Quest IT Security Search provides IT administrators, IT managers and security teams with a way to navigate the expanse of information about the enterprise network. It helps you achieve the following:
The search engine-like interface helps you pinpoint the data you need using only a few searches and clicks.
To set up IT Security Search, run the ITSearchSuite.exe installation package. You can customize the installation path and the port that will be used for getting data.
The following versions of data-providing systems are supported in this version of IT Security Search:
The IT Security Search Web interface works correctly with the following browsers:
The minimum supported monitor resolution is 1024x768.
To find out the disk requirements for IT Security Search installation, consider the table below. It shows how much disk space is used for indexing in a sample environment with 10000 of each type of object. Scale the values according to your own circumstances.
Object type | Size of an index entry | Number of objects | Size of the index |
---|---|---|---|
Users | 2KB | 10000 | 20MB |
Groups | 2.5KB | 10000 | 25MB |
Computers | 1KB | 10000 | 10MB |
Shares | 1KB | 10000 | 10MB |
Files | 0.2KB | 10000 | 2MB |
Total | | 50000 | 67MB |
To display events rather than objects, IT Security Search uses the built-in indexes in InTrust and Change Auditor data stores.
It is recommended that you install IT Security Search in the same domain as the servers of your data-providing systems: InTrust, Enterprise Reporter, Change Auditor and Recovery Manager for Active Directory. Do not install IT Security Search on any of those systems' servers.
By default, IT Security Search uses a self-signed SSL certificate, which will cause security errors for IT Security Search users. You can provide a new certificate at any time. Your certificate can be either self-signed or issued by a certificate authority. Using a certificate generated by your organization and signed by a certificate authority is recommended.
If your company uses a registered SSL certificate, run the New-CertificateBinding.ps1 PowerShell script described below to make IT Security Search use the certificate.
You can obtain a CA-signed certificate using Windows native tools and then bind it, as follows:
Click Next and Next again to use the Active Directory Enrollment Policy.
Locate the Web Server certificate template and clear its check box. If you cannot see this template, make sure the check box to show all templates is selected. If you can see the template but don't have permission to enroll, contact your Certificate Authority administrator to be granted the Enroll permission for the account of the computer where IT Security Search is installed.
Click the More information is required to enroll for this certificate link.
On the Subject tab, from the drop-down menu under Subject name select Common Name and enter the NETBIOS name of the IT Security Search server. Click Add.
From the drop-down menu under Alternative name, select DNS and enter the NETBIOS name of the IT Security Search server. Click Add.
Add the FQDN of the IT Security Search server as another DNS entry, and also add localhost as a DNS entry.
Change the drop-down menu to IP address (v4) and the IP address will be automatically supplied. Click Add.
Change the drop-down menu to IP address (v6). If IPv6 is enabled, the IP address will also be automatically supplied. Click Add. If nothing is supplied, you can safely skip this step.
In the same section, if necessary, enter any predefined names that DNS records have been created for, such as "IT Security Search Console", so the certificate matches the name of the URL used for access to the page.
Go to the General tab and enter a Friendly name, for example IT Security Search Certificate. Optionally, add a description.
Go to the Extensions tab, expand Extended Key Usage and confirm that Server Authentication appears under Selected options.
Click Apply, then click OK, then click Enroll.
The new certificate should now appear in the Certificates folder, under Personal.
Export the certificate by right clicking it and selecting All Tasks | Export.
In the Certificate Export wizard, click Next.
On the next step, make sure the No, do not export the private key radio button is selected. Click Next.
Select the DER encoded binary X.509 (.CER) radio button and then click Next.
Click Browse to select where to save the certificate. For example, save it in %ProgramFiles%\Quest\IT Security Search and give the file a descriptive name.
Click Next and then click Finish. The certificate is saved at the specified location.
To make IT Security Search use this new certificate, run the New-CertificateBinding.ps1 script as described below, supplying the file you saved on the previous step.
To create a new self-signed certificate, use the New-SslCertificate.ps1 PowerShell cmdlet located in the Scripts subfolder of your IT Security Search installation folder. By default, the certificate is set to be in effect from the current date until December 31, 2039.
The cmdlet has the following parameters:
Parameter | Type | Description |
---|---|---|
-FilePath | string | The path to your certificate file. |
-Subject | string | The subject of the certificate. |
 | string | Optional: a list of alternative names for the IT Security Search server (IP addresses, NetBIOS name and so on). If this parameter is omitted, the certificate will be generated for all possible alternative names of the specified host (localhost, IPv4 address, IPv6 address, FQDN, 127.0.0.1, NetBIOS). |
-Begin | datetime | Optional: the date from which the certificate is in effect; by default, from the current day. |
-End | datetime | Optional: the date until which the certificate is in effect; by default, until December 31, 2039. |
-KeepExisting | switch | Whether any existing file with the specified name should be kept instead of overwritten. |
Example:
```powershell
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-SslCertificate.ps1" -filepath "c:\temp\ITSearch.cer"
```
After you have generated the certificate (and ideally, had it signed by a CA), perform the procedure described in Binding Your Certificate.
To begin using your self-signed or CA-signed certificate, use the New-CertificateBinding.ps1 cmdlet, which is located in the Scripts subfolder of your IT Security Search installation folder. The cmdlet has the following parameters:
Parameter | Type | Description |
---|---|---|
-FilePath | string | The path to your certificate file. |
-Port | int | The port that IT Security Search uses. It is specified during setup; the default port is 443. |
-Force | switch | If this switch is set, then any existing certificate will be unbound from the specified port. If the switch is not set, then the existing certificate will be kept instead of the specified one. |
-FilePassword | SecureString | If your certificate is a password-protected .PFX certificate, you need to provide this parameter. |
-Thumbprint | string | The thumbprint of your certificate stored in the Windows certificate store. |
Examples:
```powershell
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-CertificateBinding.ps1" -filepath "c:\temp\ITSearch.cer" -port 443 -Force
powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-CertificateBinding.ps1" -thumbprint 'AAFBE587E91F0C81F6ED2FDD45F911AFF35C8E2D' -port 443 -Force
```
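After binding, it is worth confirming that HTTP.sys really serves the certificate you intended and that a browser will accept it. The following script is an added example, not one of the Quest scripts; it assumes the default port 443, that the certificate is in the LocalMachine\My store, and it reuses the thumbprint from the example above only as a placeholder for your own.

```powershell
# Added example (not part of IT Security Search): verify the SSL binding
# that New-CertificateBinding.ps1 created and check what a browser will check.
param(
    [int]$Port = 443,
    [string]$ExpectedThumbprint = 'AAFBE587E91F0C81F6ED2FDD45F911AFF35C8E2D',  # placeholder
    [string]$ServerName = $env:COMPUTERNAME
)

# HTTP.sys keeps one binding per ip:port; the service listens on all addresses.
$output = (& netsh http show sslcert ipport="0.0.0.0:$Port") -join "`n"
$match = [regex]::Match($output, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})')
if (-not $match.Success) {
    throw "No certificate is bound to port $Port. Run New-CertificateBinding.ps1 first."
}
$boundThumbprint = $match.Groups[1].Value.ToUpperInvariant()
if ($boundThumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    Write-Warning "Port $Port is bound to $boundThumbprint, not the expected certificate."
}

# Look the bound certificate up in the machine store so it can be inspected.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $boundThumbprint }
if (-not $cert) { throw "Certificate $boundThumbprint is not in LocalMachine\My." }

# Validity period: the Delete/New binding sequence causes downtime, so re-bind early.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); bind a replacement before then."
}
# Trust: a self-signed certificate, or one whose chain does not validate, triggers browser errors.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "Certificate is self-signed; users will see browser security errors."
}
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain does not validate on this machine."
}
# Name match: the Subject Alternative Name (OID 2.5.29.17) must cover the URL users type.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names = if ($san) { $san.Format($true) } else { '' }
if ($names -notmatch [regex]::Escape($ServerName)) {
    Write-Warning "SAN does not list $ServerName; clients using that name get a mismatch error."
}
"Port $Port is bound to '$($cert.Subject)' (valid until $($cert.NotAfter))."
```

Run it in an elevated PowerShell session, because reading the machine store and the HTTP.sys configuration requires administrator rights.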
To revoke a certificate that is currently in use by IT Security Search, run the Delete-CertificateBinding.ps1 cmdlet located in the Scripts subfolder of your IT Security Search installation folder.
Example:
```powershell
powershell.exe -file "C:\Program Files\Quest\IT Security Search\Scripts\Delete-CertificateBinding.ps1" -Port 443
```
The -Port parameter specifies the port that the certificate is bound to.
Caution: After you perform this operation, the IT Security Search service becomes unavailable until a new certificate is bound. Prepare the next certificate in advance to avoid downtime.
IT Security Search security is based on the Windows Data Protection API (DPAPI). For details about its security features, see the corresponding MSDN article; at the time of this writing it is located at https://msdn.microsoft.com/en-us/library/ms995355.aspx.
There are two roles that IT Security Search associates with users that access it: operator and administrator. Unless your user account is one of these, you do not have access to IT Security Search.
Each operator has a scope of responsibility, which defines which features the operator can use. To make an account an operator, include it in the IT Security Search access control list. This list is available on the IT Security Search Settings page, on the Security tab. You can supply individual users in domain\user format or security groups in domain\group format.
An administrator can do the following:
To give a user account administrator privileges, make the account a member of the IT Security Search Administrators local group on the computer where IT Security Search is installed. You can assign the administrator role by specifying Active Directory groups or individual users. If an account is an administrator and an operator at once, the administrative privileges take precedence and the account's operator scope has no meaning.
The user account that performs IT Security Search installation automatically becomes an administrator.
For each operator you add, specify the scope of objects visible to the operator by supplying a list of organizational units. If you want to make everything visible to an operator, specify the asterisk wildcard * for the scope. If you want to limit an operator's scope, follow the instructions below.
Caution: For InTrust events, the scope delegation settings will have an effect only if the Enterprise Reporter connector is enabled and configured. Otherwise, all operators can see all InTrust events.
To make the right decisions when specifying OUs, make sure you understand the relevance of these OUs to the results that the operator is going to get. The following table explains how the choice of OU affects the scope, depending on the type of object:
What type of object the operator looks for | The operator sees the object if... |
---|---|
Active Directory user, group or computer | It is in the OU (or any OU nested in it) |
OU | It is the same OU or it is nested in the OU at any level |
Computer that isn't in a domain | — |
Computer local user or group | The computer is in the OU (or any OU nested in it) |
File or network share | The hosting computer is in the OU (or any OU nested in it) |
InTrust event | If the Enterprise Reporter connector is not enabled, scope settings are irrelevant and the operator can see all InTrust events. If the Enterprise Reporter connector is enabled: |
Non-InTrust event | |
The OUs must be listed in canonical name format, one OU per line.
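Administrators usually have OUs as distinguished names (from ADSI Edit or Get-ADObject), while the scope field wants canonical names. The converter below is an added example, not part of IT Security Search; the sample distinguished names are constructed, and the function name ConvertTo-CanonicalName is an assumption.

```powershell
# Added example (not part of IT Security Search): turn OU distinguished names into
# the canonical name format the operator scope expects, one OU per line.
function ConvertTo-CanonicalName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not escaped; an escaped comma (\,) is part of a value.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')
    $domain = @()
    $path = @()
    foreach ($rdn in $parts) {
        $kv = $rdn.Split('=', 2)
        $type = $kv[0].Trim().ToUpperInvariant()
        $value = $kv[1].Replace('\,', ',')
        if ($type -eq 'DC') { $domain += $value } else { $path += $value }
    }
    # A DN lists the leaf first; the canonical form lists the domain, then the path top-down.
    [array]::Reverse($path)
    return ($domain -join '.') + '/' + ($path -join '/')
}

# Constructed sample DNs, not taken from any real directory.
$sampleOUs = @(
    'OU=Sales,OU=Corp,DC=example,DC=com',
    'OU=Servers,DC=example,DC=com',
    'OU=R\,D,OU=Corp,DC=example,DC=com'
)
# Emit the scope list in the form the Security tab accepts (one canonical name per line).
$sampleOUs | ForEach-Object { ConvertTo-CanonicalName -DistinguishedName $_ }

# With the ActiveDirectory module the directory supplies the same value directly:
# Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
#     Select-Object -ExpandProperty CanonicalName
```

Grant the narrowest OU list that covers the operator's duties; the wildcard * removes the visibility restriction entirely.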
In addition to visibility scope, you can configure which operators can restore Active Directory objects. For that, use the Restore backups option in the Allowed Operations column of the table. The actual recovery functionality is provided by the Recovery Manager for Active Directory connector. For details, see Recovery Manager for Active Directory Server.