creating a Vulnerabilities Smart Rule

You can configure a vulnerabilities Smart Rule to:
- Manage vulnerabilities
- Use as filters in grids and reports

To create a vulnerabilities Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules. The Smart Rules Manager displays existing Smart Rules.
3. Click New Rule.
4. Select Vulnerability based smart rules from the Smart Rule type list.
5. Enter a name and description.
6. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the Smart Rules Manager.
7. The Active check box is selected by default. The Smart Rule is always available for processing when Active is selected. Clear the check box so the rule is not processed.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
   - Show vulnerability as Smart Group: When selected, the rule is displayed on the Vulnerabilities page as a filter for the list of assets selected in the Smart Groups browser pane.
   - Create vulnerability audit group: Select to create a read-only audit group.
10. Click Save. The Smart Rule is active only after you click Save.

Cloning a Smart Rule

You can clone your custom Smart Rules or the predefined Smart Rules. This saves you time in recreating the filters in the initial Smart Rule.

An example scenario: you created a Smart Rule where the 'discover assets' option is selected and you run the rule once a month. You can clone the Smart Rule, turn off 'discover assets', edit the Smart Rule filters as needed, and configure the new Smart Rule to run more frequently.

To clone a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
3. On the Smart Rules Manager page, select the Smart Rule, and then click the clone icon. If you are using the Multi Tenant feature, select the organization from the list, and then click OK.
4. Click Save.

Marking a Smart Group as Inactive

You cannot delete predefined Smart Groups. However, if you have a lot of Smart Groups, you can save on processing time if you mark unused Smart Groups as inactive. An inactive Smart Group is no longer displayed in the Smart Groups browser pane (until marked active again).
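The following is an added example, not code from the Retina CS guide or from BeyondTrust, that models how an asset Smart Rule is processed as described in the procedures above: the Asset Selection Criteria are evaluated against an inventory, the selected Perform Actions are applied to the matched assets, and an email alert is raised only when the matched list differs from the previous processing pass. The asset records, the field names, and the criteria operators (contains, equals, in_cidr) are assumptions made for the example.

```python
"""Added example (not Retina CS code): a minimal model of asset Smart Rule
processing. Asset records, rule fields and operators are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    name: str
    ip: str
    os: str
    attributes: dict = field(default_factory=dict)
    active: bool = True


@dataclass
class SmartRule:
    name: str
    criteria: list                          # (field, operator, value); all must match
    send_email: bool = False                # "Send an email with a list of assets"
    mark_inactive: bool = False             # "Mark each asset inactive"
    set_attribute: Optional[tuple] = None   # "Set attributes": (attribute type, attribute)


def sample_assets():
    """Constructed inventory for the example, not real hosts."""
    return [
        Asset("web01", "10.10.10.50", "Windows Server 2008 R2", {"Role": "Web Server"}),
        Asset("db01", "10.10.10.60", "Windows Server 2003", {"Role": "Database"}),
        Asset("buffett-laptop", "10.10.20.15", "Windows 7"),
        Asset("core-rtr", "10.10.10.1", ""),   # OS not detected, e.g. a router
    ]


def _field_value(asset, name):
    if name.startswith("attribute:"):
        return asset.attributes.get(name.split(":", 1)[1])
    return getattr(asset, name)


def matches(asset, criterion):
    """Evaluate one Asset Selection Criteria entry against an asset."""
    name, op, value = criterion
    actual = _field_value(asset, name)
    if op == "contains":
        return actual is not None and value.lower() in actual.lower()
    if op == "equals":
        return actual == value
    if op == "in_cidr":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown operator {op!r}")


def evaluate(rule, assets):
    """Names of active assets that satisfy every criterion of the rule."""
    return {a.name for a in assets
            if a.active and all(matches(a, c) for c in rule.criteria)}


def process_rule(rule, assets, last_result):
    """One processing pass over the rule.

    Returns (matched names, email_sent). The email flag follows the guide's
    rule that an alert is only sent when the matched list changed since the
    last pass; the other actions are applied to every matched asset.
    """
    matched = evaluate(rule, assets)
    email_sent = rule.send_email and matched != last_result
    by_name = {a.name: a for a in assets}
    for name in matched:
        if rule.set_attribute is not None:
            attr_type, attr = rule.set_attribute
            by_name[name].attributes[attr_type] = attr
        if rule.mark_inactive:
            by_name[name].active = False   # drops out of the Assets page and later passes
    return matched, email_sent
```

Processing the same rule twice against an unchanged inventory applies the attribute both times but only sends the email on the first pass; a rule with "mark inactive" empties its own matched set on the next pass, which is why such rules should be scheduled with care.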
Creating an Address Group

Not supported in Retina CS Community.

Create an address group, then use the address group as an IP address filter when creating a Smart Rule. An address group can contain included or excluded IP addresses. The list can consist only of IP addresses to exclude if that is how you want to create your filter; the list depends on your particular needs.

To work with address groups, the Retina CS user must be a member of the Administrators group or be assigned the Asset Management permission. See Creating User Groups.

To create an address group:
1. Click the Configure tab, and then click Address Groups.
2. Click + in the Address Group pane.
3. Enter a name for the address group, and then click Save.
4. Select the address group and then click + in the Type/Entry pane.
5. Enter IP addresses to include or exclude. IP addresses are entered as an IP range, a named host, or a CIDR block. To exclude IP addresses, enter the IP addresses, and then select the Omit this entry check box.

When you select the Address Group filter while creating a Smart Rule, you can also do the following:
- Click New to open the New Address Group dialog box.
- Click Import to import a .txt file with a list of IP addresses to include and exclude. To exclude IP addresses in the file, use the format: 192.x.x.x (1). After importing, CIDR blocks, excluded IP addresses, and excluded named hosts are displayed in the Type/Entry pane.

Creating an Always Address Group

You can create an address group and name it Always. The Retina scanner agent is designed to recognize this address group name and includes the group in every scan (regardless of whether the group is selected in the scan job). The address group can include and exclude IP addresses. The IP addresses, whether included or omitted, are considered part of the scan that is running. The next time a scan runs, the address group is synchronized with the Retina scanner agent.

For example, the Always address group is configured with the following: 10.10.10.60 and buffett-laptop (omitted). A scan tries to scan 10.10.10.50 and buffett-laptop. The results:
- 10.10.10.60 is included in the scan, since that IP address is added to the Always address group.
- buffett-laptop is excluded from the scan, since that asset is explicitly omitted in the Always address group.
- 10.10.10.50 is scanned as usual.

Note that if an asset was scanned and then later added to the Always address group as Omit, the asset is not scanned but might still be displayed in the report. This only occurs with some reports.

Creating a Smart Rule based on an Address Group

When you are configuring an address group, you can choose to create a Smart Group based on the address group.
1. Create the address group and add IP addresses as described earlier.
2. Click the arrow next to the address group. The address group Smart Group is displayed in the Smart Groups browser pane.

Creating an Active Directory Query

Not supported in Retina CS Community.

Create an Active Directory query to retrieve information from Active Directory to populate a Smart Rule. For example, create a query that uses computer names for a selected domain.

To work with Active Directory queries, the Retina CS user must be a member of the Administrators group or be assigned the Asset Management permission. See Creating User Groups.

To create an Active Directory query:
1. Click the Configure tab, and then click Active Directory Queries.
2. Click New.
3. Enter a name for the query.
4. Enter a path name or click Browse to search for a path. On the Select Active Directory Path dialog box, the forest is automatically detected and the Domain list is populated with the domains in the forest.
5. Select a container and click OK to close the dialog box.
6. Select a scope to apply to the container: This Object and All Child Objects, or Immediate Children Only.
7. Click Credentials and provide credentials (optional). The minimum permission assigned to the credentials must be Read on the computer assets that you are enumerating.
8. Click Advanced and enter the LDAP query details.
9. Click Test to ensure the query returns the expected results.
10. Click Save.

You can then select the query as a filter when you create a Smart Rule; enter a name and description for the filter.

Working with Attributes

Not supported in Retina CS Community.

You can use attributes to label assets. Set an attribute on each asset in a group using a Smart Rule. You can then select the attribute as a filter when you create a Smart Rule: select an attribute from the Assigned Attributes list in the Asset Selection Criteria section. For more information, see Creating a Smart Rule.

Retina CS ships with attributes already created. You can also add attribute types and attributes that meet your particular requirements. You can use the Criticality attribute to weight the importance of an asset in your environment. Assign the criticality attribute using a Smart Rule or on the Asset Details page for an asset (see Changing Asset Properties).

To add an attribute type and attribute:
1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
3. Type an attribute name.
4. To add an attribute, select an attribute type.
5. Click + and then select Attribute.
6. Type an attribute name.
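The Always address group described earlier in this section is easy to misread, so here is an added example, not code from the Retina CS guide or from BeyondTrust, that reproduces its semantics: included entries are added to every scan, omitted entries are removed even when the scan job names them explicitly, and entries may be single addresses, first-last ranges, CIDR blocks, or named hosts. The entry representation, the range syntax, and the expansion limit are assumptions for the example; the sample inputs are the guide's own 10.10.10.60 / buffett-laptop scenario plus a constructed CIDR case.

```python
"""Added example (not Retina CS code): resolving a scan's target list against an
'Always' address group. Entry format and limits are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    spec: str            # IP, "first-last" range, CIDR block, or named host
    omit: bool = False   # True when "Omit this entry" is selected


def covers(spec, target):
    """True if an address-group entry covers the target (an IP or a host name)."""
    try:
        t = ipaddress.ip_address(target)
    except ValueError:
        return spec.lower() == target.lower()       # target is a named host
    try:
        if "/" in spec:
            return t in ipaddress.ip_network(spec, strict=False)
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            return lo <= t <= hi
        return t == ipaddress.ip_address(spec)
    except ValueError:
        return False                                # spec is a host name, target an IP


def _expand(spec, limit=4096):
    """Expand an include entry into individual targets; named hosts pass through."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses > limit:
            raise ValueError(f"refusing to expand {spec}: {net.num_addresses} addresses")
        return [str(a) for a in net]
    if "-" in spec:
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        except ValueError:
            return [spec]                           # host name such as buffett-laptop
        if int(hi) - int(lo) + 1 > limit:
            raise ValueError(f"refusing to expand {spec}")
        return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        return [spec]                               # plain host name


def resolve_scan_targets(requested, always):
    """Apply the Always group to a scan job's requested targets.

    Returns (scanned, excluded) as sorted lists. Included entries are added to
    every scan; omitted entries win over anything the job requested.
    """
    scanned = set(requested)
    for entry in always:
        if not entry.omit:
            scanned.update(_expand(entry.spec))
    omit_specs = [e.spec for e in always if e.omit]
    excluded = {t for t in scanned if any(covers(s, t) for s in omit_specs)}
    return sorted(scanned - excluded), sorted(excluded)


if __name__ == "__main__":
    always = [Entry("10.10.10.60"), Entry("buffett-laptop", omit=True)]
    print(resolve_scan_targets(["10.10.10.50", "buffett-laptop"], always))
```

Because omits are evaluated after includes, an omitted CIDR block silently removes any requested host inside it; when a report still lists such a host, that is the reporting behaviour the note above describes, not a scanner error.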
Working with Tickets

Not supported in Retina CS Community.

In this section:
- Creating a Ticket
- Managing Ticket Details
- Tracking Open Tickets Using a Smart Rule

Use the ticket system to assign tickets to members of your security team. The team can review, remediate, and resolve vulnerabilities and attacks on protected assets. You can create tickets to manage the remediation of vulnerabilities, attacks, and malware.

Ensure your user groups have the correct ticket permissions assigned. For more information, see User Group Permissions.

Note: You can create an Active Directory user group and assign the group ticket permissions. The users that are members of the Active Directory group must log on to Retina CS at least once before the user name is displayed in the Assigned to list. Logging on also activates the email notification for the user.

Creating a Ticket

Using the ticket system, you can create tickets for managing the life cycle of vulnerabilities, attacks, and malware. You can create a ticket from the following pages:
- Assets
- Attacks
- Vulnerabilities
- Malware

To create a ticket:
1. Select the arrow for a vulnerability, attack, or malware, and then select Create Ticket.
2. Enter the details for the ticket.
3. Click Save. A ticket ID is automatically generated after you save the details for the ticket.

A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is intended to help you keep track of assets affected by the vulnerability. The next time the Smart Rule is processed, affected assets where solutions have been applied are no longer part of the Smart Rule. When all assets have the solution applied, the autogenerated ticket Smart Rule is removed from the Smart Rules Manager. No intervention is required by you. The autogenerated tickets are not displayed in the Smart Rules browser pane.

Managing Ticket Details

To change the details for a ticket:
1. Select the Assets tab, and then select Tickets.
2. Select the ticket and then click i.
3. On the Ticket Details dialog box, change the ticket properties as needed. If available, click the x revisions link to view details about activity on the ticket. If you select the Close status, the ticket is no longer displayed on the Tickets pane.
4. Click Save.

Marking a Ticket as Inactive

If a ticket is accidentally created or no longer needed, your security team member can mark the ticket as inactive. An inactive ticket is essentially a ticket that is deleted: it is no longer displayed on the Tickets page and cannot be selected. However, the Retina CS administrator can always see the tickets (active or inactive). You can mark a ticket as inactive on the Ticket Details page or from the Smart Rules Manager.

To mark a ticket as inactive:
1. Select the Assets tab, and then select Tickets.
2. Select the ticket and then click i.
3. Clear the Active check box.
4. Click Back to Ticket Details.
5. Click Save. The ticket is no longer displayed on the Tickets page.

Tracking Open Tickets Using a Smart Rule

Use Smart Rules to track open tickets and tickets that are overdue.

To create a Smart Rule:
1. Select the Assets tab, and then click the Manage Smart Rules button.
2. Click New Rule.
3. Enter a rule name and description.
4. Select the criteria and actions: select the ticket Smart Group and any other relevant parameters.
5. Select the Auto-close Ticket check box to close the ticket and remove the Smart Group from the Smart Rules Manager. The ticket is only closed after all assets are remediated.
6. Click Save.

Later, you can run the Tickets report to view a current list of open tickets.
Reports and Scan Templates

In this section:
- Running a Report on Existing Scan Data
- Reviewing Report Results
- Creating a Report
- Creating a Report Category
- Viewing Reports
- Managing Report Templates
- Setting Report Output Options
- Configuring Scan Settings
- Working with Audit Groups
- Working with Port Groups
- Creating a Custom Audit

There are two report template types available:
- Scanning only. For more information, see Managing Scan Report Templates.
- Scanning and running reports on existing data. For more information, see Running a Report on Existing Scan Data.

Running a Report on Existing Scan Data

Not supported in Retina CS Community.

You can run reports on scan information that is stored in the Retina CS database. You cannot run reports on existing data using the Protection reports.

Checkpoint: Create a Smart Group to scope the assets to include in the report. For more information, see Creating a Smart Rule.

To run a report on existing data:
1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters. By default, the All check box is selected; selecting All uses all criteria available for that parameter. Be sure to clear the All check box if you want to use specific parameters for your report. Note that the NONE export type provides a snapshot of the data and produces results faster than selecting PDF output.
5. Click Run Report. Reports open in a new window, so ensure pop-up blockers are disabled for the Retina CS web site.

Creating Scheduled Reports

To schedule a report:
1. Set the report parameters as described in the preceding procedure (To run a report on existing data).
2. Click Subscription, and then set the following:
   - Notify when complete: Select the check box and enter email addresses, separating entries with a comma. Alternatively, click + and select users or user groups. Email notification is sent when the scan and report are complete.
   - Email report to: Select the check box and enter email addresses, separating entries with a comma. Alternatively, click + and select users or user groups. The reports are emailed to the users entered.
   - Schedule Type: Select One Time or Recurring. If you select Recurring, select the frequency of the scheduled run times.
3. Click Save after you enter the scheduling information.

Viewing Scheduled Reports in the Calendar View

You can review the scheduled reports in a calendar that shows a summary of the reports scheduled for the month.

To view the scheduled reports for the month:
1. Click the Jobs tab, and then click Scheduled in the Reports section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed report.

Reviewing Report Results

Expand the document map to view the list of vulnerabilities. Click the link for the vulnerability in the document map list or in the main report. You can review more information about the vulnerability, such as: description, fix information, references, and CVSS score.

If you export the report to PDF output, the list of vulnerabilities in the document map is displayed as bookmarks in the PDF.
Creating a Report Category

A report category is a container that helps to organize similar reports. Every report that you create must be assigned to a category.

To create a report category:
1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report Category.
3. Enter a name for the report category and click Create.
4. Drag an existing report from another category to populate the new category.

Creating a Report

You can create a report template based on an existing report template. A report template consists of:
- Report output settings: Select options to determine how information is presented in the report output. Includes the report sections that present the information collected from the scan.
- Scan settings: Select options to determine the data to collect from assets. Includes the audits, ports, and additional scan options that make up the scan.

Report templates are organized using report categories.

To create a report:
1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report.
3. Select a template and click Create.
4. Enter the name of the report and the report category.
5. Select a section and then drag section parts into the section pane. Section parts vary based on the report template selected. You can enter the name of the section part in the text box to select it.
6. Select the Shared check box if this report template can be used by other Retina CS users.
7. Click Save.

Viewing and Downloading Reports

On the Reports tab, you can:
- View reports
- Download a report to PDF format
- Access the Manage Report Templates page

To view and download a report:
1. Click the Reports tab.
2. Select a report, and then click i. Or, select one of the following:
   - Double-click a report to view it.
   - Click the download button and then click Save File to save the report in PDF format.
   - Click the delete button to delete the report.
3. Enter the report name, or use the default, and then click Save.

Managing Report Templates

You can customize template settings, including the sections in the report output and the scan settings.

To access a report template: Click the Reports tab, and then click Manage Report Templates. Select the report template and click the arrow to select a menu item:
- Edit Report. See Setting Report Output Options.
- Edit Scan Settings. See Configuring Scan Settings.
- Duplicate Report. Creates a copy of the selected report. Select Edit or Rename from the menu to continue.
- Rename Report. Enter the new name when prompted.
- Delete Report. Confirm the deletion when prompted.

Setting Report Output Options

You can select the sections to include in the report, such as the cover page and report content. For some reports, you can edit parameters on the Header section: click the pencil icon to display and select the parameters.

To change the report output:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Enter a name for the report and the report category.
5. Select a report section. The Section Parts pane displays the sections that you can use. You can also enter the name of the section part in the Search box.
6. Drag a section part into the middle pane.
7. To remove a section from the report, select the section and select the garbage can.
8. Click Save.
Configuring Scan Settings

The following scan settings can be set when you are configuring an audit scan:
- Audits. An audit contains the vulnerabilities and risks that you want to search for on your selected assets. The audit information is organized in audit groups. The audit groups provided are industry standard and include: SANS20 (All), SANS20 (Windows), and Zero-day. For a complete list, see Audit Groups.
- Ports. Select the port or port group ranges that you want to include in the scan. For more information, see Port Groups.
- Options. Select scan policy options, advanced options, and remote agent settings.

To configure an audit scan:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits, and then drag an audit group to the scan settings pane. To search for an audit group, type the audit group name in the Search box.
5. Select Ports, and then drag port groups to the scan settings pane. To search for a port group, type the port group name in the Search box.
6. Select Options.
7. Expand Scan Policy Options and select the scan options:
   - Perform OS Detection: Determines the operating system for the target.
   - Get Reverse DNS: Performs a reverse Domain Name System (rDNS) lookup and retrieves the domain name for the target IP address.
   - Get NetBIOS Name: Retrieves the Network Basic Input/Output System (NetBIOS) name.
   - Get MAC Address: Retrieves the Media Access Control address, the unique hardware number of the interface.
   - Perform Traceroute: Determines packet routes across an IP network.
   - Hardware: Determines the hardware for the target.
   - Perform Database Scanning: Scans remote database instances.
   - Perform Web Scanning: Scans remote web servers and audits installed applications.
   - Web Scan Depth: Sets the number of links to follow from the home page.
   - Enumerate [parameter] Via NetBIOS: Uses the NetBIOS protocol to determine and list the audits specified in the Audit Group. The parameters include registry, users, groups, shares, files, processes, named pipes, hotfixes, machine information, audit policy, per-user registry settings, user and group privileges, and software.
   - Maximum Number of Users to Enumerate: Sets the maximum number of users for which detailed descriptions are provided. All users are enumerated if you set the value to 0.
8. Expand the Advanced Options and select the scan options:
   - Enable Connect Scan Mode: Instructs Retina to negotiate a full connection to each port on each device. Run if the targeted devices are not going to answer SYN or ICMP scanning.
     Note: Performance issues may be experienced when running a Connect Scan, Force Scan, and UDP Scan simultaneously. The operating system is negotiating a full connection to each device; on a Class B network, you could be waiting for 65,535 devices to time out on a minimum of 65,535 connections each. In addition, stack changes in Windows XP SP2 cause connect scans to slow greatly due to the limit of 10 incomplete connections.
   - Enable Force Scan: Forces Retina to expect an answer from every target, and to run protocol discovery on each port of each device to determine the protocol; unanswered IPs eventually time out. Run if other methods are unreliable, such as over a slow dial-up link. Because multiple port scanning methods are not used, Retina cannot determine a number of items, such as the operating system. Only use in a highly locked down network where the standard port scanning methods will be filtered or blocked. Force Scan should not be used on IP ranges.
   - Extended UDP Scan: Runs a complete scan on all User Datagram Protocol (UDP) frames without timing out.
   - Disable Tarpit Detection: Stops tarpit detection. A TCP tarpit program intentionally reduces the size of data packets to slow communication transmissions, which can cause incorrect scan results. To scan systems running tarpits, set the tarpit to allow unimpeded connections from the Retina scanner.
   - Randomized Target List: Uses a random list of target assets to scan rather than a sequential list of IP addresses. This load balances the target IP list across the network by distributing the target list across subnets, rather than running all the targets in a subnet at the same time sequentially. OFF by default.
   - Enable Remote Registry Service: Starts (and then stops) the remote registry service on a target. The service is only active during the scan. OFF by default.
   - Enable WMI Service: Starts (and then stops) the WMI service on a target. The service is only active during the scan. OFF by default.
   - Detailed Audit Status: Retrieves data on the port, operating system, and protocol scanned, and details the vulnerabilities that are open, fixed, and not verified.
9. Expand Retina Local Scan Service Options to set the following:
   - Perform Local Scanning: Deploys a remote Retina scanner agent to target assets during a scan. Deploy a remote Retina agent to run WMI and remote registry scans. After the scan runs, the deployed remote agent is removed from the asset.
   - Enumerate Ports via Local Scan Service: Enumerates local ports using netstat, including active connections and the program or service using the port.
10. Click Update.
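The Randomized Target List option above is described as distributing the target list across subnets rather than working through one subnet at a time. The following is an added example, not code from the Retina CS guide or from BeyondTrust, of one way to produce such an ordering: group targets by subnet, shuffle within and across groups, then interleave round-robin so consecutive targets come from different subnets. The prefix length (/24), the seeded RNG, and the sample addresses are assumptions for the example.

```python
"""Added example (not Retina CS code): interleaving scan targets across
subnets, the load-balancing behaviour the Randomized Target List option
describes. Prefix length and sample targets are assumptions."""
import ipaddress
import random
from collections import defaultdict


def subnet_of(ip, prefix=24):
    """Network containing ip at the given prefix length, e.g. 10.10.10.0/24."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def interleave_by_subnet(targets, prefix=24, seed=None):
    """Return targets reordered so that consecutive entries rotate across subnets.

    Each subnet's hosts are shuffled, the subnet order is shuffled, and hosts
    are then taken one per subnet in round-robin until every queue is empty.
    Every input target appears exactly once in the output.
    """
    rng = random.Random(seed)
    groups = defaultdict(list)
    for t in targets:
        groups[subnet_of(t, prefix)].append(t)
    queues = list(groups.values())
    for q in queues:
        rng.shuffle(q)
    rng.shuffle(queues)
    ordered = []
    while queues:
        remaining = []
        for q in queues:
            ordered.append(q.pop())
            if q:
                remaining.append(q)
        queues = remaining
    return ordered


def longest_same_subnet_run(ordered, prefix=24):
    """Length of the longest run of consecutive targets in one subnet.

    A sequential IP list scores the size of its largest subnet; a well
    interleaved list scores 1 when the subnets are of equal size.
    """
    best = run = 0
    prev = None
    for t in ordered:
        net = subnet_of(t, prefix)
        run = run + 1 if net == prev else 1
        best = max(best, run)
        prev = net
    return best


if __name__ == "__main__":
    # Constructed target list: three /24 subnets with four hosts each.
    sample = [f"10.10.{s}.{h}" for s in (10, 20, 30) for h in (1, 2, 3, 4)]
    print(longest_same_subnet_run(sample), longest_same_subnet_run(interleave_by_subnet(sample, seed=1)))
```

With unequal subnet sizes the tail of the ordering necessarily falls back to the largest subnet, so the option spreads load but cannot eliminate bursts against one network entirely.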
Working with Audit Groups

Retina CS ships with audit groups that are populated with audits. Each audit group has a preconfigured set of audits. On the Scan settings page for an audit group, you can:
- Change the audits in the audit group
- Create an audit group
- Copy an audit group
- Create an audit (for more information, see Creating a Custom Audit)
- Revert the settings to the default values

Note that you cannot delete an audit group that ships with Retina CS.

To manage audit groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane to:
   - Edit an audit: Select the audit and click the pencil icon. Select All Editable Audits from the Show list to display all audits that you can change; you cannot change all audits. To search for an audit, type the name in the Search box.
   - Edit an audit group: Select the audit group from the Audit Groups pane. You can also type the name of the audit group in the box to search for the audit group. Select the Automatically enable new audits in this group check box to add all new audits to the group as they are created.
   - Create an audit group: Click + at the bottom of the Audit Groups pane, and then enter the name of the new audit group.
   - Copy an audit group: Click the copy icon, enter a name, and click Copy.
6. Click Revert to revert to either the last saved version of the selected audit group or the default value.
7. Click Update.

Working with Port Groups

Port groups contain the list of ports to scan. Retina CS ships with port groups already configured with a range of ports (for example, HTTP Ports and Discovery Ports). You can change the ports assigned in a port group, add port groups that will be available to all audit scans, and delete port groups. Note that you cannot delete a port group that ships with Retina CS.

To change port groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
   - Add a port group: Click + on the Port Groups pane. Enter the name of the port group and click Create.
   - Edit a port group: Select the port group from the Port Groups pane. You can also type the name of the port group in the box to search for and display the port group.
   - Add a port or group of ports: Select the ports, and then select the protocol from the list: Both, TCP, or UDP. The grid is updated with the corresponding color of the protocol. To select multiple ports, click and drag over the range. Alternatively, enter the port number or port number range in the Select Ports box and click the arrow. Use the Grid Size slider to adjust the view.
   - Remove a port from a group: Select the port, and then select Clear from the Protocol menu.
6. Click Revert to cancel your changes.
7. Click Update.
Creating a Custom Audit

You can create an audit that addresses particular risks or vulnerabilities that you want to protect your assets from. For example, you can create the following audit: ensure the latest service pack and a particular hotfix have been installed for Windows 2003 OS 32-bit/64-bit. You can select the rule category, the risk level associated with the rule, the audit type, and the audit details.

To create customized audit scan settings:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane.
6. Click +New Audit to start the Audit wizard.
7. On the Audit Description page:
   a. Type the audit name.
   b. Select the audit category, such as Database, Mail Servers, Miscellaneous, or Windows.
   c. From the Risk Level list, select the severity level that corresponds to the severity of the vulnerability:
      - High: Risks that allow a non-trusted user to take control of a susceptible host. Vulnerabilities that severely impact the overall safety and usability of the network.
      - Medium: Risks that are serious security threats and would allow a trusted but non-privileged user complete control of a host, or would permit a non-trusted user to disrupt service or gain access to sensitive information.
      - Low: Risks associated with specific or unlikely circumstances. These vulnerabilities can provide an attacker with information that could be combined with higher-risk vulnerabilities to compromise the host or users.
      - Information: Host information that does not necessarily represent a security threat, but can be useful to the administrator to assess the security of the host. These alerts are displayed with the list of vulnerabilities.
   d. Describe the vulnerability.
   e. Describe how to remediate, investigate, or mitigate the vulnerability.
8. Click Next.
9. On the Audit Type page, select the type of audit:
   - Banner: Determines vulnerabilities in the banner information, such as firewall name, IP addresses, and server name.
   - BlackBerry Device: Determines vulnerabilities based on BlackBerry device specifications.
   - CGI Script: Determines vulnerabilities in the common gateway interface, which passes a Web user's request to an application program and receives data back to forward to the user.
   - File Checksum: Determines vulnerabilities based on file checksum comparisons.
   - File Version: Verifies the software version.
   - Hotfix: Determines vulnerabilities by scanning service packs, hotfixes, and patches.
   - Mobile Software: Determines if software exists for mobile devices.
   - Registry: Detects vulnerabilities by scanning registry entries and values.
   - Remote Check: Verifies if a specific Unix program or patch is installed on an operating system.
   - Service Pack: Determines vulnerabilities by scanning service packs, hotfixes, and patches.
   - Share: Determines if a share is accessed by unauthorized users. Use this feature with caution; network performance issues might occur if you use this feature.
10. Select the operating systems that the vulnerability affects, and then click Next.
11. Enter the information for the audit type. The Audit Details page displays parameters based on the audit type that you selected in step 9:
   - Banner audit details: Select the banner protocol, and then type the banner name.
   - BlackBerry Device: Enter model, device ID, serial number, platform version, and OS version.
   - CGI Script audit details: Type the URL path to the script name.
   - File Checksum: Select the file checksum algorithm from the list. Supported values include MD5, SHA1, and SHA256. Enter the file name and checksum value, and select the operating systems to check.
   - File Version: Enter a file name and, optionally, set the file version information. Use an asterisk (*) to compare all file versions.
   - Mobile Software: Enter the name of the software and set whether the software exists. Can also audit on the version number.
   - Registry: Select Path, Key, or Value from the menu. Note that the registry path cannot contain the selected Hive value.
   - Remote Check: Enter the file name. The audit can check whether the file exists or not.
   - Share: Select the user account access on the share and the type of access; list the accounts by SID.
12. On the Vulnerability Details page, enter the BugTraq and CVE details, as needed:
   - BugTraq: A security portal dedicated to issues about computer security, such as vulnerabilities, methods of exploitation, and remediation.
   - CVE: Common Vulnerabilities and Exposures is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
13. On the Audit Wizard Summary page, click the pencil to change the audit information, and then click Finish.
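To make the audit types above concrete, here is an added example, not code from the Retina CS guide or from BeyondTrust, that models three of them (File Checksum with MD5/SHA1/SHA256, File Version with the asterisk wildcard, and Banner) as data and evaluates them against constructed evidence: a temporary file standing in for a known-bad binary, a version string, and a captured service banner. The Audit record layout, the evidence dictionary, and the wildcard semantics ("6.0.*" matches any version beginning 6.0) are assumptions for the example.

```python
"""Added example (not Retina CS code): evaluating custom audits of the
File Checksum, File Version and Banner types against constructed evidence.
Record layout and wildcard semantics are assumptions."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Audit:
    name: str
    risk: str                  # High, Medium, Low or Information
    audit_type: str            # File Checksum, File Version or Banner
    details: dict = field(default_factory=dict)
    cve: str = ""              # optional reference, as on the Vulnerability Details page


def file_checksum(path, algorithm):
    """Hex digest of a file using MD5, SHA1 or SHA256 (the supported values)."""
    h = hashlib.new(algorithm.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def version_matches(pattern, actual):
    """Dotted version comparison; '*' matches the rest, so '6.0.*' covers 6.0.2900.5512."""
    want, have = pattern.split("."), actual.split(".")
    for i, part in enumerate(want):
        if part == "*":
            return True
        if i >= len(have) or part != have[i]:
            return False
    return len(want) == len(have)


def evaluate(audit, evidence):
    """Return (name, risk, cve) when the evidence matches the audit's vulnerable condition."""
    d = audit.details
    if audit.audit_type == "File Checksum":
        path = evidence.get("path")
        hit = (path is not None and os.path.exists(path)
               and file_checksum(path, d["algorithm"]).lower() == d["checksum"].lower())
    elif audit.audit_type == "File Version":
        hit = "version" in evidence and version_matches(d["version"], evidence["version"])
    elif audit.audit_type == "Banner":
        hit = d["protocol"] == evidence.get("protocol") and d["banner"] in evidence.get("banner", "")
    else:
        raise ValueError(f"unsupported audit type {audit.audit_type!r}")
    return (audit.name, audit.risk, audit.cve) if hit else None


def run_demo():
    """Evaluate constructed audits against constructed evidence; returns names of findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vulnerable.dll")
        with open(path, "wb") as f:
            f.write(b"MZ-constructed-sample")        # constructed content, not a real binary
        audits = [
            # The expected checksum is taken from the sample file itself so the demo is self-contained.
            Audit("Known-bad DLL", "High", "File Checksum",
                  {"algorithm": "SHA256", "checksum": file_checksum(path, "SHA256")}),
            Audit("Old component version", "Medium", "File Version",
                  {"file": "vulnerable.dll", "version": "6.0.*"}),
            Audit("Unpatched web server banner", "Medium", "Banner",
                  {"protocol": "http", "banner": "Apache/2.2.3"}),
            Audit("Banner not present", "Low", "Banner",
                  {"protocol": "http", "banner": "nginx/1.0"}),
        ]
        evidence = {"path": path, "version": "6.0.2900.5512",
                    "protocol": "http", "banner": "Apache/2.2.3 (Unix)"}
        return [finding[0] for a in audits if (finding := evaluate(a, evidence))]


if __name__ == "__main__":
    print(run_demo())
```

A checksum audit only fires on an exact digest, so a single differing byte (a rebuilt or patched binary) produces no finding; a version audit with a trailing asterisk is the broader net, which is why the two types are usually paired.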
Report Templates and Audit Groups

Not all report templates or audit groups are supported in Retina CS Community.

You can run reports on existing scan information that is stored in the Retina CS database. You can run custom or standard reports to review the system. You can run all reports from Retina Insight. For more information, refer to the Retina Insight User Guide.

The following tables list the report templates and audit groups available with Retina CS.

Table 5. Vulnerabilities

Access
  Lists targets that are inaccessible and includes a reason. For example, the target does not exist on the network, or administrative rights were not provided.
All Audits Scan
  Lists all vulnerabilities found. Drill down by vulnerability to review more information, such as fixes, references, and assets affected.
Discovery Scan
  Lists the targets found on the network, including: workstations, laptops, printers, routers, etc. Credentials are not required for a discovery scan.
PCI Compliance Report
  Details the vulnerability results of PCI security scans. Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for merchants and service providers that store, process, or transmit cardholder data. PCI security scans are conducted over the Internet by an Approved Scanning Vendor (ASV). The Retail Report pack is required for this report.
Vulnerabilities
  Lists vulnerabilities grouped by assets. The report details the vulnerabilities with criticality, descriptions, fix information and references.
Vulnerabilities by Reference
  Lists vulnerabilities by CVE reference ID. The references provide a link to the CVE web site. Drill down into an ID for more information, such as assets affected and potential fixes.
Vulnerabilities Delta
  Provides the vulnerability differences between two scans. Delta reports are useful for comparing changes such as the addition or removal of user accounts, OS upgrades, software, users and security issues.
Vulnerability Exclusions
  Lists vulnerabilities that are set to exclude. Includes the expiry date and reason properties.
Vulnerability Export
  Provides a tabular list of all vulnerabilities discovered and their associated details.

Table 6. Attacks

Attack
  Displays the total number of attacks, a list of the top x attacks, attacks per asset, trends over time, and attacker IP address. Drill down into each attack for more information, such as action, port, protocol, process, and attacker. The Attacks report uses information gathered by Retina Protection Agents.
Malware
  Displays the total number of malware attacks, a list of the top x malware attacks, assets attacked, criticality and trends over time. Drill down into each malware attack for more information, such as location of the malware, asset and IP address.
Protection Agent Configuration
  Displays the policies applied on an asset. Retina Protection Agent module required.

Table 7. Assets

Asset Export
  Displays assets in a selected scan in .csv format. Information includes: the asset name, DNS name, MAC address, domain and operating system.
Assets
  Provides asset and risk information by hardware, operating system, ports, processes, services, share and user account. Click an asset to drill down to more information: vulnerabilities, ports, processes, and more.
OS
  Lists the top 100 and bottom 100 discovered operating systems. Assets are grouped by OS. IP address, asset name, DNS name, MAC address, and risk level are included.
OS Delta
  Displays the differences in operating systems between two scans.
Port
  Lists the top 100 and bottom 100 discovered ports for the assets included in the scan. Assets are grouped by port. IP address, asset name, DNS name, MAC address, and risk level are included. Click an asset to drill down to more information: vulnerabilities, ports, processes, and more.
Port Delta
  Displays the port differences between two scans.
Service
  Lists the top 100 and bottom 100 discovered services for the assets included in the scan. Assets are grouped by service. IP address, asset name, DNS name and risk level are included.
Service Delta
  Details the service differences between two scans.
Share
  Provides a summary of top and bottom shares and a breakdown by IP address, operating system and criticality.
Share Delta
  Displays the share differences between two scans.
Software
  Lists the top 100 and bottom 100 discovered software for the assets included in the scan. Assets are grouped by software. IP address, asset name, DNS name, and risk level are included.
Software Delta
  Displays the software differences between two scans.
User
  Lists the top 100 and bottom 100 discovered users for the assets included in the scan. Assets are grouped by user. IP address, asset name, DNS name, MAC address, and risk level are included.
User Delta
  Lists the number of new, unchanged and removed users. Drill down by asset to review a summary of the user updates.
Windows Event Report
  Lists Windows event types based on your selection: Application, Security, System.

Table 8. Executive Overview

Executive Summary
  Provides an overview summary of assets and trends, such as audits by machine and audits by severity.

Table 9. Patches

Patches
  Lists the assets included in the scan and the number of patches that need to be applied to each asset. Each patch also provides the name of the violated audit. Lists each patch available and includes a link to more information for the patch.

Table 10. Regulatory Compliance

COBiT Compliance
  Provides a report that ensures your environment satisfies the framework identified in the COBiT framework. Additional components: Any report pack.
FERC-NERC
  Maps monitored controls to NERC requirements. Additional components: Government report pack.
GLBA Compliance
  Provides security risk assessments that satisfy the requirements in the GLBA. Additional components: Financial report pack.
HIPAA Compliance
  Maps configuration, patch and zero-day vulnerabilities to HIPAA security rules. Running a scan using the default scan settings ensures compliance to Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation. Additional components: Healthcare report pack.
HITRUST Compliance
  Displays vulnerabilities mapped to HITRUST regulatory compliance standards. Supported sections from the standard and vulnerability counts are displayed. Additional components: Retail or Healthcare report pack.
ISO-27002 Compliance
  Maps configuration, patch and zero-day vulnerabilities to satisfy ISO-27002. Additional components: Any report pack.
ITIL Compliance
  Maps compliance violations and vulnerabilities back to ITIL best practice categories. Additional components: Any report pack.
MASS 201
  Maps configuration, patch and zero-day vulnerabilities to MASS 201. Additional components: Government report pack.
NIST 800-53
  Maps configuration, patch and zero-day vulnerabilities to the NIST 800-53 standard used to support FISMA compliance. Additional components: Government report pack.
SOX Compliance
  Maps configuration, patch and zero-day vulnerabilities to defined SOX requirements.

Table 11. Hardware

Hardware
  Lists the hardware discovered on each asset included in the scan.
Hardware Delta
  Lists a summary of hardware differences between two scans. Drill down by asset to review differences.

Table 12. Configuration Compliance

Benchmark Compliance
  Runs a benchmark scan based on a selected benchmark template and policy. Additional components: Configuration Compliance module.
Benchmark Export
  Provides a summary of differences in a benchmark policy.

Table 13. Protection

Protection Policy Differences Report
  Provides a summary of differences in a protection policy. This report is intended to provide configuration information for your Retina Protection agent policies. You cannot run reports on existing data for the Protection reports.

Table 14. Patch Management

Approved Patches
  Lists assets where patches are approved.
Installed Patches
  Lists installed patches.
Required Patches
  Lists required patches.
Additional components: Patch Management module.

Table 15. Mobility

Mobile Assets
  Lists mobile assets discovered.
Mobile Vulnerabilities
  Lists vulnerabilities associated with mobile assets.

Table 16. Tickets

Ticket
  Displays details such as Status (Open, New, Closed), Severity, ID, Assigned user, due date, and ticket title.

Table 17. PowerBroker Windows

Application ActiveX Details
  Displays information about installation events for ActiveX controls in Internet Explorer. Also displays charts about ActiveX controls.
Applications By Hash
  Displays information about all applications under management tracked by hash code. Details include application name, product name, file version, hash code of the binary file, and certificate publisher.
Applications by Computer
  Displays information about application usage on a client.
Applications By Path
  Displays information about all applications under management tracked by launch path.
Dashboard Report
  Displays charts about the applications most frequently launched, requiring elevation, triggering User Account Control (UAC), launched by Shell rule, rules applied, local administrators, and the ratio of administrator users to standard users.
File Integrity by Asset
  Displays the assets managed using PowerBroker for Windows File Integrity rules.
File Integrity by Rule
  Displays the assets organized by the PowerBroker for Windows rules.
Shell Rule Executions
  Displays information about all applications that run based on a shell rule.

Audit Groups

• Access Scan
• All Audits
• Android
• ActiveSync
• BlackBerry
• Databases
• Database Servers
• Domain Controllers
• FDCC-Windows XP
• FDCC-Windows Vista
• Mail Servers
• SANS20 (All)
• SANS20 (Unix)
• SANS20 (Windows)
• Secure Audits Configuration
• SCADA
• Third Party Patch Assessment
• Virtualization
• Web Applications
• Zero-Day

Regulatory Reporting Pack Audit Groups

• COBiT Compliance
• GLBA Compliance
• HIPAA Compliance
• HITRUST
• ITIL Compliance
• ISO-27002 Compliance
• NERC/FERC Compliance
• Mass 201 CMR 17 Compliance
• PCI Compliance
• NIST 800-53 Compliance
• SOX Compliance

Asset Management

In this section:
Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings
Interpreting Scan Results on the Dashboard

To review scan results:
1. Log on to Retina CS.
2. Select a date tab to update the view with metrics for the selected date range. Select the Custom dates tab and click the arrow to select a date range.
3. Hover over the pie chart to display the percent call out. Click on the graph to expand the display. Change the Counts to display the results by type. The values on the chart are calculated every 4 hours.

The middle pane displays the following information:
– Overall Threat Level – Plots attacks and vulnerabilities over time by severity.
– Asset Risk – Displays the risk for all assets in the environment. For more information on risk scores, see Risk Scores.
– Anomalies – Displays higher frequency malware/virus/spyware/attack/vulnerability occurrences, assets with higher risk, and ports/software with lower frequency.

The lower pane displays the following information:
– Critical Alerts – The event date and description.
– Completed Reports – The reports that ran.
– Operational Status – Information about scheduled scans, expired scans, expired reports, and long scans.
1. Click Show Status to display status detail, including the names of scans. Hover over the job icon to see more details.
2. Click the refresh button to update the information on the dashboard.

Reviewing Asset Details

On the Assets tab you can review your protected assets and determine if there are vulnerabilities, attacks, or malware compromising your assets.

To review asset information:
1. Select the Assets tab, and then select a Smart Group. Click the expand buttons to expand the assets pane.
2. Select an asset, and then click i. You can change properties for an asset. Click Edit. For more information, see Changing Asset Properties.

On the Asset Details pane, select an item to review more information.

Risk Scores

The risk score indicates the potential for an asset to be attacked. You can use the risk score to determine which assets need the most urgent attention. The asset risk score is calculated using factors such as: vulnerability, number of attacks, exposure (open ports, number of users, shares, for example), and overall threat level.

Risk scores range from 0 to 9.99:
• 0 indicates a low risk, or that there is no data available to determine a potential risk.
• 9.99 indicates the highest risk. The asset is most vulnerable to an attack.

An asset risk score is displayed in the following areas:
• Pie chart on the Dashboard page
• On the Assets tab
• Details page for each asset

Changing Asset Properties

You can use the Asset wizard to change the following asset properties: owner, active, and asset attributes such as business unit. Assign or change attributes to help organize and identify assets. For more information about attributes, see Working with Attributes. Run a discovery scan to populate the Assets pane.

To change the details for an asset:
1. Select the Assets tab.
2. Select an asset, and then click the i. Alternatively, double-click the asset to open the asset details pane.
3. On the Asset Details pane, click Edit.
4. Click Next on the Welcome page of the Asset wizard.
5. On the Edit Asset Details page, select the asset properties.
6. On the Edit Asset Attributes page, select the attribute values and then click Next. The default attributes that you can apply are: Geography, Business Unit, Criticality, and Manufacturer.
7. Review the settings, and then click Finish.

Changing the Display

You can change the information displayed on Retina CS pages, including:
• Columns
• Number of records displayed at one time
• Create filters to display records that meet the filter criteria

Setting Display Preferences

You can set display preferences on the following pages:
• Assets page
• Vulnerabilities page
• Agents page
• Jobs page
• User Audits page

Note that you can display a Domain and filter by Domain. If the domain name is not known or the asset is not part of a domain, then the field is blank. The Domain filter is not displayed by default.

To set display preferences:
1. Select the Assets tab.
2. Click the preferences button.
3. On the Preferences dialog box, set the following:
– Columns to Show - Select the check boxes for the columns that you want to display.
– Show Filter - Select to always display the filtering text boxes and lists. For more information, see Filtering Records.
– Records Per Page - Select the number of records to display at one time.
4. Click OK to close the Preferences dialog box.
5. Click the save preferences button to open the Save Preferences dialog box.
6. Select display settings, and then click Save Preferences.

Filtering Records

Create a filter to match certain records that you want to view on the page.

To set filtering on assets:
1. Select the Assets tab.
2. Select the show filter button to display the filter options.
3. Enter the filter criteria, and then click the button to apply the filter.

Managing Jobs

On the Jobs page, you can review:
• Active, scheduled, and completed scan jobs
• Active and completed Retina Protection agent deployments
• Active, scheduled, and completed reports
• Scheduled scans and scheduled reports in a calendar view
• SCCM package deployment status
• Windows event details

Reviewing Job Details

You can review job details for a scan (running or complete). On the Job Details page, you can review the number of assets scanned, the number of processes successfully scanned, the credentials used for the scan, and a drill-down to the assets scanned.

A target is defined in a scan as a combination of: a single IP address, a computer name, a list of IP addresses, a list of computer names, an IP range, and cloud devices. An asset is a device that is discovered from the range of targets defined in the scan. For example, the scan properties include these IP addresses in a range: 10.100.10.20 and 10.100.10.21. During the scan, there might not be a device attached to 10.100.10.20. That will be reflected in the numbers shown for Targets and Assets on the job details page.

The agent name indicates if the scanner is in a scanner pool. For more information, see Scanner Pooling.

To review job details:
1. Select the Jobs tab.
2. Select the Active tab for the Scans section.
3. Double-click a job to open the Job Details pane. In the following example, you can review the job details while the job is in progress.

Reviewing Scheduled Job Details

You can change the following settings for a scheduled job:
• Job name
• Smart Rule
• Credentials
• Schedule

The Last Refresh Date indicates the date when the Smart Rule was processed. Assets added or removed after the Last Refresh Date are not reflected in the Smart Rule. The Smart Rules are processed every 6 hours. Depending on the schedule and how frequently assets change in your environment, you might want to change the refresh rate. Otherwise, assets might not be included in the scan as you expect. For more information, see Refresh Settings.

Viewing Scheduled Scans in the Calendar View

You can review the scheduled scans in a calendar that shows a summary of the scans scheduled for the month.

To view the scheduled scans for the month:
1. Click the Jobs tab, and then click Scheduled in the Scans section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed scan.

Viewing Scan Event Details

You can review a summary of the gathered scan events.

Aborting or Pausing a Job
Changing Job Page Settings

Click the Job Page settings icon to change display settings. On the Job Grid Settings dialog box, you can configure the default job type, refresh intervals, and the maximum number of assets displayed on the page.

Mobility Scanning

In this section:
Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Configuring a PowerBroker Mobile Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices

Overview

A mobility scan scans mobile devices against scan templates to determine if there are any vulnerabilities. You can use the predefined scan templates that ship with Retina CS or create a custom scan template. Create a custom template to scan for particular device software and hardware versions.

Mobility scans run on the Retina CS server, and do not use a scanning agent. Running a mobility scan also retrieves information such as device ID, model, and serial number on BlackBerry and Android devices, and on mobile devices on an ActiveSync server.

After you create a mobility connector, a Smart Group is created. The Smart Group name is the same as the connector name. The Smart Group is populated with the devices that are detected when a scan runs.

Configuring a BlackBerry Connector

The BES connector, which uses RIM API technology, establishes a connection to the BlackBerry Admin service to retrieve the device information.

To configure a BlackBerry connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select BlackBerry.
4. Enter the following:
– General - Enter a name and description for the connector.
– Connection Details - Enter the information for the BES host. Use the port number where BES is configured to listen. Confirm the port number in your BlackBerry Admin service configuration.
– Synchronization - Select a synchronization schedule. During a synchronization, all BlackBerry devices connected to the BES host are detected, including software versions and any vulnerabilities found based on the audit group selected.
– Scan Options - Select an audit group.
5. Click Update. To run the scan now, click Scan Now. Scan Now is only available after you click Update.

A Smart Group is populated with the devices that are detected when the connector is created. Go to the Assets page to see the new Smart Group.

Configuring an Android Connector

To configure a connection to an Android mobile device:
• Create connection details on the Configure tab.
• Create a configuration file that you can email to your mobile device users.

To configure an Android connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select Android.
4. Enter the following:
– General - Enter a name and description for the connector.
– Connection Details - Enter the authentication key for the Android connector. Note that this connector opens port 21691 to communicate with Android devices. Ensure this port is available. Select the check box to allow Android devices that are using the configuration file to communicate with the server using an untrusted SSL certificate. Although this option is available, it is recommended to use a trusted SSL certificate.
– Synchronization - Select a synchronization schedule.
– Scan Options - Select an audit group.
– Distribution - Click Prepare Configuration File to generate a file that contains the server information for the connector. The device user needs the password to run the configuration file. Be sure to provide the configuration file password using another method so the Retina CS Server information in the configuration file remains secure.
5. Click Update.

After you create a connector, an Android connector Smart Group is displayed in the Assets pane. When a valid connection is established, the audits are downloaded to the mobile device. Scan results are then uploaded to the Retina CS server.

Deploying the Application to Android Devices

BeyondTrust Scanner for Android is available on Google Play. If you do not want to install the BeyondTrustScanner using Google Play, you can download the Android Package (APK) file from the Android Connector page. To install the BeyondTrustScanner APK on an Android device, you must enable the Unknown Sources setting.

You can manually deploy the app in the following ways:
• Email – Ensure your Android devices are configured to receive email.
– Email the APK file to the user's email address.
– Select the attachment to start the installation. The Android application installation dialog box is displayed.
• USB – Connect the Android device to your workstation. If prompted, enable USB File Sharing and Mass Storage modes.
– After your workstation recognizes the device, copy the APK file.
– Using a file management app from the Android Market (such as EStrongs File Manager or Linda), open the APK file to start the installation. The Android app installation dialog is displayed.
– After the application has been manually installed on the device, disable the Unknown Sources setting.

If you are using a configuration file, you can distribute the file now using email. The user must enter the configuration file password before the BeyondTrustScanner is automatically configured with the Server information in the file.

Configuring Settings on Android Devices

After the BeyondTrustScanner is installed on the device, the device user can run the configuration file. If you chose not to distribute the configuration file to your users, you can manually configure each mobile device using the BeyondTrustScanner Application's Settings.

To manually configure the Android application:
1. Tap the BeyondTrustScanner application.
2. Set the following on each device:
– Notifications - Tap to turn on notifications. Updates on the status of scans are displayed to the user.
– Asset Name - Tap to enter the name for the asset. This is the name that will be displayed on the Asset Details pane in Retina CS. By default, this is the user's Google account name.
– Server - Enter the IP address and port for the Retina CS server. Enter the default port (21691) that is opened when a connector is created.
– Authentication Code - Enter the authentication code that you entered when configuring the connection in Retina CS.
– Allow Untrusted SSL - Tap to allow untrusted SSL.
3. Click Synchronize. If your server settings are correct and your server is accessible, a list of Android Connectors that match the Authentication Code is displayed. To register the device with the Retina CS Server, select an Android Connector from the list.

Note that after the mobile device is configured to communicate with a Retina CS Server, the Scan Time is dictated by the Android Connector. Any Scan Time values that have been previously configured in the BeyondTrustScanner Application will be ignored.

Configuring an ActiveSync Connector

Create a connector to an ActiveSync server to scan all mobile devices associated with the server. Note that currently, Retina CS supports Windows Phone 7, iPhones, and Android mobile devices. While other mobile device types will be detected and scanned, some information might not be displayed (such as device type, model, OS).

To configure an ActiveSync connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select ActiveSync.
4. Enter the following:
– General - Enter a name and description for the connector.
– Connection Details - Click the Browse button to select the forest and domain where the Exchange Server resides.
– Credentials - Enter the credentials that can access the Exchange Server.
– Synchronization - Select a synchronization schedule.
– Scan Options - Select an audit group.
5. Click Update.

After you create a connector, an ActiveSync Smart Group is displayed in the Assets pane. The Smart Group will be populated with assets after a scan runs.

Reviewing Mobility Scan Results

You can review scan results on the Mobile tab. Double-click a device to open the details page.

Creating Custom Audits for Mobile Devices

You can create a custom audit for your mobile devices. The procedure to create a custom audit is the same as in Creating a Custom Audit. You can review the following table for details on audit types and audit details that are specific to mobile devices.

Audit Type: Audit Details
Mobile Software
  Provide information, including: software, version, if the software exists, and operating systems.
BlackBerry Device
  Provide attributes for BlackBerry devices: model, device ID, serial number, operating systems and versions.
ActiveSync Device
  Provide a list of device types and operating systems.
Android Device
  Choose from a list of Android attributes, including: model, manufacturer, release

Cloud Scanning

In this section:
Requirements
Amazon EC2 Requirements
VMWare VCenter Requirements
Configuring a Cloud Connector
Scanning Paused or Offline VMWare Images

You can run scans on the following cloud types: Amazon EC2, VMWare vCenter, Rackspace, GoGrid, and IBM SmartCloud.
Requirements

Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 Requirements

To use the Amazon EC2 connector, you must adhere to the following recommendations from Amazon:
• User accounts must have minimal permissions assigned (for example, describe instances).
• Small or Micro instances cannot be scanned.

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:
• ec2:DescribeInstances
• ec2:DescribeInstanceStatus
• ec2:StartInstances
• ec2:StopInstances
• ec2:DescribeImages

VMWare VCenter Requirements

You can scan VMWare virtual machines. Ensure the following requirements are in place before you configure the VMWare connector in Retina CS.
• Retina 5.17 or later
• Retina CS 3.5 or later
• VMWare Tools must be installed on the targets that you want to scan.
• Retina CS needs access to https://<VMWare server>/sdk through port 443.
• Log on to the VMWare web site and download the Virtual Disk Development Kit (VDDK): http://www.vmware.com/support/developer/vddk/
– Retina only supports version 5.1 of the VDDK. Ensure you copy the following file: VMware-vix-disklib-5.1.0-774844.i386.exe
– Run the VDDK installer on the Retina computer using local Administrator credentials.

Configuring a Cloud Connector

You can configure a cloud connector in one of the following ways:
• On the Configure tab.
• On-the-fly when you are creating a cloud connector Smart Group.

To configure a cloud connector and Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule.
3. Enter a title, description, and category.
4. Select Cloud Assets from the Asset Selection Criteria section.
5. Click the browse button to open the Manage Cloud Connections dialog box.
6. Click New, and then select the provider: Amazon EC2, VMWare VCenter, GoGrid, Rackspace, or IBM SmartCloud.
7. On the New Connection dialog box, enter the connector information:
– Amazon - For Amazon cloud connections, you must enter the region, access key ID, and secret access key. Instances associated with the region are displayed in the Connection Test Results section.
– GoGrid - Enter the user name and API key.
– IBM SmartCloud - Select the account type, and then enter the user name and password.
– Rackspace - Select the account type and the region, and then enter the user name and API key.
– VMWare vCenter - For VMWare cloud connections, enter the VMWare server name and credentials. Click Advanced to set a network for a VM if that VM needs to be turned on.
8. After you configure the connector, click Test to ensure the connector works. Click Save.
9. In the Perform Actions area of the Smart Rules Manager, select Show asset as Smart Group, and then click Save.

After you create a cloud connector, you can run a scan and review the results to determine if any cloud assets are vulnerable.

Scanning Paused or Offline VMWare Images

By default, paused or offline VMs are turned on during a scan. After the scan runs, the VMs are reverted to the paused or offline state.

If you suspect that a VM is suspicious, you can turn on the VM in another secure network where other VMs will not be under potential threat. When creating the connector, click the Advanced button. You can configure each host that is a member of the vCenter instance. The option that you select applies to all VMs on the host. The list of available options includes all other networks configured for your vCenter instance or on your ESX server.

To scan offline VMs, see Scanning VMDK Files. If you scan snapshots, the results are displayed as attributes on the details pane for the VM.
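The Amazon EC2 requirements above name five actions as the minimum for the connector's IAM user. The following Python is an added example, not code from this guide or from BeyondTrust: it reviews an IAM policy document offline against that minimum and flags missing actions, wildcard grants and unrelated extras. The policy documents are constructed, and the wildcard matching and the omission of Deny statements are a simplified model of IAM evaluation.

```python
"""Added example (not from the Retina CS User Guide or BeyondTrust): review an
IAM policy document for the Amazon EC2 connector user against the minimum
permission set the guide lists. Policies below are constructed samples."""
import fnmatch
import json

# The five actions the guide names as the minimum for enumerating targets
# and running a scan.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeImages",
})


def _as_list(value):
    """IAM allows either a string or a list in Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(policy: dict) -> list:
    """Action patterns from every Allow statement. Deny statements are not
    modelled here, which is a simplification of real IAM evaluation."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def pattern_covers(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def review_policy(policy: dict) -> dict:
    """Compares the Allow grants with REQUIRED_ACTIONS and reports the gaps:
    missing required actions, wildcard grants (broader than the minimum) and
    explicit actions the connector does not need."""
    patterns = allowed_action_patterns(policy)
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(pattern_covers(p, a) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    extra = sorted(p for p in patterns
                   if p not in wildcards and p.lower() not in required_lower)
    return {
        "missing": missing,
        "wildcards": wildcards,
        "extra": extra,
        "least_privilege": not (missing or wildcards or extra),
    }


def minimal_connector_policy() -> dict:
    """A policy granting exactly the required actions (constructed example;
    Resource is left as "*" here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


# Constructed policies a reviewer might encounter.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:DescribeImages", "s3:ListBucket"],
        "Resource": "*",
    }],
}


if __name__ == "__main__":
    print(json.dumps(minimal_connector_policy(), indent=2))
    for name, policy in [("minimal", minimal_connector_policy()),
                         ("overbroad", OVERBROAD_POLICY),
                         ("incomplete", INCOMPLETE_POLICY)]:
        print(name, review_policy(policy))
```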
Multi Tenant

Not supported in Retina CS Community.

In this section:
Overview
Smart Rules Manager
Working with Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant

Most Retina CS features are available with Multi Tenant, including:
• Smart Rules
• Patch management module
• Mobility connectors
Features not available include: exclusions, tickets, and report templates.

Overview

The Multi Tenant feature in Retina CS allows you to define multiple organizations (or tenants) where each organization’s asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can combine asset data across multiple organizations. You can easily switch between tenants on the Smart Groups browser pane and on the Smart Rules Manager page.

When you initially create an organization:
• The Default Organization is provisioned with an All Assets Smart Rule.
• The new organization is provisioned with an All Assets Smart Rule.

Smart Rules Manager and Browser Pane

All of the pre-packaged Smart Rules are part of the Global rules. When a pre-packaged Smart Rule is turned on, the Smart Rule applies to all assets in every organization. You can select the Global rules from the Smart Groups browser pane.

Create Smart Rules in the usual way. However, when using the multi-tenant feature, note the following:
• When creating a Smart Rule, you must select an organization. The credentials displayed are only for the selected organization.
• Credentials created when you create the Smart Rule are only associated to that organization.
For more information, see Creating a Smart Rule.

Working with Scan Credentials

You can create credentials when running a scan. When using the multi-tenant feature, you can create global credentials or credentials for an organization. All users can see global credentials. Correct permissions are needed to see tenant-specific credentials. It is recommended to create credentials specific to each tenant.

In the following scenario, XYZ Financial is the organization selected. You can choose to create credentials only for XYZ or select the Set as Global check box.

For more information about credentials, see Adding Credentials.

Quick Rules

When you create a quick rule from the Vulnerabilities page or the Attack page, the rule applies to whichever organization is selected in the Smart Groups browser pane. When you create a quick rule from the Address Group, you can select the organization.

Organization Filters

When working with more than one customer, use the Organization filters to see only assets, Retina scan agents, or Retina protection agents associated with a particular customer. The Organization filter is only displayed if more than one active organization is available to the currently logged-on user. Additionally, when managing your user groups, you can filter Smart Rules by organization.

Patch Management Module

If you are using Multi Tenant, note the following when using the Patch Management Module:
• For each WSUS server connection, you can select the organization.
• The list of available WSUS servers includes all global connections plus any specific to the organization.
For more information, see Patch Management Module.

Mobility Connectors

You can associate an organization with any of the mobility connectors. Select the organization when creating the connector. For more information, see Mobility Scanning.

Retina Protection Agents

A workgroup is required when deploying Retina protection agents in a Multi Tenant environment. Every Retina scanner agent or Retina protection agent must be assigned a workgroup. For more detailed information about deployment, see Deploying the Protection Policies.

Selecting a Workgroup

For unknown assets (assets not scanned by Retina CS), you must select a workgroup associated with the organization. Only workgroups associated with the organization are displayed. Assets might be unknown when using the settings:
• Single IP address
• IP range
• CIDR notation
• Named Hosts

For known assets (assets detected and in the Retina CS database), a workgroup does not need to be selected; the assets are already associated with a workgroup. Assets are known when using the settings:
• Currently selected Smart Group
• Currently selected Assets

Creating a Workgroup

When an organization is selected in the Smart Groups browser pane, you can enter a workgroup name if one is not already created for the organization. Note that you cannot enter a workgroup name when Global is selected in the Smart Groups browser pane. The workgroup name must be unique across all organizations; if you enter a name that exists, an error message is displayed.

Viewing the Workgroups Available

The workgroups displayed depend on the item selected in the Smart Groups browser pane:
• Global: All workgroups are displayed. The organization is in parentheses.
• Organization: Only workgroups associated with the organization are displayed.

You can add and delete workgroups. However, you cannot rename workgroups. You can only delete a workgroup if it is not associated with an organization.

Setting Up Organizations

Key steps in setting up the organization:
• Create a workgroup
• Create an organization
• Create a User Group

Step 1 Creating a Workgroup

Permissions: the Users Accounts Management permission is needed to assign workgroups to an organization.

A workgroup is typically created when the agent is initially deployed. Use the REM Client Configuration tool to create a workgroup.

To create the workgroup:
1. Log on to the asset where the agent resides.
2. Start the REM Client Configuration Tool.
3. Select the Enabled Application tab, and select the check box for the agent.
4. Select the Workgroup tab and enter a name and description.
5. Click OK.

Step 2 Adding an Organization

An organization is automatically populated with an All Assets Smart Group.

To create an organization and associate it with a workgroup:
1. Click the Configure tab, and then click the Organizations tab.
2. Click the Create New Organization button.
3. Enter the name of the organization.
4. The Active check box is selected by default and must be selected to successfully run scans on the tenant's assets.
5. Click the Create button.
6. Scroll to the Workgroups tab.
7. Click the edit icon for the organization, and then select the organization.
8. Click the check mark to save the changes.

Step 3 Creating a User Group for a Tenant

You can create a user group for a tenant. Creating a user group for a tenant is optional and only required if your client wants to run reports from Retina Insight. As a security measure, a tenant cannot log on to Retina CS; the users in the group can log on to Retina Insight and run reports.

When creating the user group, assign Read permissions to the tenant's Smart Rules. Additionally, ensure that you assign the Retina Insight permission. The users can then run reports based on the Smart Rules. For more information, see Managing Users.

Managing Users

Not supported in Retina CS Community.

In this section:
Creating User Groups
User Group Permissions
Access Levels
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users

Create user groups and user accounts so that your Retina CS administrators can log on to Retina CS.

Creating User Groups

You can create a user group based on the delegation model you designed for your Retina CS administrators. You can delegate Retina CS administrator responsibilities by explicitly assigning certain Read and Write permissions to a user group. When a user is added to a group, the user is assigned the permissions that are assigned to the group.

An Administrators user group is created by default. The user account you created when you configured Retina CS is a member in the group. The permissions assigned to the group cannot be changed.

After a user group is created, create and add user accounts to the group. Alternatively, you can add an Active Directory group. Members in that group can log on to Retina CS and perform tasks based on the permissions assigned to the group.

For a complete list of the Read and Write permissions available, see User Group Permissions.

To create a user group:
1. Select the Configure tab, and then select the Accounts tab.
2. Select the button to change the view between all users and all groups.
3. To create a user group, click + in the User Groups pane.
4. Select Group or Active Directory Group from the list. If you select Active Directory Group, the Select Active Directory dialog box is displayed.
   – If the Retina CS server is a member of a domain, the Forest name is automatically populated. Next, select a domain from the drop-down menu. A list of Security Groups in the selected domain is displayed. Note, however, that you might need to click Credentials if the Retina CS application pool identity does not have sufficient rights to query Active Directory.
   – If the Retina CS server is not a member of a domain, you need to set proper credentials first (click Credentials), and then enter a valid Forest name and click Go.
   – For performance reasons, a maximum of 250 groups from Active Directory is retrieved. If the selected domain contains more than 250 security groups, you can use the Group Filter field to shorten the displayed list. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Some examples of other filters are: a* (returns all group names that start with a), *d (returns all group names that end with d), *sql* (returns all groups that contain 'sql' in the name).
5. Enter a name and description for the user group, or Forest and Domain for an Active Directory group. These fields are required.
6. Select the Active check box to activate the user group. Otherwise, clear the check box and activate it later.
7. Select the permissions and access levels.
8. Select the Smart Rules and access levels to the rules.
9. Click Create.

Next, create and add user accounts.
User Group Permissions

Permissions in Retina CS must be assigned cumulatively. For example, if you want a Retina CS administrator to manage only Configuration Compliance scans, then you must assign Read and Write for the following permissions: Asset Management, Benchmark Compliance, Reports Management, Scan Job Management, Scan Management.

The following table provides information on the permissions that you can assign to your user groups.

Permission Name: Apply Read and Write to…
Asset Management: Create Smart Rules, create address groups, create Active Directory queries, and edit or delete on the Asset Details window, including PBW asset details and the exclusions page on the Configure tab.
Attribute Management: Add, rename, and delete attributes when managing user groups.
Benchmark Compliance: Configure and run benchmark compliance scans.
Credential Management: Add and change credentials when running scans and deploying policies.
Deployment: Activate the Deploy button. User groups can deploy policies.
File Integrity Monitoring: Work with File Integrity rules.
Manual Range Entry: Allows the user to manually enter ranges for Scans and Deployment rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.
Option Management: Change the application options settings (such as account lockout and account password settings).
Patch Management: Use the Patch Management module.
PowerBroker for Unix & Linux: Use the PowerBroker Servers module.
PowerBroker for Windows: Activates access to the PowerBroker for Windows features.
Protection Policy Management: Activate the protection policy feature and manage protection policies on the Configure tab.
Reports Management: Create, duplicate, and rename reports on the Manage Report Templates page (Configure tab). Activate New Report and New Report Category. Generate reports, create report categories, and subscribe to reports.
Retina CS Login: Access the Retina CS management console.
Retina Insight: Sign in to Retina Insight. Data between Retina CS and the Insight cube must be synchronized: after you create a user group for Retina Insight, go to the Configure tab in Insight and run the process daily cube job.
Scan Management: Run, delete, and edit scans.
Scan - Job Management: Activate the Scan and Start Scan buttons. Activates Abort, Resume, Pause and Delete on the Job Details page.
Scan - Port Groups: Create, delete, update and revert Port Group settings.
Scan - Audit Groups: Create, delete, update and revert Audit Group settings.
Scan - Policy Manager: Activate the settings on the Edit Scan Settings view. Activate the Update button on the Edit Scan Settings view.
Session Monitoring: Use the Session Monitoring features.
Ticket System: View and use the ticket system.
Ticket System Management: Mark a ticket as Inactive. The ticket no longer exists when Inactive is selected.
User Accounts Management: Add, delete, or change user groups and user accounts. Users without User Account Management permission can only edit their own user record.
User Audits: View audit details for Retina CS users (User Audits window).

Permissions Required for Configuration Options

Configure tab option: Permission
Accounts: Everyone can access.
Active Directory Queries: Asset Management
Address Groups: Asset Management
Attributes: Asset Management
Benchmark Management: Benchmark Compliance
Cloud Connections: Asset Management
Mobile: Asset Management
Organization: User Accounts Management
Patch Management: Patch Management
SCCM: Patch Management
Protection Policies: Everyone can access.
Scan Options: Scan Management
Services: Member of the built-in RCS Administrators group
User Audits: User Audits
Workgroups: User Accounts Management
Access Levels

Access Level: Description
No Access: Neither Read nor Write check boxes are selected. Users can only view the dashboard and corresponding views.
Read: Users can view selected areas, but cannot change information.
Read and Write: Users can view and change information for the selected area.

Creating User Accounts

User accounts create the user identity that Retina CS uses to authenticate and authorize access to specific system resources.

Checkpoint: You must create a user group before you can create a user account. A user account must be a member in a user group. For more information, see Creating User Groups.

To create a user account:
1. Select the Configure tab, and then select the Accounts tab.
2. From the Groups/Users button, select the Groups view.
3. Select a user group.
4. Click + in the Users pane. The User Details pane is displayed.
5. Complete the First Name, User Name, Email Address, Password, and Confirm Password. These fields are required.
   Note: If you are changing the password, see Reset Retina CS Account Password.
6. Enter the user’s phone numbers (optional).
7. Select the User Active check box to activate the user account.
8. Select the Account Locked check box to lock the account.
9. Select an Activation Date and an Expiration Date for the user account.
10. Select one or more user groups from the list and click Add.
11. Click Create.

When you delete a user account or group that is assigned tickets, a dialog box is displayed where you can reassign the ticket to another user or group.

Later, after you create a user, you can configure user settings, for example, change the group membership.

To edit a user:
1. Select the Configure tab, and then select the Accounts tab.
2. Change the view to the Users view.
3. Select a user account and change the group membership.

Reset Retina CS Account Password

You can change the password for a Retina CS user account.

To reset a user password:
1. Select the Configure tab, and then select the Accounts tab.
2. Change the view to the Users view.
3. Select the user name from the Users pane.
4. Click Reset Password.
5. Enter the new password.
6. Click Update.

Auditing Retina CS Users

You can track the activities of your Retina CS administrators. You can review:
• Logon and log off times
• IP address where the admin logged on from
• Any actions taken

The following example shows that the Administrator added and then removed an address group.

If there are a lot of audit activities, you can use the search feature to display only those that are relevant. You can also configure display preferences and filters to refine the information displayed. For more information, see Changing the Display.

Adding Credentials

You can create the following credential types:
• SSH
• Windows
• MySQL
• Microsoft SQL Server
• Oracle

To add a credential:
1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.
2. Click Add.
3. Select a credential type from the list: Any, Windows, MySQL, MS SQL Server.
4. Enter the user account information: domain, user name, password, and key. If you are creating Microsoft SQL Server credentials, select the authentication type.
5. If you are creating more than one credential, you can use the same confirmation key for all credentials. Select the Use the same key for all check box, and then enter the key.
6. Click Save.

For SSH credentials, see Creating an SSH Credential. For Oracle credentials, see Creating Oracle Credentials.
Creating an SSH Credential

You can create Public Key Encryption credentials to connect to SSH-configured targets. You can select a credential that contains a public/private key pair used for SSH connections. DSA and RSA key formats are supported. A public key is generated based on the contents of the private key. Retina scanner agent version 5.14 (or later) is required to support this feature.

Optionally, when configuring SSH, you can select to elevate the credential:
• Use sudo. Using sudo, you can access scan targets that are not configured to allow root accounts to log on remotely. You can log on as a normal user and sudo to a more privileged account. Additionally, you can use sudo to elevate the same account to get more permissions: use the user name provided in the Username box and leave the sudo user name blank.
• Use pbrun. Using pbrun, you can elevate the credential when working with PowerBroker Servers for Unix & Linux target assets.

To create an SSH credential:
1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.
2. Click Add.
3. From the Type list, select SSH.
4. Enter a description and user name.
5. Select an authentication type from the list:
   – Password: Enter a password.
   – Public Key: Enter the private key file name and passphrase. Click Browse to navigate to the file.
6. To elevate credentials, select one of the following from the Elevation list (elevating credentials is optional):
   – sudo: Enter a sudo user name and password.
   – pbrun: Enter the pbrun user name.
7. Enter a key.
8. Click Save.

Creating Oracle Credentials

If you are scanning Oracle databases, you can create Oracle credentials. The tnsnames.ora file is updated automatically after you create an Oracle credential.

To create Oracle credentials:
1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.
2. Click Add.
3. From the Type list, select Oracle.
4. Provide a user name, description, and password.
5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.
6. Select additional connection options:
   – Connect To: Select from Database SID or Named Service.
   – Host: Enter the host name where the Oracle database resides.
   – Port Number: Enter a port number.
   – Database SID: Enter the database SID.
   – Protocol: Select a protocol: TCP, TCPS, or NMP.
7. Click Save.
Adding Credentials for Active Directory Access

You can add credentials to access a particular Active Directory domain. Add credentials for each forest/domain combination.

To add Active Directory credentials:
1. Click the Configure tab, and then select the Accounts tab.
2. Click + and select Active Directory Group.
3. Click Credentials.
4. Click Add.
5. Enter the forest name, domain name, user name, and password. Enter the user name using the format: <domain name>\user name. Otherwise, the domain you enter in the Domain box is used.
6. Click Test. Success is displayed when the credentials provided can successfully contact the domain.
7. Click OK.
8. Click Save.

Setting Retina CS Options

In this section:
Account Lockout Options
Account Password Options
Auto Update Options
Display Options
Email Notification Options
Maintenance Options
Proxy Settings
Refresh Settings

Account Lockout Options

Not supported in Retina CS Community.

You can set lockout options, such as lockout threshold and duration.

To set account lockout parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Lockout Options.
3. Set the following account lockout options:
   – Account Lockout Duration: Sets the number of minutes the user is locked out.
   – Account Lockout Threshold: Sets the number of times a user can try their password before the account is locked out.
   – Account Lockout Reset Interval: Sets the number of unsuccessful password entry attempts before generating a reset notification.
   – Unlock Account upon Password Reset Notification: Select the Yes check box to email a new password and unlock the account when Forgot Your Password is selected. If not selected, an email is sent with a new password but the account is not unlocked.
4. Click Update.

Account Password Options

Not supported in Retina CS Community.

You can set account password parameters, such as a complexity requirement and password length.

To set account password parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Password Options.
3. Set the following password options:
   – Password Must Meet Complexity Req.: Requires users to adhere to complex password rules when creating a password.
   – Enforce Password History: Enter the number of passwords a user must create before an old password can be reused. Enter 0 to not enforce a password history; there are no restrictions on using past passwords when 0 is entered.
   – Maximum Password Age: Enter the maximum number of days before a password must be changed.
   – Minimum Password Age: Enter the minimum number of days that a password must be used before it can be changed.
   – Minimum Password Length: Enter the minimum number of characters for the password.
4. Click Update.
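To show how these lockout and password options interact, here is an added example (not Retina CS code) that models the lockout threshold, duration, reset notification and unlock-on-reset behaviour together with the complexity, history, minimum length and minimum/maximum age rules. Every threshold, password and time in it is constructed, and time is counted in plain minutes so each step can be followed by hand.

```python
"""Model of the Account Lockout Options and Account Password Options described above.
Added example, not Retina CS product code: the rule semantics follow the option
descriptions in this section; every value and time below is constructed.
Times are plain minutes so the behaviour can be stepped through by hand."""
import hashlib
import re

MINUTES_PER_DAY = 24 * 60


def _digest(pw):
    # Illustration only; a real credential store uses a salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()


class PasswordPolicy:
    """Account Password Options: complexity, history, min length, min/max age."""

    def __init__(self, complexity=True, history=5, min_length=8,
                 min_age_days=1, max_age_days=90):
        self.complexity = complexity
        self.history = history              # 0 = past passwords may be reused
        self.min_length = min_length
        self.min_age = min_age_days * MINUTES_PER_DAY
        self.max_age = max_age_days * MINUTES_PER_DAY

    @staticmethod
    def _meets_complexity(pw):
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        return sum(bool(re.search(c, pw)) for c in classes) >= 3

    def validate(self, new_pw, previous_hashes):
        """Return the names of violated rules; an empty list means acceptable."""
        problems = []
        if len(new_pw) < self.min_length:
            problems.append("min_length")
        if self.complexity and not self._meets_complexity(new_pw):
            problems.append("complexity")
        if self.history and _digest(new_pw) in previous_hashes[-self.history:]:
            problems.append("history")
        return problems


class Account:
    """Account Lockout Options applied to one user's sign-in attempts."""

    def __init__(self, password, lockout_threshold=3, lockout_duration=30,
                 reset_interval=5, unlock_on_reset=True, policy=None):
        self.policy = policy or PasswordPolicy()
        self.history = [_digest(password)]    # newest password last
        self.changed_at = None
        self.threshold = lockout_threshold    # Account Lockout Threshold (attempts)
        self.duration = lockout_duration      # Account Lockout Duration (minutes)
        self.reset_interval = reset_interval  # attempts before a reset notification
        self.unlock_on_reset = unlock_on_reset
        self.failures = 0
        self.locked_until = None
        self.reset_notified = False

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def login(self, password, now):
        """Return 'ok', 'bad_password' or 'locked' for an attempt at minute `now`."""
        if self.is_locked(now):
            return "locked"
        if _digest(password) == self.history[-1]:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.locked_until = now + self.duration
        if self.failures >= self.reset_interval:
            self.reset_notified = True
        return "bad_password"

    def forgot_password(self, new_pw, now):
        """'Forgot Your Password': a new password is issued by email; the account is
        unlocked only when 'Unlock Account upon Password Reset Notification' is Yes.
        Returns True if the user can sign in afterwards."""
        self.history.append(_digest(new_pw))
        self.changed_at = now
        self.failures = 0
        if self.unlock_on_reset:
            self.locked_until = None
        return not self.is_locked(now)

    def change_password(self, new_pw, now):
        """Apply the password options; returns the violated rules (empty on success)."""
        problems = self.policy.validate(new_pw, self.history)
        if self.changed_at is not None and now - self.changed_at < self.policy.min_age:
            problems.append("min_age")
        if not problems:
            self.history.append(_digest(new_pw))
            self.changed_at = now
        return problems

    def password_expired(self, now):
        """Maximum Password Age: True once the current password is older than allowed."""
        return self.changed_at is not None and now - self.changed_at > self.policy.max_age
```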
Auto Update Options

Retina CS contacts the Update Server to retrieve the latest product and audit updates. Downloading updates ensures your assets are secure against the latest vulnerabilities. By default, Auto Update is turned on.

To activate Auto Update:
1. Select Options.
2. On the Application Options dialog box, expand Auto-Update Options.
3. Select the Yes check box.
4. Click Update.

Display Options

You can turn on auto-expansion and set the number of items to display per page.

To set display options:
1. Select Options.
2. On the Application Options dialog box, expand Display Options.
3. Select the Yes check box to turn on auto-expansion.
4. Enter the number of items to display per page.
5. Select the Yes check box to open the report in a new window. This feature is available only with reporting on existing data.
6. Click Update.

Email Notifications

The email notification sends an email when an error occurs while running reports. The email address is stored in the Retina CS database.

Note: Email settings are initially set in the Retina CS configuration tool. Ensure that you use the same information here.

To add an email address for notification:
1. Select Options.
2. On the Application Options dialog box, expand Email Notification Options.
3. Enter an email address in the From Email Address box.
4. Verify the SMTP server name and port.
5. Enter the user name and password.
6. Click Update.

Maintenance Options

You can remove collected data from the Retina CS database. Not all maintenance options are supported in Retina CS Community.

To specify the maintenance options:
1. Select Options.
2. On the Application Options dialog box, expand Maintenance Options.
3. Configure the number of days to retain data: for each option, enter the number of days that pass before data is purged.
   Each option shows its default value (7, 30, or 90 days, depending on the option) and a recommended retention period of 7, 30, or 90 days; however, this can vary for different environments.
   – Purge Chart Data Older Than: Purges chart data.
   – Purge Application Events Older Than: Purges the application events sent by the protection agent and Retina agents.
   – Purge General Events Older Than: Purges the raw information sent by the protection agents and Retina agents.
   – Purge Scans Events Older Than: Purges the raw information sent by the protection agents and Retina agents.
   – Purge Windows Events Older Than: Purges the raw information sent by the protection agents.
   – Purge Attack Events Older Than: Purges the information sent by the protection agents.
   – Purge Attacks Older Than: Attacks are discovered by the protection agent.
   – Purge Audit Data Older Than: Purges audit data.
   – Purge Application Log Files Older Than
   – Purge Asset Attributes Older Than
   – Purge Assets Older Than: This covers assets that were discovered once, but are never discovered again (the asset might be inactive or removed). Recommended: 90 days.
   – Purge Scans Older Than
   – Purge Vulnerabilities Older Than: The vulnerabilities are displayed in the Vulnerabilities module until fixed or purged. Once the data is purged, the vulnerabilities are removed from the database. The default value is 90 days.
   – Purge Retina Agent Jobs every N days: Purges jobs. Enter 0 if you do not want to purge the jobs. The default value is every 30 days.
   – Purge Closed Tickets Older Than: Enter the number of days before closed or inactive tickets are deleted. The calculation for purging ensures the ticket is closed and uses the date the ticket was last updated, not the due date. For example, a ticket has a due date 60 days in the future but the ticket was closed and not edited for over a week. If the purge setting is set to 7, then the ticket is purged even though the due date is in the future.
   – Purge PBW Events Older Than: Purges the PowerBroker for Windows events.
   – Purge FIM Events Older Than: Purges the File Integrity events captured by PowerBroker for Windows.
   – Purge PBUL Events Older Than: Purges the events sent by PowerBroker Servers.
   – Server Localization: en-US. Reserved for future use.
4. Click Update.
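As an added example (not Retina CS code), the following function applies the closed-ticket purge rule described above: a ticket is removed only when it is closed or inactive and its last-updated date is older than the purge setting, regardless of its due date. The sample tickets and the "today" date are constructed.

```python
"""Which tickets the 'Purge Closed Tickets Older Than' maintenance option removes.
Added example, not Retina CS code: it implements the rule stated in the guide (the
ticket must be closed or inactive, and age is measured from the last-updated date,
not the due date). Dates are ISO strings; the sample tickets are constructed."""
from datetime import date

PURGEABLE_STATES = {"closed", "inactive"}


def should_purge(ticket, purge_days, today):
    """True if the ticket is closed/inactive and was last updated more than
    purge_days days before `today`. The due date is deliberately ignored."""
    if purge_days <= 0:           # treat 0 as "do not purge", as with agent jobs
        return False
    if ticket["status"].lower() not in PURGEABLE_STATES:
        return False
    last_updated = date.fromisoformat(ticket["last_updated"])
    age_days = (date.fromisoformat(today) - last_updated).days
    return age_days > purge_days


def tickets_to_purge(tickets, purge_days, today):
    """Return the sorted ids of the tickets the maintenance job would delete."""
    return sorted(t["id"] for t in tickets if should_purge(t, purge_days, today))


# Constructed sample: 'today' is the guide's date, purge setting is 7 days.
SAMPLE_TICKETS = [
    # The guide's example: due 60 days out, closed and untouched for over a week.
    {"id": "T-1", "status": "Closed", "last_updated": "2013-06-01", "due": "2013-08-09"},
    # Closed but updated yesterday: kept.
    {"id": "T-2", "status": "Closed", "last_updated": "2013-06-09", "due": "2013-05-01"},
    # Still open and long overdue: kept, because only closed/inactive tickets purge.
    {"id": "T-3", "status": "Open", "last_updated": "2013-03-01", "due": "2013-04-01"},
    # Inactive for a month: purged.
    {"id": "T-4", "status": "Inactive", "last_updated": "2013-05-10", "due": "2013-06-30"},
]

if __name__ == "__main__":
    print(tickets_to_purge(SAMPLE_TICKETS, 7, "2013-06-10"))  # ['T-1', 'T-4']
```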
Proxy Settings

You can configure a proxy server if the Retina CS server does not have direct Internet access.

To set up a proxy server:
1. Select Options.
2. On the Application Options dialog box, expand Proxy Settings.
3. Select the Yes check box.
4. In the Address box, enter the IP address or domain name of the proxy server.
5. Enter the user name and password for the proxy server.
6. To override any local proxies, select the Yes check box.
7. Click Update.

Refresh Settings

You can set refresh intervals for scan jobs and Smart Rules. Scans can run more efficiently when Smart Rules are set to refresh at longer intervals.

To set refresh settings:
1. Select Options.
2. On the Application Options dialog box, expand Refresh Settings.
3. Set the number of minutes for each refresh interval:
   – Maximum job refresh frequency (minutes): Retina CS jobs are refreshed at the interval entered here. When the refresh occurs, updates to schedules, scanners, and Smart Rules are applied to the job. The default value is 60 minutes.
   – Maximum Smart Rule Refresh Frequency for asset updates (minutes): Sets the refresh interval for Smart Rules. Asset changes (assets added to or removed from the Smart Rule) that occur between refreshes are reflected in the rule at the next refresh. The default value is 360 minutes (6 hours).
4. Click Update.

Maintenance

In this section:
Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
Diagnostics
Monitoring Services
Creating a Support Package

Viewing Status for Scanners and Agents

You can review details about your deployed Retina scanners and protection agents. Use the Agent Details page to determine if scanners or agents are out of date.

To view agent details:
1. Select the Assets tab.
2. Select Agents.
3. Click the i button to review additional information.

The Agent Details page displays the following: IP address, computer name, domain, OS, workgroup, and agent name and versions.

Note that you can change viewing preferences for the Agents page. You can select preferences and create filters to determine the list of agents and scanners that are displayed. For more information, see Changing the Display.

Determining if a Retina Agent is Available

A Retina scanner agent might lose connectivity to Central Policy, in which case the agent might not be able to accept the job request. You can determine connectivity in the following places:
• When you are setting up a scan, there is a warning icon next to an agent name.
• On the Agents page for Vulnerability Scanners, there is a warning icon in the Retina Last Updated column.
Ensure the computer hosting the Retina agent is online.
Removing Retina Agent Files

Clean Retina CS records for scheduled, queued, and completed jobs. Ensure your Retina CS administrators are assigned the Scan Management permission. For more information, see Creating User Groups.

To clean Retina agent files:
1. Select the Assets tab, and then select the Agents tab.
2. Expand Agents and Scanners.
3. Select the agent in the list, and then click i.
4. Click Agent Maintenance.
5. Select the maintenance options:
   – Clean Retina Files: Deletes files from the following directory: C:\Program Files (x86)\eEye Digital Security\Retina 5\Scans
   – Clean RCS Files: Removes all jobs for the selected agent, including scheduled, queued, and completed jobs.
   – Reschedule existing scheduled jobs: When the Clean RCS Files check box is selected, you can select this check box to reschedule jobs automatically.
6. Click Reset Engine to restart the Retina CS services.
7. Click OK to save the settings.

Configuring a Failover Agent

Not supported in Retina CS Community.

You can configure a backup agent to provide redundancy in case an agent fails. You can configure a failover agent timeout on the Configure tab; the default timeout is 15 minutes.

To configure a failover agent:
1. Click the Assets tab.
2. Click the Agents tab, and then click Vulnerability Scanners.
3. Select an agent, and then click i.
4. On the Agent Details pane, click Configure Failover Agent.
5. Select an agent. The Failover Agent field displays the name of the agent that you select.
6. Click OK.

Creating a Support Package

Create a support package that can be used by BeyondTrust Technical Support. The package includes:
• All logs in the Retina CS Logs folder.
• Certain database tables that contain information on Retina Protection agents and Retina scanner agents and their jobs.
• Storage size statistics on the Retina CS database.

To generate the package:
1. Select Help > Generate Support Package.
2. Click Generate Support Package.
3. Click Save File.
4. Save the .zip file and email it to your Technical Support representative.

Diagnostics

Not supported in Retina CS Community.

In this section:
Monitoring Services

Monitoring Services

On the Services page, you can:
• Turn on debug logging
• View the log files
• See the status of the service (Running, Stopped, Paused)
• Change credentials for the service

To review Retina CS services:
1. Select the Configure tab.
2. Select the Services tab.
3. Click View to open and review details in the log.
4. Click Email to send the log to selected email addresses.

To turn on debug logging:
1. Select the Configure tab.
2. Select the Services tab.
3. Click Enable Debug Logging. All Retina CS services are restarted if you turn on debug logging.

Turn off debug logging after you finish troubleshooting Retina CS to improve performance.

To change the credentials for the service:
1. Select the Configure tab.
2. Select the Services tab.
3. Click the button as shown:
4. Enter the credentials, and then click OK.
In this part:
Retina Scanner Agents
PowerBroker for Windows
Patch Management Module
System Center Configuration Manager
Retina Protection Agents
PowerBroker Servers for Unix & Linux
PasswordSafe
Regulatory Reports Pack
Configuration Compliance Pack

Retina Scanner Agents
In this section:
Discovery Scanning
Running a Discovery Scan
Discovering Assets Using a Smart Group
Discovering Assets Manually
Running a Vulnerability Scan
Reviewing Vulnerability Scan Results
Creating a Quick Rule
Excluding Vulnerabilities
Remediating Vulnerabilities
Setting CVSS Metrics
Setting CVSS Environmental Metrics
Setting Base and Temporal Metrics
Configuring Retina Agent Scan Options
Performance Settings
Timeout Values
Event Routing
Setting Restrictions on Scan Times
Configuring General Scan Options
Scanner Pooling

Discovery Scanning
Run a discovery scan to locate network assets, such as workstations, routers, laptops, and printers. A discovery scan also determines if an IP address is active. You can periodically repeat the discovery scans to verify the status of devices and programs and the delta between the current and previous scan. It is recommended that you run a discovery scan at a regular interval (for example, on a monthly or weekly schedule). Full vulnerability scans can then run only on known targets. Note that discovered assets do not count toward your license.
Typically, for a discovery scan, you want to ensure that all types of systems are detected, and credentials are not necessary. However, setting credentials for other types of scan templates is recommended. After assets are detected, you can run audit scans using credentials to ensure more thorough scan results.

Running a Discovery Scan
You run a discovery scan in the same way as a vulnerability scan. See Running a Vulnerability Scan for a step-by-step procedure. However, setting credentials is not required. Review the following recommended Discovery scan settings:
• On the Set Scan Options page, here are some recommended settings:
Perform OS Detection – Select this check box.
Perform Traceroute – Select this check box. Note that the scan is slower when this option is selected.
Randomize Target List – Select this check box.
Enumerate * – Clear all enumerate check boxes.
• On the Scan Policy Options page, change the settings on the Edit Scan Settings page. See Configuring Scan Settings.
• Discovery ports. The default TCP discovery port list: 21, 22, 23, 25, 80, 110, 139, 443, 445, 554, 1433, 3389

Discovering Assets Using a Smart Group
You can discover assets when the Smart Group filter is an address group, Active Directory query, or Cloud connector. Any assets online since the Smart Group was last processed are detected when the Use to discover new check box is selected.
Key steps:
• Create an address group or Active Directory query that includes the IP address range or domain. See the step-by-step procedures: Creating an Active Directory Query or Creating an Address Group.
• Create a Smart Group that includes the address group or query as the filter. Ensure the discover assets check box is selected. Alternatively, you can create the address group or query on-the-fly when you are creating the Smart Group.
If you create an address group that includes a /19 CIDR block, that range includes 8190 potential assets (the discovery scan will always try to discover that many assets). Keep this in mind when you are reviewing scan results. Use more than one scanner to distribute the coverage across the network.

Discovering Assets Manually
You can discover assets manually by entering a host name, IP address, or address range when running a discovery scan. Note that you can use the Discover New assets check box on any scan.
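The following Python is an added example, not code from the Retina CS guide or from BeyondTrust. It expands a target list written in the formats the guide accepts (single IP, IP range, CIDR block, or host name, comma separated), reports the entries Retina CS would drop without a message, counts the potential assets in a CIDR block (8190 for a /19, as above), and shares the targets across several scanners one by one, the round-robin distribution that Scanner Pooling later in this chapter describes. The scanner names and sample targets are constructed.

```python
"""Expand a Retina CS style target list and share it across a scanner pool.

Added example, not from the Retina CS guide or BeyondTrust. The scanner
names and sample targets below are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Host names as permitted by RFC 1123 (labels of letters, digits, hyphens).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Anything made only of digits, dots, "-" and "/" is meant to be an address.
_ADDRESS_LIKE_RE = re.compile(r"^[0-9./-]+$")


class TargetList(NamedTuple):
    targets: List[str]  # expanded, in the order entered
    invalid: List[str]  # entries Retina CS would silently skip


def _expand_entry(entry: str) -> List[str]:
    """Expand one entry; raises ValueError if it is not a valid target."""
    if "/" in entry:
        # CIDR block: usable hosts only, so a /24 gives 254 and a /19 gives
        # 8190, the figure the guide quotes for a /19 address group.
        net = ipaddress.ip_network(entry, strict=True)
        return [str(h) for h in net.hosts()]
    if "-" in entry and _ADDRESS_LIKE_RE.match(entry):
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or last < first:
            raise ValueError(f"bad address range: {entry}")
        return [str(ipaddress.ip_address(int(first) + i))
                for i in range(int(last) - int(first) + 1)]
    if _ADDRESS_LIKE_RE.match(entry):
        return [str(ipaddress.ip_address(entry))]
    if _HOSTNAME_RE.match(entry):
        return [entry]  # named host, resolved by the scanner at scan time
    raise ValueError(f"not an address, range, CIDR block or host name: {entry}")


def parse_targets(text: str) -> TargetList:
    """Parse a comma separated Named Hosts string into scan targets.

    Retina CS drops an invalid address without any message; here every
    entry that would be dropped is reported in ``invalid`` so the operator
    can fix it before the job runs.
    """
    targets: List[str] = []
    invalid: List[str] = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            targets.extend(_expand_entry(entry))
        except ValueError:
            invalid.append(entry)
    return TargetList(targets, invalid)


def potential_assets(cidr: str) -> int:
    """Number of hosts a discovery scan will try for an address group block."""
    return len(_expand_entry(cidr))


def distribute_round_robin(targets: List[str], scanners: List[str]) -> Dict[str, List[str]]:
    """Assign targets to pooled scanners one by one (Round Robin Asset
    Distribution), so each scanner receives an even share of the range."""
    if not scanners:
        raise ValueError("at least one scanner is required")
    shares: Dict[str, List[str]] = {s: [] for s in scanners}
    for i, target in enumerate(targets):
        shares[scanners[i % len(scanners)]].append(target)
    return shares


# Constructed sample entry in the formats the guide allows; the last entry
# is deliberately invalid to show that it is reported rather than dropped.
SAMPLE_ENTRY = "10.10.10.1, 10.10.10.4-10.10.10.8, 192.168.10.0/24, fileserver01, 10.10.10.999"
SAMPLE_SCANNERS = ["scanner-east", "scanner-west", "scanner-dmz"]  # constructed names

if __name__ == "__main__":
    parsed = parse_targets(SAMPLE_ENTRY)
    print(f"{len(parsed.targets)} targets, skipped entries: {parsed.invalid}")
    for scanner, share in distribute_round_robin(parsed.targets, SAMPLE_SCANNERS).items():
        print(f"{scanner}: {len(share)} targets")
    print("a /19 address group covers", potential_assets("10.0.0.0/19"), "potential assets")
```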
The scan results on the Assets page reflects the number of assets found. Tip: Ad hoc Scanning You can enter any combination of IP address. Separate the entries using a comma. 10. then Retina CS automatically updates the scheduled job on the agent with the list of assets in the selected Smart Group as they change. For a complete list of report templates. 2. 10. or list named hosts.10. Currently selected Assets. or select the Assets tab and click Scan. 3. see Reports Templates and Audit Groups. you can create Smart Groups.168.10. You can enter more than one named host.0/24 Note.1. however. For example. 2013 112 . To run a scan: 1. • Determine the assets to include in the scan.10. For example. and CIDR notation in the Named Hosts box. Expand Scan and select one of the following: Currently selected Smart Group. Separate the entries using a comma. you must select a report template to determine the scope of the scanning. you can individually select the assets to scan.10.8. If you select Currently selected assets and select a schedule other than Immediate. 192. Select a report and click Scan. a Single IP. IP address range. ensure the following is in place: • When you run a scan in Retina CS.4-10. enter IP address ranges.Retina CS User Guide Retina Scanner Agents Running a Vulnerability Scan Before setting up your scan settings. an IP Range. Note that on the Assets page. or Named Hosts for the assets selected. BeyondTrust® June 10.10. if an IP address is invalid no error message indicates the address is invalid and will not be scanned. a CIDR Notation.20. Select the Dashboard tab and click Assess.10. Click Test Credential to ensure the correct credentials are entered. click + and select users or user groups. Otherwise. you can use the same confirmation key for all credentials. DOC. e. 5. and key. – Email report to .Retina CS User Guide Retina Scanner Agents 4. The test only applies to Windows credentials. 
Expand Benchmark Compliance Profile and select a scan profile.Select this option if you want to only scan and collect the results. Expand Report Delivery to select the report delivery options. NONE. If you are creating more than one credential. f. 7. Benchmark scans only. Note that the test is not to ensure access to target assets. You can store credentials to reuse later.Type a job name. Email notification is sent when the scan and report are complete. – Export type . 6. Separate entries using a comma. Alternatively. – Do not create a report for this vulnerability scan . Select the new credential and click OK. b. 2013 113 . Alternatively.Select a report format: PDF. a. To add credentials. – BeyondTrust® Agent . Enter the password. click + and select users or user groups. – Notify when complete . Click Save. the default job name is used. XLS. Expand Credentials Management and enter the credentials. June 10. For more information.Select the check box and enter email addresses. You can use Active Directory credentials or Retina CS web server credentials. d.Select the check box and enter email addresses. and then enter the key. The report will be emailed to the users entered. – Job Name . Select the Use the same key for all check box. click the pencil.Select the computer where the scan engine resides. Click Add. Expand Advanced to select the agent to run the scan. see Adding Credentials. c. Separate entries using a comma. description. No report will be generated. The export types available depend on the report selected. 10. Scans will not run during those times. You can delete or change the recurring scan job later on the Jobs page. – Weekly – schedules jobs every week selected (1-52).Select to schedule jobs to run one time. or every x number of days. Click Start Scan.Select to run the job now. the scan runs during the server time zone.Select one of the following: – Daily – schedules jobs for weekdays. Click the squares to set the restricted time frame. 
BeyondTrust® June 10. 8.Select the check box to display a scheduling grid. Options include the first/second/third/fourth and last day of the month selected. the scan can be aborted when the restriction window starts. 11. – One Time . If scans are scheduled to run during a scan restriction. Click Show Status to view the progress of the scan. Enter the number of days. – Monthly – schedules jobs for the day of the month selected for every month selected. – Recurring .Select the check box to store OVAL test results to the Retina CS database. – Immediate . This applies to one-time scans and recurring schedules. See Managing Jobs. starting on the day of the week selected. Select Abort the scan if it takes longer than and enter the time in minutes to restrict the length of time the scan runs. You can also view the progress on the dashboard or through the Jobs page.Store OVAL Test in database . Select the check box to apply this setting. 9. – Benchmark Scans only.Retina CS User Guide Retina Scanner Agents – Use job-specific Scan Restrictions . For more information. Select the start time and date. 2013 114 . see Setting Restrictions on Scan Times. Expand Schedule to select a schedule: Note: If the server and client computers are located in different time zones. select the following to review more information: – Exploit Count . 3. exploit information associated with the CVE-ID is also displayed.The number indicates the assets affected by the vulnerability. Click and to expand the vulnerabilities pane. and module URL. You can create Smart Rules based on vulnerabilities. refer to Microsoft documentation. 2013 115 . In some cases. For more information. Select the Assets tab. June 10. For any vulnerability with a CVE-ID.Retina CS User Guide Retina Scanner Agents Reviewing Vulnerability Scan Results After you run vulnerability scans you can review the results to determine the assets that are vulnerable and require remediation. Click the button to review the database. 4. 
Click i to view more information about a vulnerability. Select Vulnerabilities. – BeyondTrust® Assets . 2. You can set display preferences and create filters to change the information displayed on the Vulnerabilities page. You can view vulnerabilities that can be exploited. On the Vulnerabilities Details pane. To review the results: 1.The number indicates the exploits on the vulnerability. The index values correspond to the values that are provided in security bulletins issued from Microsoft. see Changing the Display. Using this tool can provide additional filtering selected assets. exploits are displayed that are not associated with a CVE-ID. The Microsoft Exploitability Index is also included in the Exploits information. module. For more information on interpreting the index values. In the Attacks.The number indicates the available resources for remediation of the vulnerability. – Patches . you can click the arrow to create a Quick Rule that instantly creates a grouping of assets in the Smart Groups pane. solution. or Malware view. – More Information . IA Controls. you can organize assets linked to a specific vulnerability.Retina CS User Guide Retina Scanner Agents Click the button to expand the details pane and review the asset information.The number indicates the STIGs associated with the vulnerability. see Managing Patch Updates. Click i to open the STIG Details window. see Excluding Vulnerabilities. or malware by creating a Quick Rule. You can also set or remove an exclusion property on the vulnerability. and CVSS score. attack. BeyondTrust® June 10. For more information. references. You can review the following information: MACs. – STIGs .Click to open the Vulnerability Details window to view a description of the vulnerability. Click the button to expand the details pane. Creating a Quick Rule After you run a scan. Vulnerabilities. Systems Affected. For more information.The number indicates the patches that can fix the vulnerability. 
Click the button to review more information about the patches. References. – References . 2013 116 . PCI severity. Select a web site to find out more information on the vulnerability. you can ignore these scan results. 2013 117 . The report includes the reason for the exclusion and the expiry date. Select the Assets tab. To set or remove the exclusion property on a vulnerability: 1. You can run the Vulnerability Exclusions report to keep track of the exclusions. Select the Vulnerabilities tab. accepted vulnerabilities (a false positive) might be reported in the scan. Depending on your environment. vulnerabilities will be reported in your scan results. Note: Vulnerability exclusions do not apply to the parent Smart Group when the exclusion is set at a child Smart Group. During an audit. if Anonymous FTP is configured on your network.Retina CS User Guide Retina Scanner Agents Excluding Vulnerabilities You can exclude vulnerabilities from the display and only view those that require remediation to satisfy regulatory compliance. Records for exclusions reside in the database. BeyondTrust® June 10. you can remove the exclusion on the record. For example. Since this type of vulnerability does not require remediation (patch or compliance updates). 2. – Reason/Note . 4.Select the expiration date on the exclusion.Retina CS User Guide Retina Scanner Agents 3. – Exclude Vulnerability .Provide a detailed description on why the vulnerability is excluded. Malware Toolkit Vulnerabilities A malware toolkit can be detected if there is one associated with a vulnerability. Select the Assets tab. For example.Select to set or remove the exclusion. The reason is required and is displayed in the Vulnerability Exclusions report to help you keep track of the exclusions. 2013 118 . – Expiration Date . 5. select the options: – Action . On the Manage Vulnerability Exclusion dialog box. Click the Exclusions check box for a vulnerability. Click Save. Select a vulnerability and click the i. 
Select the Vulnerabilities tab. The exclusion applies to all assets.Select the Smart Group where you want to apply the exclusion. BeyondTrust® June 10. 3. You can also select Globally. To see if a vulnerability belongs to a malware toolkit: 1. you might want to note that the vulnerability is an accepted false positive. 2. Setting CVSS Metrics Depending on your security plan. The Mitigation column provides information on action to take to remediate the vulnerability. Review more information about the malware toolkit and the recommended mitigation action.Retina CS User Guide Retina Scanner Agents A red T indicates that the vulnerability is associated with a malware toolkit. you might want to change CVSS scores. See Working with Tickets. and then click Vulnerabilities. Remediating Vulnerabilities You can remediate vulnerabilities by viewing solutions on the Vulnerability Details page. 1. 2. 4. You can use the ticket system to assign a vulnerability or attack to a member of your security team. Click i for a vulnerability. Click View Toolkits. 2013 119 . Select the Assets tab. A description and solution are displayed. BeyondTrust® June 10. Changing the score indicates to your security team the urgency to remediate a vulnerability. Select the Assets tab. you can update CVSS scores on the Vulnerabilities page. You can create a Smart Group that includes the assets where you want to assign the environmental metrics. To set the environmental metrics on assets: 1. Later when you edit the Smart Group. You can configure: • Environmental scores using the Smart Rules Manager. and set the Smart Rule criteria that determines the scope of the assets. 2013 120 . Setting CVSS Environmental Metrics The environmental metrics are based on your security plans. 6. Click New Rule. 
Select the metrics from the corresponding lists.Retina CS User Guide Retina Scanner Agents You can change the base and temporal values to change the CVSS score (depending on the weight of the vulnerability and the urgent nature to remediate the vulnerability). BeyondTrust® June 10. • Base and temporal scores using the Vulnerability Details page. 3. Click Save. Refer to the CVSS Scoring Guide. as shown: Setting Base and Temporal Metrics After you create a Smart Group that contains the assets with the preferred environmental metrics. Enter a name and description. In the Perform Actions area. 5. 2. 7. the Show asset as Smart Group list is also displayed. Click Manage Smart Rules. You must be familiar with CVSS scoring definitions and concepts. 4. select Set Environmental CVSS Metrics. Determine the level of impact a vulnerability has on your assets and assign environmental metrics accordingly. Change the base and temporal values. 5. The CVSS score and CVSS vector change as you change the base and temporal metrics. 2. 7. Click Vulnerabilities. 6.Retina CS User Guide Retina Scanner Agents To change the CVSS metrics for a vulnerability: 1. Click the pencil. Click the vector link to go to the National Vulnerability Database CVSS v. Select the Smart Group with the environment metrics configured.2 Calculator web site. Select the Assets tab. Select a vulnerability. BeyondTrust® June 10. 4. and then click i. 2013 121 . 3. Click Save. 4. Hover on the items to display vulnerability information. 2. Click the nodes on the map. Click Map. 5. select a Smart Group and view only those vulnerabilities you are interested in. 2013 122 . To filter the information displayed in the network map. The network map might disappear when you select other menu items or options on the window. Click Home to display the network map again. Select the Assets tab. 
BeyondTrust® June 10.Retina CS User Guide Retina Scanner Agents Reviewing Asset Risks on the Network Map On the network map you can review the assets at risk in your environment.0 SE Update (or later) to display correctly. To review assets using the network map: 1. 3. The network map requires Sun Java 5. Select the check box to override the TCP connection limit. 3. 2. The maximum is 128 targets. Click the Scan Options tab. such as known services not being found or known open ports not being identified.Retina CS User Guide Retina Scanner Agents Configuring Retina Agent Scan Options Not supported in Retina CS Community. Performance Settings The number of scan targets can affect server performance and scan quality. To improve performance. You can configure Retina scan options to improve performance and reliability.Set the number of targets to scan simultaneously. – Adaptive Scan Speed . 4. increase the ping timeout value. June 10. you can: • Reduce the number of targets • Adjust the scan speed downward • Override the TCP connection limit to increase the scan speed If you override the TCP connection limit. The result is an unresponsive or slow server or poor scan quality. 2013 123 .Set the delay between bursts of packets sent during a SYN scan. 1 = longest delay 5 = almost no delay – BeyondTrust® Enable TCP connection limit override . configure the following settings: – Number of Simultaneous scan targets . Click the Configure tab. To configure scan options: 1. Timeout Values Configure ping and data timeout values to compensate for network latency. Click the Scanner tab. the TCP incomplete connections limits are removed for all applications during the scan. If pings are not returning in time for Retina to detect them. In the Performance area. Defines risks associated with specific or unlikely circumstances. increase the timeout value.Enter the number of seconds. In the Reliability area. BeyondTrust® June 10. Click the Configure tab. 5. 
including: • Port information • Services • General scan information To turn on event routing: 1. – Data Timeout . This is not available for Windows NT or Windows 2000. 2. 2013 124 . 3.If the Retina agent is not receiving complete data from assets or hosts when services are under heavy load. but can be useful to the administrator to assess the security. Audits include a risk level that corresponds to the severity of the vulnerability detected. configure the following settings: – Ping Timeout . Click the Scan Options tab. Select the Enable Event Logging check box. 5. 4. Click Save. Click Save. – High . Select the risk level of the audits to include in routing to Retina CS.Retina CS User Guide Retina Scanner Agents Note: The TCP Connection Limit Override is available on Windows XP SP2 and later and Windows 2003 SP1 only. Click the Event Routing tab.Describes serious security threats that would allow a trusted but non-privileged user to gain access to sensitive information. 6. – Medium . – Information . Event Routing Turn on event logging to send scan data to Retina CS.Details host information that does not necessarily represent a security threat. – Low . 6.Indicates vulnerabilities that severely impact the overall safety and usability of the network. Select a start time and frequency. Click the Configure tab. otherwise running scans are paused and then resume when the scan restriction ends. 5. 2. Click the squares to set the restricted time frame. • Global. To automatically check for updates. Configuring General Scan Options To configure general scan options: 1. configure the following settings: – Check for updates to a schedule . Select the Use Global Scan Restrictions check box to apply the global settings. select the logging check box. you might want to override scan restrictions already set for that agent. Select the Scan Options tab. BeyondTrust® Click the Scan Options tab. Select the Configure tab. 3. 
Configure the restricted scan time when you are configuring the scan. Select the Abort in progress scans check box to stop all scans that are running when the scan restriction window starts. Click the General tab. Apply scan restrictions on: • One scan only. 5. From the Agent list. If you select an agent. To turn on logging. 3. 2013 125 . June 10.Retina CS User Guide Retina Scanner Agents Setting Restrictions on Scan Times You can set a scan restriction so that scans will not run during the restricted time frame. To set a scan restriction on all scans: 1. 2. Configure the restricted scan time on the Configure tab. 4. select an agent or select Global. 4. 9. 7. Set maintenance options to purge Retina information. Click Save. The default value is 15 minutes. see Configuring a Failover Agent. Set the minutes that pass before Retina checks for updates from the Central Policy server. – Number of seconds to prompt before launching .Enter the number of seconds to wait before starting the updater. 6. BeyondTrust® June 10. Set a timeout value for a failover agent. 2013 126 . To configure a failover agent.Retina CS User Guide Retina Scanner Agents – Check for updates when launching Retina .Select the check box to check for updates when you start Retina. 8. Select the Assets tab. 4. When more than one scanner is selected for a scan job. Select the distribution algorithm. or use the "Set Scanner" action in a Smart Rule to lock a set of scanners to that Smart Group. and then click Manage Smart Rules. 2013 127 . To use scanner pooling. 7. and then select Set Scanner. 5. Note that when using scanner pooling. the list of target assets is divided among the selected scanners in a round-robin style. Click the +. Enter a name and description. To lock a scanner agent to a Smart Group: 1. evenly distributing the target scan range. 6. From the Perform Actions area.Targets are assigned to scanners one-by-one. – Round Robin Asset Distribution . 
Click New Rule.Retina CS User Guide Retina Scanner Agents Scanner Pooling You can use scanner pooling to select more than one scanner agent when scanning a large number of assets. 2. select Show asset as Smart Group. This method balances the distribution of scan targets. Click the browse button to select the scanners to associate with the Smart Group. select more than one scan agent when running a scan. 3. BeyondTrust® June 10. you cannot automatically generate a report when a scan finishes. Each child Smart Rule will always use the scanner assigned in the child Smart Rule when this distribution algorithm is used. This ensures that scanners assigned in child Smart Rules will not scan across other child targets. Note that on the Job Details page. Click Save. BeyondTrust® June 10.The Rule Locked distribution algorithm is designed and recommended for multiple scanner jobs where child Smart Rules are defined in a parent Smart Rule. 8. the agent name indicates if the scanner is part of a pool. 2013 128 .Retina CS User Guide Retina Scanner Agents – Rule Locked Asset Distribution . and how they are launched. This data includes information about the applications being used. June 10. deploy the rules to your managed assets. install Retina CS on a compatible host with the proper prerequisites or install an appliance with the solution from BeyondTrust. and information about which users have administrator privileges. An administrator loads a Group Policy Option (GPO) snap-in onto an asset that uses the Microsoft Management Console (MMC). • Sort and filter data into useful reports and generate PowerBroker rules for applications based on user needs for privilege elevation. • Configure Session Monitoring in PowerBroker for Windows and review the events in the Retina CS console. the privileges they require. Overview u PowerBroker for Windows (PBW) is designed to integrate directly into your corporate Active Directory (AD) structure without modifying your existing schema. 
• Deploy PowerBroker for Windows policies to your assets. Upload the policies to Retina CS and using the Central Policy technology. Create your PowerBroker for Windows rules and policies as usual using PowerBroker for Windows. For more information about the PowerBroker reports available in Retina CS. 2013 129 . • Create File Integrity rules in PowerBroker for Windows and manage the results in Retina CS. you can: • Collect privilege-related event log data from assets. see PowerBroker for Windows Reports. This is a best practice approach for discovering applications and the construction of quick and concise rules for any user or computer.Retina CS User Guide PowerBroker for Windows PowerBroker for Windows Using Retina CS and PowerBroker for Windows together. Note: Before you can use the Application Discovery functions of PowerBroker to create rules. BeyondTrust® An administrator can then create policies and rules that are stored in the AD domain. Retina CS User Guide PowerBroker for Windows An administrator can also access the Retina CS management console through a web interface to run reports or create additional rules based on collected events from the environment. or remote clients labeled “4”) they receive policy from the domain controller that is processed by the PBWagent. As domain assets log on (servers. and PowerBroker Windows events. workstations. 2013 130 . This enforces privilege identity management rules on the endpoint and sends status events back to Retina CS for additional reporting. and rule creation. The PBWagent is installed on each device and can be distributed through a software delivery solution or even through GPO. You can set filters based on the PowerBroker client. BeyondTrust® June 10. Windows events. Creating a Smart Group You can create a Smart Group to organize your PowerBroker assets. trending. The PowerBroker Rule XML dialog box is displayed. To create a PowerBroker for Windows rule: 1. On the Retina CS console. Publisher. 
Creating PowerBroker Rules
You can create rules after event data is collected from PowerBroker for Windows. The rule types that you can create from Retina CS include Publisher, Path, Hash, ActiveX, and MSI. Exclusion rules can also be created. For more detailed information about rules, refer to the PowerBroker for Windows product documentation. For detailed instructions on Smart Groups, see Working with Smart Rules.

Note: There are two ways that you can view events: Rollup and All. The Rollup view displays all events grouped by Message, EventType, Application/ActiveX, RuleType, Path, then Hash. In the Rollup view you can select more than one event. In the All view, select one event at a time.

1. On the Retina CS management console, select the Assets tab, and then click the PowerBroker tab.
2. Click the arrow for the events and select the rule type.
3. Copy the XML code to the collection in the PowerBroker for Windows GPMC snap-in.

Including Arguments in a Rule
When you are creating a rule you can include arguments. Arguments can be included when creating the following rule types: Path and Hash. Creating rules for a denied application (28698) will include arguments when the check box is selected. Select the Yes check box on the Application Options dialog box.

Marking Events to Exclude
You can exclude events from rules. For example, you might want to exclude certain applications that are flagged as requiring administrative privileges. Retina CS provides a predefined list of these exclusions. This list contains applications that are commonly incorrectly detected as requiring administrative privileges.

To exclude events:
1. Click the Configure tab, and then click Exclusions.
2. Select an existing exclusion or click + to create an exclusion.
3. Select the exclusion type:
– Admin rights – Excludes all events that match the 'path' for the exclusion you chose. You must provide the full path. For example, C:\Windows\HelpPane.exe
– Application Exclusion – Excludes all events that match the application you are excluding. You must provide the application name only. For example, HelpPane.exe
– Publisher Exclusion – Excludes all events that have the same 'publisher' value. You must follow the format: "O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
Any exclusion path with a "*" will recurse directories. For example, c:\windows\system32\* will exclude any executables in system32 and any executables in a subdirectory of system32.
4. Click Save.

Deploying and Managing Policies Using Retina CS
You can configure PowerBroker for Windows to use Central Policy to deploy policies through Retina CS rather than using GPMC. During the installation of PowerBroker for Windows, you can choose to deploy policies using Central Policy. For more information about deploying PowerBroker for Windows, refer to the PowerBroker for Windows product documentation.

Ensure the following Central Policy setting is selected:

Reviewing Policies
You can review the list of policies available from PowerBroker for Windows on the Configure tab.

Deploying Policies
Create your rules and policies in PowerBroker for Windows as usual. Create Smart Rules to determine the assets where the policies need to be deployed.

To use Retina CS to deploy PowerBroker for Windows policies:
1. Log on to Retina CS, and then go to the Smart Rules Manager.
2. Select the PowerBroker for Windows assets and the policy that you want to deploy.
3. Click Save.

Session Monitoring
You can track the following events:
• Keystroke logging
• Mouse events
• Process events
• Screen captures
The events are configured in PowerBroker for Windows. For more information on configuring session monitoring, refer to the PowerBroker for Windows Installation Guide.

Note: To use this feature you must have the Session Monitoring license key activated. Contact your BeyondTrust representative for more information.

Viewing Events on the Session Viewer
To view events:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session Monitoring.
3. Click i for a particular asset.
4. Double-click an event (or click i) to view more details about the event on the right pane.

Filtering Events
You can filter the events that are displayed in the Session Viewer. On the Session Viewer page, you can view more details about the events.

Viewing Screen Capture Events
When viewing screen captures, you can zoom in and zoom out, and scroll through all of the screen captures saved during the session. If there is more than one monitor for an asset, the Session Viewer displays the following titles: Display1, Display2, ...

Saving Session Data
You can save the session monitoring data to a zip file to view the information offline at a later time.

To save session data to a file:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session Monitoring.
3. Click the arrow for an asset, and then select Download Session Data.
4. Save the file to the preferred location. It might take a few minutes to save the file depending on the number of events captured.
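The exclusion formats described under Marking Events to Exclude, worked in code: the following PowerShell is an added example, not code from the Retina CS guide or from BeyondTrust. It derives a Publisher Exclusion string from a binary's Authenticode signer and tests whether a file path falls under a path exclusion, applying the rule that a trailing "*" also covers subdirectories. Two assumptions are made that the guide does not state: that the 'publisher' value PowerBroker compares corresponds to the O, L, S and C fields of the signer certificate subject, and that path comparison is case-insensitive.

```powershell
# Added example (not from the Retina CS guide or BeyondTrust): helpers for preparing
# PowerBroker exclusion values. Assumptions: the 'publisher' value compared by a
# Publisher Exclusion corresponds to the O/L/S/C fields of the signing certificate's
# subject, and path exclusions compare case-insensitively. Requires PowerShell 3.0+ on Windows.

function Get-PublisherExclusionString {
    <#
    .SYNOPSIS
    Builds the "O=..., L=..., S=..., C=..." publisher string for a signed executable.
    Returns $null (with a warning) when the file has no valid Authenticode signature, so an
    unsigned binary is never silently turned into an empty or wrong exclusion.
    #>
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        Write-Warning "$Path has no valid Authenticode signature (status: $($sig.Status))"
        return $null
    }
    # Subject is an X.500 string such as
    # "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US".
    # Split on commas that are outside double quotes so quoted values containing commas survive.
    $parts = [regex]::Split($sig.SignerCertificate.Subject, ',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')
    $rdn = @{}
    foreach ($p in $parts) {
        $kv = $p.Split('=', 2)
        if ($kv.Count -eq 2) { $rdn[$kv[0].Trim().ToUpperInvariant()] = $kv[1].Trim() }
    }
    $missing = @('O', 'L', 'S', 'C') | Where-Object { -not $rdn.ContainsKey($_) }
    if ($missing) {
        Write-Warning "Subject lacks field(s): $($missing -join ', '); the exclusion format requires O, L, S and C"
        return $null
    }
    return ('O={0}, L={1}, S={2}, C={3}' -f $rdn['O'], $rdn['L'], $rdn['S'], $rdn['C'])
}

function Test-PathExclusion {
    <#
    .SYNOPSIS
    Returns $true when $FilePath would be covered by a path exclusion, using the rule from
    the guide: an exclusion ending in "\*" also matches executables in subdirectories,
    while an exclusion without a wildcard must match the full path.
    #>
    param(
        [Parameter(Mandatory)][string]$Exclusion,
        [Parameter(Mandatory)][string]$FilePath
    )
    $f = $FilePath.ToLowerInvariant()
    $x = $Exclusion.ToLowerInvariant()
    if ($x.EndsWith('\*')) {
        # c:\windows\system32\* covers c:\windows\system32\foo.exe and c:\windows\system32\drivers\bar.exe
        $prefix = $x.Substring(0, $x.Length - 1)   # drop the "*", keep the trailing backslash
        return $f.StartsWith($prefix)
    }
    return ($f -eq $x)
}

# Usage with constructed sample paths (the exclusion values are the guide's own examples):
Test-PathExclusion -Exclusion 'c:\windows\system32\*' -FilePath 'C:\Windows\System32\drivers\etc\tool.exe'
Test-PathExclusion -Exclusion 'C:\Windows\HelpPane.exe' -FilePath 'C:\Windows\HelpPane.exe'
Test-PathExclusion -Exclusion 'C:\Windows\HelpPane.exe' -FilePath 'C:\Windows\System32\HelpPane.exe'
Get-PublisherExclusionString -Path "$env:SystemRoot\System32\notepad.exe"
```

Deriving the publisher string from the actual signer avoids a mistyped exclusion that silently matches nothing, and testing a wildcard exclusion against real paths before saving it shows exactly which subtree it would exempt from admin-rights events.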
Patch Management Module
The Patch Management module requires a license to activate the feature set. Contact your BeyondTrust representative.

In this section:
Overview
How Patching with WSUS Works
How a Patch Deployment Works
Third-party Patch Deployment
Connecting to a WSUS Server
Requirements
Adding a Connection
Connecting to a Downstream Server
Installing the WSUS Administration Console
Registering Smart Groups
Redeploying Configuration
Approving Patch Updates
Reviewing Patch Details
Deleting Patches
Third-Party Patching
Generating a Certificate
Subscribing to Vendor Patch Updates
List of Supported Vendors

Overview
Use the Patch Management Module to deploy important patches to selected assets. Retina CS uses WSUS as the patching engine and effectively becomes a management console to WSUS. You must be familiar with WSUS features to understand the Retina CS integration with WSUS.

How Patching with WSUS Works
Retina CS integrates with WSUS to facilitate Microsoft and third-party patching. The WSUS client is built into the Microsoft OS; however, it needs to be enabled and configured for WSUS by making changes to the registry. In typical WSUS-only environments this is accomplished through GPOs. When using Retina CS, clients are enabled and configured through Retina CS. Clients periodically check WSUS for approved patches, which are then downloaded and installed. Retina CS becomes a management console for WSUS.

Note: Using the Patch Management Module does not override any automation policies you might have in place with your existing Windows Server Update Services (WSUS) configuration. Those policies are retained and applied as usual.

The Retina CS configuration and patch deployment process is outlined here:
• Configure a Retina CS connection to an existing WSUS Server.
• Configure Smart Groups for patch management. This configures members of the Smart Group, i.e. the clients, for WSUS.
• Identify and approve patches.

How a Patch Deployment Works
• Patches are approved in Retina CS; consequently, they are marked as approved in WSUS.
• The client polls WSUS for any relevant, approved patches.
• Optionally, per the Smart Group settings, the client may be notified that approved patches are available and then prompted to download and install them.
• Patches are downloaded to the client.
• Optionally, per the Smart Group settings, the client may be notified that patches have been downloaded and then prompted to install them.
• Patches are automatically installed per default settings.
• The new patch status is sent to WSUS.
• Retina CS retrieves the current patch status from WSUS.

Third-party Patch Deployment
Third-party patching is the same as Windows patching with the following differences at these steps:
• Third party patches are sent to the client with the third-party certificate that was generated when the connection to WSUS was created.
• The certificate from WSUS is verified against the existing certificate on the client that it received when its associated Smart Group was enabled for patch management. Trust is now established for third party patch deployment per Microsoft requirements.

Connecting to a WSUS Server
To deploy patch updates, you must connect to a Windows Server Update Services (WSUS) server. If you are working in a larger environment and use downstream servers to apply patch updates, you can create connections to the downstream servers in the Patch Management configuration. This helps distribute the workload of applying patches to many assets.

Requirements
Installing on Windows Server 2003 SP1
• Microsoft IIS 6.0. Ensure the user installing and configuring WSUS is a member in the group IIS_WPG.
• Update for BITS 2.0 and WinHTTP 5.1 (http://go.microsoft.com/fwlink/?LinkID=47251)
• Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
  32-bit (http://go.microsoft.com/fwlink/?LinkID=68935)
  64-bit (http://go.microsoft.com/fwlink/?LinkID=70637)
• Microsoft Management Console 3.0 for Windows Server 2003 (KB907265)
  32-bit (http://go.microsoft.com/fwlink/?LinkID=70412)
  64-bit (http://go.microsoft.com/fwlink/?LinkID=70638)
• Microsoft Report Viewer Redistributable 2005 (http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1

Installing on Windows Server 2008
• Microsoft IIS 7.0. Ensure the following components are turned on:
  – Windows Authentication
  – ASP.NET
  – IIS 6.0 Management Compatibility
  – IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005 (http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1
Note that .NET Framework 2.0 and the BITS 2.0 update are part of the Windows Server 2008 OS.

Adding a Connection
You can create a connection to an upstream and downstream server. Note that downstream servers are configured in WSUS. The downstream server synchronizes with the upstream server to manage patch updates. All updates and approvals occur on the upstream server.

Note: The WSUS Administration Console must be installed if WSUS and Retina CS are not on the same server. For more information, see Installing the WSUS Administration Console.

To connect to a WSUS server:
1. On the Retina CS console, select Configure, and then click the Patch Management tab. Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials for the server. Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.
4. After you connect to a WSUS server, set the following options:
– Synchronization – Select the time that you want to synchronize the patches with the WSUS server. The schedule determines the frequency that WSUS checks with Microsoft Update Servers for new patches. If this is a new installation, the initial synchronization can take several hours depending on the number of items selected in the Products and Classifications section.
– Products and Classifications – Select the updates to subscribe to.
– Third Party Certificate – Generate or import a certificate to subscribe to vendor patch updates. For more information, see Third-Party Patching.
– Downstream Servers – Displays the downstream servers for the selected server. A downstream server is displayed with a green arrow.
– Groups – Select the check boxes for the groups that already exist in WSUS. Note that the Groups feature is not supported in Retina CS Community.
5. Click Save. After you click Save, a patch-enabled Smart Group for each WSUS group that you selected is displayed in the Smart Groups browser pane.

Connecting to a Downstream Server
When you configure assets for patch updates in the Smart Rule, you can choose the downstream server that will apply the updates and patches to the assets. If you are using downstream servers, increase the frequency of the synchronizations per day. Increasing the frequency ensures that all assets receiving updates from the downstream server are updated when the approvals are applied on the upstream server. In the Patch Management Configure area, select synchronization frequency, credentials, and how you want patches applied. Additionally, you can view information on upstream servers and whether any downstream servers are configured on that upstream.

Installing the WSUS Administration Console
You must install the WSUS Administration Console if you want to connect to an installation of WSUS on a different server. Download the WSUS 3.0 Administration Console installer file: http://go.microsoft.com/fwlink/?LinkId=88321
After you install the administration console, start the console and verify that you can connect to the WSUS server that will be configured as the active software update point.

Registering Smart Rules
Registering the group adds the group to the WSUS server database. The assets in the group are then available for the updates. A Smart Rule is required. For more information, see Creating a Smart Rule. Ensure the credentials provided can access the registry and install the certificate on the target asset. If an asset is a member in two groups, the patch update applied will be the most recent one.

You can review the status of a patch group on the Asset Details pane (select the Assets tab, then click i). If the status is registered, patches can be approved and installed on the patch group.

Checkpoint – Create a Smart Rule to associate with the patch update schedule.

To register patch updates for a Smart Group:
1. Select the Assets tab.
2. Click Manage Smart Rules and then click New Rule.
3. Select an existing category or create a new category.
4. Enter a name and description for the patch group.
5. Select the asset matching criteria. Select Asset fields from the list, then select matching criteria: Last Updated Date, Current Policy, Pending Policy, Status, Wsus Status, or Patch Install Schedule.
6. From the Perform Actions area, select Enable for Patch Management, then select values for the following:
– Credentials – Click the browse button to open the Manage Patch Credentials page. Create or select the preferred patch credentials. The credentials apply only to the Patch module. The credentials are not related to vulnerability scans or the WSUS server connection.
– WSUS Servers – Select the WSUS servers from the list.
– Important Updates – Select if you want to:
  Download and install updates automatically – Client computers poll WSUS at the selected day and time and download and install approved updates.
  Download updates but let me choose if the updates are installed – Client computers poll WSUS at regular intervals (1 hour by default), and download approved and relevant updates. After download, notifications are sent to the system log and notification area of Retina CS.
  Check for updates but do not download.
– Every / At – Select a day and time the client computers will poll the WSUS server. Updates are installed during the time that you selected in step 6.
– Retry registration of errored Patch Management assets – Select the check box to try registration again if the initial registration attempt fails.
7. Click Save.

After the group is registered, the following occurs:
• The client is contacted by one of three methods, listed in priority:
  – If the client has the Retina Protection Agent (v. 7 or greater), a service running on the endpoint, registry changes occur through the Central Policy connection.
  – If the client does not have the RPA, registry changes occur through the Remote Registry API. The supplied credentials must have permissions for Remote Registry. The Remote Registry service must be enabled on the client.
  – If the first two fail, then registry changes are facilitated through WMI.
• The client is configured for WSUS and then pointed to the WSUS Server. Retina CS uses the supplied credentials to access and edit the client's registry. All other relevant registry parameters are set. For more information, see:
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• Optionally, Retina CS downloads the third party certificate to the client.
• The client is now configured to poll WSUS for any approved updates. Note that polling may not occur immediately and it may take up to 6 hours for WSUS clients to display as patch-enabled assets in Retina CS; this is standard WSUS client behavior.
After clicking Save, the patch group is displayed in the Smart Groups browser pane.

Redeploying Configuration
You might need to redeploy the Smart Rule configuration settings in the following scenarios:
• Registry settings are not properly set on the client
• Certificate for 3rd party patching not properly set
Select Redeploy Configuration to apply the settings in the Patch-enabled Smart Rule.

Approving Patch Updates
After you register a Smart Group for patch updates, you must approve the patches that you want to apply to the assets. Track the status of patch updates on the Patch pane. On the Approvals page, you can filter the patch status to determine the patches that are installed, not installed, failed, and more. By default, only critical updates are displayed. To view the number of patch updates installed and not installed, hover on the icon.

Note that on the Approvals page, the most recent patches available are always displayed. Any older patches superseded by new patches are no longer displayed. You can, however, select the Show Superseded Patches check box to review older patches not applied. Patches are superseded when a new patch is available. Microsoft patches are superseded automatically when a synchronization occurs with WSUS. To display the Superseded column, click the Preferences button and then select Superseded. To view superseded patches, select the Show Superseded Patches check box.

After a patch group is registered, you can access the last accessed group through the Mitigate button on the Dashboard.

To approve patch updates for registered Smart Groups:
1. Select the Assets tab, and then select Patch.
2. Select a registered Smart Group from the browser pane.
3. Click the Filters button and select the filters. You might need to change the filters to display the relevant patches.
4. Select a patch, and then select Approve.
5. Select the All Groups check box to apply the patch to all registered patch Smart Groups, or select the check box for a particular Smart Group. If you select All Groups, and a group already has approved patches, the menu changes to Keep existing approvals. This ensures that all previously approved patches will still be deployed at the scheduled time.

Click Apply Patch Now to install the update to the designated assets. When selected, the clients are forced to check in with WSUS. The patch is applied immediately regardless of the installation settings in the Smart Group associated with the clients. Note that the client evaluates and downloads the patch before the installation occurs. The credentials in the Smart Group are used to apply the patch. The assets are set to check in with the WSUS server every hour.

Select Decline to remove the patch from the Not Installed list. Selecting Not Approved will not apply the patch to the selected Smart Group; however, the patch is still displayed in the Not Installed list.

Reviewing Patch Details
Click i to review more information about the update.
1. Select the Assets tab, and then select Patch.
2. Select an asset, and then click i.

Deleting Patches
You can delete patches either on the Asset details page or on the approval page where patches are listed.

Third-Party Patching
You can download and deploy patches for third-party products such as Adobe, WinZip, and Apple. For a complete list, see List of Supported Vendors. You can subscribe to vendor patches through the Retina CS Configure tab.

Generating a Certificate
After setting up a connection to WSUS, a Third Party section is available. A message indicates that a certificate is required when you initially log on and go to the Third Party section. The certificate establishes trust between the WSUS server and the client. You can use the Import button on the Third Party Certificate tab to import an external certificate or use the Generate button to create a self-signed certificate. Click Generate.

Note that if the upstream server has a third-party certificate, then the downstream server automatically receives the certificate. The certificate feature is not available for only downstream servers. If the WSUS connection is configured to use SSL.

Self-signed Certificates
If you are using a self-signed certificate for 3rd Party Patching, sometimes Windows will automatically delete it. If Windows finds a discrepancy with an intermediate certificate on the server, it will check it against their list of approved SSL certificates. If it does not match, Windows will remove it and log the following in the application log:
Event ID: 4108 Successful auto delete of third-party root certificate

To disable this feature and keep your root certificate installed:
1. Click Start > Run > "gpedit.msc" > OK.
2. Double-click Administrative Templates > System > Internet Communication Management.
3. Select Internet Communication settings.
4. Double-click Turn off Automatic Root Certificates Update.
5. Select Enabled, and then click OK.

Subscribing to Vendor Patch Updates
To subscribe to vendor patch updates:
1. Select the Configure tab, and then select Patch Management.
2. In the Products and Classifications section, select the vendor patches that you want to subscribe to. Note that the patch classifications apply to Microsoft updates only.
3. Select the check boxes for the vendor products, and then click Save.

List of Supported Vendors
Vendor                        Product
Adobe Systems Incorporated    Adobe Flash Player
                              Adobe Acrobat
                              Adobe Reader
                              Adobe Shockwave (Firefox/IE)
Apple Incorporated            Safari
Foxit Corporation             Foxit Reader
Google Incorporated           Chrome
Igor Pavlov (LGPL)            7-Zip
Mozilla Foundation            Mozilla Firefox
Opera Software ASA            Opera Browser
Oracle Corporation            Sun Java
Skype Limited                 Skype
win.rar GmbH                  WinRAR
WinZip International LLC      WinZip

System Center Configuration Manager
Not supported in Retina CS Community.

Overview
The SCCM feature in Retina CS offers you a way to create a connection to your SCCM server and manage deploying software packages to selected collections. In Retina CS, you can create a connection to your Microsoft System Center Configuration Manager (SCCM) site server and manage the software updates to the collections. The package deployment feature in Retina CS is similar to SCCM and offers most of the options that you are already familiar with.

An important difference between traditional Smart Groups in Retina CS and the SCCM Smart Groups is that asset data is gathered from the collections in SCCM and is stored in the Retina CS database. The assets have not been scanned by Retina CS. You can use the synchronize feature on the SCCM configure page to ensure the most current data resides in the Retina CS database.

Requirements
• The client must have SCCM installed or patches cannot be deployed and applied.
• The SCCM instance must have an Active Software Update Point component configured prior to making a connection from Retina CS.
• The SCCM Smart Groups are not patch-enabled like the WSUS Smart Groups.

Creating a Connection to a SCCM Site Server
To connect to a SCCM Site Server:
1. In Retina CS, select Configure, and then click the SCCM tab.
2. Click +, and then enter the server name, domain, user name and credentials for the server.
3. Click Test Connection to ensure the information is correct.
4. Click Save.
5. Click the Collections tab. Collections are displayed here if at least one asset is detected in the collection. You must select the collections to include in the Smart Group. A collection includes the assets that you want to apply patches to.
6. Select the collections, and then click Save. A unique identifier (the site code) is added to every SCCM Smart Group. This helps to identify the SCCM Site Server where the collection is from.
Note: You cannot change the autogenerated Smart Group.

After you create the connection to a SCCM Site Server, additional tabs are available. Status information is provided for the following:
– Site Status – Displays a site status only.
– Site Details – Displays information about the MS System Center Configuration Manager. Includes such information as: current status, server availability (online or offline), version, site code, event information.

Deploying a Package to a Collection
Patches are immediately applied to the assets in the collection. This is SCCM behaviour. Review the client list to ensure that all targets have the SCCM client installed.

To deploy a package:
1. Click the SCCM tab.
2. Select the collection in the Smart Groups browser pane.
3. Click Updates. The page identifies the software available to deploy and the status of the software on the assets in the collection: Installed, Required, N/A, and Unknown.
4. Review and select updates, and then click Deploy.
5. On the Deployment Package Details page, enter the following information:
– Package name, description and deployment package location.
Note: The package source location must be entered as a UNC path (\\servername\share\package name) and must be unique for every package that you deploy. The share must already be created on the server.
6. Select the optional additional settings:
– Enforce an installation deadline for this deployment
– Enable Wake On Lan when the deadline for this deployment has been reached
– Enable user notifications
– Enable reboot of client machines outside of maintenance window
– Suppress system restart on Workstations
– Suppress system restart on Servers
7. Click Deploy.
You can keep track of the successfully deployed packages on the Job page.

SCCM and 3rd Party Patching
If you are using SCCM, you can publish 3rd party patches to an Active Software Update Point (SUP) by configuring the Update Point (WSUS server) on the Configure > Patch Management tab in Retina CS. For more information, see Connecting to a WSUS Server. Any SUP that has an active WSUS connection in RCS should not be used to create Patch-enabled Smart Rules.

Using Group Policy to Configure SCCM Assets for 3rd Party Patches
Configuring SCCM assets to accept 3rd Party Patches involves two steps:
• Exporting the WSUS Certificate
• Configuring the Group Policy Object

Exporting the WSUS Certificate
Go through the steps in this section on the WSUS server that is the Active Software Update Point for SCCM. For detailed information on exporting a certificate, refer to the Help file available with the Certificates snap-in.

To export a WSUS certificate:
1. Run mmc, and then add the Certificates snap-in. Be sure to select Computer account, and Local computer.
2. Expand the WSUS node.
3. Right-click WSUS Publishers Self-signed and select All Tasks > Export.
4. In the Certificate Export Wizard, select the following:
– No, do not export the private key
– DER encoded binary X.509 (.CER)
– Enter a file name for the certificate and go through the remaining pages of the wizard.

Configuring the GPO
Use the following procedures to configure the Group Policy Object (GPO) to deploy configuration to SCCM enabled assets. The GPO saves the WSUS certificate to the appropriate certificate stores and configures the assets to accept third-party patches from non-Microsoft sources. After the GPO is created, it must be linked to an OU that contains the SCCM assets that you want to receive 3rd party patches.

To configure assets using Group Policy on Windows Server domains:
1. Open Group Policy Management Console (GPMC) on a domain controller.
2. Create a GPO for the certificate at the domain level:
a. Select the domain you want to use, and then click Action > Create a GPO in this domain, and Link it here.
b. Enter a name for the GPO. For example, enter Patch Management Client Configuration Policy, and then click OK.
3. Select the new object, and then click Action > Edit.
4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. Import the WSUS publishing certificate to the Trusted Root Certification Authorities and Trusted Publishers stores.
6. Turn on signed updates in the Windows Update administrative template:
a. Expand Computer Configuration > Policies > Administrative Templates > Windows Components, and then select Windows Update.
b. Double-click Allow signed updates from an intranet Microsoft update service location.
c. Select Enabled, and then click OK.
7. Select an OU or domain and create a link to this new GPO.
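The registry keys listed under Registering Smart Rules, the certificate auto-deletion described under Self-signed Certificates, and the two certificate stores the GPO above populates can all be verified from the client side. The following PowerShell is an added example, not code from the Retina CS guide or from BeyondTrust. The value names under the WindowsUpdate keys (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, AcceptTrustedPublisherCerts) and the DisableRootAutoUpdate value behind the Turn off Automatic Root Certificates Update policy are standard Windows settings that the guide itself does not name. It assumes the certificate subject contains "WSUS Publishers Self-signed" as for the exported certificate; pass -Thumbprint for a certificate generated with a different subject.

```powershell
# Added example (not from the Retina CS guide or BeyondTrust): run elevated on a
# patch-enabled client to verify the WSUS registry configuration, the third-party
# publisher certificate trust, and whether Windows has auto-deleted that certificate
# (Application log Event ID 4108). Value names are standard Windows Update policy
# values, not names taken from the guide. Requires PowerShell 3.0 or later.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"
$RootAutoUpdateKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-WsusClientConfig {
    <# Reports whether the client is pointed at WSUS, how it installs, and the Remote Registry state. #>
    $auOptionNames = @{ 2 = 'Notify before download'; 3 = 'Download, notify before install';
                        4 = 'Download and install on schedule'; 5 = 'Local admin chooses' }
    $opt = Get-RegValue $AuKey 'AUOptions'
    $optText = $opt
    if ($null -ne $opt -and $auOptionNames.ContainsKey([int]$opt)) { $optText = $auOptionNames[[int]$opt] }

    [pscustomobject]@{
        WUServer        = Get-RegValue $WuKey 'WUServer'
        WUStatusServer  = Get-RegValue $WuKey 'WUStatusServer'
        UsesWsus        = (Get-RegValue $AuKey 'UseWUServer') -eq 1
        AUOptions       = $optText
        ScheduledDay    = Get-RegValue $AuKey 'ScheduledInstallDay'    # 0 = every day, 1..7 = Sunday..Saturday
        ScheduledHour   = Get-RegValue $AuKey 'ScheduledInstallTime'   # 0..23
        SignedUpdatesOK = (Get-RegValue $WuKey 'AcceptTrustedPublisherCerts') -eq 1   # "Allow signed updates ..." policy
        RemoteRegistry  = (Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue).Status
    }
}

function Test-ThirdPartyPatchTrust {
    <# Checks that the WSUS publisher certificate is in both stores the GPO populates, and
       whether automatic root-certificate update (the cause of the 4108 deletions) is turned off. #>
    param([string]$Thumbprint)

    $filter = { $_.Subject -like '*WSUS Publishers Self-signed*' }   # assumed subject text
    if ($Thumbprint) { $filter = { $_.Thumbprint -eq $Thumbprint } }
    $inRoot      = @(Get-ChildItem Cert:\LocalMachine\Root             | Where-Object $filter).Count -gt 0
    $inPublisher = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object $filter).Count -gt 0

    [pscustomobject]@{
        InTrustedRoot          = $inRoot
        InTrustedPublishers    = $inPublisher
        RootAutoUpdateDisabled = (Get-RegValue $RootAutoUpdateKey 'DisableRootAutoUpdate') -eq 1
        TrustEstablished       = $inRoot -and $inPublisher
    }
}

function Get-RootCertAutoDeleteEvents {
    <# Lists Application-log events with ID 4108 ("Successful auto delete of third-party root
       certificate") from the last $Days days; a hit means the certificate was removed and
       third-party patches will fail verification until the configuration is redeployed. #>
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4108; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

# Usage:
Test-WsusClientConfig
Test-ThirdPartyPatchTrust
Get-RootCertAutoDeleteEvents -Days 30
```

Run it on an asset after registration and again after a Redeploy Configuration. TrustEstablished false together with a 4108 event is the signature of the auto-deletion case described under Self-signed Certificates, and SignedUpdatesOK false means the GPO's Allow signed updates setting has not reached the asset, so third-party patches will be rejected even though the certificate is present.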
Retina Protection Agents
Not supported in Retina CS Community.

In this section:
Overview
Downloading Retina Protection Agents
Configuring a Default Policy
Preparing Target Assets
Using the 3rd Party Deployment Tool
Updating RPA Licenses
Deploying the Protection Policies
Storing Retina Protection Agent Serial Numbers
Reviewing Details About Protection Agents
Removing Protection Agents
Configuring Protection Policies
Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference

Overview
This section provides information on how the Retina Protection agent deployment works.

How RP Agent Deployments Work
• The Application Bus service receives a message from Retina CS to start a deployment.
• A deployment package is created and includes these files:
  – BlinkSetup.exe
  – #deploy.xml
  – deployc.pfx
  – eEyeEmsClientCert.pfx
  – msxml3.dll
  – msxml3r.dll
  – startdeplservice.exe
  To ensure secure deployment, the deployc.pfx file includes a security certificate.
• The package is queued and ready to be copied to a share on the target asset. This starts the deployment service (startdeplservice.exe). This service sends a message to Retina CS indicating the job status.
• The service runs BlinkSetup.exe and installs:
  – The VS2008 runtime environment, if required.
  – RPA
• Reports to Retina CS that installation was successful.
• When the deployment is complete, the startdeplservice.exe is removed from the asset.

Downloading Retina Protection Agents
The Retina Protection Agent must be downloaded before you can deploy policies to selected assets. You can deploy Retina Protection Agents using one of the following ways:
• Download through the Retina CS console.
• Copy the Retina protection agent installer to the following directory: $Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink\4.0.0. Change the name of the installer file to: BlinkSetup.exe
• Use the 3rd Party Deployment tool. See Using the 3rd Party Deployment Wizard.

To deploy the protection agent:
1. Select the Assets tab.
2. Click Protect.
3. If the protection agent deployment package is not found, click Download Protection Agent. Progress messages are displayed during the download. A file size indicator updates every 10 seconds to show the status of the download.
After the Retina protection agent is downloaded, you must configure the Default policy.

Air Gapped Connectivity to Retina CS
If the server where Retina CS resides does not have an Internet connection, you can download Blink Professional and Blink Server from the client portal.
• Change the name of Blink Professional to BlinkSetup.exe and copy to the following directory: C:\Program Files (x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink\4.0.0\
• Change the name of Blink Server to BlinkSetup.exe and copy to the following directory: C:\Program Files (x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink Server\4.0.0\

Configuring a Default Policy
You must configure the Default policy to use the Retina CS server as the central policy agent.

To configure the Default policy:
1. Select the Configure tab.
2. Click Protection Policies.
3. Select Default policy, and then select Edit Policy.
4. Click the pencil icon next to Master Rules.
5. Expand Misc Options, then select General.
6. Expand Central Policy.
7. Select the Yes check box to use central policy.
8. Use the default protocol, https.
9. Enter the Retina CS server name and password.
10. Click Update.

Preparing Target Assets
Assets must have appropriate permissions in place so that the protection policies can be copied to the asset.

Using the 3rd Party Deployment Tool
Use the 3rd Party Deployment wizard to create Retina Protection Agent deployment packages. You can create a directory, executable, or .msi.

To create a deployment package:
1. Select Start > All Programs > eEye Digital Security > Tools > 3rd Party Deployment Wizard.
2. Select the directory where you want to create the package files and where the package will be deployed.
3. Select the check boxes for the type of deployment package: Create Directory, Create Executable, Create MSI.
4. Select Retina Protection Agent Setup information:
– Setup filename - Displays the name for the .exe. The default value is BlinkSetup.exe.
– Serial number - Enter the serial number for the Retina Protection Agent.
– Mode - Select a mode: Interactive, Alert Only, Silent, Hidden.
– Administrator password/confirm password - Enter a password.
– Enable Firewall - Select to turn on firewall protection.
– Enable Virus and Spyware Protection - Select to turn on virus and spyware protection.
– Enable Intrusion Prevention - Select to turn on intrusion prevention.
– Enable System Protection - Select to turn on system protection.
– 3rd party AV uninstall password - Enter the password to uninstall existing anti-virus and intrusion prevention applications if detected during deployment.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
a. Select the protocol: https, rem.
b. Select the server name where Retina CS resides.
c. Select the default policy.
d. Enter the password for central policy.
e. Enter the time interval to check for updates.
7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.
12. Click Finish.

Updating RPA Licenses
When your Retina Protection Agents (RPA) serial numbers are close to expiry, you can deploy a serial number to all assets where RPAs are deployed.

To update the serial number:
1. Select the Assets tab.
2. Select Agents, and then click Relicense.
3. Select the assets from the Smart Groups browser pane.
4. In the Deploy section, select: currently selected assets, single IP address, IP range, CIDR notation or named host.
5. Select the check box to skip the assets that do not have an RPA deployed.
6. Enter credentials.
7. Enter the serial number.
8. Click Run.

Deploying the Protection Policies
Use the following procedure to deploy protection policies to selected assets and agents.

Checkpoint
– Policies are only available after you deploy Retina protection agents. For more information, see Downloading Retina Protection Agents.
– Before proceeding, you might want to customize your policies. For more information, see Configuring Protection Policies.

Note: Turn off the Require SSL setting in IIS Manager for the Retina CS default web site. Otherwise, the status displayed does not indicate when the deployment has successfully completed.

To deploy protection policies:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Select a policy and click Deploy.
3. Expand Deploy to select the assets you want to apply the protection policies to: Smart Groups, Single IP, IP Range, CIDR Notation, or Named Host. For IP Range and CIDR Notation, the policies are deployed to the assets that match the credentials entered.
4. Expand Status to determine the assets that already have Retina protection agents deployed. Select Don't perform deployment on these (n) assets, with n being the number of assets that do not have the protection agent installed.
5. Select the Force installation of Protection Agent check box to deploy the protection agent to the selected targets. Credentials are required. Third-party anti-virus and intrusion prevention applications are uninstalled if detected during deployment.
6. Expand Credentials Management to enter the domain, username, and password credentials for the assets to deploy on.
7. Expand Software Removal Tool, and select the Enabled check box. Enter a password. This step is optional.
8. Expand Advanced and enter the serial number and installation directory for the Retina protection agent, if required.
9. Select the Enable Event Forwarding check box to view malware and vulnerability events on the Retina CS console.
10. Click Request Protection Agent Update to automatically download updates for the protection agent.
11. Click Start Deploy.
Click Show Status to view the progress of the deployment, or click the Jobs tab.

Storing Retina Protection Agent Serial Numbers
You can set a serial number as the default so that you do not need to enter the serial number every time you deploy an agent. The serial number is displayed differently depending on the permissions that you are assigned. If you are assigned the Protection Policy Management permission, all digits for a saved serial number are displayed and the Save as Default button is available.

Reviewing Details about Protection Agents
You can review the following information for a protection agent on the Agents tab:
• Policy name
• Protection agent version
• Computer name where the agent is deployed
• Operating system

To review protection agent details:
1. Click the Filters button to set sorting information on the protection agents. To review only protection agent information,
This is helpful if there are a lot of protection agents deployed in your environment. Retina Version and Agent Name). This is optional. You can clear the Use Default Serial check box at any time and then enter another serial number. click the Preferences button and clear any Retina scanner check boxes (for example. 2013 168 . Note that you cannot sort by Protection Agent Policy name. 2. see User Group Permissions. For more information about permissions. Select the Agents tab. This is optional.Retina CS User Guide Retina Protection Agents If you are only assigned the Deployment permission the last section of the serial number is displayed and the Save as Default button is not displayed. and then click Run. Enter the credentials. 4. June 10. 2. Click the Assets tab. Enter the IP addresses for the assets. BeyondTrust® Click the Agents tab. 5. 2013 169 . To remove a protection agent: 1.Retina CS User Guide Retina Protection Agents Removing Protection Agents You can remove a deployed protection agent from an asset. Click Uninstall. 3. the rules for all attached groups are automatically merged into an effective set of rules for the policy. from a rule category in a Rule Group. you can attach the rule groups to a policy. select “Revert to factory. After you determine the rule set and configure rules. select that category and click the arrow next to the category title. Retina CS ships with a set of default rules and rule groups. Working with Rules and Rule Groups Creating a Rule Group and Setting Rules Creating a Protection Policy Organizing Your Policies Rules Reference When setting up a protection solution using Retina CS. You can click and drag on attached Rule Groups to modify their ordering and thus their resulting relative priority. The policy is then deployed to your assets.” Changing a default value is considered an override even if that setting is later changed to its default state. review the following sections to understand how they work. 
Rule Group Ordering When there is more than one rule group attached to a policy. 2013 170 . the group that is located higher in the list of attached groups takes priority.Retina CS User Guide Retina Protection Agents Configuring Protection Policies In this section.” BeyondTrust® June 10. Working with Rules and Rule Groups When creating rules and rule groups. Some rules are “on” while others are “off. This is important to understand since a rule setting override is considered when multiple Rule Groups are merged in a given Policy. Each new policy automatically inherits these default settings. In the context menu that appears. you need to determine the rules that you want to use to protect your assets. To remove all rule setting overrides. but rules considered to be in their “factory default” state are not. In the case where a specific rule is set in more than one attached group. Retina CS ships with a set of default rules. or select the Assets tab. BeyondTrust® – Select the rule group from the Rule Groups pane to change the rule group properties. Creating a Rule Group and Setting Rules A Rule Group is a container for the rules that you want to apply to protect your assets. Since this “off” setting is now considered an override over the default setting. The factory default setting for a particular rule is “off”. In each rule category. 2. Any rule set in the Master Rules section will override the same rule setting in any attached groups. The rule in Group A has never been changed and is considered the “default. application firewall. a rule group can contain any combination of rule categories that includes: system firewall. June 10. When assigned to a policy. – Select the rule group and click .to delete the rule group. You can type the name of the rule group in the box to search for the rule group. servers. this case now being identical to the first. IPS signatures. you can: – Click + to add a rule group. 
Enter a name for the rule group.” Case 3: The rule category where this rule resides is “reverted to factory default” for Group A and now the effective merged setting is once again “on”. consider three cases where two Rule Groups are attached to a policy.Retina CS User Guide Retina Protection Agents For example. Master Rules Every policy has a set of Master Rules which can be considered a non-shared Rule Group (it is specific to one policy only) that always has the highest priority when rules are merged. there are particular rules that you can activate if you want to provide that specific protection to your asset. On the Manage Rule Groups page. and then click Protect. To create a rule group: 1. Select the Dashboard tab and click Protect. and Trusted and Banned IPs. Group A (highest priority) and Group B. workstations and laptops. internal attack and machine misuse. that rule is set to on.” The effective merged rule setting will be “on”. but later set to “off”. o o o Case 1: In Group B. the effective merged rule setting will now be “off. but in Group A that rule has been set to “on” previously. 2013 171 . Click Manage Rule Groups. Rule groups provide proactive and reactive protection against intruder. such as networks. rule groups are applied to assets. In Retina CS. 3. Case 2: The rule in Group B is set to “on”. then select a rule category to display the associated rules. rule groups and locations in the policy are also processed. Click New Policy. 5. select the subcategory to display the rules. To create a protection policy: 1. Creating a Protection Policy Create a policy that defines the rules you want to apply to your assets. 4. 6. 7. Click Revert to revert to either last saved or the default value for the rule category. Click Protect. 3. Click Update when editing an existing policy. Click Create. Click the arrow to display the subcategories. Drag rule groups to the rules pane. Enter the name of the policy and the policy group to which it is a member. 
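The merge behaviour described under Rule Group Ordering and Master Rules above, worked through as an added Python example (not Retina CS code): the rule and category names are constructed, and an untouched rule is modelled as having no override.

```python
"""Effective-rule merging for a protection policy, modelled on the Rule Group
Ordering and Master Rules semantics described above (added illustration, not
Retina CS code).  A rule in a Rule Group is either in its factory-default state
(never touched) or carries an override, "on" or "off".  Setting a rule and later
putting it back to "off" is still an override; only "Revert to factory" on the
rule's category clears overrides.  Master Rules win, then attached groups in
list order (top of list = highest priority), then the factory default, "off".
"""
from typing import Dict, List, Optional, Tuple

FACTORY_DEFAULT = False  # the guide: the factory default for a rule is "off"


class RuleGroup:
    def __init__(self, name: str) -> None:
        self.name = name
        # rule name -> (category, override); override None = factory default
        self._rules: Dict[str, Tuple[str, Optional[bool]]] = {}

    def set_rule(self, category: str, rule: str, enabled: bool) -> None:
        """Any explicit setting counts as an override, even enabled=False."""
        self._rules[rule] = (category, enabled)

    def revert_category_to_factory(self, category: str) -> None:
        """'Revert to factory': drop every override in the category."""
        for rule, (cat, _) in list(self._rules.items()):
            if cat == category:
                self._rules[rule] = (cat, None)

    def override(self, rule: str) -> Optional[bool]:
        entry = self._rules.get(rule)
        return None if entry is None else entry[1]


class Policy:
    def __init__(self, name: str) -> None:
        self.name = name
        # Master Rules: a non-shared group with the highest priority
        self.master = RuleGroup(name + " Master Rules")
        self.attached: List[RuleGroup] = []  # index 0 is the top of the list

    def attach(self, group: RuleGroup) -> None:
        self.attached.append(group)

    def move_to_top(self, group: RuleGroup) -> None:
        """Equivalent of dragging the group to the top of the attached list."""
        self.attached.remove(group)
        self.attached.insert(0, group)

    def decided_by(self, rule: str) -> Tuple[bool, str]:
        """Effective setting and the name of the group whose override produced it."""
        for group in [self.master] + self.attached:
            value = group.override(rule)
            if value is not None:
                return value, group.name
        return FACTORY_DEFAULT, "factory default"

    def effective(self, rule: str) -> bool:
        return self.decided_by(rule)[0]


def guide_cases() -> Dict[str, bool]:
    """The three cases from the guide, plus a Master Rules override."""
    policy = Policy("Default")
    group_a, group_b = RuleGroup("Group A"), RuleGroup("Group B")
    policy.attach(group_a)  # Group A: highest priority of the attached groups
    policy.attach(group_b)
    category, rule = "System Firewall", "Block inbound NetBIOS"  # constructed names
    results: Dict[str, bool] = {}

    # Case 1: Group B sets the rule on; Group A never touched it -> "on".
    group_b.set_rule(category, rule, True)
    results["case1"] = policy.effective(rule)

    # Case 2: Group A had it on earlier, then off; that "off" is an override -> "off".
    group_a.set_rule(category, rule, True)
    group_a.set_rule(category, rule, False)
    results["case2"] = policy.effective(rule)

    # Case 3: revert Group A's category to factory -> back to "on", as in case 1.
    group_a.revert_category_to_factory(category)
    results["case3"] = policy.effective(rule)

    # Master Rules override the same rule in any attached group.
    policy.master.set_rule(category, rule, False)
    results["master"] = policy.effective(rule)
    return results


if __name__ == "__main__":
    for case, value in guide_cases().items():
        print(f"{case}: {'on' if value else 'off'}")
```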
Checkpoint
– At least one policy category must be created to create a policy. See Organizing Policies.

You can also create a policy from the Configure tab. To set the rules of a policy, select a rule group, and then select a rule name check box to activate the rule. Rule categories with arrows contain subcategories. Click Update. To create a rule, go to Rules. For more information, see Rule Groups.

Creating a Dynamic Policy

You can attach a location to a policy. You can also add locations to existing policies. A dynamic policy includes conditions that determine the assets where the protection policy will be applied. You can create a dynamic protection policy. For more information, see Creating a Dynamic Protection Policy.

Assets in an environment can change or be removed. When a policy is processed, locations and conditions define when the policy will be deployed to particular assets.
• Location – One or more conditions.
• Condition – A set of criteria that determines the assets. For example, if the IP address or domain is reachable, then the policy can be applied. The policy is dynamic since only those assets that meet the criteria in the condition are included.

To manage locations, you must access an existing policy or go through a new policy. More than one condition can apply to a location. On the Manage Conditions window, you can create and delete conditions. To edit an existing location, select the location from the Location pane. To delete a location, select the location from the Location pane and click the - sign.

The following procedure shows you how to create a condition and add the condition to a location.

To create a dynamic policy:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click New Policy.
3. From the Location menu, select Manage Locations.
4. Click Add Location, enter a name, and click Create.
5. Click Manage.
6. On the Manage Conditions window, click the + sign to create a condition.
   a. Enter a name and click Create.
   b. Select Command or Script from the Command Type list.
   c. Parameters
      Command options:
      – Check – In the Command Parameters box, type the IP address.
      – Verify DNS – Confirms the Domain Name System server. In the Command Parameters box, type the IP address.
      – Verify DHCP – Confirms the Dynamic Host Configuration Protocol server. In the Command Parameters box, type the IP address.
      – Compare Version – Verifies which version of protection agent is installed on the assets. This feature will be available at a later date.
      – Reachable – Pings the IP address or domain name to verify access in the network. In the Command Parameters box, type the IP address or domain name.
      Script options:
      – Script Name – Java or Visual Basic script file.
      – Script – Script file location. Click Upload Script to upload a script.
   d. Click Update.
7. Drag the condition from the Conditions pane. More than one condition can apply to a location. The following operators are available:
   And = &
   Or = |
   Not = !
   Parentheses group conditions.
8. Select the Network Status Change Events check box if you want to log network status changes.
9. Click Update.

Organizing Your Policies

A policy category is a set of similar policies. A policy must be assigned to a category when the policy is created.

To organize policies:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click New Policy Category.
3. Enter the policy category name and click Create.
4. Drag policies from other policy categories to populate the new policy category.

You can also create a category from the Configure tab. You can also manage rule groups from the Configure tab (Protection Policies).
Rules Reference

As mentioned earlier, a protection policy contains the security rules that are deployed to your assets. This section details the rules available to you. You can create, edit, and delete rules. You cannot create rules for the following rule categories: Identity Theft and Analyzers.

To copy, edit, or delete a rule:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the rule category.
5. Select the rule, click the arrow and select one of the following menu items:
   – Edit Rule—to edit the selected rule.
   – Duplicate Rule—to create a copy of the rule. Edit the new rule as needed.
   – Delete Rule—to delete the selected rule.
   Note that menu items are not available on all rules.
6. Click the pencil icon to change the settings.

System Wide Firewall Rules

System Wide Firewall rules control the flow of data by examining each packet and determining whether to forward the packet toward a specific destination.

To create system-wide firewall rules:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the System Firewall rule category.
5. Select a rule name check box to activate the rule.
6. Click Create New Rule to start the wizard. Complete the following pages.
   a. Enter a name and description for the rule.
   b. Traffic Direction
      – Traffic from Other Computers – filters only inbound traffic received by your computer.
      – Traffic from This Computer – filters only outbound traffic sent from your computer.
      – Any Direction – filters both inbound and outbound traffic.
   c. Action
      – Allow – traffic that matches the rule can pass through the firewall.
      – Deny – traffic that matches the rule cannot pass through the firewall.
      – Ask – a message is displayed requesting permission to pass through the firewall.
      – Alert user – receive and log alerts from Blink when the rule is matched. This can create a flood of alerts and increase the size of the log file.
      – Log event – select to create an event log when the rule is matched.
   d. Protocol – Select a protocol – TCP, UDP, ICMP, IP, or TCP or UDP. The rule triggers when there is a match.
   e. Local IPs & Ports
      – Rule applies to all IP addresses – Create a rule for all local IP addresses.
      – Specific local IP addresses – Click +, and then select: Determine IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.
      – Rule applies to all ports – Create a rule for all ports.
      – Specific ports – Click +, and then enter a port number, port list, or port range. Use a comma to separate values. Ports in a range are separated with a hyphen.
   f. Remote IPs & Ports – Options on this page are the same as Local IPs & Ports page.
   g. Rule Summary – Click Finish. Place at the top of the rule list – select to run the rule first.

Application Firewall Rules

Application Firewall rules tailor the protection closer to the applications and the specific network environment being protected.

To create an Application Firewall rule:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to search for the rule group.
4. Select the Application Firewall rules category.
5. Click Create New Rule to start the rule wizard. Complete the following pages.
   a. Enter a name and description for the rule.
   b. Application
      – Full Path – Retina CS compares the path stored in the firewall rule to the path of the application requesting network access. The rule triggers when there is a match.
      – Process Name – Retina CS compares the application process name to the process that is requesting network access. The rule triggers when there is a match. Select this option for applications that are typically updated during normal use. This is the least secure option.
      – MD5 – Retina CS creates and stores an MD5 checksum of the specified application. At run-time, Retina CS compares this MD5 checksum to the checksum of the application that is requesting network access. If selected, enter the MD5 value. The MD5 algorithm is a method for signing and verifying a file and its contents mathematically. This is the default value and the most secure option; however, if the application changes during an auto-update, the rule becomes invalid.
      – System Process – filters the system process requests from the Operating System or Kernel Drivers running under a system context. Typical system processes include printing and file sharing.
   c. Traffic Direction
      – Traffic from Other Computers – filters only inbound traffic received by your computer.
      – Traffic from This Computer – filters only outbound traffic sent from your computer.
      – Any Direction – filters both inbound and outbound traffic.
   d. Action
      – Allow – traffic that matches the rule can pass through the firewall.
      – Deny – traffic that matches the rule cannot pass through the firewall.
      – Ask – a message is displayed requesting permission to pass through the firewall.
      – Alert user check box – receive and log alerts from Blink when the rule is matched. This can create a lot of alerts and increase the size of the log file.
      – Log event check box – select to create an event log when the rule is matched.
   e. Protocol – Select a protocol – TCP, UDP, or TCP or UDP. The rule triggers when there is a match.
   f. Local IPs & Ports
      – Rule applies to all IP addresses – Create a rule for all local IP addresses.
      – Rule applies to all ports – Create a rule for all ports.
      – Specific ports – Click +, and then enter a port number, port list, or port range. Use a comma to separate values. Ports in a range are separated with a hyphen.
   g. Remote IPs and Ports – Options on this page are the same as Local IPs & Ports page.
   h. Rule Summary – Click Finish. Place at the top of the rule list – select to run the rule first.

IPS Signature Rules

You can create IPS network signatures that filter a specific protocol, such as FTP, ICMP, and SMTP. When you create an IPS signature rule, you can choose the Network Layer or Application Layer protocol. For example, you can create an application layer IPS signature that filters traffic from the subject line of all incoming or outgoing email messages associated with the EMAIL protocol. The wizard pages change depending on the protocol that you select. For the following procedure, the wizard pages described assume CGI Scripts and Network Layer options are selected.

To create an IPS signature rule:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the box to search for the rule group.
4. Expand IPS Signatures and select a subcategory to display the associated rules.
5. Click Create New Rule to start the wizard. Complete the following pages.
   a. Enter a name and description for the rule.
   b. Protocol – Select a protocol.
   c. IP Protocol
      – Fragment Flags – Select the check box, then select: More Fragment, Don't Fragment Bit, Reserved Bit.
        Set – The binary value of the corresponding flag for 1s only is verified.
        Not Set – The binary value of the corresponding flag for 0s only is verified.
        Don't Care – The value is ignored.
      – IP ID – Select Less Than, Equal To, or Greater Than and set the ID number.
      – IP Options – Select Record Route, No Operation, End of Option List, Security, Internet Timestamp, Loose Source Routing, or Strict Source Routing.
      – Time to Live – Select Less Than, Equal To, or Greater Than and set the time.
      – Type of Service – Select the service: Minimize Delay, Maximize Throughput, Maximum Reliability, or Minimize Monetary Cost.
      – IP Protocol – Select Less Than, Equal To, or Greater Than and set the protocol.
   d. Traffic Direction
      – Inbound – Filters only inbound traffic received by your computer.
      – Outbound – Filters only outbound traffic sent from your computer.
      – Both – Filters both inbound and outbound traffic.
   e. Local IPs & Ports
      – Rule applies to all IP addresses – Create a rule for all local IP addresses.
      – Specific local IP addresses – Click +, and then select: Determine IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.
      – Rule applies to all ports – Create a rule for all ports.
      – Specific ports – Click +, and then enter a port number, port list, or port range. Use a comma to separate values. Ports in a range are separated with a hyphen.
   f. Remote IPs & Ports – Options on this page are the same as Local IPs & Ports page.
   g. Search Pattern – Click +, and then type the pattern to search on. You can create patterns using hex characters or a combination of ASCII and hex characters. A hex sequence must be enclosed in < >.
      – Start – (Optional) Enter the number of bytes to skip from the beginning of the packet's payload.
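The search-pattern syntax described above (ASCII mixed with hex sequences enclosed in < >, searched from a Start offset), as an added Python example that is not Retina CS code; it also models the Depth, Match case, Use regular expressions and Trigger rule if pattern not found options of the same wizard page, and assumes Depth is counted from the Start offset. The SMTP message it searches is constructed.

```python
"""Search-pattern matching for an IPS signature rule as described above (added
illustration, not Retina CS code).  A pattern mixes ASCII text with hex byte
sequences enclosed in < >, e.g. "Subject: <49 4c 4f 56 45>YOU".  Matching starts
Start bytes into the payload; Depth, Match case, Use regular expressions and
Trigger rule if pattern not found are modelled as flags.
Assumption: Depth is counted from the Start offset.
"""
import re
from typing import Dict, Optional


def parse_pattern(pattern: str) -> bytes:
    """Turn 'ASCII with <hex>' into the byte string to search for."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        if pattern[i] == "<":
            end = pattern.find(">", i)
            if end < 0:
                raise ValueError("unterminated hex sequence in pattern")
            hexdigits = pattern[i + 1:end].replace(" ", "")
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexdigits):
                raise ValueError(f"bad hex sequence: {pattern[i:end + 1]}")
            out += bytes.fromhex(hexdigits)
            i = end + 1
        else:
            out += pattern[i].encode("ascii")  # non-ASCII text is rejected
            i += 1
    return bytes(out)


def pattern_found(payload: bytes, pattern: str, start: int = 0,
                  depth: Optional[int] = None, match_case: bool = True,
                  use_regex: bool = False) -> bool:
    """Search the payload window [start, start + depth) for the pattern."""
    window = payload[start:] if depth is None else payload[start:start + depth]
    if use_regex:
        flags = 0 if match_case else re.IGNORECASE
        return re.search(pattern.encode("ascii"), window, flags) is not None
    needle = parse_pattern(pattern)
    if not match_case:
        window, needle = window.lower(), needle.lower()
    return needle in window


def rule_triggers(payload: bytes, pattern: str,
                  trigger_if_not_found: bool = False, **options) -> bool:
    """'Trigger rule if pattern not found' inverts the result of the search."""
    found = pattern_found(payload, pattern, **options)
    return not found if trigger_if_not_found else found


# Constructed SMTP payload for an EMAIL-protocol signature; the header block
# (two header lines plus the blank line) is exactly 47 bytes long.
SAMPLE_MESSAGE = (b"From: alice@example.test\r\n"
                  b"Subject: ILOVEYOU\r\n"
                  b"\r\n"
                  b"kindly check the attached LOVELETTER")


def demo() -> Dict[str, bool]:
    subject_sig = "Subject: <49 4c 4f 56 45>YOU"  # ASCII plus a hex run spelling ILOVE
    return {
        "subject_matches": pattern_found(SAMPLE_MESSAGE, subject_sig),
        "case_sensitive_miss": pattern_found(SAMPLE_MESSAGE, "subject: iloveyou"),
        "case_insensitive_hit": pattern_found(SAMPLE_MESSAGE, "subject: iloveyou",
                                              match_case=False),
        # Depth 40 keeps the search inside the header block, so the body is not seen.
        "body_outside_depth": pattern_found(SAMPLE_MESSAGE, "kindly", depth=40),
        "body_from_start": pattern_found(SAMPLE_MESSAGE, "kindly", start=47),
        "regex_subject": pattern_found(SAMPLE_MESSAGE, r"Subject: [A-Z]+\r\n",
                                       use_regex=True),
        "missing_header_triggers": rule_triggers(SAMPLE_MESSAGE, "X-Scanned: <01>",
                                                 trigger_if_not_found=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```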
      – Depth – Enter the total number of bytes to search in the packet's payload.
      – Match case on pattern – (Optional) Find a pattern that matches the case in the Pattern field.
      – Use regular expressions – (Optional) Find a specific word followed by an alphanumeric.
      – Match only on patterns of same size – (Optional) Find a pattern that matches the size in the Pattern field.
      – Trigger rule if pattern not found – (Optional) Stop the action from completing when the pattern is matched.
   h. Action
      – Stop attack – Stop the attack by terminating the session or dropping packets. Available only for TCP-based IPS signatures.
      – Block IP for – Stop the attack for the specified number of minutes.
      – Capture Packets – Hold the packet for review by the user.
      – Alert user – Receive and log alerts from RPA when the rule is matched. This can create a flood of alerts and increase the size of the log file.
      – Log event – Create an event log when the rule is matched.
   i. Specify Threshold
      – Take action for every occurrence of the event – When the pattern is found, the action defined on the Action page occurs.
      – Take action when the threshold is exceeded – When the threshold is exceeded, the action defined on the Actions page occurs. Specify the frequency of the action. The default is one event every one second. For example, you may want to slow down someone trying to guess your FTP password account by stopping them from accessing the server for 10 minutes after each 10 failed attempts occurring in less than three minutes.
   j. Specify References – (Optional) Enter more information about the vulnerabilities and exploits. The information helps to define what the IPS signature protects against.
   k. Set More Details – Enter more information about the rule.
      – Rule severity – Select a severity between 0 and 9 (highest severity). The severity level is included in the event log.
   l. Rule Summary – Click Finish. Place at the top of the rule list – select to run the rule first.

All IPS Analyzer rules and signatures can be configured to ban the attacker IP for a certain amount of time. This is not recommended for spoofable protocols, such as IP, UDP and ICMP. In a spoofable attack, an attacker mimics the IP address of critical systems and then forces the IP address to be added to the banned list.

Trusted and Banned IPs

You can set trusted and banned IP addresses to manage lists of hosts processed by the Firewall and IPS protection engines. Data flowing from known problematic hosts can be discarded without further processing. You must activate Intrusion Prevention or System Firewall to use the Trusted and Banned IPs feature.
• Trusted IPs – Add the IP address or range of IP addresses of trusted critical machines. All data is then allowed from the trusted systems. Note that if a trusted system attacks your Retina CS-protected server or workstation, the attack will not be detected.
• Banned IPs – Provides time-based traffic blocking from an IP address. You can ban an IP for a period of time or indefinitely.

To create a Trusted IP or Banned IP rule:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the Trust IPs or Banned IPs rule category.
5. Click Create New Rule to start the wizard.
6. Enter the IP address, IP address range, or subnet.
7. Enter a description for the IP address.
8. Specify the time the IP remains on the list as either Permanent or Keep for [n] Minutes. You can also include a date and time. The IP address is automatically deleted from the IP list after the time period elapses.
9. Click Set.
10. Click Update. The IP address displays in either Trusted IPs or Banned IPs list.

If an IP address is added to the Trusted list and Banned list,

Registry Protection Rules

Registry rules protect registry resources against unauthorized modifications.

To create a Registry rule:
1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the Registry rule category.
5. Click Create New Rule to start the wizard.
   a. Enter a name and description for the rule.
   b. Select Resource Type – Registry is selected.
   c. Resource Path
      – Registry Key Path – Enter the registry path.
      – Match Type – Select a matching type. See Caller Path page details for descriptions.
   d. Caller Path
      – Caller Path – Enter the path.
      – Match Type – Select a matching type.
        Exact – Matches only the exact path. This is the fastest matching.
        Partial – Matches if the pattern is found anywhere in the path. This is the second fastest matching.
        Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single numerical character and ? for any single alpha character.
        Regex – Creates the most complex matching rules. This can be the slowest and should be used with care.
      – MD5 Validation
        Do not use caller MD5.
        Auto-calculate caller MD5 – Calculates MD5 if access to the file is provided on disk.
        User specified caller MD5 – Enter a hex MD5 caller. The MD5 algorithm is a method for signing and verifying a file and its contents mathematically. At run-time, Retina CS compares this MD5 checksum to the checksum of the application that is requesting network access.
      The two types of matching, such as location and MD5 checksum, are combined: if either matches, the rule is triggered.
   e. Action
      – Allow – Traffic that matches the rule can pass through the firewall.
      – Deny – Traffic that matches the rule cannot pass through the firewall.
      – Alert – Receive and log alerts from Blink when the rule is matched. This can create a lot of alerts and increase the size of the log file.
      – Log – Select to create an event log when the rule is matched.
      Place at the top of the rule list – select to run the rule first.
Execution Protection Rules Execution rules prevent the system from executing unauthorized processes. Rule Summary – Click Finish. This is the default. There is an implicit OR between the two types of matching. Specify an Action Select a Read or Write action to be matched by this rule. 3. Caller Path – Caller Path – Enter the path. – Match Type – Select a matching type. and select that Rule Group. This is the fastest matching. User specified caller MD5 – Enter a hex MD5 caller. Partial – Matches if the pattern is found anywhere in the path. Select the Execution rule category. c.Retina CS User Guide Retina Protection Agents 1. # for any single numerical character and ? for any single alpha character. a. 5. Click Manage Rule Groups. This is the second fastest matching. BeyondTrust® June 10. Select a rule group from the Rule Groups pane. See Caller Path page details for descriptions. Regex – Creates the most complex matching rules. Select the Dashboard tab and click Protect. Resource Path – Registry Key Path – Enter the registry path. – Match Type – Select a matching type. Select Resource Type Execution is selected. Exact – Matches only the exact path. display. You can also type the name of the rule group in the text box to search for. 2013 187 . Wildcard – Creates more complex rules that use * for any sequence of characters. or select the Assets tab and click Protect. b. – MD5 Validation Do not use caller MD5 Auto-calculate caller MD5 – Calculates MD5 if access to the file is provided on disk. 4. 2. This can be the slowest and should be used with care. Click Create New Rule to start the wizard. If either matches. – Deny – Traffic that matches the rule cannot pass through the firewall. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group. or deleted.Retina CS User Guide Retina Protection Agents The MD5 algorithm is a method for signing and verifying a file and its contents mathematically. 
On the Specify an Action page of an execution rule, the Execute check box is selected and cannot be changed.
– Allow – Traffic that matches the rule can pass through the firewall.
– Log – Select to create an event log when the rule is matched.
Caller attributes, such as location and MD5 checksum, are evaluated at run-time: Retina CS compares this MD5 checksum to the checksum of the application that is requesting network access.

File Integrity Rules

There are three types of integrity rules:
• Protected files – Folders and files that you want to monitor for changes.
• Authorized applications – Applications which are allowed to modify any file.
• Custom rules – Exceptions to any other rules. Custom rules are processed first.

Add a Protected File Rule

A protected file rule applies PowerBroker EPP protection on the file. A file protection rule activates when the protected file is changed, renamed, or deleted.

To create a file integrity rule:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Protected Files subcategory to display the associated rules. You can also create a category to organize rules.
5. Select Create New Rule.
6. Complete the following pages:
   a. Enter a name and description for the rule. Place at the top of the rule list – select to run the rule first.
   b. Specify File/Folder Path
      – Protect a file – Enter the file that you want to protect.
      – Protect files inside a directory – Enter the folder that you want to protect. Select the Also Protect Subfolders check box to protect all folders in the directory. Enter a list of file extensions that you want to protect.
   c. Specify an action – Select the Log check box to track the rule activities. Set the rule severity. The default value is 1. The severity level is included in the event log.
   d. Rule Summary – Click Finish.

Add an Authorized Application Rule

An authorized application rule allows an application to access protected files.

To create a file integrity rule:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Authorized Applications subcategory to display the associated rules. You can also create a category to organize rules.
5. Select Create New Rule.
6. Complete the following pages:
   a. Enter a name and description for the rule. Place at the top of the rule list – select to run the rule first.
   b. Specify Authorized Application Path – Enter the caller attributes:
      – File Path – Browse to the executable location for the caller, and then select the matching type:
        Exact – Matches only the exact registry key. This is the fastest matching.
        Contains – Matches if the pattern is found anywhere in the key. This is the second fastest matching.
        Not Contains – Matches when the pattern is not found.
        Wildcard – Creates more complex rules that use * for any sequence of characters, # for any single numerical character and ? for any single alpha character.
        Regex – Creates the most complex matching rules. This can be the slowest matching.
      – MD5 or SHA1 – Enter a hex MD5 or SHA1 for the caller. PBEPP can detect the type of hash used (MD5 or SHA1). The MD5 or SHA1 checksum algorithm is a method for creating a file content checksum and verifying that the content has not changed. SHA1 is a more secure hashing algorithm and is recommended over MD5. Use MD5 or SHA1 when you can access the file and you are certain the file does not normally change (for example, due to user changes or software updates).
      – File Size – Enter the file size.
      – File Location – Select from: Hard drive, USB, CD ROM and Network.
      – Executable is packed – Select True to pack the executable.
      – Process Arguments – Add process arguments to filter the scope of the rule. For example, if the file path is c:\Windows\System32\svchost.exe, then an argument might be -k tapisvr. The rule then only applies to the TapiSvr service.
      – Product Name, Product Description, Company – Enter the product information.
      – Digital Signature Name, Digital Signature Validity – Select the signature parameters.
      – Process Owner – Enter the name of the user account running the executable. Alternatively, enter the SID for the process owner.
      – User Group – Enter one or more user groups. Alternatively, enter the SID for the user group. If the user running the executable belongs to one of the listed groups, the property will match.
   c. Specify an action – Select the Log check box to track the rule activities. Set the rule severity. The default value is 1. The severity level is included in the event log.
   d. Rule Summary – Click Finish.

Add a Custom Rule

A custom rule applies protection on a folder (all files in the folder are protected regardless of the file type). Files and folders included in the rule are not included in the scheduled scan.

To create a custom rule:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Custom subcategory to display the associated rules. You can also create a category to organize rules.
5. Select Create New Rule.
6. Complete the following pages:
   a. Enter a name and description for the rule. Place at the top of the rule list – select to run the rule first.
   b. Specify File/Folder Path
      – Protect a file – Enter the file that you want to protect.
      – Protect files inside a directory – Enter the folder that you want to protect. Select the Also Protect Subfolders check box to protect all folders in the directory. Enter a list of file extensions that you want to protect.
   c. Specify Authorized Application Path – Enter the caller attributes. These are the same attributes as for an authorized application rule (see above): File Path and its matching type (Exact, Contains, Not Contains, Wildcard, Regex), MD5 or SHA1, File Size, File Location, Executable is packed, Process Arguments, Product Name, Product Description, Company, Digital Signature Name, Digital Signature Validity, Process Owner, and User Group.
   d. Specify an action – Select the action to take when the rule is matched: Allow or Deny. Select the Log check box to track the rule activities. Set the rule severity. The default value is 1. The severity level is included in the event log.
   e. Rule Summary – Click Finish.

Windows Events Rules

You can create a rule that tracks Windows Event logs, including: Application, System, and Security.

To create a Windows event rule:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the text box to search for it, and select that Rule Group.
4. Expand Windows Events, and then select: Application, System, or Security.
5. Click Create New Rule to start the wizard.
6. Enter a name and description for the rule.
7. Provide the rule settings:
   – Enabled – Select the check box to activate the rule.
   – Severity – Select the severity level from the list: Only Errors, Errors and Warnings, All. Note that All includes Information events.
   – Add – Click to provide the following information about the event log you want to track:
     – Source name – The name of the application that issued the event. See Source Names. One or more Windows event sources must be provided to activate the rule. Events are only forwarded when a source is provided.
     – Include – Enter the Event IDs to forward to Retina CS.
     – Exclude – Enter the Event IDs to exclude. Note that the excluded list overrides the included list.
     You can enter the source name without providing Event IDs. All events from the source will then be forwarded. The following example shows a range of event IDs to include and two IDs in that range to exclude.
8. Click Save.

Source Names

The source name is the name of the Windows event source. The source name that you enter depends on the operating system that is forwarding the events:

Windows XP, Windows 2003 – Use the name in the Windows Event Viewer Source column.
Vista, Windows 7, Windows 2008 – Use System-Provider[EventSourceName] on the Details tab of the event. Otherwise, if available, use [Name].

Trusted List Options

The Trusted List displays trusted malware by name and category.

To access Trusted List rules:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the Trusted List rule category.
5. Select a malware name check box and click Save.

Miscellaneous Options

Miscellaneous options allow you to set rules for Retina CS operations.

To access miscellaneous options:

1. Select the Dashboard tab and click Protect, or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name of the rule group in the text box to search for the rule group.
4. Expand Misc. Options and select a subcategory:
   – Virus and Spyware
   – General
   – System Protection
   – Scheduler
   – Auto-Updater
   – Vulnerability Assessment
   – Intrusion Prevention
   – IIS Protection
   – Firewall
   – Events
5. After you change the properties for a subcategory, click Update.

For more information, refer to the Retina Protection Agent User Guide.

PowerBroker Servers for Unix & Linux

Overview
Managing PowerBroker Servers Events
Creating a Smart Group for PowerBroker Servers Assets
Using pbreplay to Play the Logged Events
Searching the I/O Logs
Search Parameters

For detailed information about PowerBroker Servers for Unix and Linux features, refer to the PowerBroker Servers product documentation.

Overview

Use Retina CS to manage PowerBroker Servers event log records. Configure Retina CS and PowerBroker Servers to work together to send the event logs to the Retina CS management console. After the event log records are sent to the Retina CS database, you can run reports to analyze your Unix and Linux assets.

Secure Retina CS certificates are deployed to the PowerBroker Servers assets. Apache Solr software is used to index PBUL I/O logs. The indexed results are forwarded to Retina CS, where they can be sorted and viewed.

Event Types

The event types forwarded to Retina CS include Accept and Reject. Accept and Reject events can help you determine if your assets are sending events (indicating that the asset is up and running successfully), for example, whether the asset is running. The event information is used as the source information to determine the heartbeat of your assets. You can create Smart Groups based on the argument types to track the event types in the I/O logs.

Retina CS and PowerBroker Servers Architecture

The following diagram shows how Retina CS and PowerBroker Servers send information between their respective components.

Managing PowerBroker Servers Events

On the Assets page, you can review the run arguments and I/O logs captured for an asset. PowerBroker Servers events are tied to runhost events. On the PowerBroker Servers page, select the i for an asset to review the collected arguments and I/O logs, including user name, command, exit status, and run arguments. You can run reports on PowerBroker Servers assets using Retina Insight.

Purge Events

PowerBroker Servers events are purged after 30 days. You can configure the number of days events remain in the database before purging. See Maintenance Options.

Creating a Smart Group

You can create a Smart Group to organize your PowerBroker Servers assets. Create your Smart Groups using runhost as a filter. You can set filters based on the PowerBroker Servers assets and the event types. For detailed instructions on Smart Groups, see Working with Smart Rules.

Using pbreplay to Play the Logged Events

Use pbreplay, a tool available in PowerBroker Servers for Unix & Linux, to replay the events logged to that point in time. You can access pbreplay in two ways from Retina CS:
• From the Search results page on the Assets page
• From the Event Details page

To run pbreplay:

1. Log on to Retina CS.
2. Select the Assets tab.
3. Select the Smart Group where the PowerBroker Servers assets reside.
4. Click the arrow for an I/O log to start pbreplay.

Searching the I/O Logs

You can search the index of the PowerBroker Servers I/O logs. For information about search commands, see Search Parameters.

To search the index of the I/O logs:

1. Select the Assets tab.
2. Select PowerBroker for Unix & Linux, and then select the Search tab.
5. Select the Solr host your I/O Logs were indexed on from the "Search Hosts" drop-down menu.

Note: In order to allow the Search Window to securely connect to the Solr Servers, you will need to import the SSL Certificates and Certificate Authorities correctly on the RCS side. The instructions for importing the certificates are in the PowerBroker Servers Install Guide, under the "Post-Install" section of "Solr Installation".

Search Parameters

PowerBroker Servers I/O Log files are indexed on the content of the I/O Log, as well as the following fields: user, runuser, runargv, runcommand.

A query is broken up into terms and operators. There are two types of terms: Single Terms and Phrases. A Single Term is a single word such as "test" or "hello". A Phrase is a group of words surrounded by double quotes such as "hello dolly". Multiple terms can be combined together with Boolean operators to form a more complex query (see below).

You can search any field by typing the field name followed by a colon ":" and then the term you are looking for. Examples of searches on the event log variables in the I/O Logs:

Table 18. Basic and Compound Searching

Search Pattern                       Finds...
runuser:root                         all documents where the runuser was 'root'
user:oracle AND runcommand:bash      all documents where the user was 'oracle' and the runcommand was 'bash'

If you have added custom policy variables to the list of indexed variables (using the setting 'solrvariables <var>_pbul' in the PowerBroker Servers pb.settings file), you can also search on those variables using the following syntax in the "Search" field. For example, if you had a policy variable called 'ticketnum_pbul' and added it to solrvariables to be indexed, you can search on it using the syntax:

Search Pattern                       Finds...
ticketnum_pbul:1523XA5               all documents where 'ticketnum_pbul' is set to 1523XA5

You can combine the above queries for event log variables in the query to search the content of the I/O Logs. For example:

Search Pattern                       Finds...
runuser:root AND rm                  all documents where the runuser was root and the word 'rm' was found in the I/O Log file

You can also narrow down your search using the Start and End time fields.

Note: These are the date and time when the I/O Log files (sessions) were created and completed. These are not the date and time when a secured task was executed by PowerBroker Servers. These dates are in the local time zone of the browser (where Retina CS is accessed). To search using the date and time within the I/O Log sessions, refer to Proximity Search below.

Simple Search Example

Compound Search Example

Table 19. Wildcard matching

Search Pattern                       Finds...
rm*                                  any word that starts with "rm" in the title field.
rm*someFile                          any word that starts with "rm" and ends with someFile in the title field.
grep*                                any word that starts with "grep" in the title field.
grep*someFile                        any word that starts with "grep" and ends with someFile in the title field.
P?sswd                               any word that starts with P followed by any one letter and ends with 'sswd'
*:*                                  Everything. All indexed documents are returned.

Note: Lucene does not support using * and ? as the first character of a search.

Boolean Operators

Boolean operators allow terms to be combined through logic operators. Supported Booleans are AND, OR, and NOT (Note: Boolean operators must be ALL CAPS).

OR

The OR operator is the default conjunction operator. This means that if there is no Boolean operator between two terms, the OR operator is used. The OR operator links two terms and finds a matching document if either of the terms exists in a document. This is equivalent to a union using sets. To search for documents that contain either "cat/etc/passwd" or just "passwd", use the query:
"cat/etc/passwd" OR passwd

AND

The AND operator matches documents where both terms exist anywhere in the text of a single document. This is equivalent to an intersection using sets. To search for documents that contain "cat services" and "rm passwd", use the query:
"cat services" AND "rm passwd"

NOT

The NOT operator excludes documents that contain the term after NOT. This is equivalent to a difference using sets. To search for documents that contain "rm passwd" but not "cat services", use the query:
"rm passwd" NOT "cat services"

Note: The NOT operator cannot be used with just one term. For example, the following search will return no results:
NOT "cat services"

Grouping

Use parentheses to group clauses to form sub queries. This can be very useful if you want to control the boolean logic for a query. To search for either "rm" or "cat", and "passwd", use the query:
(rm OR cat) AND passwd

Range Searches

Range Queries allow one to match documents whose field(s) values are between the lower and upper bound specified by the Range Query. Range Queries can be inclusive or exclusive of the upper and lower bounds. Sorting is done lexicographically.

Search Pattern                       Finds...
runuser:[Aida TO Carmen]             all documents whose runuser is between Aida and Carmen, including Aida and Carmen
runuser:{Aida TO Carmen}             all documents whose runuser is between Aida and Carmen, but not including Aida and Carmen

Inclusive range queries are denoted by square brackets. Exclusive range queries are denoted by curly brackets.

Field Grouping

Use parentheses to group multiple clauses to a single field.
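As an added example (not BeyondTrust's code and not part of the guide), the following Python assembles I/O log queries in the syntax described in this section (field terms and phrases, AND/OR/NOT, grouping, field grouping, range, wildcard and proximity searches, including the timestamp proximity form), and escapes the special characters listed under Escaping Special Characters so that a value copied from a ticket or typed by an operator cannot change the meaning of the query. The field names are the ones the guide lists; the query strings are only built locally and are not sent to any Solr host.

```python
# Added example, not PowerBroker Servers or Retina CS code: a small builder
# for the Lucene/Solr query syntax documented in "Search Parameters".
import re
from typing import Optional

# Characters with meaning in the query syntax: the guide's escaping list,
# plus '/', which the guide also escapes (\/etc\/passwd).
_SPECIAL = set('+-!(){}[]^"~*?:\\/')


def escape_term(text: str) -> str:
    """Backslash-escape every syntax character in a single term; '&&' and
    '||' are two-character operators, so both characters get escaped."""
    out, i = [], 0
    while i < len(text):
        if text[i:i + 2] in ("&&", "||"):
            out.append("\\" + text[i] + "\\" + text[i + 1])
            i += 2
        else:
            out.append("\\" + text[i] if text[i] in _SPECIAL else text[i])
            i += 1
    return "".join(out)


def phrase(words: str) -> str:
    """A Phrase is a group of words in double quotes. Only the quote and the
    backslash need escaping inside it, so an untrusted value cannot close
    the phrase and append operators of its own."""
    return '"' + words.replace("\\", "\\\\").replace('"', '\\"') + '"'


def term(value: str) -> str:
    """Single Term when there is no whitespace, otherwise a Phrase."""
    return phrase(value) if re.search(r"\s", value) else escape_term(value)


def field(name: str, value: str) -> str:
    """field:term, e.g. runuser:root or ticketnum_pbul:1523XA5."""
    return f"{name}:{term(value)}"


def field_group(name: str, clause: str) -> str:
    """Field Grouping, e.g. runargv:(rm AND "-rf")."""
    return f"{name}:({clause})"


def and_(*clauses: str) -> str:
    return " AND ".join(clauses)


def or_(*clauses: str) -> str:
    return " OR ".join(clauses)


def not_(keep: str, exclude: str) -> str:
    """NOT needs a positive clause: NOT "cat services" alone finds nothing."""
    return f"{keep} NOT {exclude}"


def group(clause: str) -> str:
    """Parentheses form a sub query, e.g. (rm OR cat) AND passwd."""
    return f"({clause})"


def range_query(name: str, lower: str, upper: str, inclusive: bool = True) -> str:
    """[a TO b] includes the bounds, {a TO b} excludes them (lexicographic)."""
    lo, hi = escape_term(lower), escape_term(upper)
    return f"{name}:[{lo} TO {hi}]" if inclusive else f"{name}:{{{lo} TO {hi}}}"


def wildcard(pattern: str) -> str:
    """Pass a wildcard pattern through unescaped, rejecting the leading
    * or ? that Lucene does not support."""
    if pattern[:1] in ("*", "?"):
        raise ValueError("wildcard queries cannot start with * or ?")
    return pattern


def proximity(words: str, distance: int) -> str:
    """Phrase with ~N: the words within N positions of each other."""
    return f"{phrase(words)}~{distance}"


def timestamp_proximity(word: str, year: int, month: int,
                        day: Optional[int] = None, hhmm: Optional[str] = None,
                        distance: int = 100) -> str:
    """Search near a PowerBroker Servers timestamp ("2013 04 23 22:10").
    Leaving out the day (or the time) widens the window to the month (day)."""
    parts = [f"{year:04d}", f"{month:02d}"]
    if day is not None:
        parts.append(f"{day:02d}")
        if hhmm is not None:
            parts.append(hhmm)
    return proximity(" ".join(parts + [word]), distance)
```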
Retina CS User Guide PowerBroker Servers for Unix & Linux To search for a runargv that contains both the word "rm" and the phrase "-rf" use the query: runargv:(rm AND "-rf") Escaping Special Characters Escaping special characters that are part of the query syntax is supported. For proximity searches. 2013 205 . Table 20. and word transpositions (someFile grep) are proximity 1. By default. "grep someFile"~4 "grep someFile" within 4 words from each other. The current list special characters are +.. "2013 04 rm"~100 BeyondTrust® expands the search to April. PowerBroker Servers indexes a timestamp in the following format: "2013 04 23 22:10" This time-stamp appears in the output every time a CR is in stdin. "2013 04 26 rm"~100 expands the search to today. Proximity matching Search Pattern Finds. "2013 04 26 09:20 rm"~100 for “rm” near today at 09:20 (using Solr's proximity syntax). use a tilde (~) at the end of the phrase..&&||!( ) { } [ ] ^ " ~ * ? : \ To escape these character use the \ before the character. For example to search for (1+1):2 use the query: \(1\+1\)\:2 To search for /etc/passwd use \/etc\/passwd Proximity Search The proximity search finds words that are within a specific distance away from each other. exact matches are proximity 0. For proximity searches. June 10. 2013 206 .Retina CS User Guide PowerBroker Servers for Unix & Linux Proximity Search Example BeyondTrust® June 10. Using the PasswordSafe appliance to manage these items can result in unrecoverable configuration or synchronization errors. Overview PasswordSafe integrates with BeyondTrust's PowerBroker PasswordSafe. you must: • Create a connection to your PowerBroker PasswordSafe appliance. 2013 207 . secure storage of credentials. Configure PasswordSafe to monitor and manage passwords. 
managed systems.Retina CS User Guide PasswordSafe PasswordSafe Overview Configuring PasswordSafe Creating a Connection to Your Appliance Creating User Groups Adding a Managed System Managing Passwords Requesting a Password Approving a Password Retrieving a Password For detailed information about PowerBroker PasswordSafe features. encryption. PowerBroker PasswordSafe is a hardened appliance that creates and secures privileged accounts through automated password management. BeyondTrust® June 10. refer to the PowerBroker PasswordSafe product documentation. Configuring PasswordSafe To configure PasswordSafe. Always use Retina CS to edit or delete the following PasswordSafe items created in Retina CS: users. Emails are sent during the request and approval process. • Create user groups that are assigned roles to manage password releases. user groups. collections. Email notification is configured from the PowerBroker Safe appliance. and a sealed operating system. In Retina CS. – Key – The key is generated on the appliance. 4. 2. Click the PasswordSafe Connections tab. After you enter the information. 5. To create a connection: 1. Note that if you are assigned this role. and then click New. 2013 208 . there must be user groups created to manage the following tasks in the process: • Requestor – Assign this role to users that can request a password. – Appliance IP – Enter the IP address for the appliance. Click Save. • Approver – Assign this role to your users that will approve password releases. you cannot approve your requests. the PasswordSafe tab is available on the Retina CS page. Provide the following information for the appliance: – Title – Enter a name for the appliance.Retina CS User Guide PasswordSafe Creating a Connection to Your Appliance You must create a connection between Retina CS and your PowerBroker PasswordSafe appliance. Note that you cannot assign roles to the Retina CS administrator. 
• No Roles – Assign this role to remove any previously assigned roles to a user group. Roles are only available to PasswordSafe features. • Auditor – Assign the Auditor role to run reports in Retina Insight. click Test to ensure the connection is established to the appliance. Note: You can only create one connection. • Requestor/Approver – Assign this role to user that can approve and request password releases. • Information Security Administrator – This role is responsible for setting up managed systems and accounts. click the Configure tab. 3. The Auditor role can be assigned in combination with other roles available. BeyondTrust® June 10. Creating User Groups In the PasswordSafe password release process. – CLI User – The CLI user is generated from the appliance and cannot be changed. After you create a connection to an appliance. and then click the Accounts tab. BeyondTrust® June 10. 2013 209 . Click +. 2. and then Group or Active Directory Group. Create the group information as usual. 4. Click the Configure tab. See Creating User Groups. and then click Save. 5. Select a Smart Rule where the PasswordSafe assets will be added. To create a PasswordSafe user group: 1. The role changes are synchronized with the PasswordSafe appliance. Select the role to assign. 3.Retina CS User Guide PasswordSafe Note: All changes to PasswordSafe user accounts (users with PasswordSafe roles assigned) must be managed by the Retina CS Administrator account. click the Connection tab. and then click Add to PasswordSafe. 2. 2. – Platform – Select the platform of the system that you want to manage. Enter the system settings: – System Name – Enter a name for the managed system. To configure the connection settings: 1. To configure system settings: 1. After you configure the system settings. Enter the connection information for the appliance: BeyondTrust® June 10. Enter information about the system. 
– Default Password Rule – Select a password rule.Retina CS User Guide PasswordSafe Adding a Managed System Note: Only a user group assigned the Information Security Administrator role can add an asset to PasswordSafe. Right-click the asset on the Asset page. – Description – (Optional). Ensure any password rules that you create are similar to the password rules that are in place for the platform. complexity rules). – Contact E-mail – Enter an email account for email notifications. 2013 210 . – Enable Automatic Password Management – Select the check box to activate password management with PasswordSafe. – Default Maximum Release Duration – Set the length of time before a released password expires. Create a password rule in PowerBroker PasswordSafe. The rule determines the password requirements (for example. – Network Address – Enter the IP address of the managed system. These settings are similar to the PowerBroker PasswordSafe appliance settings. You must configure system and connection settings when you add a system to PasswordSafe. You want PasswordSafe rules to be compliant with the native password rules. 2. – Change Frequency – Select how frequently you want to reset a password. Select the management settings: – Check Password – Select to check the managed account passwords daily. Increase the timeout if connections to the managed systems take longer than usual. – Account Type. On the Managed Systems Settings page. – Default duration of ISA releases of password – Set the length of time that occurs between the ISA retrieval of the password and the automatic reset of the password. – Connection Timeout – Enter the length of time that passes before a connection to a managed system times out. 2. click the Management tab. Password – Enter the account credntials used to access the managed system. Add managed accounts from the managed systems. and then click Add. – NetBIOS – If the platform is Windows. – Network Address – Enter the IP address of the managed system. 
The stored password is compared to the current password on the managed system. click the Accounts tab. Account Name. then an email notification is sent when a mismatch is detected. Add administrator accounts (such as root or Administrator). If email is configured and this check box is not selected. After you configure the connection settings.Retina CS User Guide PasswordSafe – Platform Name – The platform of the system. 2013 211 . BeyondTrust® June 10. – Change password after any release – Select to automatically reset a password after the password is released. then enter the NetBIOS domain name. To configure accounts: 1. – Reset Password on Mismatch – Select this check box if the comparison detected differences in the passwords. – Change Time – Select the time of day to change a password. Provide the following information for the managed account: – System Name – Provide the name of the managed system where the account resides. To configure management settings: 1. – Send Release Notification Email to – Enter the email address for the approvers. Security applied to the operating systems rely on authentication certificates stored for the account.Retina CS User Guide PasswordSafe – Account Name. – Enable Automatic Password Changing/Testing – Select the check box to override the system settings. Click Save. Managing Passwords There are three stages in the password release process: • Requesting a password • Approving a password • Retrieving a password Requesting a Password You must be assigned the Requestor role in Retina CS to request a password release. Password changes are then managed at the account level. For example. – Approvals Required – Enter the number of approvals before the password is released. 2013 212 . Password rules are configured on your appliance. if the account you are configuring here is an Administrator account that runs system services and you want the services to continue to run uninterrupted with the password change. 
– Maximum Release Duration – Select the maximum length of time that a requestor can choose for the password release duration. Current Password – Enter the credentials for the account. 3. – Change password for Windows Services started by this account – Select this check box to update Windows services that the account runs. – Password Rule – Select the password rule. – Use this account's current password to change the password – Select this check box for managed systems using Windows XP or Windows Server 2003 operating systems. BeyondTrust® June 10. An email notification will be sent to you confirming the password request. 2. and the click Request Password. 2013 213 . and active. refer to the PowerBroker Safe Administration Guide. you can view all of your requests or create a new request. expired.Retina CS User Guide PasswordSafe The Ticket System is managed from the appliance. The All filter displays all password requests including pending. Click the Request Password tab. BeyondTrust® June 10. 3. PowerBroker Safe does not interact with a ticket system. The ticket information is added for reference only to track password requests related to a ticket. Log on to the PasswordSafe website using your Retina CS credentials. Provide the request information. You can review all of your password requests on the Request Password page. To request a password release: 1. A message is displayed indicating that your request is in the approval queue. At this point. Select the tabs to filter the password requests. An Active password is a password that is approved and checked out. For more information. Click the Approve Requests tab. 2013 214 . 2. Select a request in the list. BeyondTrust® June 10. The Approval History displays the number of approvals required and if any approvals are applied. Click Approve.Retina CS User Guide PasswordSafe Approving a Password You must be assigned the Approver role to approve password releases. 3. 4. 
Log on to the PasswordSafe website using your Retina CS credentials. There might be more than one approver required depending on how the managed systems are configured. To approve a password request: 1. 3. 2013 215 . Click Retrieve Password. The password is then no longer available to use. BeyondTrust® June 10. Retrieving a Password To retrieve a password: 1. and then Ctrl+C to copy the password the Clipboard. and then select an account. Log on to the PasswordSafe website using your Retina CS credentials. Select the Request Password tab. Click Highlight Password.Retina CS User Guide PasswordSafe The Retrieve Password button is now available to the original requestor in the Approval History section of the Approve Request page. 2. 4. Click Check-in Password at any time to expire the released password. Review the following sections to learn more about the compliance scan templates available. BeyondTrust® June 10. 2013 216 . Compliance Scans Healthcare Pack Finance Pack Government Pack Running a Compliance Scan Reviewing Compliance Scan Results You can run regulatory reports to ensure that your assets are in compliance. Contact your BeyondTrust representative. running a scan. compliance coverage. In this section.Retina CS User Guide Regulatory Reports Pack Regulatory Reports Pack The Regulatory Reporting packs require a license to activate the feature set. Not supported in Retina CS Community. and reviewing scan results. 308 Administrative safeguards. Contact BeyondTrust for a license key to activate the compliance pack.1 Control of technical vulnerabilities COBiT Scans Compliance Area Section DS11. SOX Scans Compliance Area Section 404 Management Assessment of Internal Controls. (a)(8) Standard: Evaluation.Retina CS User Guide Regulatory Reports Pack Compliance Scans By default the following scan templates are available. GLBA Scans Compliance Area Section 6801 Protection of nonpublic personal information. BeyondTrust® June 10. HIPAA Scans Compliance Area Section 164. 
The Healthcare, Finance, and Government packs need an updated license key.

Healthcare Pack Compliance Scans
The Healthcare Pack includes a HIPAA scan template. Contact BeyondTrust for a license key to activate the compliance pack.

Finance Pack Compliance Scans
The Finance Pack includes SOX and GLBA scan templates. Contact BeyondTrust for a license key to activate the compliance pack.

Government Pack Compliance Scans
The Government Pack includes the FERC-NERC, NIST 800-53 and MASS 201 scan templates. Contact BeyondTrust for a license key to activate the compliance pack.

FERC-NERC Scans
    Compliance Area: CIP-005-3 R4 Cyber Vulnerability Assessment

NIST-800-53 Scans
    Compliance Area: SA System and Services Acquisition
    Section: SA-10 Developer Configuration Management

MASS 201 Scans
    Compliance Area: Section 17.03(2)(b)(3) Duty to Protect and Standards for Protecting Personal Information - Detect and Prevent Security Systems Failures

Running a Compliance Scan
The following procedure is an overview of running a scan. For detailed information on scan options, see Scanning. Ensure the correct license key is applied to activate the compliance scans.
To run a compliance scan:
1. Select the asset group, and then select Scan.
2. Click Scan.
3. Select the scan template, and then click Scan.
4. Select the scan options, and then click Start Scan.

Reviewing Compliance Scan Results
The following describes the report information from a HIPAA Compliance scan. The summary of the vulnerability details breaks down each vulnerability by severity and CVSS score and provides additional information for the vulnerability, as shown in the example report (report screenshot not reproduced here). Scroll through the list of vulnerabilities provided in the report. You can review remediation fixes for each one.
Configuration Compliance Pack
The Configuration Compliance module requires a license to activate the feature set. Not supported in Retina CS Community. Contact your BeyondTrust representative.

In this section:
• Setting Permissions for Configuration Compliance
• Managing Benchmarks
• Importing Benchmarks
• Setting OVAL Tests Option

The following tools are available to run benchmark scans:
• XCCDF audit groups. The Secure Configuration Audits audit group ships with the Configuration Compliance module. Use this audit group to run your scan. For information about running a scan, see Running a Scan.
• Benchmark configuration. Import benchmark templates, synchronize templates, and review versions of the benchmark templates that ship with Retina CS.
• Configuration Compliance reports. Includes two reports: Benchmark Compliance and Benchmark Export.

Setting Permissions for Configuration Compliance
You must create a user group and set permissions for that group before its members can run configuration compliance scans.
To create a group and set the permission:
1. Click the Configure tab, and then click Accounts.
2. Click + in the User Groups pane to create a group.
3. Enter a group name and description.
4. Add an IP range for the group.
5. Select the Read and Write check boxes for the Benchmark Compliance permission.
6. Add your configuration compliance users to the group. See User Accounts.
7. Click Update.

Managing Benchmarks
Retina CS ships with a default set of benchmark templates. You can import additional or updated benchmarks. Policies included with benchmark templates can be inactivated if they do not apply. If you are working with your benchmark profiles outside Retina CS, you can synchronize the templates using the Retina CS Configuration tool. To download an editor to change your benchmarks, click the Download Editor button.
To manage benchmarks:
1. Click the Configure tab.
2. Click the Benchmark Management tab.
3. Expand a benchmark to review more detail.
4. Clear policies as needed.
5. Select attributes (optional).
6. Click Update.

Importing Benchmarks
You can import .cab or .zip files that include the following:
• For Windows 7:
  – CIS_Windows_7_Benchmark_v1.1.0.xml
  – CIS_Windows_7_Benchmark_v1.1.0_oval.xml
  – Windows-7-cpe-dictionary.xml
  – Windows-7-cpe-oval.xml
• For Windows Server 2008:
  – CIS_Windows_2008_Server_Benchmark_v1.1.0.xml
  – CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml
  – Windows-2008-cpe-dictionary.xml
  – Windows-2008-cpe-oval.xml
To import templates, click Import New Benchmark, navigate to the file, and then click Open. To overwrite an existing template, click Yes.
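The following PowerShell script is an added example for the Importing Benchmarks topic; it is not part of the Retina CS guide and is not BeyondTrust code. It checks a benchmark .zip before you import it: that the bundle contains the file set listed above for the platform, and that every OVAL file an XCCDF rule points to through its check-content-ref href is actually in the bundle (a benchmark whose rules reference a missing OVAL file has nothing to evaluate). The XCCDF and OVAL XML it writes is constructed sample data, the bundle is built in the temp directory, and the XCCDF 1.1 namespace and the rule ids are assumptions for illustration.

```powershell
# Added example (not from the Retina CS guide or BeyondTrust): pre-import check for a
# benchmark bundle. The expected file names come from the guide; the XCCDF/OVAL content
# written further down is constructed sample data.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Expected bundle members, as listed in the guide.
$ExpectedFiles = @{
    Windows7    = @('CIS_Windows_7_Benchmark_v1.1.0.xml', 'CIS_Windows_7_Benchmark_v1.1.0_oval.xml',
                    'Windows-7-cpe-dictionary.xml', 'Windows-7-cpe-oval.xml')
    Windows2008 = @('CIS_Windows_2008_Server_Benchmark_v1.1.0.xml', 'CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml',
                    'Windows-2008-cpe-dictionary.xml', 'Windows-2008-cpe-oval.xml')
}

function Test-BenchmarkBundle {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][ValidateSet('Windows7', 'Windows2008')][string]$Platform
    )
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        $members = @($zip.Entries | ForEach-Object { $_.Name })
        $missing = @($ExpectedFiles[$Platform] | Where-Object { $members -notcontains $_ })
        $broken  = @()
        $rules   = 0
        # The XCCDF benchmark is the CIS_* file that is not the *_oval.xml companion.
        $benchmark = $zip.Entries | Where-Object { $_.Name -like 'CIS_*.xml' -and $_.Name -notlike '*_oval.xml' }
        foreach ($entry in $benchmark) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$xccdf = $reader.ReadToEnd() } finally { $reader.Dispose() }
            # Namespace "*" matches XCCDF 1.1 and 1.2 documents alike.
            $rules += $xccdf.GetElementsByTagName('Rule', '*').Count
            # Each <check-content-ref href="..."> must name a file in the bundle,
            # otherwise the rule has no OVAL definitions to evaluate against.
            foreach ($ref in $xccdf.GetElementsByTagName('check-content-ref', '*')) {
                $href = $ref.GetAttribute('href')
                if ($members -notcontains $href) { $broken += "$($entry.Name) -> $href" }
            }
        }
        [pscustomobject]@{
            Zip          = Split-Path $ZipPath -Leaf
            RuleCount    = $rules
            MissingFiles = $missing
            BrokenRefs   = @($broken | Sort-Object -Unique)
            Ok           = ($missing.Count -eq 0 -and $broken.Count -eq 0)
        }
    } finally { $zip.Dispose() }
}

# --- Constructed sample bundle: the second rule points at an OVAL file that is not in
# --- the zip, and the CPE OVAL file is left out, so both checks report a problem.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ('bundle-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
@'
<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="CIS_Windows_7_sample">
  <Rule id="audit-logon-events" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="CIS_Windows_7_Benchmark_v1.1.0_oval.xml" name="oval:sample:def:1"/>
    </check>
  </Rule>
  <Rule id="minimum-password-length" selected="true">
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="CIS_Windows_7_Benchmark_v1.2.0_oval.xml" name="oval:sample:def:2"/>
    </check>
  </Rule>
</Benchmark>
'@ | Set-Content -Path (Join-Path $work 'CIS_Windows_7_Benchmark_v1.1.0.xml') -Encoding UTF8
foreach ($name in 'CIS_Windows_7_Benchmark_v1.1.0_oval.xml', 'Windows-7-cpe-dictionary.xml') {
    '<?xml version="1.0"?><placeholder/>' | Set-Content -Path (Join-Path $work $name) -Encoding UTF8
}
$zipPath = "$work.zip"
[System.IO.Compression.ZipFile]::CreateFromDirectory($work, $zipPath)

Test-BenchmarkBundle -ZipPath $zipPath -Platform Windows7 | Format-List
# For the sample: RuleCount 2, MissingFiles = Windows-7-cpe-oval.xml,
# BrokenRefs = the v1.2.0 href, Ok = False
```

Run it against a real bundle with Test-BenchmarkBundle -ZipPath <your .zip> -Platform Windows7 (or Windows2008) and import only when Ok is True; a broken href usually means the benchmark and OVAL files in the bundle come from different benchmark versions.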
Setting OVAL Tests Option
You can store OVAL XML data in the Retina CS database. If the option is selected, the OVAL values used to determine whether a rule was compliant are parsed from the OVAL output files and stored in the Retina CS database.
To store OVAL tests in Benchmark reports:
1. Select Options.
2. On the Application Options dialog box, expand Benchmark Compliance.
3. Select the Yes check box to store OVAL tests.
4. Click Update.

Appendix A: Preparing Your Database Application for Scans
Not supported in Retina CS Community.

You can set your database applications as targets for scanning. To ensure that your database can be successfully scanned by Retina, review the following section on MySQL to prepare your database.

Preparing Your MySQL Database
Review your MySQL settings and ensure the following is in place:
• Verify that the latest GA release of the MySQL ODBC driver is installed on the scanner system.
  – Go to Administrative Tools.
  – Run Data Sources (ODBC).
  – Select the Drivers tab.
  – Search for the MySQL driver.
  – If no driver is found, download and install the latest GA-released MySQL driver from the MySQL website.
• Ensure that a remote connection can be established to the target database using the 'mysql' tool provided with the MySQL database installation.
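The following PowerShell script is an added example for Preparing Your MySQL Database; it is not part of the Retina CS guide and is not BeyondTrust code. It performs the two checks above on the scanner host without the GUI: it reads the registry key behind the Drivers tab of the ODBC Data Source Administrator to list installed MySQL ODBC drivers (including the WOW6432Node key, because a 32-bit scanner process can only use 32-bit drivers, which is a general Windows fact rather than something the guide states), and it attempts a remote connection with the mysql client. The host name db01.example.internal and the account retina_scan are placeholders.

```powershell
# Added example (not from the Retina CS guide or BeyondTrust): scripted form of the
# Appendix A prerequisites, run on the scanner host. Host and account names are placeholders.
function Get-MySqlOdbcDriver {
    # The Drivers tab of the ODBC Data Source Administrator is backed by this key;
    # a driver counts as present when its value is "Installed". The WOW6432Node key
    # holds 32-bit drivers on 64-bit Windows.
    $keys = @(
        @{ Path = 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers';             Arch = 'native' },
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBCINST.INI\ODBC Drivers'; Arch = '32-bit on 64-bit Windows' }
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k.Path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k.Path).PSObject.Properties) {
            if ($p.Name -like 'MySQL ODBC*' -and $p.Value -eq 'Installed') {
                [pscustomobject]@{ Driver = $p.Name; Architecture = $k.Arch }
            }
        }
    }
}

function Test-MySqlRemoteConnection {
    param(
        [Parameter(Mandatory)][string]$MySqlHost,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][securestring]$Password,
        [int]$Port = 3306
    )
    # Uses the mysql client that ships with MySQL; it must be on PATH.
    if (-not (Get-Command mysql -ErrorAction SilentlyContinue)) {
        throw 'mysql client not found on PATH; install the MySQL client tools on the scanner host'
    }
    # The password is passed through MYSQL_PWD rather than --password so that it does
    # not appear in the process command line, and it is removed again afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $env:MYSQL_PWD = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $out = & mysql --host=$MySqlHost --port=$Port --user=$User --batch --skip-column-names `
                       -e 'SELECT VERSION(), CURRENT_USER();' 2>&1
        [pscustomobject]@{
            Host      = $MySqlHost
            Connected = ($LASTEXITCODE -eq 0)
            Detail    = ($out -join ' ')   # "<version> <user@host>" on success, the client's error text otherwise
        }
    } finally {
        Remove-Item Env:\MYSQL_PWD -ErrorAction SilentlyContinue
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Usage on the scanner host (placeholder host and account):
Get-MySqlOdbcDriver
Test-MySqlRemoteConnection -MySqlHost 'db01.example.internal' -User 'retina_scan' `
    -Password (Read-Host -AsSecureString 'MySQL password')
```

If Get-MySqlOdbcDriver returns nothing, the driver is absent and the scan will fail at the ODBC layer; if it returns only a driver under the WOW6432Node key on a 64-bit host, confirm the scanner process is 32-bit before relying on it. The CURRENT_USER() column in Detail shows the account and host pattern MySQL actually matched, which is what to use when the grants for the scanning account need adjusting.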
Appendix B: BMC Remedy
You can export asset and vulnerability data from Retina CS to your BMC Remedy server. Your Remedy system must already have forms created to accept asset and vulnerability information.

To configure Retina CS, you must:
• Create a connector to Remedy.
• Create a Smart Group. The parameters configured in the Smart Group define the assets (and data) that will be exported to the Remedy system.

Creating a Connector to your BMC Remedy Server
Settings from your Remedy WSDL file are required to create the connector.

Sample data from a WSDL file: (figure not reproduced here)

Note: Remedy web service endpoints expect a sortable date format, for example 2009-06-15T13:45:30. You can override the default format in the registry with a valid .NET date format string:
HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString
View examples of standard date format strings here: http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

To create a connector:
1. Click the Configure tab, and then click the Export Connectors tab.
2. Click +, and then click BMC Remedy Connector.
3. Enter a connector name, and a Remedy user name and password. The connector name can be any name. The credentials for the Remedy system must provide access to the web service and be able to create requests. Use a dedicated Remedy account for the connector that has only the permissions needed to create those requests.
4. Select the check boxes for the data that you want to export: Export Assets, Export Vulnerabilities. You can select both.
5. For the export options, enter the following information:
   – Web Service URL - the location where data will be exported.
   – Target Namespace - the target namespace from the WSDL file.
   – SOAP Action - the action as defined in the WSDL file.
   – Field Mappings - the fields that you want to include in the export data. The order of the fields must match the order of the fields in the WSDL file. Use the arrows to change the order.
6. After you provide the information, click Test to ensure a connection is established to your Remedy system. Note that the test creates a record in the Remedy system.
7. The Active check box is selected by default. Data is only exported when the check box is selected. Click Update.
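The following PowerShell script is an added example for the date-format note above; it is not part of the Retina CS guide and is not BeyondTrust code. It shows what "sortable" means for a .NET date format string (fixed width, year first, so ordinal string order equals time order, and the string parses back to the same instant), checks a candidate format against the 2009-06-15T13:45:30 example from the guide, and only then writes it to the RemedyExportDateFormatString value named in the guide. The registry path is the guide's; that the value is a REG_SZ string, and that the candidate format strings shown are what an administrator would try, are assumptions.

```powershell
# Added example (not from the Retina CS guide or BeyondTrust): validate and set the
# RemedyExportDateFormatString override. The key path is from the guide; the value
# type (REG_SZ) is an assumption. Writing under HKLM requires an elevated session.
$KeyPath   = 'HKLM:\SOFTWARE\eEye\RetinaCS'
$ValueName = 'RemedyExportDateFormatString'

function Test-SortableDateFormat {
    param([Parameter(Mandatory)][string]$Format)
    # Sortable: timestamps one second apart render with the same width and in
    # ordinal (string) order, and the rendered string parses back to the same instant.
    $a  = [datetime]'2009-06-15T13:45:30'   # the example timestamp from the guide
    $b  = $a.AddSeconds(1)
    $ci = [cultureinfo]::InvariantCulture
    $sa = $a.ToString($Format, $ci)
    $sb = $b.ToString($Format, $ci)
    try { $roundTrip = [datetime]::ParseExact($sa, $Format, $ci) } catch { return $false }
    return ($sa.Length -eq $sb.Length) -and
           ([string]::CompareOrdinal($sa, $sb) -lt 0) -and
           ($roundTrip -eq $a)
}

function Set-RemedyExportDateFormat {
    param([Parameter(Mandatory)][string]$Format)
    if (-not (Test-SortableDateFormat -Format $Format)) {
        throw "'$Format' is not a sortable, round-trippable .NET date format string"
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Format -PropertyType String -Force | Out-Null
    # Return what is now stored, so the caller can confirm the write.
    (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

# 's' is .NET's sortable standard pattern (yyyy-MM-ddTHH:mm:ss) and renders the
# guide's example as 2009-06-15T13:45:30.
Test-SortableDateFormat -Format 's'                    # True
Test-SortableDateFormat -Format 'yyyy-MM-dd HH:mm:ss'  # True: custom, but still fixed width, year first
Test-SortableDateFormat -Format 'MM/dd/yyyy h:mm tt'   # False: month first, no seconds, 12-hour clock

# Apply the override (elevated session):
# Set-RemedyExportDateFormat -Format 's'
```

A format that fails the check, such as a locale-style month-first string, still "works" in the sense that the export runs, but Remedy receives values it cannot order or that have lost seconds, which is the failure mode the note warns about.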
Creating a Smart Group
The assets and vulnerabilities to be exported are defined in the Smart Group. Assets and vulnerabilities (depending on what is selected in the connector details) are exported only once within the defined expiration period. After the expiration period passes, the item is exported again if it is still in the Smart Group. An item (asset or vulnerability) might nonetheless be exported more than once within a period: this can occur if, for any reason, the item drops out of the Smart Group and is later included again.

To configure the Remedy Smart Group:
1. Configure the Smart Group as usual. See Creating a Smart Rule.
2. In the Perform Actions area, select Export Data.
3. Select the name of the Remedy connector.
4. Enter the expiration period, in days.
5. Select an audit group from the list. Only vulnerabilities in the selected audit group are exported. If no audit group is selected, all vulnerabilities for all assets are exported.
6. Click Save.

Exporting the Data
After the Smart Group is created, the data is collected and exported every hour on the hour. You can change the default export time in the RemManagerSvc.exe.config file located in the Retina CS install directory. Export results and progress alerts are not shown in Retina CS; view export results in your Remedy system.
To stop exporting data, clear the Active check box on the Remedy Connector Details page.