IT Security Search 11.3 - User Guide

Welcome to IT Security Search

Quest IT Security Search provides IT administrators, IT managers and security teams with a way to navigate the expanse of information about the enterprise network. It helps you achieve the following:

  • Examine what is going on
  • Assess the efficiency of security practices
  • Track security incidents
  • Track incidents related to operations
  • Have up-to-date information about users, computers, file server status and more at your fingertips
  • Perform recovery operations if IT Security Search is connected to Recovery Manager for Active Directory

The search engine-like interface helps you pinpoint the data you need using only a few searches and clicks.

Installing IT Security Search

To set up IT Security Search, run the ITSearchSuite.exe installation package. You can customize the installation path and the port that will be used for getting data.

During setup, you may also choose to participate in the Quest Software Improvement Program. For details, see Feedback on IT Security Search.

Compatibility

The following versions of data-providing systems are supported in this version of IT Security Search:

  • InTrust 11.3, 11.2
  • Change Auditor 6.9.3, 6.9.2, 6.9.1, 6.9, 6.8, 6.7, 6.6, 6.5
  • Enterprise Reporter 2.6, 2.5.1, 2.5
  • Recovery Manager for Active Directory 8.8, 8.7.1, 8.7
  • Active Roles 7.1, 7.0

Software Requirements

  • Operating system:
    • Microsoft Windows Server 2016
    • Microsoft Windows Server 2012 R2
    • Microsoft Windows Server 2012
    • Microsoft Windows Server 2008 R2
  • Additional software:
    • Microsoft .NET Framework 4.5.1 or later
    • Microsoft Windows PowerShell 3.0 or later
  • Additional requirements for the Recovery Manager for Active Directory connector:
  • Additional requirement for the Active Roles connector: ARS Management Tools

Browser Compatibility

The IT Security Search Web interface works correctly with the following browsers:

  • Microsoft Edge
  • Microsoft Internet Explorer 11 and later
  • Google Chrome 40.0 or later
  • Mozilla Firefox 35.0 or later

The minimum supported monitor resolution is 1024x768.

Hardware Requirements

  • CPU: Quad-core; recommended: Intel Xeon E5-2670 v2 (Ivy Bridge) and 8–16 logical CPU cores
  • RAM: 6GB minimum; 15GB or more recommended
  • Disk: 100GB (SSD recommended); disk space requirements are very dependent on the volume of Enterprise Reporter data being processed, because the index size varies proportionally; the indexes for Change Auditor and InTrust data do not consume any disk space on the IT Security Search computer, because they are located in the data stores used by these systems
  • If you deploy on a virtual machine, make sure the CPU and memory requirements above are met, and do not overload the virtual machine host

To find out the disk requirements for IT Security Search installation, consider the table below. It shows how much disk space is used for indexing in a sample environment with 10000 of each type of object. Scale the values according to your own circumstances.

Object type   Size of an index entry   Number of objects   Size of the index
Users         2KB                      10000               20MB
Groups        2.5KB                    10000               25MB
Computers     1KB                      10000               10MB
Shares        1KB                      10000               10MB
Files         0.2KB                    10000               2MB
Total                                  50000               67MB

To display events rather than objects, IT Security Search uses the built-in indexes in InTrust and Change Auditor data stores.

Where to Install

It is recommended that you install IT Security Search in the same domain as the servers of your data-providing systems: InTrust, Enterprise Reporter, Change Auditor and Recovery Manager for Active Directory. Do not install IT Security Search on any of those systems' servers.

Security Details and Configuration

By default, IT Security Search uses a self-signed SSL certificate, which will cause security warnings for IT Security Search users. You can provide a new certificate at any time. Your certificate can be either self-signed or issued by a certificate authority. Using a certificate generated by your organization and signed by a certificate authority is recommended.

Providing a CA-Signed Certificate

If your company uses a registered SSL certificate, run the New-CertificateBinding.ps1 PowerShell script described below to make IT Security Search use the certificate.

You can obtain a CA-signed certificate using Windows native tools and then bind it, as follows:

  1. Log on to the IT Security Search server using an IT Security Search administrator account.
  2. Run Microsoft Management Console (mmc.exe) and add the Certificates snap-in.
  3. Select Computer Account and click Next.
  4. Select Local Computer, and then Finish.
  5. Click OK in the Add or Remove Snap-ins dialog box.
  6. In the console, right-click Certificates (Local Computer) | Personal | Certificates and select Request New Certificate to start the Certificate Enrollment wizard.
  7. Click Next and Next again to use the Active Directory Enrollment Policy.

  8. Locate the Web Server certificate template and select its check box. If you cannot see this template, make sure the check box to show all templates is selected. If you can see the template but don't have permission to enroll, contact your Certificate Authority administrator to be granted the Enroll permission for the account of the computer where IT Security Search is installed.

  9. Click the More information is required to enroll for this certificate link.

  10. On the Subject tab, from the drop-down menu under Subject name select Common Name and enter the NETBIOS name of the IT Security Search server. Click Add.

  11. From the drop-down menu under Alternative name, select DNS and enter the NETBIOS name of the IT Security Search server. Click Add.

  12. In the same way, add the FQDN of the IT Security Search server as a DNS entry, and then add localhost as another DNS entry.

  13. Change the drop-down menu to IP address (v4) and the IP address will be automatically supplied. Click Add.

  14. Change the drop-down menu to IP address (v6). If IPv6 is enabled, the IP address will also be automatically supplied. Click Add. If nothing is supplied, you can safely skip this step.

  15. In the same section, if necessary, enter any predefined names that DNS records have been created for, such as "IT Security Search Console", so the certificate matches the name of the URL used for access to the page.

  16. Go to the General tab and enter a Friendly name, for example IT Security Search Certificate. Optionally, add a description.

  17. Go to the Extensions tab, expand Extended Key Usage and confirm that Server Authentication appears under Selected options.

  18. Click Apply, then click OK, then click Enroll.

  19. The new certificate should now appear in the Certificates folder, under Personal.

  20. Export the certificate by right clicking it and selecting All Tasks | Export.

  21. In the Certificate Export wizard, click Next.

  22. On the next step, make sure the No, do not export the private key radio button is selected. Click Next.

  23. Select the DER encoded binary X.509 (.CER) radio button and then click Next.

  24. Click Browse to select where to save the certificate. For example, save it in %ProgramFiles%\Quest\IT Security Search and give the file a descriptive name.

  25. Click Next and then click Finish. The certificate is saved at the specified location.

  26. To make IT Security Search use this new certificate, run the New-CertificateBinding.ps1 script as described below, supplying the file you saved on the previous step.

  27. Restart the Quest IT Security Search service.
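The same enrollment and export that steps 6 through 25 perform in the MMC wizard can be scripted. The following is an added example, not code from the IT Security Search guide or from Quest, and it swaps the wizard for the Windows PKI module cmdlets Get-Certificate and Export-Certificate. It assumes an Active Directory enrollment policy that publishes the Web Server template (template name WebServer), Enroll permission for this computer account on that template, and the output folder step 24 suggests; the alias itsearch.corp.example.com is a constructed sample. IP-address alternative names (steps 13 and 14) are not covered, because Get-Certificate only accepts DNS names; use the wizard or a certreq .inf file if you need them.

```powershell
# Added example (not from the IT Security Search guide): scripted equivalent of the
# MMC enrollment steps above, using the PKI module cmdlets. Assumptions: AD CS
# publishes the WebServer template, this computer account may enroll, and the
# alias below is a constructed sample.

$netbios = $env:COMPUTERNAME
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$outFile = Join-Path $env:ProgramFiles 'Quest\IT Security Search\ITSearch-CA.cer'   # step 24's suggested folder (assumed)

# Names the certificate must cover (steps 10-15): NetBIOS name, FQDN, localhost,
# and any alias that users actually type into the browser (constructed sample).
$dnsNames = @($netbios, $fqdn, 'localhost', 'itsearch.corp.example.com')

# Steps 7-18: request from the Active Directory enrollment policy with the
# Web Server template, straight into Local Computer \ Personal.
$result = Get-Certificate -Template 'WebServer' `
    -SubjectName "CN=$netbios" `
    -DnsName $dnsNames `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # Pending means the CA requires manual approval; nothing is usable yet.
    throw "Enrollment did not complete: status $($result.Status)"
}
$cert = $result.Certificate

# Step 17, checked in code: Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be
# among the extended key usages, otherwise browsers will reject the binding.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# Steps 20-25: export as DER-encoded X.509 (.CER) without the private key. The
# key stays in the machine store, which is where the binding script will find it.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

"Exported $($cert.Subject), valid until $($cert.NotAfter), to $outFile"
"Next: New-CertificateBinding.ps1 -FilePath `"$outFile`" -Port 443 -Force (step 26), then restart the service (step 27)."
```

Run it from an elevated PowerShell session on the IT Security Search server, then continue with steps 26 and 27 exactly as described above. The EKU check is there so that a template misconfiguration is caught before the certificate is bound, rather than discovered as a browser error.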

Providing a Self-Signed Certificate

To create a new self-signed certificate, use the New-SslCertificate.ps1 PowerShell cmdlet located in the Scripts subfolder of your IT Security Search installation folder. By default, the certificate is set to be in effect from the current date until December 31, 2039.

The cmdlet has the following parameters:

Parameter            Type       Description
-FilePath            string     The path to your certificate file.
-Subject             string     The subject of the certificate.
-SubjectDnsAltNames  string     Optional: a list of alternative names for the IT Security Search server (IP addresses, NetBIOS name and so on). If this parameter is omitted, the certificate will be generated for all possible alternative names of the specified host (localhost, IPv4 address, IPv6 address, FQDN, 127.0.0.1, NetBIOS).
-Begin               datetime   Optional: the date from which the certificate is in effect; by default, from the current day.
-End                 datetime   Optional: the date until which the certificate is in effect; by default, until December 31, 2039.
-KeepExisting        switch     Whether any existing file with the specified name should be kept instead of overwritten.

Example:

powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-SslCertificate.ps1" -filepath "c:\temp\ITSearch.cer"

After you have generated the certificate (and ideally, had it signed by a CA), perform the procedure described in Binding Your Certificate.

Binding Your Certificate

To begin using your self-signed or CA-signed certificate, use the New-CertificateBinding.ps1 cmdlet, which is located in the Scripts subfolder of your IT Security Search installation folder. The cmdlet has the following parameters:

Parameter      Type          Description
-FilePath      string        The path to your certificate file.
-Port          int           The port that IT Security Search uses. It is specified during setup; the default is 443.
-Force         switch        If this switch is set, any existing certificate is unbound from the specified port. If it is not set, the existing certificate is kept instead of the specified one.
-FilePassword  SecureString  If your certificate is a password-protected .PFX file, you must provide this parameter.

Example:

powershell -file "C:\Program Files\Quest\IT Security Search\Scripts\New-CertificateBinding.ps1" -filepath "c:\temp\ITSearch.cer" -port 443 -Force

Revoking a Certificate

To revoke a certificate that is currently in use by IT Security Search, run the Delete-CertificateBinding.ps1 cmdlet located in the Scripts subfolder of your IT Security Search installation folder.

Example:

powershell.exe -file "C:\Program Files\Quest\IT Security Search\Scripts\Delete-CertificateBinding.ps1" -Port 443

The -Port parameter specifies the port that the certificate is bound to.

Caution: After you perform this operation, the IT Security Search service becomes unavailable until a new certificate is bound. Prepare the next certificate in advance to avoid downtime.
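The following added example (not code from the guide or from Quest) puts the binding and revocation sections together into a certificate rotation that respects the Caution above: the replacement is generated first, bound with -Force so the old binding is replaced in one step, and the HTTP.sys binding table is checked afterwards instead of trusting the script's exit code. The install path, the C:\temp output file, the one-year validity, the wildcard binding address and the service display name are assumptions; the script parameters are the ones listed in the tables above.

```powershell
# Added example (not from the IT Security Search guide): rotate the HTTPS
# certificate with the documented scripts without the outage that deleting the
# binding first would cause. Paths, validity and service name are assumptions.

$scripts  = Join-Path $env:ProgramFiles 'Quest\IT Security Search\Scripts'   # default install path (assumed)
$certFile = 'C:\temp\ITSearch.cer'
$port     = 443

# 1. Prepare the replacement while the current certificate is still bound.
#    -End overrides the default 2039 expiry: a certificate that expires in a
#    year limits how long a leaked key stays useful.
& (Join-Path $scripts 'New-SslCertificate.ps1') -FilePath $certFile `
    -Subject "CN=$env:COMPUTERNAME" -Begin (Get-Date) -End (Get-Date).AddYears(1)

# 2. Read the file back so the binding can be verified against its thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
"Prepared $($cert.Subject), valid until $($cert.NotAfter), thumbprint $($cert.Thumbprint)"

# 3. Bind with -Force. This replaces whatever is on the port, so
#    Delete-CertificateBinding.ps1 and the gap until the next bind are not needed.
& (Join-Path $scripts 'New-CertificateBinding.ps1') -FilePath $certFile -Port $port -Force

# 4. Verify from the HTTP.sys side. Assumes the binding is on the wildcard
#    address 0.0.0.0; drop the ipport filter and search the whole listing if
#    your binding uses a specific address.
$listing = netsh http show sslcert "ipport=0.0.0.0:$port"
$match   = $listing | Select-String 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)' | Select-Object -First 1
$bound   = if ($match) { $match.Matches[0].Groups[1].Value } else { '(none)' }
if ($bound -ine $cert.Thumbprint) {
    throw "Port $port serves thumbprint $bound, expected $($cert.Thumbprint); the old binding is still active"
}

# 5. Restart the service so IT Security Search picks up the new binding
#    (display name as shown in the Services console; assumed).
Get-Service -DisplayName 'Quest IT Security Search' | Restart-Service
```

If the thumbprint check throws, the previous certificate is still serving and nothing has been lost; investigate the binding script's output before retrying. The same sequence works for a CA-signed .cer exported as described earlier, with the New-SslCertificate.ps1 step left out.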

How IT Security Search Security Features Are Implemented

IT Security Search security is based on the Windows Data Protection API (DPAPI). For details about its security features, see the corresponding MSDN article; at the time of this writing it is located at https://msdn.microsoft.com/en-us/library/ms995355.aspx.

Who Can Do What in IT Security Search

There are two roles that IT Security Search associates with users that access it: operator and administrator. Unless your user account is one of these, you do not have access to IT Security Search.

An operator can use the search features of the application; if the Recovery Manager data link is enabled, an operator can also perform recovery. To make an account an operator, include it in the IT Security Search access control list. This list is available on the IT Security Search Settings page, on the Security tab. You can supply individual users in domain\user format or security groups in domain\group format.

An administrator can use the same features as an operator and also configure the connectors to the data-providing systems, as described in Where the Data Comes From, and assign operator roles. To give a user account administrator privileges, make the account a member of the IT Security Search Administrators local group on the computer where IT Security Search is installed. You can assign the administrator role by specifying Active Directory groups or individual users. If an account is an administrator, all objects are visible to that account, no matter what scope is set for it on the Security tab of the Settings page.

The user account that performs IT Security Search installation automatically becomes an administrator.

Setting the Scope of Responsibility for an Operator

For each operator you add, specify the scope of objects visible to the operator by supplying a list of organizational units. If you want to make everything visible to an operator, specify the asterisk wildcard * for the scope. If you want to limit an operator's scope, follow the instructions below.

Caution: For InTrust events, the scope delegation settings will have an effect only if the Enterprise Reporter connector is enabled and configured. Otherwise, all operators can see all InTrust events.

To make the right decisions when specifying OUs, make sure you understand the relevance of these OUs to the results that the operator is going to get. The following table explains how the choice of OU affects the scope, depending on the type of object:

What type of object the operator looks for   The operator sees the object if...
Active Directory user, group or computer     It is in the OU (or any OU nested in it)
OU                                           It is the same OU or it is nested in the OU at any level
Computer that isn't in a domain              The computer is in the OU (or any OU nested in it)
Computer local user or group
File or network share                        The hosting computer is in the OU (or any OU nested in it)
InTrust event                                If the Enterprise Reporter connector is not enabled, scope settings are irrelevant and the operator can see all InTrust events.
                                             If the Enterprise Reporter connector is enabled:
                                               • If the event has the Whom field, the operator sees it as long as the OU (or any OU nested in it) contains the object in Whom
                                               • Otherwise, the operator sees it as long as the OU (or any OU nested in it) contains the object in Where
Non-InTrust event                              • If the event has the Whom field, the operator sees it as long as the OU (or any OU nested in it) contains the object in Whom
                                               • Otherwise, the operator sees it as long as the OU (or any OU nested in it) contains the object in Where

The OUs must be listed in canonical name format, one OU per line.
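To reason about what a scope will expose before saving it, the rules in the table above can be modelled in a few lines. The following is an added example, not code from the guide or from the product, and it treats "in the OU or any OU nested in it" as a canonical-name prefix comparison, which is my reading of the table rather than IT Security Search's own matching code. The scope, the directory of canonical names and the events are all constructed samples; how the product handles an object it cannot resolve is not stated on this page, and the example assumes such objects stay hidden.

```powershell
# Added example (not from the IT Security Search guide): a model of the operator
# scope rules. Scope lines are OU canonical names, one per line, or "*".
# Prefix matching on canonical names is my reading of the table, not product code.

function Test-InScope {
    param(
        [string[]]$ScopeLines,         # the scope as entered on the Security tab
        [string]$ObjectCanonicalName,  # e.g. corp.example.com/Sales/Users/jdoe
        [switch]$IsOU                  # the object being looked up is itself an OU
    )
    foreach ($line in $ScopeLines) {
        $ou = $line.Trim().TrimEnd('/')
        if ($ou -eq '')  { continue }
        if ($ou -eq '*') { return $true }          # wildcard: everything is visible
        # An OU lookup matches the scope OU itself ("the same OU") ...
        if ($IsOU -and ($ObjectCanonicalName -ieq $ou)) { return $true }
        # ... and anything nested under it at any depth. The trailing "/" is what
        # keeps a sibling OU such as "SalesArchive" from matching a "Sales" scope.
        if ($ObjectCanonicalName.StartsWith($ou + '/', [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Test-EventVisible {
    param([string[]]$ScopeLines, [hashtable]$Event, [hashtable]$Directory)
    # Whom takes precedence; Where is consulted only when the event has no Whom.
    $key = if ($Event['Whom']) { $Event['Whom'] } else { $Event['Where'] }
    if (-not $Directory.ContainsKey($key)) { return $false }   # assumption: unresolvable objects are hidden
    return Test-InScope -ScopeLines $ScopeLines -ObjectCanonicalName $Directory[$key]
}

# Constructed scope, one OU per line in canonical name format.
$scope = @"
corp.example.com/Sales
corp.example.com/Branch/Boston
"@ -split "`r?`n"

# Constructed directory: names as they appear in objects and events -> canonical names.
$directory = @{
    'jdoe'     = 'corp.example.com/Sales/Users/jdoe'
    'SRV-FS01' = 'corp.example.com/Branch/Boston/Computers/SRV-FS01'
    'DC01'     = 'corp.example.com/Domain Controllers/DC01'
}

# AD user row: judged by the user's own OU.
Test-InScope -ScopeLines $scope -ObjectCanonicalName $directory['jdoe']
# OU row: the scope OU itself counts as "the same OU".
Test-InScope -ScopeLines $scope -ObjectCanonicalName 'corp.example.com/Sales' -IsOU
# File or share row: judged by the hosting computer, here SRV-FS01.
Test-InScope -ScopeLines $scope -ObjectCanonicalName $directory['SRV-FS01']
# A sibling OU that only shares a name prefix with the scope OU.
Test-InScope -ScopeLines $scope -ObjectCanonicalName 'corp.example.com/SalesArchive/Users/x'
# Event rows: Where is inside the scope but Whom is not, so Whom decides.
Test-EventVisible -ScopeLines $scope -Event @{ Whom = 'DC01'; Where = 'SRV-FS01' } -Directory $directory
# The same event without a Whom field is judged by Where instead.
Test-EventVisible -ScopeLines $scope -Event @{ Where = 'SRV-FS01' } -Directory $directory
```

The Whom-before-Where rule is the one most often misread: an event generated on an in-scope computer is still hidden when the object it is about lives outside the operator's OUs, which is the behaviour the table describes for both InTrust and non-InTrust events.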
