
2021 StealthAUDIT® Permissions StealthAUDIT®

Copyright 2021 STEALTHBITS, NOW PART OF NETWRIX, ALL RIGHTS RESERVED

Doc_ID 354

Table of Contents

File System Permissions & Configuration Overview
Supported File System Platforms
    Supported Windows Platforms
    Supported Network Attached Storage Devices
    Supported Unix Platforms
StealthAUDIT Console Server Permissions
File System Applet Deployment Permissions
File System Proxy Service Permissions
StealthAUDIT File System Scan Options
StealthAUDIT File Activity Auditing
Local Mode Scans
    Firewall Rules for Local Mode Scans
    Additional Firewall Rules for NetApp Data ONTAP Devices
    Additional Firewall Rules for Windows File Servers
Applet Mode Scans
    Firewall Rules for Applet Mode Scans
Proxy Mode with Applet Scans
    Firewall Rules for Proxy Mode with Applet Scans
    Additional Firewall Rules for NetApp Data ONTAP Devices
    Additional Firewall Rules for Windows File Servers
Proxy Mode as a Service Scans: with RPC or Secure RPC
    Firewall Rules for Proxy Mode as a Service Scans
    Additional Firewall Rules for NetApp Data ONTAP Devices
    Additional Consideration for Windows File Servers
Activity Monitor Configuration
    Firewall Rules for Activity Monitoring
    Additional Firewall Rules for Dell EMC Unity, EMC Celerra, & EMC VNX Devices
    Additional Firewall Rules for EMC Isilon Devices
    Additional Firewall Rules for Nasuni Edge Appliances
    Additional Firewall Rules for NetApp Data ONTAP 7-Mode Devices
    Additional Firewall Rules for NetApp Data ONTAP Cluster-Mode Devices
    Additional Firewall Rules for Panzura Devices
Dell EMC Unity Device Configuration for Access Auditing
Dell EMC Unity Device Configuration for Activity Monitoring
EMC Celerra & VNX Device Configuration for Access Auditing
EMC Celerra & VNX Device Configuration for Activity Monitoring
EMC Isilon Device Configuration for Access Auditing
EMC Isilon Device Configuration for Activity Monitoring
Hitachi Device Configuration for Access Auditing
Hitachi Device Configuration for Activity Monitoring
Nasuni Edge Appliance Configuration for Access Auditing
Nasuni Edge Appliance Configuration for Activity Monitoring
NetApp Data ONTAP 7-Mode Device Configuration for Access Auditing
Share Enumeration – API Calls for 7-Mode
Bypass NTFS Security for 7-Mode
NetApp Data ONTAP 7-Mode Device Configuration for Activity Monitoring
NetApp Data ONTAP Cluster-Mode Device Configuration for Access Auditing
CIFS Access Method #1 - Use FPolicy & ONTAP API
CIFS Access Method #2 - Use C$ Share
Access to NFSv3 Exports for Cluster-Mode
NetApp Data ONTAP Cluster-Mode Device Configuration for Activity Monitoring
Panzura Device Configuration for Activity Monitoring
Unix Permissions for File System Scans
Windows File Servers
Windows File System Clusters
Least Privilege Permission Model for Windows Cluster
DFS Namespaces
Last Access Time (LAT) Preservation
Appendices
Appendix: Windows Permissions Explained
    Policy Enumeration
    Share & Share Permissions Enumerations
    Folder Enumeration & NTFS Permissions
More Information

File System Permissions & Configuration Overview

Stealthbits products audit and monitor Microsoft® Windows® file servers and/or Network Attached Storage (NAS) devices. StealthAUDIT employs the File System Solution to execute Access Auditing (FSAA), Activity Auditing (FSAC), and/or Sensitive Data Discovery Auditing scans. The Activity Auditing (FSAC) scans also require that Stealthbits Activity Monitor be deployed to monitor the target environment. Additionally, the Stealthbits Activity Monitor can be configured to provide activity data to StealthINTERCEPT, StealthDEFEND, and/or various SIEM products.

This document describes the settings required to audit and monitor the target environment and to allow for successful use of:

• StealthAUDIT v11.0
• Stealthbits Activity Monitor v6.0
• StealthINTERCEPT v7.3 (through integration with Stealthbits Activity Monitor)
• StealthDEFEND v2.7 (through integration with Stealthbits Activity Monitor)

If running Sensitive Data Discovery (SDD) scans, it will be necessary to increase the minimum amount of RAM on the server where the Add-on is installed. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32).

Supported File System Platforms

The versions and devices listed below are supported for Access Auditing, Activity Monitoring, and Sensitive Data Discovery Auditing.

NOTE: Access Auditing and Sensitive Data Discovery Auditing support CIFS and NFSv3 (and below).

Supported Windows Platforms

StealthAUDIT for File Systems is compatible with scanning the following Microsoft® Windows® operating systems as targets:

• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012

Supported Network Attached Storage Devices

StealthAUDIT for File Systems is compatible with scanning the following Network Attached Storage (NAS) devices as targets:

• Dell EMC Unity™
• EMC® Celerra® 6.0+
• EMC® Isilon® 7.0+
• EMC® VNX®:
    • VNX® 7.1
    • VNX® 8.1
• Hitachi® 11.2+
• Nasuni® 8.0+
• NetApp® Data ONTAP®:
    • 7-Mode 7.3+
    • Cluster-Mode 8.2+
      NOTE: The Resiliency feature introduced in ONTAP 9.0 is not supported.
• Panzura® 8.1 (Activity Monitoring only)

Supported Unix Platforms

StealthAUDIT for File Systems is compatible with scanning the following Unix operating systems as targets for Access Auditing (FSAA) and Sensitive Data Discovery Auditing only:

• AIX® 4+
• Solaris™ 8+
• Red Hat® Enterprise Linux® 4+
• Red Hat® Linux® 5.2+
• HP-UX® 11+
• CentOS® 7+
• SUSE® 10+

StealthAUDIT Console Server Permissions

In most cases the StealthAUDIT user is a member of the local Administrators group on the StealthAUDIT Console server. However, if the Role Based Access model of StealthAUDIT usage is employed, then the user assigned the role of Job Initiator (for manual execution) or the credential used for the Schedule Service Account (for scheduled execution) must have the following permissions to execute File System scans in local mode, applet mode, or proxy mode with applet:

• Group membership in either of the following local groups:
    • Backup Operators
    • Administrators

These permissions grant the credential the ability to create a high integrity token capable of leveraging the “Back up files and directories” privilege from where the StealthAUDIT executable is run.

Additionally, the credential must have access to the …\StealthAUDIT\FSAA folder in the installation directory. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

File System Applet Deployment Permissions

If executing the File System scans in either applet mode or proxy mode with applet, then the credential must have permissions to deploy and start the applet. Remember, the applet can only be deployed to a Windows server.

Configure the credential(s) with the following rights on the proxy server(s):

• Group membership in the local Administrators group
• Granted the “Backup files and directories” local policy privilege
• Granted the “Log on as a batch” privilege
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

File System Proxy Service Permissions

If executing the File System scans in proxy mode as a service with RPC or secure RPC, then the File System Proxy Service should be installed on the Windows proxy server(s) prior to executing the scans. The version of the proxy service must match the major version of StealthAUDIT.

The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permissions on the proxy server:

• Membership in the local Administrators group
• Granted the “Log on as a service” privilege (Local Security Policies > Local Policies > User Rights Assignment > Log on as a service)
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory.

NOTE: The File System Proxy Service can be installed ad hoc through a data collector configuration option. In that case, the credential in the assigned Connection Profile must have permissions to install and run the service. Remember, it is not possible to enable secure RPC while using this option.

For secure RPC, a credential is supplied during installation to provide secured communications between the StealthAUDIT server and the proxy server. This credential must be a domain account, but no additional permissions are required. However, this account must be included as a StealthAUDIT Task (Domain) type credential in the Connection Profile to be used by the File System Solution. It is recommended to use the same domain account configured to run the proxy service for the secure RPC account.

If secure RPC will be enabled and the service configured to run as LocalSystem, then the installer automatically adds the necessary service principal names (SPNs) to the computer object in Active Directory.

If secure RPC will be enabled and the service configured to run as a supplied domain account, then it is necessary to manually configure the SPNs on the user object in Active Directory prior to installing the File System Proxy.

See the StealthAUDIT File System Proxy Service Installation Guide for additional information.

If installing the File System Proxy Service on multiple servers, then a custom host list of proxy servers should also be created. See the FSAA: Scan Server Selection section of the StealthAUDIT User Guides v11.0 for additional information.

StealthAUDIT File System Scan Options

Required permissions on the targeted file system are dependent upon not only the type of environment targeted but also the mode in which the data collection scan is executed. There are three primary types of scan modes: local, applet, or proxy. The proxy mode can be conducted via applet deployment, via running as a service with RPC (installed in advance), as well as through running as a service with a secure RPC option.

For the purpose of this document, “applet” refers to the runtime deployment of the StealthAUDITRPC.exe to either the target host (applet mode scans) or the proxy host (proxy mode with applet scans) via Microsoft Task Scheduler. A “proxy” host is any host which can be leveraged for running File System scans against target hosts.

Local Mode

When File System scans are run in local mode, it means all of the data collection processing is conducted by the StealthAUDIT Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the StealthAUDIT Console server, and then imported into the StealthAUDIT database, or Tier 1 database, on the SQL Server.

The diagram illustrates the StealthAUDIT server running the scan against a file server.

Applet Mode

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

When File System scans are run in applet mode, it means the File System applet is deployed to the target host when the job is executed to conduct data collection. However, the applet can only be deployed to a server with a Windows operating system. The data is collected on the Windows target host where the applet is deployed. The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server. If the target host is a NAS device, the File System scans will default to local mode for that host.

The diagram illustrates the StealthAUDIT server sending an FSAA applet to a targeted Windows file server, which runs the scan locally, and then returns data to the StealthAUDIT server.

Proxy Mode with Applet

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

The diagram illustrates the StealthAUDIT server sending an FSAA applet to a proxy server, which runs the scan against a file server, and then returns data to the StealthAUDIT server.

Proxy Mode as a Service with RPC

When File System scans are run in proxy mode as a service with remote procedure call (RPC), there are two methods available for deploying the service:

• Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy server(s) prior to executing the scans. This is the recommended method and provides the option for enabling secure RPC.
• Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed.

The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the StealthAUDIT Console server.

The diagram illustrates the StealthAUDIT server communicating with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally. Then the proxy service returns data to the StealthAUDIT server.

It is recommended to install the File System Proxy Service to the desired Windows proxy servers prior to job execution. However, it can be installed ad hoc through a data collector configuration option, but it is not possible to enable secure RPC while using this option.

Proxy Mode as a Service with Secure RPC

When File System scans are run in proxy mode as a service with secure RPC, the File System Proxy Service must be installed on the Windows proxy server(s) prior to executing the scans. The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

The secure RPC is configured during the installation of the service on the proxy server. The credential provided for the secure communications in the installation wizard is also added to the StealthAUDIT Connection Profile assigned to the File System Solution.


The diagram illustrates the StealthAUDIT server communicating securely with the proxy service on a proxy server, which runs the scan against a file server, collecting the data locally and securely. Then the proxy service returns data securely to the StealthAUDIT server.

StealthAUDIT File Activity Auditing

Specific permissions are necessary for Activity Auditing (FSAC) scans, which employ the Activity Monitor. See the Activity Monitor Configuration section for information.

Local Mode Scans

When File System scans are run in local mode, it means all of the data collection processing is conducted by the StealthAUDIT Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the StealthAUDIT Console server, and then imported into the StealthAUDIT database, or Tier 1 database, on the SQL Server.

The account used to run either a manual execution or a scheduled execution of the File System scans must have the following permissions on the StealthAUDIT Console server:

• Group membership in either of the following local groups:
    • Backup Operators
    • Administrators

Configure the credential(s) with the following rights on the Windows host(s):

• Group membership in both of the following local groups:
    • Power Users
    • Backup Operators
• Granted the “Backup files and directories” local policy privilege

For Windows Server target hosts, the credential also requires:

• Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege

In order to collect data on administrative shares and local policies (logon policies) for a Windows target, the credential must have group membership in the local Administrators group.

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory on the StealthAUDIT Console server. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32).

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. Also the firewall rules must be configured to allow for communication between the applicable servers.

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Local Mode Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in local mode for communication between StealthAUDIT and the target host:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to File Server/Device | TCP | 445 | SMB |

Additional Firewall Rules for NetApp Data ONTAP Devices

The NetApp communication security is configured on the Scan Settings page of the File System Access Auditor Data Collector Wizard. One additional firewall setting is required when targeting either a NetApp Data ONTAP 7-Mode device or a NetApp Data ONTAP Cluster-Mode device. The required setting is dependent upon how the NetApp communication security option is configured:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to NetApp Device | TCP | 80 | HTTP NetApp communication security |
| StealthAUDIT Console to NetApp Device | TCP | 443 | HTTPS NetApp communication security |

Additional Firewall Rules for Windows File Servers

The following firewall setting is also required when targeting a Windows file server:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to Windows Server | TCP | 135 and dynamically assigned RPC | for pre-scan access checks |

RECOMMENDED: Configure target hosts to respond to ping requests.

Applet Mode Scans

When File System scans are run in local mode, it means all of the data collection processing is conducted by the StealthAUDIT Console server across the network. The data is collected in the SQLite database(s), or Tier 2 database(s), on the StealthAUDIT Console server, and then imported into the StealthAUDIT database, or Tier 1 database, on the SQL Server.

Configure the credential(s) with the following rights on the Windows target host(s):

• Group membership in the local Administrators group
• Granted the “Backup files and directories” local policy privilege
• Granted the “Log on as a batch” privilege
• Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory on the target host/proxy server as well as on the StealthAUDIT Console server. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for Applet Mode or Proxy Mode with Applet scans) to determine the system platform and where to deploy the applet.

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.
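The following pre-flight audit of the applet prerequisites listed above is an added example, not part of the vendor documentation. The account name is a placeholder, and the Windows constants it relies on (SeBackupPrivilege, SeBatchLogonRight, and the DisableDomainCreds and RestrictRemoteSam values under the Lsa registry key) are the operating system's names for the policies the page describes. The FSAA folder check is left out because the page elides the installation path.

```powershell
# Added example (not vendor code). Run elevated on the host that will receive the applet.
param(
    [string]$Account = 'EXAMPLE\svc-fsaa'   # placeholder for the Connection Profile credential
)

function ConvertTo-Sid([string]$Name) {
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$sid = ConvertTo-Sid $Account

# Local groups that list the account as a direct member (nested domain groups are not expanded).
$groupSids = @(foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -SID $group.SID -ErrorAction SilentlyContinue
    if ($members.SID.Value -contains $sid) { $group.SID.Value }
})
$identities = @($sid) + $groupSids

# Export User Rights Assignment and index it as right name -> holder SIDs.
$inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
            $holder = $_.Trim()
            if ($holder.StartsWith('*')) { $holder.TrimStart('*') }      # already a SID
            else { try { ConvertTo-Sid $holder } catch { $holder } }     # account name
        })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Test-UserRight([string]$Right) {
    # True when the account itself or one of its local groups holds the right.
    [bool]($rights[$Right] | Where-Object { $identities -contains $_ })
}

# Security Options that the page calls out, read from the Lsa registry key.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# "Restrict clients allowed to make remote calls to SAM" is stored as an SDDL string.
$samAllowed = 'not configured (OS default applies)'
if ($lsa.RestrictRemoteSam) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $lsa.RestrictRemoteSam
    $samAllowed = [bool]($sd.DiscretionaryAcl | Where-Object {
        $_.AceQualifier -eq 'AccessAllowed' -and $identities -contains $_.SecurityIdentifier.Value
    })
}

$remoteRegistry = Get-Service -Name RemoteRegistry

@(
    [pscustomobject]@{
        Requirement = 'Member of local Administrators'
        Result      = ($groupSids -contains 'S-1-5-32-544')
    }
    [pscustomobject]@{
        Requirement = 'Backup files and directories (SeBackupPrivilege)'
        Result      = (Test-UserRight 'SeBackupPrivilege')
    }
    [pscustomobject]@{
        Requirement = 'Log on as a batch (SeBatchLogonRight)'
        Result      = (Test-UserRight 'SeBatchLogonRight')
    }
    [pscustomobject]@{
        Requirement = 'Allowed to make remote calls to SAM'
        Result      = $samAllowed
    }
    [pscustomobject]@{
        Requirement = 'Credential storage policy is disabled (DisableDomainCreds is not 1)'
        Result      = ($lsa.DisableDomainCreds -ne 1)
    }
    [pscustomobject]@{
        Requirement = 'Remote Registry service is not disabled'
        Result      = ($remoteRegistry.StartType -ne 'Disabled')
    }
) | Format-Table -AutoSize
```

Because these rights are equivalent to administrative access on the host, the same output is useful for reviewing which accounts hold them after the scan account has been provisioned.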

Sensitive Data Discovery Auditing scans also require .NET Framework 4.0+ to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server.

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. Also the firewall rules must be configured to allow for communication between the applicable servers.

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Applet Mode Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in applet mode for communication between StealthAUDIT and the host:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to Windows Server | TCP | 135 | RPC endpoint mapper for FSAA Applet Deployment |
| StealthAUDIT Console to Windows Server | TCP | Randomly allocated high TCP ports | RPC for FSAA Applet Deployment |
| StealthAUDIT Console to Windows Server | TCP | 445 | SMB |
| Between StealthAUDIT Console and Windows Server | TCP | 8766 | FSAA Applet Settings Configuration |

NOTE: The FSAA applet settings configuration port 8766 can be customized on the Applet Settings page of the File System Access Auditor Data Collector Wizard.

RECOMMENDED: Configure target hosts to respond to ping requests.

Proxy Mode with Applet Scans

When File System scans are run in proxy mode with applet, it means the File System applet is deployed to the Windows proxy server when the job is executed to conduct data collection. The data collection processing is initiated by the proxy server where the applet is deployed and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

Configure the credential(s) with the following rights on the proxy server(s):

• Group membership in the local Administrators group
• Granted the “Backup files and directories” local policy privilege
• Granted the “Log on as a batch” privilege
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory on the proxy server as well as on the StealthAUDIT Console server. This is required by either the user account running the StealthAUDIT application, when manually executing jobs within the console, or the Schedule Service Account assigned within StealthAUDIT, when running jobs as scheduled tasks.

Remember, Remote Registry Service must be enabled on the host where the applet is deployed (for Applet Mode or Proxy Mode with Applet scans) to determine the system platform and where to deploy the applet.

CAUTION: The local policy, “Network access: Do not allow storage of passwords and credentials for network authentication” must be disabled in order for the applet to start.

Configure the credential(s) with the following rights on the Windows host(s):

• Group membership in both of the following local groups:
    • Power Users
    • Backup Operators
• Granted the “Backup files and directories” local policy privilege

For Windows Server target hosts, the credential also requires:

• Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege

Sensitive Data Discovery Auditing scans also require .NET Framework 4.0+ to be installed on the server where the applet is to be deployed in order for Sensitive Data Discovery collections to successfully occur. The Sensitive Data Discovery Add-on must be installed on the StealthAUDIT Console server.

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. Also the firewall rules must be configured to allow for communication between the applicable servers.

See the Activity Monitor Configuration section for information on additional requirements for Activity Auditing (FSAC) scans.

Firewall Rules for Proxy Mode with Applet Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode with applet for communication between StealthAUDIT and the proxy server:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to Windows Proxy Server | TCP | 135 | RPC endpoint mapper for FSAA Applet Deployment |
| StealthAUDIT Console to Windows Proxy Server | TCP | Randomly allocated high TCP ports | RPC for FSAA Applet Deployment |
| StealthAUDIT Console to Windows Proxy Server | TCP | 445 | SMB |
| Between StealthAUDIT Console and Windows Proxy Server | TCP | 8766 | FSAA Applet Settings Configuration |

NOTE: The FSAA applet settings configuration port 8766 can be customized on the Applet Settings page of the File System Access Auditor Data Collector Wizard.

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode with applet for communication between the proxy server and the target host:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Windows Proxy Server to File Server/Device | TCP | 445 | SMB |

Additional Firewall Rules for NetApp Data ONTAP Devices

Remember, NetApp communication security is configured on the Scan Settings page of the File System Access Auditor Data Collector Wizard. One additional firewall setting is required when targeting either a NetApp Data ONTAP 7-Mode device or a NetApp Data ONTAP Cluster-Mode device. The required setting is dependent upon how the NetApp communication security option is configured:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to NetApp Device | TCP | 80 | HTTP NetApp communication security |
| StealthAUDIT Console to NetApp Device | TCP | 443 | HTTPS NetApp communication security |

Additional Firewall Rules for Windows File Servers

The following firewall setting is also required when targeting a Windows file server:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to Windows Server | TCP | 135 and dynamically assigned RPC | for pre-scan access checks |

RECOMMENDED: Configure target hosts to respond to ping requests.
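As an added example that is not part of the vendor documentation, the script below encodes the fixed-port rows of the firewall tables for local mode, applet mode, and proxy mode with applet, and tests each one from the host it is run on. The parameter names and the New-Rule and Get-AppletRules helpers are this example's own; dynamically assigned RPC ports are not probed.

```powershell
# Added example (not vendor code). Tests only the fixed ports from the firewall tables;
# the randomly allocated / dynamically assigned RPC ports are not probed.
param(
    [Parameter(Mandatory)][ValidateSet('Local', 'Applet', 'ProxyWithApplet')][string]$Mode,
    [Parameter(Mandatory)][string]$Target,          # file server or NAS device to be scanned
    [string]$Proxy,                                 # Windows proxy server (ProxyWithApplet only)
    [ValidateSet('Windows', 'NetApp', 'Other')][string]$TargetType = 'Windows',
    [ValidateSet('Console', 'Proxy')][string]$RunningOn = 'Console',
    [switch]$NetAppHttps,                           # mirrors the NetApp communication security option
    [int]$AppletPort = 8766                         # default; customizable on the Applet Settings page
)

function New-Rule([string]$From, [string]$To, [int]$Port, [string]$Purpose) {
    [pscustomobject]@{ From = $From; To = $To; Port = $Port; Purpose = $Purpose }
}

function Get-AppletRules([string]$AppletHost) {
    # Console -> host that receives the applet (the target in applet mode, the proxy otherwise).
    New-Rule 'Console' $AppletHost 135 'RPC endpoint mapper for FSAA applet deployment'
    New-Rule 'Console' $AppletHost 445 'SMB'
    # The table lists this rule as "between" the two hosts; only Console -> host is tested here.
    New-Rule 'Console' $AppletHost $AppletPort 'FSAA applet settings configuration'
}

$rules = @(switch ($Mode) {
    'Local'           { New-Rule 'Console' $Target 445 'SMB' }
    'Applet'          { Get-AppletRules $Target }
    'ProxyWithApplet' {
        if (-not $Proxy) { throw '-Proxy is required in ProxyWithApplet mode.' }
        Get-AppletRules $Proxy
        New-Rule 'Proxy' $Target 445 'SMB'
    }
})

# Additional rules the page lists for local mode and for proxy mode with applet.
if ($Mode -ne 'Applet') {
    if ($TargetType -eq 'NetApp') {
        $port = if ($NetAppHttps) { 443 } else { 80 }
        $rules += New-Rule 'Console' $Target $port 'NetApp communication security'
    }
    if ($TargetType -eq 'Windows') {
        $rules += New-Rule 'Console' $Target 135 'RPC for pre-scan access checks'
    }
}

# Probe only the rules whose source is the host this script is running on.
# A closed result means the port is filtered or nothing is listening at that moment.
$rules | Where-Object { $_.From -eq $RunningOn } | ForEach-Object {
    $open = Test-NetConnection -ComputerName $_.To -Port $_.Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue $open -PassThru
} | Format-Table -AutoSize
```

Run it once on the StealthAUDIT Console server and, for proxy mode with applet, again on the proxy server with -RunningOn Proxy to cover the proxy-to-target SMB rule.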

Proxy Mode as a Service Scans: with RPC or Secure RPC

When File System scans are run in proxy mode as a service with remote procedure call (RPC), there are two methods available for deploying the service:

• Pre-Installed File System Proxy Service – File System Proxy Service installation package must be installed on the Windows proxy server(s) prior to executing the scans. This is the recommended method and provides the option for enabling secure RPC.
• Ad Hoc File System Proxy Service Deployment – File System Proxy Service is installed on the Windows proxy server when the job is executed.

The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target hosts. The final step in data collection is to compress and transfer the data collected in the SQLite databases, or Tier 2 databases, back to the StealthAUDIT Console server.

When File System scans are run in proxy mode as a service with secure RPC, the File System Proxy Service must be installed on the Windows proxy server(s) prior to executing the scans. The data collection processing is conducted by the proxy server where the service is running and leverages a local mode-type scan to each of the target host(s). The final step in data collection is to compress and transfer the data collected in the SQLite database(s), or Tier 2 database(s), back to the StealthAUDIT Console server.

The secure RPC is configured during the installation of the service on the proxy server. The credential provided for the secure communications in the installation wizard is also added to the StealthAUDIT Connection Profile assigned to the File System Solution.

File System Proxy Service Credentials

The service can be run either as LocalSystem or with a domain account supplied during the installation of the File System Proxy Service with the following permissions on the proxy server:

• Membership in the local Administrators group
• Granted the “Log on as a service” privilege (Local Security Policies > Local Policies > User Rights Assignment > Log on as a service)
• If running FSAC, the service account in the credential profile requires access to the admin share (e.g. C$) where the sbtfilemon.ini file exists

Additionally, the credential must have WRITE access to the …\StealthAUDIT\FSAA folder in the installation directory.

Windows File Server Target Host Credentials

Configure the credential(s) with the following rights on the Windows host(s):

• Group membership in both of the following local groups:
    • Power Users
    • Backup Operators
• Granted the “Backup files and directories” local policy privilege

For Windows Server target hosts, the credential also requires:

• Granted the "Network access: Restrict clients allowed to make remote calls to SAM" Local Policies > Security Options privilege

In order to collect data on administrative shares and local policies (logon policies) for a Windows target, the credential must have group membership in the local Administrators group.

Sensitive Data Discovery Auditing Consideration


The Sensitive Data Discovery Add-on must be installed on the proxy server. This requirement is in addition to having the Sensitive Data Discovery Add-on installed on the StealthAUDIT Console server. By default, SDD scans are configured to run two concurrent threads. Each thread requires a minimum of 2 additional GB of RAM per host. For example, if the job is configured to scan 8 hosts at a time with 2 concurrent SDD threads, then an extra 32 GB of RAM are required (8x2x2=32).

Secure RPC Considerations

For secure RPC, a credential is supplied during installation to provide secured communications between the StealthAUDIT server and the proxy server. This credential must be a domain account, but no additional permissions are required. However, this account must be included as a StealthAUDIT Task (Domain) type credential in the Connection Profile to be used by the File System Solution. It is recommended to use the same domain account configured to run the proxy service for the secure RPC account.

Secure RPC & Service Principal Names

If secure RPC will be enabled and the service configured to run as LocalSystem, then the installer automatically adds the necessary service principal names (SPNs) to the computer object in Active Directory.

If secure RPC will be enabled and the service configured to run as a supplied domain account, then it is necessary to manually configure the SPNs on the user object in Active Directory prior to installing the File System Proxy.

StealthAUDIT Connection Profile

When running Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credentials within the Connection Profile assigned to the File System scans must be properly configured as explained above. The firewall rules must also be configured to allow communication between the applicable servers.

Firewall Rules for Proxy Mode as a Service Scans

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode as a service for communication between StealthAUDIT and the proxy server:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to Windows Proxy Server | TCP | 135 | RPC endpoint mapper for FSAA Applet Deployment |
| Between StealthAUDIT Console and Windows Proxy Server (Inbound on the proxy server, and outbound on the StealthAUDIT Console server.) | TCP | 8766 | FSAA Applet Settings Configuration |

NOTE: The FSAA applet settings configuration port 8766 can be customized on the Applet Settings page of the File System Access Auditor Data Collector Wizard.

The following firewall settings are required when executing the Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in proxy mode as a service for communication between the proxy server and the target host:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Windows Proxy Server to File Server/Device | TCP | 445 | SMB |

Additional Firewall Rules for NetApp Data ONTAP Devices

Remember, NetApp communication security is configured on the Scan Settings page of the File System Access Auditor Data Collector Wizard. One additional firewall setting is required when targeting either a NetApp Data ONTAP 7-Mode device or a NetApp Data ONTAP Cluster-mode device. The required setting is dependent upon how the NetApp communication security option is configured:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| StealthAUDIT Console to NetApp Device | TCP | 80 | HTTP NetApp communication security |
| StealthAUDIT Console to NetApp Device | TCP | 443 | HTTPS NetApp communication security |

Additional Consideration for Windows File Servers

RECOMMENDED: Configure target hosts to respond to ping requests.

Activity Monitor Configuration

The Activity Monitor collects activity events from file system environments. There must be a deployed activity agent on a Windows server to monitor the target environment.

Firewall Rules for Activity Monitoring

Firewall settings are dependent upon the type of environment being targeted. The following firewall settings are required for communication between the activity agent server and the Activity Monitor Console:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Activity Monitor to Activity Agent Server | TCP | 4498 | Activity Agent Communication |

The Windows firewall rules must be configured on the Windows server, and certain inbound rules must be created if the scans are running in applet mode. These scans operate over a default port range, which cannot be specified via an inbound rule. For more information, see the Microsoft Connecting to WMI on a Remote Computer article.

Additional Firewall Rules for Dell EMC Unity, EMC Celerra, & EMC VNX Devices

The following firewall settings are required for communication between the CEE server/Activity Monitor activity agent server and the target Dell EMC Unity, EMC Celerra, or EMC VNX device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| EMC Device to CEE Server | TCP | RPC Dynamic Range | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |

Additional Firewall Rules for EMC Isilon Devices

The following firewall settings are required for communication between the CEE server/Activity Monitor activity agent server and the target EMC Isilon device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Isilon to CEE Server | TCP | TCP 12228 | CEE Communication |
| CEE Server to Activity Agent Server (when not same server) | TCP | RPC Dynamic Range | CEE Event Data |

Additional Firewall Rules for Nasuni Edge Appliances

The following firewall settings are required for communication between the Activity Monitor activity agent server and the target Nasuni Edge Appliance:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Agent Server to Nasuni | HTTPS | 8443 | Nasuni API calls |
| Nasuni to Activity Agent Server | AMQP over TCP | 5671 | Nasuni event reporting |

Additional Firewall Rules for NetApp Data ONTAP 7-Mode Devices

The following firewall settings are required for communication between the Activity Monitor activity agent server and the target NetApp Data ONTAP 7-Mode device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Activity Agent Server to NetApp* | HTTP (optional) | 80 | ONTAPI |
| Activity Agent Server to NetApp* | HTTPS (optional) | 443 | ONTAPI |
| Activity Agent Server to NetApp | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
| Activity Agent Server to NetApp | TCP | 445 | SMB |
| Activity Agent Server to NetApp | UDP | 137, 138 | RPC |
| NetApp to Activity Agent Server | TCP | 135, 139, Dynamic Range (49152-65535) | RPC |
| NetApp to Activity Agent Server | TCP | 445 | SMB |
| NetApp to Activity Agent Server | UDP | 137, 138 | RPC |

*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options within the Activity Monitor.

NOTE: If either HTTP or HTTPS are not enabled, the FPolicy on the NetApp Data ONTAP 7-Mode device must be configured manually. Also, the External Engine will not reconnect automatically in the case of a server reboot or service restart.

Additional Firewall Rules for NetApp Data ONTAP Cluster-Mode Devices

The following firewall settings are required for communication between the Activity Monitor activity agent server and the target NetApp Data ONTAP Cluster-Mode device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Activity Agent Server to NetApp* | HTTP (optional) | 80 | ONTAPI |
| Activity Agent Server to NetApp* | HTTPS (optional) | 443 | ONTAPI |
| NetApp to Activity Agent Server | TCP | 9999 | FPolicy events |

*Only required if using the FPolicy Configuration and FPolicy Enable and Connect options within the Activity Monitor.

Additional Firewall Rules for Panzura Devices

The following firewall settings are required for communication between the Activity Monitor activity agent server and the target Panzura device:

| Communication Direction | Protocol | Ports | Description |
|---|---|---|---|
| Unidirectional | AMQP over TCP | 4497 | Panzura Event Reporting |

Protect the port with a username and password. The credentials will be configured in Panzura. See the Panzura Tab section of the Stealthbits Activity Monitor Installation & Console User Guide for additional information.
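The inbound rows of the firewall tables above (proxy mode as a service, and Activity Monitoring) can be applied on each Windows server as rules scoped to the one peer that needs the port, rather than opening the port to any source. The PowerShell below is an added example, not part of the vendor guide: the role labels, rule group name, function names, the Domain profile choice and the 192.0.2.x addresses are assumptions, and rows that use the RPC dynamic range or do not state a direction (Panzura) are left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not vendor code. Ports and directions come from the firewall
# tables in this guide; role labels, group names, function names and the
# 192.0.2.x addresses are assumptions made for the illustration.

# Inbound flows a Windows server must accept, keyed by the role it plays.
# Port 8766 is the default and can be changed on the Applet Settings page.
$RequiredInbound = @(
    [pscustomobject]@{ Role = 'Proxy';         Port = 135;   Source = 'Console';         Purpose = 'RPC endpoint mapper for FSAA' }
    [pscustomobject]@{ Role = 'Proxy';         Port = 8766;  Source = 'Console';         Purpose = 'FSAA applet settings' }
    [pscustomobject]@{ Role = 'ActivityAgent'; Port = 4498;  Source = 'ActivityMonitor'; Purpose = 'Activity agent communication' }
    [pscustomobject]@{ Role = 'ActivityAgent'; Port = 9999;  Source = 'NetAppCluster';   Purpose = 'FPolicy events' }
    [pscustomobject]@{ Role = 'ActivityAgent'; Port = 5671;  Source = 'Nasuni';          Purpose = 'Nasuni event reporting (AMQP)' }
    [pscustomobject]@{ Role = 'CEE';           Port = 12228; Source = 'Isilon';          Purpose = 'CEE communication' }
)

function Set-ScopedInboundRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Proxy', 'ActivityAgent', 'CEE')][string]$Role,
        # Map of source label -> one or more IPs/subnets allowed to connect.
        [Parameter(Mandatory)][hashtable]$SourceAddress
    )
    $group = "StealthAUDIT example - $Role"

    # Drop rules from an earlier run so repeated runs do not stack duplicates.
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule -WhatIf:$WhatIfPreference

    foreach ($flow in $RequiredInbound | Where-Object Role -eq $Role) {
        $allowed = $SourceAddress[$flow.Source]
        if (-not $allowed) {
            # No peer of this type in the environment (e.g. no Nasuni): open nothing.
            Write-Verbose "Skipping TCP $($flow.Port): no address given for '$($flow.Source)'"
            continue
        }
        # Assumes the server is domain-joined, so the rule is limited to the Domain profile.
        New-NetFirewallRule -DisplayName "$group - TCP $($flow.Port) from $($flow.Source)" `
            -Description $flow.Purpose -Group $group `
            -Direction Inbound -Action Allow -Protocol TCP `
            -LocalPort $flow.Port -RemoteAddress $allowed `
            -Profile Domain -WhatIf:$WhatIfPreference | Out-Null
    }
}

function Find-UnscopedRule {
    # Lists enabled inbound allow rules that expose one of the role's ports to
    # every source. Only exact port matches are checked; rules written as port
    # ranges or with LocalPort 'Any' are not expanded here.
    param([Parameter(Mandatory)][ValidateSet('Proxy', 'ActivityAgent', 'CEE')][string]$Role)

    $ports = @($RequiredInbound | Where-Object Role -eq $Role | ForEach-Object { [string]$_.Port })

    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort | Where-Object { $ports -contains $_ }).Count -gt 0 } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow' -and
                $rule.Enabled -eq 'True' -and @($addr.RemoteAddress) -contains 'Any') {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    LocalPort     = $_.LocalPort -join ','
                    RemoteAddress = 'Any'
                }
            }
        }
}

# Constructed addresses (RFC 5737 documentation range); replace with the real peers.
$peers = @{
    Console         = '192.0.2.10'
    ActivityMonitor = '192.0.2.11'
    NetAppCluster   = '192.0.2.50', '192.0.2.51'
}

# Preview the rules for a proxy server, then list anything already exposing its ports to Any.
Set-ScopedInboundRule -Role Proxy -SourceAddress $peers -WhatIf
Find-UnscopedRule -Role Proxy | Format-Table -AutoSize
```

Run it on the server that holds the role; remove `-WhatIf` once the previewed rules match the peers in your environment.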

Dell EMC Unity Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the target host:

• Group membership in both of the following groups:
    • Power Users
    • Backup Operators

These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

If there are folders to which the credential is denied access, it is likely that the Backup Operators group does not have the “Back up files and directories” right. In that case, it is necessary either to additionally assign the “Back up files and directories” right to those groups or to create a new local group, using Computer Management from a Windows server, and then assign rights to it using the CelerraManagementTool.msc plugin, which is available to EMC customers. For further information, see the Celerra guide Using Windows Administrative Tools on VNX found on the Celerra website.

In order to successfully scan EMC devices from a StealthAUDIT Console on a Windows Server 2012 or Windows Server 2012 R2, the “Require Secure Negotiate” policy must be turned off on that server. This is due to a problem that is caused by the “Secure Negotiate” feature which was added to SMB 3.0 for Windows Server 2012 and Windows 8. This feature depends upon the correct signing of error responses by all SMBv2 servers, including servers that support only protocol versions 2.0 and 2.1. Some third-party file servers do not return a signed error response; therefore, the connection fails.

See the Dell EMC Unity Device Configuration Guide for preparation details for collecting file system data from a Dell EMC Unity target host.

Dell EMC Unity Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the Dell EMC Unity device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the target hosts, where the activity agent is deployed. Additionally, the EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the activity agent is deployed. EMC CEE 8.4.2 through EMC CEE 8.6.1 are not supported for the asynchronous bulk delivery (VCAPS) feature.

RECOMMENDED: EMC CEE 8.2.0 is the recommended version to use with the VCAPS feature.

EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

EMC Celerra & VNX Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the target host:

• Group membership in both of the following groups:
    • Power Users
    • Backup Operators

These permissions grant the credential the ability to enumerate shares, access the remote registry, and bypass NTFS security on folders. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

If there are folders to which the credential is denied access, it is likely that the Backup Operators group does not have the “Back up files and directories” right. In that case, it is necessary either to additionally assign the “Back up files and directories” right to those groups or to create a new local group, using Computer Management from a Windows server, and then assign rights to it using the CelerraManagementTool.msc plugin, which is available to EMC customers. For further information, see the Celerra guide Using Windows Administrative Tools on VNX found on the Celerra website.

In order to successfully scan EMC devices from a StealthAUDIT Console on a Windows Server 2012 or Windows Server 2012 R2, the “Require Secure Negotiate” policy must be turned off on that server. This is due to a problem that is caused by the “Secure Negotiate” feature which was added to SMB 3.0 for Windows Server 2012 and Windows 8. This feature depends upon the correct signing of error responses by all SMBv2 servers, including servers that support only protocol versions 2.0 and 2.1. Some third-party file servers do not return a signed error response; therefore, the connection fails.

See the EMC Celerra or VNX Device Configuration Guide for preparation details for collecting file system data from an EMC Celerra or EMC VNX target host.

EMC Celerra & VNX Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the EMC Celerra or VNX device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the target hosts, where the activity agent is deployed. Additionally, the EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the activity agent is deployed. EMC CEE 8.4.2 through EMC CEE 8.6.1 are NOT supported for the asynchronous bulk delivery (VCAPS) feature.

RECOMMENDED: EMC CEE 8.2.0 is the recommended version to use with the VCAPS feature.

EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

EMC Isilon Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the target host:

• Group membership in the local Administrators group – LOCAL:System Provider
• Rights on the actual file tree or to the IFS root share
• Share Permissions:
    • Read access

These permissions grant the credential the ability to audit folders and shares. The credential used within the assigned Connection Profile for these target hosts requires these permissions. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

In order to execute scoped Sensitive Data Discovery Auditing scans, the credential must also have the LOCAL:System provider selected in each access zone in which the shares to be scanned reside.

The credential must have an Authentication Provider configured for the Isilon device. For example, if the credential is an Active Directory account, then the domain where the account resides must be an Active Directory Authentication Provider.

See the EMC Isilon Device Configuration Guide for preparation details for collecting file system data from an EMC Isilon target host.

EMC Isilon Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the EMC Isilon device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the host where the activity agent is deployed. Additionally, the EMC Common Event Enabler (CEE) should be installed on the Windows proxy server where the activity agent is deployed. EMC CEE 8.4.2 through EMC CEE 8.6.1 are not supported for the asynchronous bulk delivery (VCAPS) feature.

RECOMMENDED: EMC CEE 8.2.0 is the recommended version to use with the VCAPS feature.

EMC CEE requires .NET Framework 3.5 to be installed on the Windows proxy server in order for the EMC CEE service to start.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

Hitachi Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the target host:

• Group membership in the Backup Operators local group

This permission grants the credential read access to all target folders and files. The credential used within the assigned Connection Profile for these target hosts requires this permission. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

See the Hitachi Device Configuration Guide for preparation details for collecting file system data from a Hitachi target host.

Hitachi Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the Hitachi device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the target hosts, where the activity agent is deployed.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

A Hitachi device can host multiple Enterprise Virtual Servers (EVS). Each EVS has multiple file systems. Auditing is enabled and configured per file system. HNAS generates the audit log files in EVT format (a standard event log format in Windows XP/2003 and earlier). Hitachi stores the generated audit logs in a user specified location on the file system. The activity agent deployed on the Windows proxy server accesses this location to collect the audit log files as they are generated. The credential used to monitor activity must be provisioned with:

• Capability of enabling a File System Audit Policy on the Hitachi device
• Audit rights to the Hitachi log directory

Nasuni Edge Appliance Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the following permissions on the on-premise Nasuni Edge Appliance:

• Group membership in the local Administrators group

This is in addition to the API Key Name and Passcode which must be generated for each on-premise Nasuni Edge Appliance and cloud filer. See the Nasuni Edge Appliance Configuration Guide for preparation details for collecting file system data from a Nasuni target host.

Nasuni Edge Appliance Configuration for Activity Monitoring

Generation of an API Access Key is required for Nasuni activity monitoring.

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the Nasuni Edge Appliance. While actively monitoring, the activity agent generates activity log files stored on the target host. The credential used to deploy the activity agent must have:

• Group membership in the local Administrators group

The Remote Registry Service must be enabled on the target hosts, which is where the activity agent is deployed.

NetApp Data ONTAP 7-Mode Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the ability to:

• Enumerate shares by executing specific API calls
• Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions

The following sections outline the required permissions granted to the credential used within the assigned Connection Profile for these target hosts. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

See the NetApp Data ONTAP 7-Mode Device Configuration Guide for preparation details for collecting file system data from a NetApp Data ONTAP 7-Mode target host.

Share Enumeration – API Calls for 7-Mode

To enumerate the shares on a NetApp Data ONTAP 7-Mode device, File System scans require a credential provisioned with access to (at minimum) the following API calls:

    login-http-admin
    api-system-api-list
    api-system-get-version
    api-cifs-share-list-iter-*

If the query configuration option to “Exclude system shares” is deselected, the credential must also have the ability to run the following command, which is also configuration-specific:

    api-volume-list-info-iter-*

Bypass NTFS Security for 7-Mode

In order to bypass NTFS, the credential needs to at least have the following permissions on the NetApp device:

• Group membership in both of the following groups:
    • Power Users
    • Backup Operators

If the query configuration option to “Exclude system shares” is deselected, the credential must have:

• Group membership in the local Administrators group

NOTE: All NetApp groups are assigned an RID. Built-in NetApp groups such as Power Users and Backup Operators are assigned specific RID values. On 7-Mode NetApp devices, system access checks for a group are identified by the RID assigned to the group and not by the role it has. Therefore, StealthAUDIT’s ability to bypass access checks with the Power Users and Backup Operators group has nothing to do with the power role or the backup role. Neither role is required. For example, the built-in Power User group, even when stripped of all roles, still has more file system access capabilities than any other non-built-in group.

NetApp Data ONTAP 7-Mode Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the NetApp Data ONTAP 7-Mode device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the host where the activity agent is deployed. Additionally, “file and printer sharing” needs to be turned on for the host where the activity agent is deployed.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

An FPolicy must be configured on the target device for Activity Auditing (FSAC) scans. A tailored FPolicy is recommended as it decreases the impact on the NetApp device. The credential associated with the FPolicy used to monitor activity must be provisioned with access to the following API calls:

    login-http-admin
    api-system-api-list
    api-system-get-version
    api-cifs-share-list-iter-*
    api-volume-list-info-iter-*

If the Activity Monitor will be automatically configuring the FPolicy, then the following command is also needed:

    api-fpolicy*

If the Activity Monitor will be configured to use the “Enable and connect to the FPolicy” option, then the following command is also needed:

    cli-fpolicy*

The credential must also have the following permissions on the target device:

• Group membership in both of the following groups:
    • ONTAP Power Users
    • ONTAP Backup Operators

NetApp Data ONTAP Cluster-Mode Device Configuration for Access Auditing

In order for StealthAUDIT to execute Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, the credential must have the ability to:

• For CIFS access:
    • Method 1 - Use FPolicy & ONTAP API
        • Enumerate shares by executing specific API calls
        • Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
    • Method 2 - Use the C$ Share
        • Enumerate shares using the special C$ share
        • Bypass NTFS security to read the entire folder structure to be scanned and collect file/folder permissions
• For NFSv3 access:
    • IP Address of scanning server in the export policy for each volume

The following sections outline the required permissions granted to the credential used within the assigned Connection Profile for these target hosts. See the StealthAUDIT File System Scan Options section for information on firewall settings.

NOTE: These permissions are in addition to those needed to either deploy applet scans for running scans in proxy mode with applet or installing the File System Proxy Service Permissions for running scans in proxy mode as a service. For deploying applet scans, see the File System Applet Deployment Permissions section for additional information.

See the NetApp Data ONTAP Cluster-Mode Device Configuration Guide for preparation details for collecting file system data from a NetApp Data ONTAP Cluster-Mode target host.

CIFS Access Method #1 - Use FPolicy & ONTAP API

To enumerate the shares on a NetApp Data ONTAP Cluster-Mode device, File System scans require a credential that has been provisioned with at minimum the following CLI commands:

CLI Command                        Access
version                            Readonly
volume                             Readonly
vserver                            Readonly
vserver fpolicy                    Readonly
security login role show-ontapi    Readonly

For NTFS permissions, it is possible to enable a credential to bypass NTFS security on NetApp Data ONTAP Cluster-Mode devices by provisioning access to a special share: ONTAP_Admin$. In order to access the ONTAP_Admin$ share, the credential must be associated with an FPolicy on the target device.

If the FPolicy is being configured only for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans, then the FPolicy does not need to be configured to collect any information, i.e. an empty FPolicy. This type of “empty” FPolicy should have minimal impact on an organization’s system. The policy name must be StealthAUDIT.

CIFS Access Method #2 - Use C$ Share

Alternatively, if configuring FPolicy is not possible or desired, a least privilege access option is available for NetApp Data ONTAP Cluster-Mode devices v9.0+. The following permissions are required:

• Group membership in the Backup Operators group on either the file system proxy server for Proxy Mode scans or the StealthAUDIT server for Local Mode scans (to get a high integrity token)
• Group membership in the NetApp SVM's Power Users group (to enumerate shares)
• Group membership in the NetApp SVM's Backup Operators group (to bypass NTFS permissions)
  • NetApp SVM's SeBackupPrivilege needs to be applied to this group
  • This group must have read-only access to the SVM's C$ share

If an ACE does not already exist for a specific user/group on an SVM's c$ share, then it needs to be added with the desired rights (No_access, Read, Change, or Full_Control). To check the current ACE for a user or group on each SVM's c$ share, the following ONTAP CLI command should be used at the cluster management level:

vserver cifs share access-control show -share c$

The output will list each SVM's ACL for its c$ share. For example:

If the desired ACE does not exist on an SVM's c$ share, then one can be created with the following command:

vserver cifs share access-control create -share c$ -user-or-group -permission Read -vserver

If an existing ACE needs to be modified, the following command should be used:

CAUTION: The following command will overwrite an existing ACE. For example, it is possible to downgrade a user with Full_Control to Read, or vice versa.

vserver cifs share access-control modify -share c$ -user-or-group -permission Read -vserver

NOTE: If users would prefer to avoid permissioning C$, then there is an alternative. Users can instead give the SVM's Backup Operators group read-only access to each share to be scanned.

In order to utilize StealthAUDIT’s LAT Preservation (Last Access Time) feature during sensitive data scans and metadata tag collection, applying ONTAP’s SeRestorePrivilege to the service account is also required.

As an alternative to membership in BUILTIN\Backup Operators, SeBackupPrivilege can be directly applied to a user via the NetApp command line.

Access to NFSv3 Exports for Cluster-Mode


The StealthAUDIT server or proxy server IP Address needs to be in the export policy for each volume to be scanned via NFSv3. Share enumeration and bypassing NTFS permissions are not applicable to NFSv3 exports.

NetApp Data ONTAP Cluster-Mode Device Configuration for Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on the Windows proxy server to monitor the NetApp Data ONTAP Cluster-Mode device. While actively monitoring, the activity agent generates activity log files stored on the target host from which StealthAUDIT reads the activity. Both the credential used to deploy the activity agent and the credential used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on the host where the activity agent is deployed.

The FPolicy configured on the target device for Activity Auditing (FSAC) scans can also be used to collect data for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans. The credential associated with the FPolicy used to monitor activity must be provisioned with at minimum the following CLI commands, according to the level of collection desired.

Collect Activity Events

The Activity Monitor credential requires the following permissions to collect events:

CLI Command    Access
version        Readonly
volume         Readonly
vserver        Readonly

Employing the “Enable and connect FPolicy” Option

The Activity Monitor can be configured to ensure everything is actively monitoring with periodic checks on the FPolicy. If the “Enable and connect FPolicy” option is enabled, then the credential requires the following permissions to enable the FPolicy, connect to the FPolicy, and collect events:

CLI Command                       Access
version                           Readonly
volume                            Readonly
vserver                           Readonly
vserver fpolicy disable           All
vserver fpolicy enable            All
vserver fpolicy engine-connect    All
network interface                 Readonly

Employing the “Configure FPolicy” Option

The Activity Monitor can be configured to automatically configure FPolicy, which is referred to as “Automatic Configuration of FPolicy” in the NetApp Data ONTAP Cluster-Mode Device Configuration Guide. If the “Configure FPolicy” option is enabled, then the credential requires the following permissions to enable the FPolicy, connect to the FPolicy, and collect events:

CLI Command                     Access
version                         Readonly
volume                          Readonly
vserver                         Readonly
vserver fpolicy                 All
network interface               Readonly
security certificate install    All (only needed for FPolicy TLS connection)

StealthAUDIT Integration

In order for the FPolicy configured for the Activity Monitor to also be used for Access Auditing (FSAA) and/or Sensitive Data Discovery Auditing scans in StealthAUDIT, the following CLI command is required in addition to those commands needed for the level of collection desired:

CLI Command                        Access
security login role show-ontapi    Readonly

A tailored FPolicy is recommended as it decreases the impact on the NetApp device. The policy name and credentials are case sensitive when targeting a NetApp Data ONTAP Cluster-Mode device. The policy name must be StealthAUDIT. The engine name must be StealthAUDITEngine.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.
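The tables above lend themselves to an automated least-privilege check of the role behind the Activity Monitor credential. The following is an added example, not StealthAUDIT or NetApp code: the role listing format, the sample role, and the rule that the most specific command directory wins (with a DEFAULT row as fallback) are assumptions made for illustration.

```python
# Added example: audit an ONTAP role against the minimum grants in this guide.
LEVEL = {"none": 0, "readonly": 1, "all": 2}
# Minimum grants per Activity Monitor option, copied from the tables above.
BASE = {"version": "readonly", "volume": "readonly", "vserver": "readonly"}
REQUIRED = {
    "collect_events": dict(BASE),
    "enable_and_connect": {
        **BASE,
        "vserver fpolicy disable": "all",
        "vserver fpolicy enable": "all",
        "vserver fpolicy engine-connect": "all",
        "network interface": "readonly",
    },
    "configure_fpolicy": {
        **BASE,
        "vserver fpolicy": "all",
        "network interface": "readonly",
        "security certificate install": "all",  # FPolicy TLS connection only
    },
}
INTEGRATION = {"security login role show-ontapi": "readonly"}

# Constructed sample role: "<command directory> <access>" per line.
ROLE_DUMP = """
DEFAULT              none
version              readonly
volume               readonly
vserver              readonly
vserver fpolicy      all
network interface    readonly
storage              readonly
"""

def parse_role(dump):
    """Return {command directory: access} from whitespace-separated lines."""
    grants = {}
    for line in dump.strip().splitlines():
        cmddir, access = line.rsplit(None, 1)
        grants[" ".join(cmddir.lower().split())] = access.lower()
    return grants

def needs(option, integration=False, tls=True):
    """Required grants for an option, optionally with StealthAUDIT integration."""
    need = dict(REQUIRED[option])
    if not tls:
        need.pop("security certificate install", None)
    if integration:
        need.update(INTEGRATION)
    return need

def effective(grants, command):
    """Longest granted directory prefixing the command wins (assumption), else DEFAULT."""
    words = command.split()
    for n in range(len(words), 0, -1):
        hit = grants.get(" ".join(words[:n]))
        if hit is not None:
            return hit
    return grants.get("default", "none")

def missing(grants, need):
    """Required commands the role cannot run at the required level."""
    return sorted(c for c, lvl in need.items()
                  if LEVEL[effective(grants, c)] < LEVEL[lvl])

def excess(grants, need):
    """Grants broader or higher than any requirement at or above them."""
    def ceiling(cmddir):
        words = cmddir.split()
        prefixes = (" ".join(words[:n]) for n in range(1, len(words) + 1))
        return max((LEVEL[need[p]] for p in prefixes if p in need), default=0)
    return sorted(c for c, a in grants.items() if LEVEL[a] > ceiling(c))
```

With the sample role, the “Enable and connect FPolicy” option is satisfied, but the blanket `vserver fpolicy` grant and the unrelated `storage` grant are reported as excess.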

Panzura Device Configuration for Activity Monitoring

The Panzura server can host multiple Enterprise Virtual Servers (EVS). Each EVS has multiple file systems. Auditing is enabled and configured per file system. Panzura generates the audit log files in EVT format (a standard event log format in Windows XP/2003 and earlier). Panzura stores the generated audit logs in a user specified location on the file system. The activity agent deployed on the Windows proxy server accesses this location to collect the audit log files as they are generated. The credential used to monitor activity must be provisioned with:

• Capability of enabling a File System Audit Policy on the Panzura device
• Audit rights to the Panzura log directory

See the Panzura Device Configuration Guide for preparation details for collecting file system data from a Panzura target host.

Unix Permissions for File System Scans

NOTE: For FSAA and SEEK scans, StealthAUDIT supports NFSv3 and under.

The requirements for scanning file system data on UNIX servers are:

• The IP address or hostname of the applet, proxy, or SA server performing the scan needs to be in the Unix host’s exports file for each export to be scanned.
• The no_root_squash flag needs to be enabled for each export policy to ensure all files in exports can be read
• The Unix host's firewall needs to be open for the following TCP/UDP Ports:
  • Port 111 for Portmapper (a.k.a. rpcbind)
  • Port 2049 for NFS
  • The dynamic port for mountd
    • This port can be determined using the rpcinfo -p command on the Unix Host
    • This port can also be manually set to a static port for TCP/UDP

NOTE: A connection profile containing Unix credentials is not required. Export access is granted through each Unix host's export file, not through credential authentication.
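Because export access here rests on the exports file rather than on a credential, it is worth checking that no_root_squash is granted to the scanning host and to nothing else. The following is an added example, not part of StealthAUDIT: the rpcinfo output, the exports file (Linux syntax), the scanner address 192.0.2.10 and the preference for an exact host entry over a covering subnet are all constructed or assumed.

```python
import ipaddress

# Constructed sample of `rpcinfo -p` output from a Unix host.
RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp  20048  mountd
    100005    3   tcp  20048  mountd
"""

# Constructed sample exports file; 192.0.2.10 plays the scanning server.
EXPORTS = """\
# path        client(options) ...
/srv/finance  192.0.2.10(ro,no_root_squash)
/srv/hr       192.0.2.10(ro) 192.0.2.0/24(rw,no_root_squash)
/srv/public   *(ro)
/srv/eng      198.51.100.7(ro,no_root_squash)
"""

def required_ports(rpcinfo_text):
    """Sorted (proto, port) pairs to open: 111, 2049 and the mountd port(s)."""
    ports = {(p, n) for p in ("tcp", "udp") for n in (111, 2049)}
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[4] == "mountd" and f[3].isdigit():
            ports.add((f[2], int(f[3])))
    return sorted(ports)

def covers(client, scanner):
    """True if an exports client spec (host, CIDR or '*') includes scanner."""
    if client in (scanner, "*"):
        return True
    try:
        return ipaddress.ip_address(scanner) in ipaddress.ip_network(client, strict=False)
    except ValueError:  # hostname or wildcard pattern: not resolved here
        return False

def audit_exports(exports_text, scanner):
    """Map each export path to (status, other clients holding no_root_squash)."""
    report = {}
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        clients = {}
        for tok in tokens:
            host, _, opts = tok.partition("(")
            clients[host] = set(filter(None, opts.rstrip(")").split(",")))
        # Assumption: an exact host entry is preferred over a subnet or '*'.
        match = scanner if scanner in clients else next(
            (c for c in clients if covers(c, scanner)), None)
        if match is None:
            status = "not_exported"   # scanner cannot mount this export
        elif "no_root_squash" in clients[match]:
            status = "ok"
        else:
            status = "root_squash"    # root is squashed; scan will miss files
        others = sorted(c for c, o in clients.items()
                        if c != scanner and "no_root_squash" in o)
        report[path] = (status, others)
    return report
```

Any entry in the second element of a result is a client other than the scanner that can act as root on that export, which is the exposure to review before enabling the flag.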

Windows File Servers

The permissions necessary to collect file system data from a Windows target host depend upon the type of Windows host being targeted. Supported Windows platforms include:

• Windows operating system
  • See the StealthAUDIT File System Scan Options section for required permissions to audit Windows Operating systems and information on firewall settings.
  • See the Activity Monitor Configuration section for required permissions to monitor Windows Operating Systems and information on firewall settings.
• Windows File System Cluster
  • See the Windows File System Clusters section for required permissions to audit and monitor.
• DFS Namespace
  • See the DFS Namespaces section for required permissions to audit and monitor.

The required permissions enable the credential to enumerate policies, shares, and folders and to collect share and NTFS permissions. See the Appendix: Windows Permissions Explained section for additional information on why these permissions are required.

See the Windows File System Server Configuration Guide for preparation details for collecting file system data from a Windows target host.

See the Last Access Time (LAT) Preservation section for information on preserving LAT information during SDD scans and Metadata tag collection.

Windows File System Clusters

The permissions necessary to collect file system data from a Windows File System Cluster must be set for all nodes which comprise the cluster. The permissions required for Access Auditing (FSAA) scans are dependent upon the scan mode.

NOTE: It is necessary to target the Windows File Server Cluster (name of the cluster) of interest when running a File System scan against a Windows File System Cluster.

Configure credentials on all cluster nodes according to the Windows Operating Systems required permissions for the desired scan mode:

• Local Mode Scans
• Applet Mode Scans and Proxy Mode with Applet Scans
  • Applet will be deployed to each node
  • Credential used in the Connection Profile must have rights to deploy the applet to each node
• Proxy Mode as a Service Scans: with RPC or Secure RPC
  • Proxy Service must be installed on each node
  • For Sensitive Data Discovery Auditing scans, the Sensitive Data Discovery Add-on must be installed on each node

Additionally, the credential used within the Connection Profile must have rights to remotely access the registry on each individual cluster node.

Remember, Remote Registry Service must be enabled on all nodes which comprise the cluster. Configure the credential(s) with the following rights on all nodes:

• Group membership in the local Administrators group
• Granted the “Log on as a batch” privilege

Sensitive Data Discovery Scans

For Sensitive Data Discovery Auditing scans on a Windows File System Cluster it is necessary for the credential to also have Group membership in both of the following local groups for all nodes which comprise the cluster:

• Power Users
• Backup Operators

Activity Monitoring

StealthAUDIT Activity Auditing (FSAC) scans require the Activity Monitor to have a deployed activity agent on all nodes which comprise the Windows File System Cluster. While actively monitoring, the activity agent generates activity log files stored on each node. StealthAUDIT targets the Windows File Server Cluster (name of the cluster) of interest in order to read the activity. Both the credential used to deploy the activity agent(s) and the credential(s) used by StealthAUDIT to read the activity log files must have:

• Group membership in the local Administrators group

It is also necessary to enable the Remote Registry Service on all nodes which comprise the cluster, where the activity agents are deployed.

NOTE: If the activity log files are being archived, configurable within the Activity Monitor Console, then the credential used by StealthAUDIT to read the activity log files must also have READ and WRITE permissions on the archive location.

See the Activity Monitor Configuration section for additional information.

Least Privilege Permission Model for Windows Cluster

If a least privilege model is required by the organization, then the credential must have READ access on the following registry keys:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SBTLogging\Parameters
• HKEY_LOCAL_MACHINE\Cluster\Nodes

Additionally, the credential must have READ access to the location where the activity log files are located.

DFS Namespaces

The permissions necessary to collect file system data from a targeted DFS Namespace are the same permissions as collecting file system data from a supported Windows operating system, dependent upon the StealthAUDIT File System Scan Options.

Last Access Time (LAT) Preservation

In environments that support Last Access Time (LAT) Preservation, one of the following is required in order to preserve LAT during SDD scans and Metadata tag collection:

• User has been granted SeRestorePrivilege, typically via membership in Backup Operators (Least Privilege Model option)
• User has write access to all files on target host
• User has admin rights on target host

Appendices

The following appendices contain additional information that may be of use.

Appendix: Windows Permissions Explained

The permissions outlined in this document enable StealthAUDIT to execute File System scans. These scans enumerate policies, shares, and folders as well as collect share and NTFS permissions, monitored activity, DFS mappings, and discover sensitive data. Information collected is used for a variety of reporting solutions, notably the calculation of Open Resources, which is defined as shared folders where High Risk Trustees have effective access, making those shared folders accessible to a significant portion of the organization.

NOTE: High Risk Trustees refers to the following groups: Everyone, Authenticated Users, Domain Users, Anonymous Logon, and any groups containing those security principals.
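The "groups containing those security principals" clause makes the High Risk Trustee set a transitive closure over group membership. The following is an added example of that definition, not StealthAUDIT's own calculation: the group and share data are constructed, only allow entries are modeled (deny ACEs are ignored), and a share is treated as open when a high-risk trustee appears in both its share ACL and its NTFS ACL.

```python
HIGH_RISK = {"Everyone", "Authenticated Users", "Domain Users", "Anonymous Logon"}

# Constructed sample: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "All Staff": {"Domain Users"},
    "Intranet Readers": {"All Staff", "svc-web"},
    "Finance": {"alice", "bob"},
}

# Constructed sample: trustees with an allow entry on the share and on the folder.
SHARES = {
    r"\\fs01\Public":  {"share": {"Everyone"}, "ntfs": {"Intranet Readers"}},
    r"\\fs01\Finance": {"share": {"Everyone"}, "ntfs": {"Finance"}},
    r"\\fs01\Scans":   {"share": {"Finance"},  "ntfs": {"Authenticated Users"}},
}


def high_risk_trustees(group_members):
    """HIGH_RISK plus every group containing one of them, directly or nested."""
    risky = set(HIGH_RISK)
    changed = True
    while changed:  # iterate to a fixed point; tolerates membership cycles
        changed = False
        for group, members in group_members.items():
            if group not in risky and members & risky:
                risky.add(group)
                changed = True
    return risky


def open_resources(shares, group_members):
    """Shares where high-risk trustees pass both the share ACL and the NTFS ACL."""
    risky = high_risk_trustees(group_members)
    result = {}
    for path, acl in shares.items():
        share_hits = acl["share"] & risky
        ntfs_hits = acl["ntfs"] & risky
        if share_hits and ntfs_hits:  # access over the network needs both
            result[path] = sorted(share_hits | ntfs_hits)
    return result
```

In the sample, only the Public share is open: Intranet Readers is high risk solely because it nests All Staff, which in turn contains Domain Users.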

The following appendices provide further explanation for the required permissions.

Policy Enumeration

File System scans attempt to collect the following local security policy settings and corresponding denials from targeted Windows servers:

• Log on Locally
• Log on as a Batch
• Access this Computer from the Network
• Log on as a Service
• Log on through Remote Desktop Services

In order to gather this information, the File System scans use the following functions and flags, which require local administrator group membership:

• LsaOpenPolicy – See the Microsoft LsaOpenPolicy function article for additional information
  • POLICY_VIEW_LOCAL_INFORMATION
  • POLICY_LOOKUP_NAMES
• LsaEnumerateAccountsWithUserRight – See the Microsoft LsaEnumerateAccountsWithUserRight function article for additional information

What happens if the credential used to execute the File System scans does NOT have local Administrator access?

If the credential is not in the local Administrators group, the worst case scenario will be assumed. The File System scans will conclude that the Everyone trustee has the “Access this computer from the network” privilege. Any StealthAUDIT reports related to local or group policy information on servers will be incomplete, but Open Access reports will be successful.

Share & Share Permissions Enumerations

To get a complete picture of the file share environment, the File System scans gather all shares on each server scanned, including the local path of the folder that is being shared. The local path is required to gather information about inherited permissions and nested shares. It then gathers the security descriptor for the share to understand who has access.

In order to get this information, the File System scans use the following functions and flags, which require membership in local Administrators, Power Users, Print Operators, or Server Operators groups:

• NetShareEnum – See the Microsoft NetShareEnum function article for additional information
  • Level 2 – In order to gather the local path of the share, the function needs to be executed at level 2
• NetShareGetInfo – See the Microsoft NetShareGetInfo function article for additional information
  • Level 2 – In order to gather the permissions of the share, the function needs to be executed at level 2

What happens if the credential used to execute the File System scans does NOT have local Administrators, Power Users, Print Operators, or Server Operators access?

If the credential used to execute the File System scans is not a member of any of the above local groups on the target Windows host, StealthAUDIT will be unable to gather any information about shares on the target server. The only information StealthAUDIT can gather as an unprivileged user is information about local users and groups, which is generally accessible to any Authenticated User.

Folder Enumeration & NTFS Permissions


Once the File System scan is finished enumerating the shares, it traverses them. To do this, the credential must have the ability to traverse the folders, read the permissions, and read the attributes for each directory. Because applying these permissions is not a realistic request, the most efficient way to do this is by granting the credential the “Back up files and directories” user right in the Local Security Policy settings.

Any user having the “Back up files and directories” right is automatically granted the following permissions to each folder on the server:

• Traverse Folder/Execute File
• List Folder/Read Data
• Read Attributes
• Read Extended Attributes
• Read Permissions

In most environments, the Backup Operators group has this right by default, so adding the StealthAUDIT scanning account to the Backup Operators group will accomplish this. However, the Backup Operators group has additional rights not required for scanning, and this approach may be viewed as overprovisioning for strict environments.

• See the Microsoft Backup files and directories article for more information on the “Back up files and directories” user right
• See the Microsoft Default local groups article for more information on the Backup Operators group

The NTRights.exe command line utility, available as part of the Microsoft Windows Server 2003 Resource Kit, can be used to grant this privilege on remote hosts as follows:

• NTRights.exe -u DOMAIN\USER -m \\HOSTNAME +r SeBackupPrivilege

What happens if the credential used to execute the File System scans does NOT have the “Back up files and directories” right?

If the credential used to execute the File System scans does not have the “Back up files and directories” right, the scan will return an “access denied” message for each folder it encounters to which it has not been granted access in the ACL. This will result in an incomplete data set and missing folders in reports.

More Information

Identify threats. Secure data. Reduce risk.

Stealthbits, now part of Netwrix, is a data security software company focused on protecting an organization’s credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements, and decrease operations expense.

For information on our products and solution lines, check out our website at www.stealthbits.com or send an email to our information center at [email protected].

If you would like to speak with a Stealthbits Sales Representative, please contact us at +1.201.447.9300 or via email at [email protected].

Have questions? Check out our online Documentation or our Training Videos (requires login): https://www.stealthbits.com/documentation. To speak to a Stealthbits Representative: please contact Stealthbits Support at +1.201.447.9359 or via email at [email protected].

Need formal training on how to use a product more effectively in your organization? Stealthbits is proud to offer FREE online training to all customers and prospects! For schedule information, visit: https://www.stealthbits.com/on-demand-training.
