Quest IT Security Search provides IT administrators, IT managers and security teams with a way to navigate the expanse of information about the enterprise network. It helps you achieve the following:
The search engine-like interface helps you pinpoint the data you need using only a few searches and clicks.
To set up IT Security Search, run the ITSearchSuite.exe installation package located in the Components folder of the IT Security Search package. You can customize the installation path and the port that will be used for getting data.
The following versions of data-providing systems are supported in this version of IT Security Search:
NOTE: The ARS installer is removed from the ITSS installer to adhere to the new AirGap compliance requirements.
NOTE: Change Auditor components can be deployed on virtual machines running in Infrastructure as a Service (IaaS), such as Amazon Web Services and Microsoft Azure.
The IT Security Search Web interface works correctly with the following browsers:
The minimum supported monitor resolution is 1024x768.
To find out the disk requirements for IT Security Search installation, consider the sections below. They describe how much disk space is used for indexing data provided by specific connectors.
These are the average index entry sizes for each type of Enterprise Reporter object. Use them in calculating the required disk space for your particular on-premises or hybrid environment.
Note that there are generally multiple index entries per object, depending on how often objects are changed.
Object type | Average size of an index entry, in kilobytes |
---|---|
AD Permissions | 2.1 |
AD Contacts | 3.3 |
Computers | 1.6 |
Groups | 1.5 |
Files | 1.5 |
OUs | 2.3 |
Shares | 2.1 |
Users | 1.6 |
Azure Applications | 1.6 |
Azure Contacts | 1.6 |
Azure Devices | 5 |
Azure Groups | 1.4 |
Azure Network Security Groups | 2.2 |
Azure Resource Groups | 1.5 |
Azure Resource Subscriptions | 5 |
Azure Resources | 1.6 |
Azure Roles | 1.4 |
Azure Service Principals | 1.5 |
Azure Tenants | 2.8 |
Azure Users | 3.4 |
Azure Virtual Machines | 2.5 |
An index entry for a single Active Roles event in IT Security Search Warehouse takes 0.5 KB on average. Estimate the event rate in your environment to calculate the required disk space.
To display InTrust and Change Auditor events, IT Security Search uses the built-in indexes in InTrust and Change Auditor data stores, so no additional disk space is required.
Install SQL Server Express SQLEXPR_x64_ENU (located in the Redist folder of IT Security Search Setup) as a configuration store for the IT Security Search Warehouse server, which is an integrated component for audit data archival.
It is recommended that you install IT Security Search in the same domain as the servers of your data-providing systems: InTrust, Enterprise Reporter, Change Auditor, Active Roles and Recovery Manager for Active Directory. Do not install IT Security Search on any of those systems' servers.
Caution:
In the course of IT Security Search setup, you create the Warehouse configuration database. Make sure you run setup under an account that has sufficient privileges to create databases on your SQL server.
Setup also prompts you to specify the accounts to use for the following:
For smooth IT Security Search operation, it is recommended that you specify a single account that is configured as follows:
You should create or appoint this account in advance. After IT Security Search installation, ensure that the account has the privileges listed above.
IMPORTANT: If you use SQL Server authentication for access to the Warehouse configuration database, the SQL Server account's password should be set to never expire.
By default, IT Security Search uses a self-signed SSL certificate, which will cause security errors for IT Security Search users. You can provide a new certificate at any time. Your certificate can be either self-signed or issued by a certificate authority. Using a certificate generated by your organization and signed by a certificate authority is recommended.
If your company uses a registered SSL certificate, run the New-CertificateBinding.ps1 PowerShell script described below to make IT Security Search use the certificate.
You can obtain a CA-signed certificate using Windows native tools and then bind it, as follows:
To create a new self-signed certificate, use the New-SslCertificate.ps1 PowerShell cmdlet located in the Scripts subfolder of your IT Security Search installation folder. By default, the certificate is set to be in effect from the current date until December 31, 2039.
The cmdlet has the following parameters:
Parameter | Type | Description |
---|---|---|
-FilePath | string | The path to your certificate file. |
-Subject | string | The subject of the certificate. |
 | string | Optional: a list of alternative names for the IT Security Search server (IP addresses, NetBIOS name and so on). If this parameter is omitted, the certificate will be generated for all possible alternative names of the specified host (IPv4 address, IPv6 address, FQDN, NetBIOS, but not for localhost or 127.0.0.1). |
-Begin | datetime | Optional: the date from which the certificate is in effect; by default, from the current day. |
-End | datetime | Optional: the date until which the certificate is in effect; by default, until December 31, 2039. |
-KeepExisting | switch | Whether any existing file with the specified name should be kept instead of overwritten. |
Example:
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-SslCertificate.ps1" -filepath "c:\temp\ITSearch.cer"
After you have generated the certificate (and ideally, had it signed by a CA), perform the procedure described in Binding Your Certificate.
To begin using your self-signed or CA-signed certificate, use the New-CertificateBinding.ps1 cmdlet, which is located in the Scripts subfolder of your IT Security Search installation folder. The cmdlet has the following parameters:
Parameter | Type | Description |
---|---|---|
-FilePath | string | The path to your certificate file. |
-Port | int | The port that IT Security Search uses. It is specified during setup; the default port is 443. |
-Force | switch | If this switch is set, then any existing certificate will be unbound from the specified port. If the switch is not set, then the existing certificate will be kept instead of the specified one. |
-FilePassword | SecureString | If your certificate is a password-protected .PFX certificate, you need to provide this parameter. |
-Thumbprint | string | The thumbprint of your certificate stored in the Windows certificate store. |
Examples:
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-CertificateBinding.ps1" -filepath "c:\temp\ITSearch.cer" -port 443 -Force
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-CertificateBinding.ps1" -thumbprint 'AAFBE587E91F0C81F6ED2FDD45F911AFF35C8E2D' -port 443 -Force
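After binding, it is worth confirming which certificate the port actually presents. The following is an added example, not one of the Quest scripts: it connects to the IT Security Search port and reports the served certificate's thumbprint, expiry, alternative names and whether it chains to a trusted CA. The function name, the host name in the usage comment and the `-ExpectedThumbprint` parameter are assumptions made for illustration.

```powershell
# Added example (not a Quest script). Function and parameter names are hypothetical.
function Get-BoundCertificateReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,                 # default IT Security Search port
        [string] $ExpectedThumbprint       # optional: the thumbprint you intended to bind
    )
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: the goal here is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Build the chain against this machine's trust stores. Revocation lookups are
    # skipped so that the check also works on isolated networks.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        DaysLeft        = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted    = $trusted
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        SubjectAltNames = $san
        MatchesExpected = if ($ExpectedThumbprint) {
            $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '')
        } else { $null }
    }
}
# Usage (constructed host name):
#   Get-BoundCertificateReport -HostName 'itss.example.local' -Port 443 -ExpectedThumbprint '<thumbprint>'
```

A result with `SelfSigned = True` and `ChainTrusted = False` means users will still see the browser security errors described above.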
To revoke a certificate that is currently in use by IT Security Search, run the Delete-CertificateBinding.ps1 cmdlet located in the Scripts subfolder of your IT Security Search installation folder.
Example:
powershell.exe -file "C:\Program Files\Quest\IT Security Search\Scripts\Delete-CertificateBinding.ps1" -Port 443
The -Port parameter specifies the port that the certificate is bound to.
Caution: After you perform this operation, the IT Security Search service becomes unavailable until a new certificate is bound. Prepare the next certificate in advance to avoid downtime.
IT Security Search security is based on the Windows Data Protection API (DPAPI). For details about its security features, see the "Windows Data Protection" MSDN article; at the time of this writing it is located at https://msdn.microsoft.com/en-us/library/ms995355.aspx.
By default, IT Security Search Warehouse uses the insecure HTTP protocol. The steps below describe how to enable HTTPS for the Warehouse.
Caution: Before you begin, consider the following:
To switch IT Security Search Warehouse to using HTTPS
After you have completed these steps:
To set up a gMSA to run IT Security Search services, you need to perform a few configuration procedures, as explained below.
Your gMSA must have local administrative rights on the computer where IT Security Search is installed. Make sure the gMSA is in the local Administrators group on the computer.
You need to use PowerShell to allow your gMSA to retrieve the managed password from the domain controller.
In the PowerShell prompt, run the following commands (assuming that the name of your gMSA is my_gmsa):
Add-WindowsFeature RSAT-AD-PowerShell
Install-ADServiceAccount -Identity my_gmsa
The following steps need to be taken for each of the following services:
To set the gMSA for a service
NOTE: When the service is configured, you may get a message that the account has been granted the “Log On As a Service” right.
Finally, configure the InTrust Server service (adcrpcs) to use this gMSA, as described in Minimal Rights and Permissions Required for InTrust Operations.
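The following check can be run on the IT Security Search computer once the gMSA steps are done. It is an added example, not part of the Quest documentation: it confirms that the computer can retrieve the managed password, that the gMSA is a direct member of the local Administrators group, and lists the services that log on as the gMSA. The function name is hypothetical, and `my_gmsa` is the sample account name used above.

```powershell
# Added example (not a Quest script). The function name is hypothetical.
function Test-GmsaServiceSetup {
    param([string] $GmsaName = 'my_gmsa')

    Import-Module ActiveDirectory      # provided by the RSAT-AD-PowerShell feature
    $sam = "$GmsaName`$"               # a gMSA's sAMAccountName ends with '$'

    # True only if this computer is allowed to retrieve the managed password.
    $canUse = Test-ADServiceAccount -Identity $GmsaName

    # Local Administrators is addressed by its well-known SID so the check works
    # on localized systems. Only direct membership is detected; membership
    # through a nested domain group is not resolved here.
    $isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -like "*\$sam" })

    # Services on this computer whose logon account is the gMSA.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -like "*$sam" } |
        Select-Object Name, DisplayName, State, StartName

    [pscustomobject]@{
        Gmsa                 = $sam
        CanRetrievePassword  = $canUse
        InLocalAdministrators = $isAdmin
        ServicesUsingGmsa    = $services
    }
}
# Usage:
#   Test-GmsaServiceSetup -GmsaName 'my_gmsa' | Format-List
```

Run the same function on the InTrust server to confirm that the adcrpcs service appears under `ServicesUsingGmsa`.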
There are two roles that IT Security Search associates with users that access it: operator and administrator. Unless your user account is one of these, you do not have access to IT Security Search.
Each operator has a scope of responsibility, which defines which features the operator can use. To make an account an operator, include it in the IT Security Search access control list. This list is available on the IT Security Search Settings page, on the Security tab. You can supply individual users in domain\user format or security groups in domain\group format.
An administrator can do the following:
To give a user account administrator privileges, make the account a member of the IT Security Search Administrators local group on the computer where IT Security Search is installed. You can assign the administrator role by specifying Active Directory groups or individual users. If an account is an administrator and an operator at once, the administrative privileges take precedence and the account's operator scope has no meaning.
The user account that performs IT Security Search installation automatically becomes an administrator.
For each operator you add, specify the scope of objects visible to the operator by supplying a list of organizational units. In addition, you can further tweak the scope by specifying a search query. The resulting scope is the OR-based union of the results of the list and the query.
If you want to make everything visible to an operator, leave the list and query empty (for the OU list, specifying the asterisk wildcard * also has the same effect). If you want to limit an operator's scope, follow the instructions below.
Caution: If you use an asterisk for the OU list or leave it empty, InTrust events will not be affected by the scope delegation settings. All operators can see all InTrust events in this case. If the OU list specifies OUs, InTrust events will be returned only if the Enterprise Reporter connector is enabled and configured.
To make the right decisions when specifying OUs, make sure you understand the relevance of these OUs to the results that the operator is going to get. The following table explains how the choice of OU affects the scope, depending on the type of object:
What type of object the operator looks for | The operator sees the object if... |
---|---|
Active Directory user, group or computer | It is in the OU (or any OU nested in it) |
OU | It is the same OU or it is nested in the OU at any level |
Computer that isn't in a domain | — |
Computer local user or group | The computer is in the OU (or any OU nested in it) |
File or network share | The hosting computer is in the OU (or any OU nested in it) |
InTrust event | If the OU list is empty or an asterisk, scope settings are irrelevant and the operator can see all InTrust events. If the Enterprise Reporter connector is enabled and the OU list specifies OUs: |
Non-InTrust event | |
The OUs must be listed in canonical name format, one OU per line.
The queries you specify return not just OUs but any objects with the specified field values. You can supply any query that follows IT Security Search syntax conventions. For details, see Search Term Syntax.
IMPORTANT:
Filtering by OU is not applicable to data from Azure, because Azure objects aren't organized into OUs. If you are interested in Azure objects, a good way to get them is to use a query that contains the Tenant field.
Use the Test query action link to make sure your query is valid and returns what you need. Note that the OU list doesn't affect the results of Test query.
To quickly supply the identifying details of an operator without looking them up in Active Directory, you can use the {Context.CurrentUser} variable as a field value. Alternatively, you can access specific identifying fields for the operator's account using syntax such as {Context.CurrentUser.FullAccountName} or {Context.CurrentUser.AccountSid}. For details about this technique, see the Auto-Resolution of the Current User section of the Search Term Syntax topic.
If you specify a group (instead of a user) as an operator, then the resolution works for all members of the group (direct or indirect) when they use IT Security Search.
Queries containing the variable are stored as supplied, and the variables are resolved only when the queries are applied. Therefore, the resulting identifying data is always up to date.
OU list | Query | Details |
---|---|---|
 | FacilityName:AD AND What="user changed" | Searches by an operator with this scope will return all events of the "user changed" type from Active Directory. |
OU1 OU2 | "Tenant=T1 OR Tenant:T2" | Searches by an operator with this scope will return all objects related to OU1, all objects related to OU2, all objects where the Tenant field equals "T1" and all objects whose Tenant field contains "T2". |
OU3 | "Tenant=T3" | Searches by this operator will return all objects related to OU3 and all objects whose Tenant field equals "T3". If the scope is defined for a group and the operator from the previous example is a member of that group, then that operator's scope is extended and becomes: all objects related to OU1, OU2 or OU3, all objects where the Tenant field equals "T1" or "T3" and all objects whose Tenant field contains "T2". |
OU4 | Eventid=4740 | Searches by this operator will return all objects related to OU4 and all events (no matter if related to the listed OUs) with event ID 4740. |
In addition to visibility scope, you can configure which operators can restore Active Directory objects. For that, use the Restore backups option in the Allowed Operations column of the table. The actual recovery functionality is provided by the Recovery Manager for Active Directory connector. For details, see Recovery Manager for Active Directory Server.