InTrust 11.4.2 - Deployment Guide

Default Roles Implementing Role-Based Administration Switching Role-Based Administration On and Off Examples: Who Can Do What Case Study: Regional Scenario Case Study: Managing Access to Reporting Configuration

InTrust Configuration

Configuring Access Rights

InTrust Organization Administrators AMS Organization Servers AMS Readers

Configuring InTrust Sites Configuring Notification Groups and Recipients Configuring InTrust Monitoring Console

Licensing Sample Deployment and Configuration Scenario

Lab Configuration Overview InTrust Organization Configuration Overview Gathering Configuration Overview Real-Time Monitoring Configuration Overview Installing Servers Installing Agents Configuring and Populating InTrust Sites Setting Up Gathering and Reporting on Events Setting Up Real-Time Monitoring of Security Events

InTrust Agents

You can deploy InTrust agents on site computers to locally perform audit data gathering and monitoring. An agent is an executable that keeps track of events logged on the computer, filters data, compresses it and sends it to the InTrust server it responds to.

Caution: Agents are optional for audit data gathering, but required for real-time monitoring. Using agents for gathering, however, helps minimize network impact when communicating data from the target computer to the InTrust server.

Usually, agents are installed automatically, but in some cases you need to deploy them manually (for example, if a computer is behind a firewall or if it is a Unix host).

To install agents on all site computers in bulk, right-click that site and select Install Agents.
To avoid automatic agent installation on site computers, right-click that site, select Properties, and on the General tab, select the Prohibit automatic agent deployment on site computers option.

For more details about agent installation, see Deploying Agents.

If using an agent on the target computer, you can set a limit for the agent so that its CPU usage does not go beyond the specified percentage. For that, do the following:

Under the InTrust Server node, select Agents, right-click the agent you need.
In the agent’s properties, go to the Parameters tab; select the Agent_ThrottleCPU parameter, click Edit and set parameter value to 1—to activate CPU throttling.
Select Agent_ThrottleCPUPercent parameter, click Edit and specify value for the limit. Note that if an agent responds to multiple InTrust servers, and this option is configured on more than one of those servers, the least of the specified values is used.

Besides, on the General tab of the agent's properties page, you can specify the location of temporary files and agent log backup (for more information on agent log backup, refer to the Keeping Event Data on the Agent Side topic). You can change these settings for a list of agents responding to the InTrust server that InTrust Manager is connected to.

Using Filters in InTrust Manager

In some parts of InTrust configuration, filters can be used for fine tuning. See below for details about setting up filters for data and objects.

Data Filters

Data filters specify what kind of data is retrieved. Data filters are associated with individual data sources within policies. Data filtering is configured separately for repositories and databases.

When creating a new data source, the New Data Source Wizard will offer you to create the data filters you want to be used. There are two varieties of filters: including and excluding. Apply including filters to include the selected events in the data store. Apply excluding filters to ignore the selected events.

Note: You can configure excluding filters only if at least one including filter exists.

To configure the data filters of existing data sources, expand the policy which involves the necessary data source, and from the data source’s shortcut menu, select Properties. Use the Repository Filter and Database Filter tabs to modify the filters as you need.

Object Filters

Object filters specify the objects from which data is retrieved. Object filters are associated with the following:

Entire gathering policies (not individual data sources in those policies)
InTrust sites (both predefined and custom) involved in gathering and real-time monitoring

Object selection for the site filters is based on the logical operators AND, OR and NOT. Highlight an item in the Filter tab tree and select an expression or attribute to supplant or expand the item. Filter attributes are selected from an extensible list.

For example, if you need to include all IIS servers whose names start with “WEB” and do not contain the character “0”, do the following:

Open the properties of the site or policy for which you are configuring the filter, and to the Filter tab.
Click the root item Expression, click Operation and select AND. An AND node appears, expanded by two placeholders for expressions or attributes.
Click the first placeholder and click Attribute to select the Microsoft IIS Server attribute from the list.
Highlight the second placeholder, click Operation and select AND. Again, two placeholders appear.
Click the first, click Attribute, select Computer Name and type “WEB*”.
Click the second placeholder, click Operation and select NOT. A placeholder appears.
Click the placeholder, click Attribute, select Computer Name and type “*0*”.

Click OK to save the changes and close the dialog box.

Role-Based Administration of InTrust

By default, after your InTrust installation is complete, the role-based administration feature of InTrust is disabled.

In large, complex environments, InTrust administration can require multiple people. Often, it makes sense to define several scopes of control, or roles, for these InTrust administrators to clearly delineate their responsibilities. For example, you might use the roles of auditing administrator, monitoring administrator, and InTrust server administrator.

A role can be represented by an Active Directory group. You implement roles by setting InTrust object permissions for each group, thereby granting or denying the group members access to InTrust configuration objects or InTrust features.

A user can belong to more than one group and so have more that one role. For example, a user might be both an auditing administrator and an InTrust server administrator.

It is up to you what roles you introduce in your InTrust framework. Consider that your roles can control the following:

Access to specific content
For example, you might want an Active Directory team, a Linux team, or an InTrust Server team.
Level of responsibility
For example, a user might be an InTrust administrator or a notification recipient.
Geographical location
For example, users are located in the United States or Europe.

This list is just a starting point. You may want to define your roles based on different criteria.

Caution: By default, after your InTrust installation is complete, the role-based administration feature of InTrust is disabled. After upgrade, the enabled or disabled state of this feature does not change.

When role-based administration is disabled, the following object access configuration is in effect:

Accounts from the list of InTrust organization administrators have full control of InTrust objects: they can use, create, modify and delete objects. For details about this list, see the Users with Unrestricted Access section of the Default Roles topic.
Accounts from the computer local AMS Readers group on the InTrust server have read-only access to objects—most importantly, this means that they can run tasks and jobs. For details about this group, see the Users Who Can View Configuration Objects in InTrust Manager section of the Default Roles topic.
Accounts that are not included in the organization administrators list or AMS Readers group cannot connect InTrust Manager to an InTrust server.

Default Roles

Users with Unrestricted Access

Accounts (users or groups) in the list of InTrust Organization Administrators are not affected by the security settings on InTrust objects; they have unlimited rights over the configuration in an InTrust organization.

To access this list, right-click the root node in the InTrust Manager treeview and select Properties. In the dialog box that opens, use the Add and Remove buttons to work with the list. Only users who are already in the list can add or remove accounts.

By default, the organization administrators list contains the following:

The user account under which you install InTrust Server
The user account specified as the InTrust Server service account

Note: If you decide that using roles is not justified in your environment, you can add to this list either the accounts of all your InTrust administrators or a group that they are members of. This way, you can disregard administration role considerations entirely.

Importantly, in the current version of InTrust, several configuration objects can be created only by accounts that are listed as InTrust organization administrators. These are objects under the following Configuration nodes: Notifications, Data Stores, and Advanced. Other users, however, can be assigned any rights they need to access the configuration objects under these nodes.

Users Who Can View Configuration Objects in InTrust Manager

By default, Everyone has Read access to InTrust configuration objects. However, to use InTrust Manager, a user must be a member of the AMS Readers computer local group on the InTrust server or an InTrust organization administrator. The AMS Readers group initially has no members. To enable users to view InTrust configuration in InTrust Manager, take the following steps:

Create an Active Directory security group named, for example, Configuration Readers.
Include the necessary accounts in this group.
Add this group to the local AMS Readers group on your InTrust server.

Then, any time you need to grant Read access to another account, simply make it a member of the Configuration Readers group.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem