1. Verify requirements:
Server requirements and install roles and features
Client requirements
Database requirements:
service.
- Set the SQL Server Agent start mode to Automatic (the default is Manual).
- You can select Mixed Mode authentication, if desired, and provide the sa account password.
Permissions
- SQL Authentication (SQL Local or SQL Remote): assign the SQL Server account the sysadmin role.
- Windows Authentication (SQL Local): assign NT AUTHORITY\SYSTEM the sysadmin role, if not previously assigned. Add NT AUTHORITY\NETWORK SERVICE as a login in SQL Server, if not previously added. On the BeyondInsight database, assign NT AUTHORITY\NETWORK SERVICE the db_owner and REM3Admins roles.
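The permission steps above, scripted as an added PowerShell example (not part of the BeyondInsight guide). It assumes the SqlServer module (Invoke-Sqlcmd) is installed, a default local instance (so the Agent service is named SQLSERVERAGENT), and that the installer has already created the BeyondInsight database with its REM3Admins role; the instance and database names are assumptions to adjust. Run it in an elevated session as a SQL sysadmin.

```powershell
# Added example, not from the BeyondInsight guide. Assumptions: default local
# instance, SqlServer module installed, database named "BeyondInsight" already
# created by the installer (so the REM3Admins role exists).
$Instance = 'localhost'       # assumed instance
$Db       = 'BeyondInsight'   # assumed database name

# SQL Server Agent start mode: Automatic (guide: default is Manual).
# Named instances use the service name SQLAgent$<InstanceName> instead.
Set-Service -Name 'SQLSERVERAGENT' -StartupType Automatic
Start-Service -Name 'SQLSERVERAGENT'

# Windows Authentication (SQL Local) permissions from the guide, made idempotent
# so re-running does not fail on an existing login or role membership.
$Grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\SYSTEM')
    CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS;
IF IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM') <> 1
    ALTER SERVER ROLE sysadmin ADD MEMBER [NT AUTHORITY\SYSTEM];

IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS;

USE [$Db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'NT AUTHORITY\NETWORK SERVICE')
    CREATE USER [NT AUTHORITY\NETWORK SERVICE] FOR LOGIN [NT AUTHORITY\NETWORK SERVICE];
IF IS_ROLEMEMBER('db_owner', 'NT AUTHORITY\NETWORK SERVICE') <> 1
    ALTER ROLE db_owner ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];
IF IS_ROLEMEMBER('REM3Admins', 'NT AUTHORITY\NETWORK SERVICE') <> 1
    ALTER ROLE REM3Admins ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query $Grant

# Verify: server-level role for SYSTEM, database-level roles for NETWORK SERVICE.
Invoke-Sqlcmd -ServerInstance $Instance -Database 'master' -Query @"
SELECT 'sysadmin' AS role_name, IS_SRVROLEMEMBER('sysadmin', 'NT AUTHORITY\SYSTEM') AS is_member;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Db -Query @"
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'NT AUTHORITY\NETWORK SERVICE';
"@
```

For the SQL Authentication variant, the same ALTER SERVER ROLE sysadmin ADD MEMBER is applied to the SQL login the installer will use instead of the Windows logins. Note that the NETWORK SERVICE mapping is what lets the IIS application pool reach the database: any other application pool on the same host that also runs as NETWORK SERVICE inherits that db_owner access, which is a reason to give other sites their own application pool identity.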
Port Requirements
BeyondInsight
UVM Appliance
Install BI
4. The Web Site Information page informs you that the console will be implemented as the default IIS web site.
5. On the Agent Password page, create a password that will be used to configure the connection between the scanner and the console. This password is required to retrieve Central Policy information and to import certificates using the Events Client Configuration tool. The created password must match the machine's password requirements.
6. On the Event Server Information page, you may configure SNMP.
7. On the Email Information page, you may provide a default SMTP mail server and account. This may be used, for example, to automatically email a report after a vulnerability scan completes.
8. On the Administrator Password page, create an initial login account to the console. This account will have full rights to the console. The created password must match the machine's password requirements.
9. The database is now created. Plan for this process to take about ten minutes.
10. Once complete, click Finish.
11. The management console now starts in your default browser. You can log in with the administrator credentials created during this process.
Install Retina
The Events Client enables the BeyondTrust Network Security Scanner to securely send completed scan data to BeyondInsight, where it will be extracted to populate the database.
7. In the BeyondTrust Network Security Scanner Configuration window, click the Configure Event Client… link.
8. An Events Client Configuration wizard will appear. Click Next.
9. Enter the Host (this is the hostname or FQDN of BeyondInsight) and leave the default port of 21690. Click Next.
10. On the Workgroup information page, use the default values. Click Next.
11. On the Select a Client Certificate page, no action is needed. The wizard has automatically detected the certificate. Click Next.
12. On the Event Aware Products page, enable all options and click Next.
13. At the Test Connection page, click Next.
14. After a few seconds, a Test Passed page should appear. Click Next then Finish.
15. Exit the Security Scanner Configuration application. When asked to start the scanner, click No.
Integration with AD or LDAP
1. In the BeyondInsight Console, navigate to Configuration > Privileged Access Management > Functional Accounts.
2. To add a new functional account, click the Create Functional Account + button at the top-left of the screen.
3. In the Create Functional Account pane, configure the new functional account as follows:
- Type: Directory
- Username: PSFunctional
- Domain: nvgad.local
- Password: Soporte123$
4. Click the Test Domain & Load Controllers button. You should see a message next to the button confirming success.
5. Continue the remainder of the configuration as follows:
- Alias: PSFunctional
11. Navigate to Configuration > Privileged Access Management > Password Policies.
12. To create a new password policy, select the Create Password Policy + button at the top-left of the screen.
13. In the Create Password Policy pane, configure the new rule as follows.
14. Scroll to the bottom of the menu and select Create Password Policy.
15. Add an additional new password policy for Linux as follows.
16. Scroll to the bottom of the menu and select Create Password Policy.
17. Add an additional new password policy for MS SQL as follows.
18. Scroll to the bottom of the menu and select Create Password Policy.
- Domain: bt.lab
- IP Address: 172.16.0.20
17. Back on the Assets page, locate the newly added app01 system, then click on the ellipsis menu and select Go to advanced details.... Note that there is no SCAN DATA section, since a scan has not been performed.
- Username: btadmin
- Password: BTlab1234!
23. To create the Directory Query, click on Configuration and navigate to ROLE BASED ACCESS > Directory Queries.
24. Click Create Directory Query + at the top-left of the screen.
25. Configure the query with the following details:
- Directory Type: Active Directory
- Credential: btadmin
26. Next, for the Query Target > Path section, click the BROWSE button at the right. A SELECT DIRECTORY PATH pane appears at the right. Configure as follows:
- Forest or Domain Controller: bt.lab
27. Continue configuration of the Query Target section by entering the following details.
- Scope: This Object And All Child Objects
28. In the bottom section, ensure BASIC FILTER is selected. In the Name box, enter exch* to filter for accounts whose usernames begin with exch.
29. Click the TEST button at the bottom to display the query results.
30. Locate the Query Test Results section and confirm that a list of “Exchange Admin xx” named accounts appears, then click SAVE to save the query.
Next you will create a Directory Query that uses an LDAP query to identify computers.
32. Using a process similar to the previous steps, create a Directory Query that targets Computer Objects and uses the ADVANCED FILTER, i.e., an LDAP query. Be sure to SAVE when complete.
- Directory Type: Active Directory
- Credential: btadmin
- Path: bt.lab/BT Machines (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object and All Child Objects
Finally, make an additional computer query for BT Windows Servers. Be sure to SAVE when complete.
- Directory Type: Active Directory
- Credential: btadmin
- Path: bt.lab/BT Machines (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object and All Child Objects
34. The resulting set of queries are used for subsequent labs. Confirm the following appear:
- BT Windows Desktops
- BT Windows Servers
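The three directory queries above, reproduced with the ActiveDirectory PowerShell module as an added example (not part of the BeyondTrust lab), so that the LDAP filter and search scope behind the console's Basic and Advanced filters can be checked from a console of your own before trusting the GUI result. It assumes RSAT's ActiveDirectory module, that a console path such as bt.lab/BT Machines maps to the OU distinguished name OU=BT Machines,DC=bt,DC=lab (an assumption; the lab only says to use BROWSE), that the Basic filter Name box matches on sAMAccountName, and, because the lab does not state the BT Windows Servers filter, that it selects on operatingSystem containing Server. The two helper functions are mine.

```powershell
# Added example, not part of the lab. Assumes RSAT ActiveDirectory module and
# reachability of bt.lab; the path-to-DN mapping and the server filter are assumptions.
Import-Module ActiveDirectory

$Domain = 'bt.lab'
$Cred   = Get-Credential -UserName 'bt.lab\btadmin' -Message 'Directory query credential'

# Assumed mapping of the console path "bt.lab/BT Machines" to "OU=BT Machines,DC=bt,DC=lab".
# The console's BROWSE button produces the DN for you; typed by hand it is easy to get wrong.
function ConvertTo-DistinguishedName([string]$ConsolePath) {
    $parts  = $ConsolePath -split '/'
    $dcPart = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    if ($parts.Count -lt 2) { return $dcPart }
    [array]$ous = $parts[1..($parts.Count - 1)]
    [array]::Reverse($ous)                       # deepest OU comes first in a DN
    (($ous | ForEach-Object { "OU=$_" }) -join ',') + ',' + $dcPart
}

# RFC 4515 escaping for any value you interpolate into an Advanced (LDAP) filter,
# so a name containing "*", "(" or ")" cannot change the meaning of the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Query 1: Basic filter Name = exch*, whole domain; "This Object And All Child Objects" = Subtree.
# Only the trailing "*" is meant as a wildcard, so escape the prefix and append it afterwards.
$prefix     = ConvertTo-LdapFilterValue 'exch'
$exchAdmins = Get-ADUser -Server $Domain -Credential $Cred `
    -LDAPFilter "(sAMAccountName=$prefix*)" `
    -SearchBase (ConvertTo-DistinguishedName $Domain) -SearchScope Subtree
"Exchange admin accounts: $(@($exchAdmins).Count)"
$exchAdmins | Select-Object Name, SamAccountName

# Query 2: computer objects under BT Machines (Advanced filter).
$machinesDn = ConvertTo-DistinguishedName 'bt.lab/BT Machines'
$btMachines = Get-ADComputer -Server $Domain -Credential $Cred `
    -LDAPFilter '(objectCategory=computer)' `
    -SearchBase $machinesDn -SearchScope Subtree -Properties operatingSystem
"Computers under $machinesDn : $(@($btMachines).Count)"

# Query 3: BT Windows Servers. The lab gives no filter; this assumes it selects on operatingSystem.
$btServers = Get-ADComputer -Server $Domain -Credential $Cred `
    -LDAPFilter '(&(objectCategory=computer)(operatingSystem=*Server*))' `
    -SearchBase $machinesDn -SearchScope Subtree -Properties operatingSystem
$btServers | Select-Object Name, operatingSystem
```

If the console's TEST result and these counts differ, the usual cause is the path: a mistyped OU silently returns nothing rather than an error, which is why the lab insists on BROWSE.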
Onboarding of Assets
Click the Scan icon from the side-menu or select the scan card from the home page.
Your first scan will be against the LAB01 machine. In the SELECT SCAN TARGETS pane, enter Lab01 (not case sensitive) for the Target Entry and then select NEXT.
At the CHOOSE SCAN AGENT pane, select BTLab Scanner and then select NEXT.
For Windows:
6. At the ENTER CREDENTIALS pane, Custom Credential section, enter the credentials shown below.
- Username: btadmin
- Password: BTlab1234!
- Domain: bt.lab
7. Verify that your credentials are valid by selecting the TEST CREDENTIAL button. Credentials are validated against AD, not the target machine.
8. When the credentials have been verified, click NEXT.
9. At the NAME THE SCAN pane, select Immediate from the Schedule Type drop-down menu and then select FINISH.
10. Selecting FINISH will take you to the SCANS page where you can track the scan status by selecting the Refresh icon until it completes. It should take five to seven minutes to complete in our lab environment. Note that even though the status says Completed, scan data is still being written to the BeyondInsight database and won't be available to view in BeyondInsight until that process
For Linux
Perform another Advanced Discovery Scan, this time against the LX01 machine. Configure the scan for a single hostname, LX01, and use the following credentials:
- Username: root
- Password: BTlab1234!
12. Once both discovery scans are complete and processed into the database, select the Assets page icon.
- Credentials
- Functional Account: sa
Onboarding of Accounts
Knows where the password policies are and is able to create 2 or more different password policies
- Minimum Length: 25
- Maximum Length: 50
15. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
16. Add an additional new password policy for Linux as follows.
- Password Policy Name: Linux Password Policy
- Minimum Length: 30
- Maximum Length: 70
17. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
18. Add an additional new password policy for MS SQL as follows.
- Name: MS SQL Password Policy
- Minimum Length: 20
- Maximum Length: 35
19. Scroll to the bottom of the menu and select CREATE PASSWORD POLICY.
Able to manage the target assets and successfully put the accounts under management
Select Assets from the side-menu. Locate the LX01 asset, then click the ellipsis at the right and select Add to Password Safe....
3. From the CREATE NEW MANAGED SYSTEM pane, configure the following:
- Platform: Linux
- Credentials
category)
- Name: New Windows Desktops
- Value: 14
11. Click Add another condition, then configure the new condition with the following values:
- Criteria: Operating System
- Match: contains
- Platform: Windows
- Connection Timeout: 30
13. Finally, click Add another action and set the second action as follows:
- Action: Show asset as Smart Group
Click CREATE SMART RULE and then click the > expand panel icon in the top-left corner to show the Smart Rules list.
From the Managed Systems page, select the ellipsis icon for LAB01, then select Go to advanced details....
6. Under ADVANCED DETAILS select Managed Accounts. From here you will add Managed Accounts. These are existing accounts on the Managed System for which Password Safe manages the password. Select Create New Account + and configure the following:
- Identification
- Name: mdavis_local
- Credentials
- Password: BTlab1234!
7. Review the remaining settings, but make no further changes. Scroll to the bottom and select CREATE ACCOUNT.
8. Select the ellipsis icon for the mdavis_local account, then select Test Password. This will validate that the password stored in Password Safe matches the one stored on the Managed System (LAB01).
9. Select Change Password. This will cause Password Safe to connect to the Managed System (LAB01) using the Functional Account and change the password for mdavis_local to one matching the password policy (Windows Password Policy) associated with the Managed Account (mdavis_local). Password Safe maintains a copy of the new password in its database.
- Encryption: enabled
- Name: mdavis_ssh
- Credentials
- Upload SSH Key File: click in the box and select the key file C:\Users\btadmin.BT\Documents\SSH Keys\mdavis_OpenSSH
- Passphrase: BTlab1234!
- Auto-Manage DSS Key: enabled (you will need to scroll down to see this setting)
47. You do not need to enter the password for mdavis_ssh since she will be authenticated via SSH. However, if for some reason SSH authentication fails, or you want to use Password Safe's password authentication as a backup, you can select the Allow Fallback to Password option found in the Credentials section. Leave that option disabled for this lab.
48. Click CREATE ACCOUNT.
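Before uploading the key in the steps above, an added example (not from the lab) that uses the Windows OpenSSH client to confirm the passphrase really unlocks mdavis_OpenSSH, record the key's type and fingerprint, and prove that key-only login to LX01 works with password authentication refused, which is the behaviour you keep when Allow Fallback to Password stays disabled. It assumes ssh.exe and ssh-keygen.exe are on the PATH and that the Linux login paired with mdavis_ssh is mdavis on LX01 (an assumption; the lab does not say).

```powershell
# Added example, not part of the lab. Assumes Windows OpenSSH client on PATH,
# LX01 resolvable, and that mdavis_ssh maps to the Linux user "mdavis" (assumed).
$KeyFile    = 'C:\Users\btadmin.BT\Documents\SSH Keys\mdavis_OpenSSH'
$Passphrase = 'BTlab1234!'
$Target     = 'mdavis@LX01'

# 1) Passphrase check: -y derives the public key from the private key and needs the
#    passphrase to do so; a wrong one exits non-zero without touching the network.
$pub = & ssh-keygen -y -P $Passphrase -f $KeyFile 2>&1
if ($LASTEXITCODE -ne 0) { throw "Passphrase does not unlock ${KeyFile}: $pub" }

# 2) Key type, size and fingerprint, taken from the derived public key (no .pub file required).
$pubFile = Join-Path $env:TEMP 'mdavis_OpenSSH.pub'
Set-Content -Path $pubFile -Value $pub -Encoding ascii
& ssh-keygen -l -f $pubFile
Remove-Item $pubFile

# 3) Key-only login: refuse password and keyboard-interactive auth, which is what
#    Password Safe does when "Allow Fallback to Password" is off. The only prompt
#    you should see is for the key passphrase.
& ssh -i $KeyFile `
      -o PasswordAuthentication=no `
      -o KbdInteractiveAuthentication=no `
      -o PreferredAuthentications=publickey `
      -o StrictHostKeyChecking=accept-new `
      $Target 'id -un'
if ($LASTEXITCODE -ne 0) { throw "Key-only login to $Target failed; fix authorized_keys on LX01 before onboarding" }
```

If step 3 fails while step 1 passed, the key is fine and the problem is on LX01 (authorized_keys, permissions, or sshd's PubkeyAuthentication setting); enabling the password fallback would mask that rather than fix it. The passphrase on the command line is visible in process listings and history, so outside a lab load the key with ssh-add instead.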
Able to show understanding of the difference between Asset and Account smart rule
Create and use an account based smart rule to automatically onboard the local administrator account
- Match: contains
- Value: Lab
6. Under the Actions heading, set an action of Show asset as Smart Group. While here, look at some of the other actions available in the dropdown.
7. Click CREATE SMART RULE and then click the > expand panel icon in the top-left corner to show the Smart Rules list.
15. Select Assets from the side-menu.
16. Verify that the new New Windows Desktops group appears in the Smart Group filter drop-down menu. After selecting the group, the LAB01 machine should display.
- Identification
- Domain: bt.lab
- Credentials
- Name: DirectoryBrowser
- sAMAccountName: DirectoryBrowser
- Credentials
- Password: BTlab1234!
In this section, you will enable the DirectoryBrowser Managed Account you just onboarded to be used for directory queries.
41. Navigate to the Managed Accounts page and find the DirectoryBrowser account.
42. Click on the ellipsis at the far right and select Edit Account....
43. Scroll down and expand Account Settings. Locate the Directory Query Enabled setting and enable it.
45. Navigate to Configuration > ROLE BASED ACCESS > Directory Queries. Click Create Directory Query +.
46. Using the same process you followed in the previous labs, create a new directory query. This time you will use the DirectoryBrowser managed account as your AD credentials.
47. Continue creating the rest of the query:
- Directory Type: Active Directory
- Path: bt.lab/BT Users/IT (be sure to use the BROWSE button so that the path syntax is correct)
- Scope: This Object And All Child Objects
48. Click TEST to ensure the query shows 10 accounts. If successful, click SAVE.
49. Select Smart Rules from the side-menu, then from the Smart Rule type filter drop-down menu select Managed Account.
50. Click Create Smart Rule + at the top-left of the window.
51. Define the Smart Rule as follows:
- Category: Automation
- Re-run the query every X hours: 0 (this executes the query once initially, then on-demand only)
- Discover accounts for Password Safe Management: enabled
- Domain: bt.lab
53. Set three actions.
- Action 1: Manage Account Settings
- Asset or Managed System Smart Group: New Windows Desktops - (Asset group)
Click CREATE SMART RULE and then > expand panel in the top-left to return to the smart rule list.
- Path: bt.lab/BT Users/IT/Dedicated Admins (be sure to use the BROWSE button so that the
Click the TEST button at the bottom to display the query results.
14. Review the Query Test Results and confirm that a list of “xx xx (Admin)” named accounts appears, then click SAVE.
22. Select Smart Rules from the side-menu and then, from the Smart Rule type filter drop-down menu, select Managed Account.
23. Click Create Smart Rule + at the top-left of the window.
24. Define the Smart Rule as follows:
- Category: Dedicated Admin Accounts (Note: Type this in and click Add as New Option to
- Re-run the query every X hours: 0 (this executes the query once initially, then on-demand only)
- Discover accounts for Password Safe Management: enabled
- Domain: bt.lab
27. Click Add another action and add the second action Show managed account as Smart Group.
Click CREATE SMART RULE and then click > in the top-left to return to the smart rules list.
29. Now,
- Description: Map managed dedicated admin accounts to PS Dedicated Admin Requesters group
- Value: -adm
41. Click Add another condition and set the new criteria with the following values:
- Criteria: Dedicated Account
- Value: bt.lab
Click Add another action and add the second action Show managed account as Smart Group.
Click CREATE SMART RULE and then click > in the top-left to return to the smart rules list.
2. In the BeyondInsight console, click on Configuration > ROLE BASED ACCESS > User Management.
3. At the top of the screen, click Create New Group + then select Add an Active Directory Group.... In the dialog that appears, fill in the details below.
- Credential: DirectoryBrowser: Managed account for directory queries (bt.lab)
- Domain: bt.lab
Configure the roles of requester and approver in the correct smart group
PS Requesters:
Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.
Locate the All Managed Accounts smart group again, then click the ellipsis button and select Edit Password Safe Roles.
Check Requestor, and set the Access Policy for Requestor to 24x7 Auto-approve. Click SAVE ROLES when done.
PS Approvers:
Locate the All Managed Accounts smart group, then click the ellipsis button and select + Assign Permissions Read Only.
Locate the All Managed Accounts smart group again, then click the ellipsis button and select Edit Password Safe Roles.
Check Approver. Click SAVE ROLES when done.
44. Navigate to Configuration > ROLE BASED ACCESS > User Management.
45. At the top of the screen, click the Users tab.
46. Click Create New User + then select Create a New User... to create a user account that is managed locally.
47. In the CREATE NEW USER pane, populate the following information:
- First Name: Linux
- Email: linuxadmin@bt.lab
- Password: BTlab1234!
After creating the user, the Groups screen appears. Select the Linux PS Admins group then click Assign Group +.
Test login of both Active Directory and local accounts for requester
Access policy
From the BeyondInsight console navigate to Configuration > PRIVILEGED ACCESS MANAGEMENT POLICIES > Access Policies.
Policy Types:
  - View Password: (enable)
    - Approvers: Auto Approve (checked)
Split policy: auto-approve for RDP/SSH and one approval on password
Policy Types:
  - View Password: (enable)
    - Approvers: Auto Approve (checked)
List methods: