Snare for Windows Custom MSI v2.0

© Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance Pty Ltd shall not be liable for errors contained herein or for direct, or indirect damages in connection with the use of this material. No part of this work may be reproduced or transmitted in any form or by any means except as expressly permitted by Intersect Alliance International Pty Ltd. This does not include those documents and software developed under the terms of the open source General Public Licence, which covers the Snare agents and some other software. The Intersect Alliance logo and Snare logo are registered trademarks of Intersect Alliance International Pty Ltd. Other trademarks and trade names are marks and names of their owners as may or may not be indicated. All trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications and content are subject to change without notice.

Table of Contents

1. Guide Overview
2. Introduction to MSI
3. Requirements
4. Installing WIX
5. Creating the MSI package
6. Installing the MSI package using Group Policy
7. About InterSect Alliance

1. Guide Overview

About this Guide

This guide provides administrators with the instructions to create a Windows MSI file, based on the required organizational security settings, using the freely available Windows Installer XML (WiX) toolset. This will allow you to remotely deploy Snare Enterprise Agents for Windows with a customized configuration, using the Windows Installer (MSI).

Other guides that may be useful to read include: User Guide to Snare Enterprise Agents for Windows.

This product uses the RSA Data Security, Inc. MD5 Message-Digest Algorithm. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

2. Introduction to MSI

The Windows Installer utility (MSI, formerly known as Microsoft Installer) is an application that allows MSI-compliant applications to be remotely deployed to workstations and servers that run the MSI service, without significant administrator intervention. Snare agents do not come packaged as an MSI file by default, as the standard 'setup' executable offers significantly more flexibility at this stage. However, organizations that wish to remotely deploy pre-configured Snare agents to workstations and servers, without physically moving from system to system, appreciate the functionality provided by MSI.

Note: The MSI functionality is currently only available with the Snare Enterprise Agent for Windows.

3. Requirements

What you Need

- The latest Snare Enterprise Agent for Windows executable file, available from the Snare Secure Area at https://www.intersectalliance.com
- The MSI pack, MSI-2.0.zip, available from the Snare Secure Area at https://www.intersectalliance.com
- The Windows Installer XML (WiX Toolset version 3.10) binaries, wix310-binaries.zip, available from http://wix.codeplex.com/releases/view/619491

Minimum Requirements

- Administrator-level access to the system.
- Windows 2003 (or later) system.
- At least 8 Megabytes of disk space on your system.

Note: Version 2.0 of the MSI accepts the selection of Version 4 and Version 5 Snare Enterprise Agents for Windows. The creation of the MSI will not work with OpenSource Agents.

4. Installing WIX

Perform the following to install WIX:

1. As Administrator, unzip the wix310-binaries.zip file to C:\Program Files\wix.
2. Start the Control Panel, then navigate to System. For Windows 2008 and above, click on Advanced System Settings.
3. Under the Advanced tab, click Environment Variables.
4. Under System variables, edit the Path variable and add C:\Program Files\wix. Use a semicolon as the separator.
5. Click OK until you are back to the Control Panel. On some later versions of Windows, you may have to log out and log back in again for the PATH environment variables to take effect.
6. To check that the above procedures have worked, start a command prompt window and type:

    > candle

   Its usage will be displayed. If there are any errors then either the software has not been installed or the environment variables have not been set.

Troubleshooting

If your error dialog states "...application failed to initialize properly..." then this indicates that the .NET framework has not been installed. This will need to be installed for WIX to work.

5. Creating the MSI package

Perform the following to build the MSI.

1. Download, install and configure the latest agent on the machine on which you are building the MSI.
2. Place a copy of the Snare .exe installer (e.g. SnareEnterpriseAgent-Windows-v4.3.6-SUPP-MultiArch.exe, SnareEnterpriseAgent-Windows-v5.x.x-multiArch.exe) into the location of the installed Snare directory, e.g. C:\Program Files\Snare\.
3. Unzip MSI-2.0.zip into the C:\Program Files\Snare\ (or wherever your Snare installation is located) directory.
4. Open a command prompt as administrator and from the location of the Snare installation type:

    > MakeSnareMSI.bat

   You will be prompted with the following:

   a. Select Windows agent configuration method. Select from:
      - Use configuration of local agent: By default, the build process will export and use the settings of the locally installed agent.
      - Use configuration from an existing file: Edit the template.inf in directory
   b. Upgrade or Reinstall the target machine's agent? Select either Upgrade or Reinstall, then press Enter:
      - Upgrade: This produces an MSI which installs a new agent, but leaves existing settings/objectives unchanged.
      - Reinstall: This produces an MSI which installs a new agent, and resets settings/objectives to settings on the MSI build machine.
   c. Select installer exe to be added to the MSI. Any Snare executable files found will be listed. Select the .exe file to add to the MSI, represented by numerals. If only one file is found in the Snare installation folder then that file will be listed. Press Enter.
   d. On completion, the message will print MSI build of Snare.msi completed successfully.
   e. The customized MSI is now available at C:\Program Files\Snare\SnareEnterpriseWindowsAgentsv. msi.

   If the Snare.msi detects a newer version of the agent, it will not upgrade the software. A reinstall will always replace the agent with the version that is being installed.

5. Test the MSI.

For systems running User Account Control (UAC), you will need to test the MSI from within a "Run as Administrator" Command Prompt.

To install the MSI, type the following from the command line:

    > msiexec /i SnareEnterpriseWindowsAgentsv5.0.0.msi

Upon execution you will see the following dialog box:

To include logging on a deployment (recommended for acceptance testing), type the following from the command line:

    > msiexec /l*v [logname].log /i [msiname].msi

To uninstall the MSI, type the following from the command line:

    > msiexec /x SnareEnterpriseWindowsAgentsv5.0.0.msi

6. To ensure the agent is working correctly, check the Latest Events page in the web UI of the Snare agent. If no events appear in this window in a timely manner, check the agent configuration or run the agent in Debug Mode (instructions below).

Ensure the MSI is tested before use in production networks.
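The test steps above can be scripted for repeatable acceptance testing. The following PowerShell script is an added example, not part of the Snare MSI pack. It assumes the MSI file name used in this guide, a log path of your choosing, and the service name 'snare' taken from the Debug Mode commands; /qn is the standard msiexec switch for running without a user interface.

```powershell
# Added example: acceptance test for a custom Snare MSI.
# Run from an elevated ("Run as Administrator") PowerShell prompt.
# Assumptions: $MsiPath and $LogPath are placeholders; the service name 'snare'
# comes from the 'net stop snare' command in this guide.
param(
    [string]$MsiPath = '.\SnareEnterpriseWindowsAgentsv5.0.0.msi',
    [string]$LogPath = "$env:TEMP\snare-msi-install.log"
)
$ErrorActionPreference = 'Stop'
$msi = (Resolve-Path -LiteralPath $MsiPath).Path

# Same switches as the guide (/i and /l*v), plus /qn so the install runs
# unattended, as it would in a remote deployment.
$msiArgs = @('/i', "`"$msi`"", '/l*v', "`"$LogPath`"", '/qn')
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Output 'Install succeeded.' }
    3010 { Write-Output 'Install succeeded; a restart is required.' }
    default {
        # In a verbose Windows Installer log, "Return value 3" marks a failed action.
        Write-Warning "msiexec exited with code $($proc.ExitCode). Failed actions in ${LogPath}:"
        Select-String -LiteralPath $LogPath -Pattern 'Return value 3' -Context 5,0
        exit $proc.ExitCode
    }
}

# The agent must be registered as a service and running after the install.
$svc = Get-Service -Name 'snare' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service 'snare' was not found after the install."
    exit 1
}
if ($svc.Status -ne 'Running') {
    Write-Warning "Service 'snare' is in state $($svc.Status)."
    exit 1
}
Write-Output "Service 'snare' is running. Verbose install log: $LogPath"
```

A passing run confirms only that the package installs and the service starts; the Latest Events check in step 6 is still needed to confirm that events are being collected.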

Debug Mode

To use Debug Mode, execute the following commands from the command line of an administrative prompt:

    > net stop snare
    > snarecore -c -d9

This command will send the log to the console. Enter CTRL-C to end the debug log, then restart the service:

    > net start snare

6. Installing the MSI package using Group Policy

Group Policy may be used to install the MSI package over the network.

Add the Snare .msi package in your Domain

The instructions should be executed on the network domain controller. The Snare{version number}.msi package must be placed in a network share folder with read access.
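Because every domain computer will install whatever file sits on that share, it is worth confirming that the shared copy is the package you tested and that the share location is read-only for everyone except administrators. The following PowerShell script is an added example, not part of the Snare MSI pack; both paths are parameters you supply, and the default allow-list (BUILTIN\Administrators and SYSTEM) is an assumption to adjust for your domain.

```powershell
# Added example: verify the share copy of the MSI before linking the GPO.
# Assumptions: only NTFS permissions are inspected; share-level permissions
# need a separate check on the file server.
param(
    [Parameter(Mandatory)][string]$TestedMsi,   # the package that passed testing
    [Parameter(Mandatory)][string]$ShareMsi,    # UNC path of the copy on the share
    # SIDs allowed to hold write access: BUILTIN\Administrators and SYSTEM.
    [string[]]$AllowedWriterSids = @('S-1-5-32-544', 'S-1-5-18')
)
$ErrorActionPreference = 'Stop'

# 1. The copy on the share must be identical to the package that was tested.
$tested = (Get-FileHash -LiteralPath $TestedMsi -Algorithm SHA256).Hash
$shared = (Get-FileHash -LiteralPath $ShareMsi  -Algorithm SHA256).Hash
if ($tested -ne $shared) { throw "SHA256 mismatch between $TestedMsi and $ShareMsi" }

# 2. Rights that allow the package or its folder to be altered.
#    0x50000000 = GENERIC_WRITE | GENERIC_ALL, which Get-Acl can return unmapped.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

# 3. Report Allow entries with such rights held by anyone outside the allow-list.
$findings = foreach ($path in $ShareMsi, (Split-Path -Parent $ShareMsi)) {
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($AllowedWriterSids -notcontains $sid) {
            [pscustomobject]@{ Path = $path; Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
        }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
    throw 'Unexpected write access on the deployment path.'
}
Write-Output "OK: SHA256 $shared matches and no unexpected writers were found."
```

Groups that legitimately administer the share, such as your Domain Admins group, will be reported until their SIDs are added to -AllowedWriterSids.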

1. Start the 'Group Policy Management' snap-in of MMC.

a. Go to Start | Run window or shortcut 'Windows Key + '.

b. Type 'mmc' in the run window and press Enter.

c. The following screen will appear. This is from Windows 2008 R2 (other versions of Windows will have a similar window).

d. Go to File | Add/Remove Snap-in. Select Group Policy Management snap-in and select Add and click OK.

e. In Group Policy Management snap-in window, navigate to the Group Policy Objects folder.

f. Right click on Group Policy Objects and select New. The New GPO window will appear. Enter the name of your MSI install, for example Snare Agent 4.2.3 (match the version of the agent you are using). Click OK.

g. Right click the newly created GPO (Snare Agent 4.2.3) and select Edit. The Group Policy Management Editor screen will appear. Navigate to the Software Installation option.

h. Right click on Software Installation and select New | Package....

i. From the file open window select your Snare{version number}.msi package from the network shared folder.

j. After selecting the Snare .msi package, the following Deploy Software pop-up will appear.

k. Select the Assigned option and click OK. It will add the .msi package for Software Installation. Close the Group Policy Management Editor window.

l. In the Group Policy Management snap-in window, right click on your domain name (under Domains) and select the item Link an Existing GPO....

m. The Select GPO window will appear. Select the recently created Snare Agent GPO and press OK.

n. The Snare{version number}.msi package is now added as a software installation GPO in your domain.

Install the Snare Agent on Domain Computers

1. The next step is to run the group policy objects so that the .msi package can install the Snare agent on domain computers. Start the Command Prompt with administrative privileges and run the command gpupdate /force.

2. If you want to install the .msi package on the domain controller too then type Y to restart.

3. For all domain computers, the Snare agent .msi GPO is active now and the Snare agent will be installed to each computer on next system restart or log-in. It will show a screen similar to the following:

4. Once complete, the agent will be installed and the user login prompt will appear.

7. About InterSect Alliance

Intersect Alliance, part of the Prophecy International Holdings Group, is a team of leading information technology security specialists. In particular, Intersect Alliance are noted leaders in key aspects of IT Security, including host intrusion detection. Our solutions have and continue to be used in the most sensitive areas of Government and business sectors. Intersect Alliance intend to continue releasing tools that enable users, administrators and clients worldwide to achieve a greater level of productivity and effectiveness in the area of IT Security, by simplifying, abstracting and/or solving complex security problems. Intersect Alliance welcomes and values your support, comments, and contributions.

For more information on the Enterprise Agents, Snare Server and other Snare products and licensing options, please contact us as follows:

- The Americas: +1 (800) 834 1060 Toll Free | +1 (303) 771 2666 Denver
- Asia Pacific: +61 8 8213 1200 Adelaide Australia
- Europe and the UK: +44 (797) 090 5011
- Email: [email protected]
- Visit: www.intersectalliance.com
