DOCSLIB.ORG

Monitoring Windows Machines with WMI and Nagios XI

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Monitoring Windows Machines with WMI and Nagios XI Nagios XI – Monitoring Windows Using WMI The Industry Standard in IT Infrastructure Monitoring Purpose This document describes how to monitor Windows machines with Nagios® XI™ using WMI. WMI (Windows Management Instrumentation) allows for agentless monitoring of Windows machines. Nagios XI supports WMI monitoring, which provides admins with a simple method of monitoring their Windows servers and workstations without having to install or configure agents. Target Audience This document is intended for use by Nagios XI Administrators who want to monitor Windows servers and workstations without having to install an agent. XI Server Requirements Before you can monitor Windows machines using WMI, you must install the WMI client on the Nagios XI server. For instructions on doing this, read the following document from the Nagios Library: Installing The WMI Client For XI http://assets.nagios.com/downloads/nagiosxi/docs/Installing_The_WMI_Client_For_XI.pdf Windows Machine Requirements You will need to ensure you have the following requirements setup before you can use WMI to monitor and windows server or workstation. • WMI service is running • WMI user account set up • Firewall rules set up We will walk through each of these requirements for the window machine you wish to monitor. You will need to log in as a user with administrator privileges. WMI Service First, verify the WMI service is running on your windows machine: Click Start and choose Run. The window to the right will appear and type “services.msc” in the Open field. Note: This document was originally written for Windows XP and Windows Server 2003. If you are running a later version of Window or Windows Server, you can skip the Run step in the instructions and instead type the “services.msc” in the Search field of Start menu. This applies to all the instructions going forward in this document. Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 1 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Before you can monitor Windows machines using WMI, you must ensure that the Windows Management Instrumentation service is running. You can configure and start the service in the Computer Management console under the Services section. Verify the service Windows Management Instrument (WMI) is in a status of Started. Configure A WMI User Account On The Windows Machine: Next, configure a WMI user account on the local machine. We'll create a new user account called “wmiagent” with a password “wmiagent” as an example. From the command prompt enter: net user wmiagent wmiagent /add Setting WMI permissions WMI requires a valid username and password on the target system. The following steps outline how to add only the permissions needed to the Windows user account. However, you can add the user to be a member of the local administrators group instead. Note: If you wish to monitor multiple computers across the domain, instead add the user to be a member of the “Distributed Com Users”, “Performance Log Users” and “Performance Monitor Users” groups. Adding Remote Activation Privilege to Windows DCOM Next, we need to give our newly created user access to DCOM on the localhost. In order to do this, open Component Services. Click Start, choose Run. Enter “DCOMCnfg.exe” and click OK. Expand Component Services, and drill down to the local computer. Right click on My Computer and select Properties Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 2 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Select COM Security tab, and next choose the Edit Limits... button from the Launch Activation Permissions section. Add the user that will be used by Nagios to monitor this machine, in our case the user is wmiagent. Click Add. Enter “wmiagent” in the Enter the object name to select and click OK. You will now see wmiagent as a user. Check the Remote Launch and Remote Activation check boxes under Allow. Click OK twice. Adding Remote WMI Access In order for our user to return data remotely from WMI, access to the WMI namespace CIMV2 must be added. Click Start, choose Run, type “WMImgmt.msc” Right click on WMI Control (local) and select Properties. Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 3 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Select the Security tab of the WMI Control Properties. Expand Root, and right click on CIMV2, select Properties Note: In later version of Windows you need to select CMIV2 and click the Security button. Click Add. Enter “wmiagent” in the Enter the object name to select and click OK. You may need to use the Check Names button to find the correct object. You will now see “wmiagent” as a user. Check the Enable Account and Remote Enable check boxes under Allow. Click OK twice. Windows Firewall Settings Next, configure the firewall rules specific to the version of windows being monitored. Windows Server 2008 Windows Server 2008 should by default have the correct firewall rules set. To check firewall settings, select Start and type “firewall” in the search dialog box and hit enter. Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 4 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Verify the Inbound Rules exist and are enabled for: • DCOM • WMI If the WMI rule group does not exist as pictured above, the recommended settings are listed here as outlined by Microsoft. From the command prompt enter: netsh advfirewall firewall add rule dir=in name="DCOM" program=%systemroot %\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135 netsh advfirewall firewall add rule dir=in name ="WMI" program=%systemroot %\system32\svchost.exe service=winmgmt action = allow protocol=TCP localport=any netsh advfirewall firewall add rule dir=in name ="UnsecApp" program=%systemroot %\system32\wbem\unsecapp.exe action=allow netsh advfirewall firewall add rule dir=out name ="WMI_OUT" program=%systemroot %\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any More details about 2008 firewall settings can be found at: http://msdn.microsoft.com/en-us/library/windows/desktop/aa822854(v=vs.85).aspx Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 5 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Windows Server 2012 Create a user account on the server. Example is wmiagent as the username and wmiagent as the password. Add the user (s) in question to the Performance Monitor Users group. You can access this from Control Panel, Administrative Tools, Computer Management. Expand System Tools, Local Users and Groups, Groups. Edit the Performance Monitor Users group and add the wmiagent user. Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 6 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Enabling Remote DCOM Under Services and Applications, bring up the Properties dialog of WMI Control. You can access this from Control Panel, Administrative Tools, Computer Management. Expand Services and Applications and right click WMI Control. In the Security tab, highlight the root / CIMV2, click Security; Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 7 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Add Performance Monitor Users Group and enable the options: Enable Account and Remote Enable. Click OK Run dcomcnfg. At Component Services> Computers> My Computer, Right click My Computer and Select the COM COM Security tab of the Properties dialog box. Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 8 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Click "Edit Limits" for Both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow remote access, remote launch, and remote activation Nagios Enterprises, LLC US: 1-888-NAGIOS-1 Web: www.nagios.com Page 9 P.O. Box 8154 Int'l: +1 651-204-9102 Email:[email protected] Saint Paul, MN 55108 Fax: +1 651-204-9103 USA Copyright © 2010 - 2014 Nagios Enterprises, LLC Revision 1.0 – April, 2016 Nagios XI – Monitoring Windows Using WMI Select Windows Management Instrumentation under Component Services> Computers> My Computer> DCOM Config. Right Click Windows Management Instrumentation and select the Security Tab.
Load more

Recommended publications
  • View the Slides (Smith)
    Network Shells Michael Smith Image: https://commons.wikimedia.org/wiki/File:Network-connections.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png What does a Shell give us? ● A REPL ● Repeatability ● Direct access to system operations ● User-focused design ● Hierarchical context & sense of place Image: https://upload.wikimedia.org/wikipedia/commons/8/84/Bash_demo.png Management at a distance (netsh) Netsh: Configure DHCP servers with netsh -r RemoteMachine -u domain\username [RemoteMachine] netsh>interface [RemoteMachine] netsh interface>ipv6 [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (netsh) Netsh: Configure DHCP servers with netsh Location-r RemoteMachine -u domain\username Hierarchical [RemoteMachine] netsh>interfacecontext Simpler [RemoteMachine] netsh interface>ipv6 commands [RemoteMachine] netsh interface ipv6>show interfaces Reference: https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts Management at a distance (WSMan) WSMan (in Powershell): Manage Windows remotely with Set-Location -Path WSMan:\SERVER01 Get-ChildItem -Path . Set-Item Client\TrustedHosts *.domain2.com -Concatenate Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/about/about_wsman_provider
    [Show full text]
  • Netsh Commands William John Holden 2014­04­11 (Version 2) Interface Configuration Configure an Ipv4 Address with Subnet Mask and Default Gateway
    Netsh Commands William John Holden 2014­04­11 (version 2) Interface Configuration Configure an IPv4 address with subnet mask and default gateway. Omitted netmask implies classful addressing. netsh int ipv4 set address "Local Area Connection" static 192.168.1.3 255.255.255.0 192.168.1.1 Remove an IPv4 address and default gateway from an interface. netsh int ipv4 del address "Local Area Connection" 192.168.1.3 192.168.1.1 You can add more than one IP address to an interface. Additional addresses don't show up in ipconfig without /all. netsh int ipv4 add address "Local Area Connection" 192.168.1.4 Add a global unicast IP with prefix. Prefix is optional and defaults to /64. netsh int ipv6 set address "Local Area Connection" 2001:beef::1/64 Add a link­local IP to an interface. See the similarity to above? netsh int ipv6 add address "Local Area Connection" fe80::6 Delete the IP. Remove a link­local IP the same way. netsh int ipv6 del address "Local Area Connection" 2001:beef::1 Set an IPv6 default route. netsh int ipv6 add route ::/0 "Local Area Connection" fe80::3 Delete the default route. netsh int ipv6 delete route ::/0 "Local Area Connection" fe80::3 Reset Configuration Reset interface configuration completely (requires restart): netsh int ipv6 reset all netsh int ipv4 reset all shutdown ­r ­t 0 Verification (“show commands”) netsh has several commands that are very similar to ipconfig, route print (netstat ­r), netstat ­a, and getmac. Poke around netsh int ipv4 show ? and you’ll find lots of interesting stuff.
    [Show full text]
  • How to Cheat at Windows System Administration Using Command Line Scripts
    www.dbebooks.com - Free Books & magazines 405_Script_FM.qxd 9/5/06 11:37 AM Page i How to Cheat at Windows System Administration Using Command Line Scripts Pawan K. Bhardwaj 405_Script_FM.qxd 9/5/06 11:37 AM Page ii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or produc- tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,”“Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc.“Syngress:The Definition of a Serious Security Library”™,“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
    [Show full text]
  • How Will You Troubleshoot the Issue? What Are the Steps to Followed? A
    1. A user in a corporate network contacts service desk saying he/she has lost network connectivity: How will you troubleshoot the issue? What are the steps to followed? A. First I will check the network cable is plugged in or not. Then check the network connections and the ip address is assigned or not. Then check connecting to website or not. IP conflict. 2. A User calls in and complains that her computer and network is running very slow. How would go about troubleshooting it? A. 3. How would you create an email account for a user already in AD? A. Open Microsoft Outlook if you are using office 2000, and click on "Tools" tab. Go to "Email Accounts". There you can find two option like Email and Directory. Click on "Add a new Account" and click next. If you are using Exchange Server then click over there, this depends on that particular Organization. According to the their setup you have to choose. And if you are using POP3 server then next popup will come along with your name, email address POP3 and SMTP IP address, Password etc. and after that click on Next and finish it..... 4. A PC did not receive an update from SMS. What steps would we take to resolve this? A. If SMS not updated in client system. 1. Need to check system getting IPaddress or not. 2. Need to check system in domain or not 3.Ensure that windows firewall should be off. 5. How do you set the IP address by using the command prompt A.
    [Show full text]
  • Threat Advisory: Eternalrocks
    McAfee Labs Threat Advisory EternalRocks June 6, 2017 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent A malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to n mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. d To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html. Summary EternalRocks is a network worm which uses the SMB exploits ETERNAL BLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY along with related programs DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH to spread. McAfee products detect this threat under the following detection names: • Trojan-EtrnlRock • Trojan.EternalRocks • Trojan-Bluedoom • HackTool-Shadowbrokers • RDN/Generic.grp • RDN/Generic.dx • RDN/Trojan-EtrnlRock • RDN/Generic Downloader.x Detailed information about the threat, its propagation, characteristics, and mitigation are in the following sections: • Infection and Propagation Vectors • Mitigation • Characteristics and Symptoms • Restart Mechanism • Remediation • McAfee Foundstone Services Infection and Propagation Vectors Even though this has not been confirmed, the malware’s initial vector is expected to be spam email. The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have used publicly available exploit code and embedded it as a part of their dropper. On execution, the malware connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it.
    [Show full text]
  • Command-Line IP Utilities This Document Lists Windows Command-Line Utilities That You Can Use to Obtain TCP/IP Configuration Information and Test IP Connectivity
    Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 Command-Line IP Utilities This document lists Windows command-line utilities that you can use to obtain TCP/IP configuration information and test IP connectivity. Command parameters and uses are listed for the following utilities in Tables 1 through 9: ■ Arp ■ Ipconfig ■ Netsh ■ Netstat ■ Pathping ■ Ping ■ Route ■ Tracert ARP The Arp utility reads and manipulates local ARP tables (data link address-to-IP address tables). Syntax arp -s inet_addr eth_addr [if_addr] arp -d inet_addr [if_addr] arp -a [inet_address] [-N if_addr] [-v] Table 1 ARP command parameters and uses Parameter Description -a or -g Displays current entries in the ARP cache. If inet_addr is specified, the IP and data link address of the specified computer appear. If more than one network interface uses ARP, entries for each ARP table appear. inet_addr Specifies an Internet address. -N if_addr Displays the ARP entries for the network interface specified by if_addr. -v Displays the ARP entries in verbose mode. -d Deletes the host specified by inet_addr. -s Adds the host and associates the Internet address inet_addr with the data link address eth_addr. The physical address is given as six hexadecimal bytes separated by hyphens. The entry is permanent. eth_addr Specifies physical address. if_addr If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used. Pyles, Carrell, and Tittel 1 Guide to TCP/IP: IPv6 and IPv4, 5th Edition, ISBN 978-13059-4695-8 IPCONFIG The Ipconfig utility displays and modifies IP address configuration information.
    [Show full text]
  • 10 Windows Server 2008 Netsh Commands You Should Know Page 1 of 7
    10 Windows Server 2008 Netsh commands you should know Page 1 of 7 Are you monitoring your network 24/7? Automated server and network monitoring. Monitors all aspects of your Windows and Linux servers, workstations and devices. Download a free 30-day trial! - www.gfi.com/nsm/ 10 Windows Server 2008 Netsh commands you should know Taking a look at ten Netsh commands that every Windows administrator should know. z Published: Aug 26, 2008 z Updated: Aug 26, 2008 z Section: Articles & Tutorials :: Windows Server 2008 z Author: David Davis z Rating: 4.1/5 - 8 Votes Introduction I have written a number of different Netsh articles and other authors have published their own Netsh articles. This just shows how important and innovative Netsh really is. In this article, I will cover 10 Netsh commands that every Windows admin should know. In my opinion. Netsh is so powerful and flexible; I cannot choose the “most important” Netsh commands as the importance of a command will vary from admin to admin. What I can do is to choose the 10 commands that I feel will either show you valuable information or will help you out when you are in trouble. Keep in mind that these commands can be scripted (as they are all command line tools) so whatever you can do with just an individual command on a single machine, you could write a script to perform that command on all machines in your network. What is Netsh? Microsoft Windows Netsh is a command line scripting utility. With Netsh, you can view or change the network configuration of your local computer or a remote computer.
    [Show full text]
  • Facing the Challenge(S) of Windows Logs Collection to Leverage Valuable Iocs
    Facing the challenge(s) of Windows logs collection to leverage valuable IOCs . Michel de Crevoisier Security Analyst, Radar Cyber Security 15.10.2019, Berne © RadarServices // Classification: Public The five challenges © RadarServices // Classification: Public #1 High diversity of log sources Server Microsoft 3rd party Built-in roles software software Advanced Threat ADFS Application Analytics (ATA) Ivanti software Certification authority Exchange PowerShell Kaspersky DHCP server Skype Security DNS server SQL Server Veeam Backup System IIS web server SYSMON […] […] NPS Radius Defender © RadarServices // Classification: Public 3 #2 Different log extensions EVTX ETL TXT (standard Windows logs (analytical logs, like DNS (IIS, NPS, DHCP, in XML format) Server or PowerShell) PowerShell Transcript, former DNS logs) © RadarServices // Classification: Public 4 #3 Multiple architectural approaches Access method / Protocol (MS-EVEN6, RPC, WMI,…) Push vs Pull Agent vs Agentless Intermediate collector VS Direct sending to receiver Central file store vs Shared folder Managed agent VS Unmanaged agent © RadarServices // Classification: Public 5 #4 Disabled and restrictive event logs • Protected users (if configured, on DCs only) Valuable event • LSA (Local Security Authority) logs disabled • IIS web server • DNS client Event logs with • SMB server restrictive • SMB client access • IIS web server © RadarServices // Classification: Public 6 6 #5 Operational constraints Security Data exchange Performance Configuration Environment • Avoid usage of • Data
    [Show full text]
  • To Contact Your Nearest Click&Decide Partner, Click Here
    Click&DECiDE NSI & BAI | KBA Knowledge Base Article: Article 216 How to use fixed ports for WMI through firewalls for NSI WMI Centralized Server v10 Date: November 5th, 2010 Problem: The WMI Centralized Server in NSI needs to connect to the Microsoft WMI agent of a machine to get WMI information. By default, the first call is done in DCOM through the TCP port 315; then DCOM allocate dynamic ports to continue the communication. When this flow has to cross firewall, dynamic port is not acceptable, fixed ports must be used. So, remote server that will spied by the NSI WMI Centralized Server should be configured as below. 1. Solution for Remote Windows 2003 Servers DCOM Settings Start Component services management from Administration tools: Contact us: E-mail: [email protected] Tel: +33 (0)4 67 84 48 00 Headquarters: Click&DECiDE 130, rue du Baptistou - 34980 St Gély du Fesc, France. www.clickndecide.com To contact your nearest Click&DECiDE partner, click here. Business Application Intelligence | FAQ Right click my computer, then click properties and select default protocol as below: Then, click on properties and create a range of ports for intranet network: 5001 to 5010 per example. 2 Contact us: E-mail: [email protected] Tel: +33 (0)4 67 84 48 00 Headquarters: Click&DECiDE 130, rue du Baptistou - 34980 St Gély du Fesc, France. www.clickndecide.com To contact your nearest Click&DECiDE partner, click here. Business Application Intelligence | FAQ FIREWALL Settings Open TCP ports you just have set in DCOM Settings plus TCP 135 for initial DCOM communication.
    [Show full text]
  • Monitoring Malicious Powershell Usage Through Log Analysis
    Monitoring malicious PowerShell usage through log analysis Jesper Magnusson Computer Science and Engineering, master's level 2019 Luleå University of Technology Department of Computer Science, Electrical and Space Engineering (This page is intentionally left almost blank) Abstract Security has become a hot topic around the world but focuses more on the perime- ter than inside networks which opens up vulnerabilities. Directed cyber-attacks towards the energy sector which leverages this fact has increased and can have dis- astrous effect, even on national level. To counter this, a solution to monitor the usage of the most powerful and popular built-in tool among attackers - PowerShell - was implemented. A test-bed was set up reflecting a corporate network with two separate active directory domains, one for office clients and one for critical infrastructure. It was shown that attackers only needed to overtake the office active directory domain in order for gain easy access to the critical active directory domain. To simulate attacks of this type, a collection of malicious scripts was gathered from which a number of possible scenarios for taking over the office active directory domain via PowerShell was created. Windows has several options for logging executions of PowerShell commands on machines. The one used and deemed most beneficiary was "Module logging" with the addition of a filtered result of process creation logs. To monitor the logs created on the office client from PowerShell executions, a system based on the "ELK stack" was set up. This system gathered, processed, stored and visualized logs along with the result of their analysis. The system analyzed logs with the aid of a custom software called "ESPSA" which based on different parameters and contexts assigned every execution with a risk value indicating the level of maliciousness.
    [Show full text]
  • Windows Server 2008 Essentials Installation, Deployment and Management
    Windows Server 2008 Essentials Installation, Deployment and Management Windows Server 2008 Essentials Windows Server 2008 Essentials – First Edition © 2009 Techotopia.com. This eBook is provided for personal use only. Unauthorized use, reproduction and/or distribution strictly prohibited. All rights reserved. 2 © 2009 Techotopia.com Windows Server 2008 Essentials Table of Contents Chapter 1. About Windows Server 2008 Essentials ................................................................. 11 Chapter 2. Windows Server 2008 Editions and System Requirements .................................... 12 2.1 Windows Server 2008 Standard Edition ........................................................................ 12 2.2 Windows Server 2008 Enterprise Edition ...................................................................... 12 2.3 Windows Server 2008 Datacenter Edition ..................................................................... 12 2.4 Windows Web Server 2008 ............................................................................................ 13 2.5 Windows Server 2008 Features Matrix .......................................................................... 13 2.6 Windows Server 2008 Hardware Requirements............................................................ 15 Chapter 3. Performing a Clean Windows Server 2008 Installation .......................................... 17 3.1 Obtaining Windows Server 2008 ................................................................................... 17 3.2 Starting the Installation
    [Show full text]
  • Secrmmcentral Administrator Guide
    Security Removable Media Manager secRMMCentral for AD domain environments Version 9.9.24.0 (March 2020) Protect your valuable data secRMMCentral Administrator Guide © 2011 Squadra Technologies, LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Squadra Technologies, LLC. If you have any questions regarding your potential use of this material, contact: Squadra Technologies, LLC 7575 West Washington Ave Suite 127-252 Las Vegas, NV 89128 USA www.squadratechnologies.com email: [email protected] Refer to our Web site for regional and international office information. TRADEMARKS Squadra Technologies, secRMM are trademarks and registered trademarks of Squadra Technologies, LLC. Other trademarks and registered trademarks used in this guide are property of their respective owners. Disclaimer The information in this document is provided in connection with Squadra Technologies products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Squadra Technologies products. EXCEPT AS SET FORTH IN Squadra Technologies's TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, Squadra Technologies ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
    [Show full text]