Change Auditor 7.5 - User Guide

Deploying a Threat Detection server on Hyper-V

Deploying a Threat Detection server on Hyper-V

To optimize your server utilization and reduce costs, you can choose to deploy a virtual Threat Detection server using a Hyper-V virtual machine deployment.

The Threat Detection server, which is a a version of Red Hat Enterprise Linux 7 (64 bit), is available as .zip file that must be deployed on a Microsoft Hyper-V host environment by running a PowerShell script.

Begin by downloading the Change Auditor Hyper-V template (https://support.quest.com/change-auditor/7.0.3/download-new-releases) to the Hyper-V server.

NOTE: PowerShell version 5 or higher is required.

To deploy the Threat Detection server

1	For remote deployments using an IP address to connect the Hyper-V server (in absence of a Hyper-V server DNS record), perform the following:

▪	Start the Windows Remote Management (WS-Management) /(WinRM) service.

▪	Run this PowerShell command as an administrator to add the Hyper-V server IP address to the TrustedHosts list:

set-item wsman:\localhost\Client\TrustedHosts -value <Your_Hyper-V_Host_IP_Address>

2	From the Change Auditor client browse to the DeployThreatDetectionHyper-VServer.ps1 deployment script. By default it is located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts.

NOTE: You can run the script on the same computer as where you are deploying the Threat Detection server (local deployment) or from any other computer in the network (remote deployment).

3	Right-click the deployment script and select Run with PowerShell.

4	Enter the deployment properties for the Threat Detection sever.

Property	Description
Hostname or IP address	The hostname or IP address of the Hyper-V server.
Hyper-V administrator	The account used to deploy the Threat Detection server. The user specified must be a Hyper-V administrator.
Hyper-V password	Password for the Hyper-V administrator.
Threat Detection Hyper-V template location	Location of the Threat Detection Hyper-V template zip file on the Hyper-V server.
Folder for the virtual machine HD files	The path of the folder where the Threat Detection server's hard disk files will be installed on the Hyper-V server during deployment. If the folder does not exist, it will be created.
Folder for the virtual machine configuration files	The path of the folder where the Threat Detection server’s configuration files will be installed on the Hyper-V server during deployment. If the folder does not exist, it will be created.
Virtual machine name	The name of the Threat Detection server in the Hyper-V management console.
Number of virtual machine cores	The number of machine cores (8 or 16). NOTE: 16 cores is recommended, 8 cores can be used if processing less than 5 million events per day.
Network adapter	The script returns the list of available network adapters for the Threat Detection server. Select one from the list.
VLAN identifier	The virtual local area network (VLAN) identifier which is a number between 1 and 4094. (This is only required if your network uses a VLAN.)
Hostname	Fully qualified domain name of the Threat Detection server registered in DNS. For example: hostname.yourcompany.com
IP address	Static IPv4 address of the Threat Detection server.
Subnet mask	Subnet mask for the Threat Detection server. For example: 255.255.255.0
Default gateway	IP address of the default gateway for the Threat Detection server.
DNS	DNS server IP for the Threat Detection server.
Integration Password	Password required for the integration between Change Auditor and the Threat Detection server. The integration password is used during the Threat Detection configuration. The password must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$. Maintain this password for use when creating the Threat Detection configuration.
Root Password	The root password. It must be 8-24 characters and can only include the following supported values: a-z, A-Z, 1-0, @,$.

5	Review and confirm the Threat Detection server settings. To continue enter Yes. To change the properties, enter No.

The Hyper-V Threat Detection server will now be deployed. This may take several minutes.

6	If you are using System Center Virtual Machine Manager (SCVMM) to manage your Hyper-V hosts, refresh the Virtual Machine Manager (VMM) dashboard to display the Threat Detection server.

a	Open the Virtual Machine Manager (VMM) dashboard. Under VMs and Services, select All Hosts.

b	Right-click the Hyper-V host where the Threat Detection server is hosted and click Refresh Virtual Machines.

Quest recommends that you take a checkpoint of the newly deployed virtual server. This allows you to revert to a clean state without redeploying the server if you need to start over or re-create a configuration.

You are now ready to create a Threat Detection configuration in Change Auditor. See Creating a Threat Detection configuration.

NOTE: The Threat Detection server uses Dynamic MAC address for its network adapter. If you are using SCVMM to manage your Hyper-V hosts and you plan to move the Threat Detection server from one Hyper-V server to another, ensure that after moving, the server is allocated an unused MAC address or alternatively change the address to a static MAC address.

Hyper-V resource control settings

Hyper-V resource control settings

After you have deployed the Threat Detection server, you can select to adjust the Hyper-V processor settings to reserve an amount of processor capacity for a specific virtual machine or, alternatively, configure which virtual machine is given priority in your environment.

Change Auditor’s deployment of a Threat Detection server uses the system defaults unless otherwise specified.
To change the values for these properties, open the virtual machine’s setting, select the Processor, and configure the associated resource control setting.

Table 3. Hyper-V CPU settings

Property	Description	Best Practice
Reserve	The percentage of logical processor resources that are reserved for the Threat Detection server. For example, if the host machine has 8 logical CPUs, then setting this value to 25% would reserve 2 of those CPUs for the Threat Detection server. The default value is dynamic based on the CPU.	Set this value to 100% to ensure the Threat Detection server will have access to the resources that it requires.
Relative Weight	Determines how the CPU is distributed when you want to set which virtual machine takes priority when there is contention for the processor. For example, a virtual machine with a relative weight of 200, receives twice as much processor time than one set to 100. The default value for all virtual machines is 100.	The weight ranges from 1-10000. To give the Threat Detection server priority, assign it with a higher weight than all other computers in your environment.

Upgrading the Threat Detection server

Upgrading the Threat Detection server

For the Threat Detection system to function properly, the Threat Detection server must be compatible with the installed version of Change Auditor. To see if your Threat Detection server is compatible or if an upgrade is required see Reviewing configuration status.

The upgrade process is dependent on your current version.

•	Upgrade from Change Auditor version 7.0.2

•	Upgrade from Change Auditor version 7.0 and 7.0.1

 

IMPORTANT: Quest recommends that you take a snapshot (for ESX deployments) and a checkpoint (for Hyper-v deployments) of the Threat Detection server before beginning the upgrade process. This allows you to revert to the initial state. For details see: • vSphere documentation • Microsoft documentation

Upgrade from Change Auditor version 7.0.2

Upgrade from Change Auditor version 7.0.2

You can upgrade your existing Threat Detection server with the Update-CAThreatDetectionServer command.

To upgrade the Threat Detection server:

1	Download the update package (UpdateTDServer-7.0.3.11486.zip) from https://support.quest.com/change-auditor/7.0.3/download-new-releases.

2	Run the Update-CAThreatDetectionServer command.

NOTE: To run the command, you must have the Change Auditor PowerShell module installed and imported. By default, it is installed with the Change Auditor client and coordinator. You must also be a member of the Change Auditor Administrator group.

This command performs a series of steps to complete the upgrade of the Threat Detection Server:

▪	The update package is uploaded to to the coordinator that you connected to through the Connect- CAClient command. A message displays when the upload is complete.

▪	The coordinator then uploads the update package to the Threat Detection server.

▪	The upgrade process will then begin on the Threat Detection server. The upgrade will take about 15 minutes to complete.

3	You can monitor the upgrade progress through the Change Auditor client under Administration Tasks | Configuration | Threat Detection or by running the Get-CAThreatDetectionConfiguration command.

Once complete, the configuration state will be “Configured”, the upgrade status will be “Upgrade succeeded”, and the Threat Detection server version will be updated to the current version.

NOTE: Change Auditor provides a sample script (UpdateThreatDetectionServer.ps1) that can be used to perform the upgrade. By default the script is located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts.