Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »

Introduction

This document outlines the system requirements and prerequisites necessary for installing the GYTPOL dsRequester component. This component facilitates the retrieval of data from CIS/NIST and Active Directory Security and Operational sources.

Checklist

Ensure that the following GYTPOL requirements are satisfied before initiating the installation of the GYTPOL Validator software:

  • Server sizing and OSVerify compatibility with the GYTPOL dsRequester server.

  • Users and GroupsValidate configurations in Active Directory and the GYTPOL dsRequester server for seamless integration.

  • PortsConfirm that the required ports are open on both the server and client sides to facilitate proper communication.

  • AntivirusTake precautions to prevent any interference from antivirus software that could impede the GYTPOL Validator's correct execution.

Server Sizing

A dedicated server is not mandatory; any existing domain-joined server can be utilized (and an installation on a Domain Controller isn’t necessary).

However, ensure that the selected server possesses a minimum of 4 cores and 8GB RAM for optimal performance.

dsRequester is installed once per domain. A single domain-joined server will run the dsRequester tasks in each domain you wish to monitor.

OS

The GYTPOL Validator software is compatible with Windows Server 2016 Standard and later versions.

  • Windows Server language settings:

    • The Windows Server operating system must be set to use the English (United States) language.

    • The Windows Server language for non-Unicode programs must be set to use the English (United States) language.

Users and Groups

Create a domain user within your Active Directory and allocate the specified permissions as outlined in the table. Feel free to adopt your preferred naming convention; the names in the table are merely suggestions.

Ensure that the passwords for GYTPOL users exclude the characters ‘ “ ~ ; or spaces.

Permissions

Refer to the table to configure the permissions for both the user and the group (consult the hyperlinks for detailed instructions):

Type

Name

Permission set

AD User

GytpolSvc

Domain level:

Member of Domain Group: “Performance Log Users”

GYTPOL Server local settings:

  1. Local admin on GYTPOL dsRequester server

  2. Logon as a batch job

Ports

From

To

Port number

Purpose

GYTPOL dsRequester server

DC’s

389, 9389, 636, 135, 138-139, 445, 464, 53, 3268, 3269 +

Dynamic ports (49152-65535)

Group Policy PowerShell queries +

Group Policy modeling queries

GYTPOL dsRequester server

GYTPOL AWS Cloud

During the onboarding process, GYTPOL team will supply the URLs for reference.

443

Group Policy PowerShell reporting +

Group Policy modeling reporting

Antivirus

If whitelisting is required, ensure that the following paths and their subfolders and files are included:

  1. C:\Program Files\Gytpol (subfolders and files)

  2. C:\Program Files\WindowsPowershell\modules\gytpolServer (subfolders and files)

Detailed Configuration Instructions

How to Verify PowerShell Version and Review Restriction Mode

Navigate to the GYTPOL dsRequester server, select the "Start" menu, and enter "PowerShell" in the search bar. Subsequently, click on "Windows PowerShell" from the search results.

Within the Windows PowerShell window, input the following command: $PSVersionTable.PSVersion

  1. Ensure that the Major version is set to 5 or above, and the Minor version is set to 1 or above by checking the output of the $PSVersionTable.PSVersion command.

  1. In the same PowerShell window, enter the following command: Get-ExecutionPolicy -List. Confirm that the PowerShell scripts are not set to "Restricted" in any of its categories. The desired results include "RemoteSigned", "AllSigned", or "Undefined" for the execution policies.

Include the GYTPOL user in the Domain group "Performance Log Users"

  1. On a computer with RSAT (Remote Server Administration Tools), open a command prompt (cmd).

  2. Launch Active Directory Users and Computers by entering dsa.msc and pressing ENTER.

  3. Search for the "Performance Log Users" group within Active Directory.

  4. Double-click on the group, navigate to Members, click on Add, input the name of the GYTPOL user created earlier, and press OK.

  5. Confirm the changes by clicking OK in the group properties window.

Adding a local admin

  1. Open the command prompt on the GYTPOL dsRequester server.

  2. Type lusrmgr.msc and press ENTER.

  3. In the left pane, select "Groups."

  4. In the right pane, double-click on "Administrators."

  1. Click “Add...”

  1. Ensure that "From this location" is configured to the domain name rather than the GYTPOL dsRequester server.

  2. Confirm that "From this location" is set to the domain name.

  3. In the "Enter the object names to select" field, type gytpoSvc.

  4. Click on "Check Names" and wait until you see the name underlined and associated with the domain name.

  5. Press OK to complete the addition of the specified user (gytpoSvc) to the local Administrators group.

Logon as a batch job

If there are no Group Policies imposing "logon as a batch job" restrictions, you can leave the configuration unchanged. Follow these steps:

  1. Visit a server where GYTPOL is installed.

  2. Open the command prompt as an administrator and enter gpedit.msc.

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment.

  4. Double-click on "Log on as a batch."

  5. Click on "Add User or Group."

  6. Choose your domain from "Locations."

  7. Type GytpolSvc and click on "Check Names."

  8. Confirm that this is the correct user and click OK.

If there is a Group Policy with "logon as a batch job" restrictions, follow these modified steps:

  1. Go to a computer with the Group Policy Management Console (GPMC) installed (typically available on all Domain Controllers).

  2. Open the command prompt as an administrator and enter gpmc.msc.

  3. Navigate to the policy containing the restriction and right-click to edit.

  4. Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Right Assignment.

  5. Double-click on "Log on as a batch job."

  6. Click on "Add User or Group."

  7. Type GytpolSvc and click on "Check Names."

  8. Confirm that this is the correct user and click OK.

Network access: Do not allow storage of passwords and credentials for network authentication

If there are no Group Policies imposing "Network access: Do not allow storage of passwords and credentials for network authentication" restrictions, you can leave the configuration unchanged.

  1. Go to a server where GYTPOL dsRequester will be installed.

  2. Open the command prompt as an administrator and enter gpedit.msc.

  3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

  4. Double-click on "Network access: Do not allow storage of passwords and credentials for network authentication."

  5. Ensure the setting is set to Disabled and click OK.

If there is a Group Policy with the specified restriction, exclude the GYTPOL server from this setting:

  1. Identify the Group Policy containing the "Network access: Do not allow storage of passwords and credentials for network authentication" restriction.

  2. Exclude the GYTPOL dsRequester server from this restriction within the Group Policy settings.

To verify the setting, execute the following command in PowerShell as an Administrator. The expected output should be 0:

(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name disabledomaincreds -ErrorAction Stop).disabledomaincreds

This PowerShell command retrieves and displays the value of the "disableDomainCreds" registry key under the specified path. If the output is 0, it confirms that the setting is disabled.

Windows Features installation

Launch Server Manager on the GYTPOL server and follow these steps:

  1. Navigate to "Add Roles and Features."

  2. Click "Next" until you reach the "Features" tab.

  3. Check the following Features:

    • Group Policy Management

    • Remote Server Administration Tools

      • Role Administration Tools

        • Active Directory module for PowerShell

        • AD DS Tools

        • AD LDS Snap-Ins and Command-Line Tools

Ensure that the specified features are selected for installation.

Proceed by clicking "Next" and then "Install." Wait patiently until the installation process concludes.

Automatic pre-checker tool

Download the automatic pre-checker tool from the https://gytpol.com/dschecker and transfer it to the GYTPOL dsRequester server.

Next, right-click on the downloaded tool and choose "Run as Administrator" to launch the DS Checker tool.

Enter the GYTPOL user, i.e., DOMAIN\gytpolSvc, and click "Check" to initiate the validation process.

Allow the checks to run for approximately 1 minute. The checklist encompasses internal ports, DC communication ports, user permissions, and other essential features to ensure correct configurations.

Wait patiently for the results to be displayed.

Pay attention to the results:

  • Red X sign (error): Indicates a critical error that requires resolution before proceeding with the installation. Hover over the question mark (?) for guidance on the necessary actions.

  • Yellow Exclamation mark (warning): Represents a failed check that is not critical for immediate resolution. However, consider addressing warnings for optimal performance.

  • Defender icon: Denotes a successful check, confirming that the specific aspect has passed verification.

Review the results carefully, addressing any red X errors promptly, and considering improvements for yellow exclamation warnings. The presence of the Defender icon signifies successful checks.

Once all issues are addressed and resolved, click on "Export results" within the DS Checker tool. Proceed to email the generated log to the assigned GYTPOL engineer for further review and confirmation.

Click Exit once done.

Please restart the server before the installation.

dsRequester installation / update

  1. You can obtain the dsRequester MSI file directly from the GYTPOL console. Navigate to Settings in the left pane, then select System Health (only UI2 Customers). Alternatively, feel free to contact the GYTPOL team for a direct download link.

  2. Place the downloaded MSI file on the server.

  3. Open an elevated Command Prompt:

    • Right-click on CMD.

    • Select "Run as Administrator."

Once the elevated Command Prompt is open:

  1. Navigate to the location of the MSI file you want to install.

  2. Hold down the left Shift key.

  3. Right-click on the MSI file.

  4. Click on "Copy as Path."

This action copies the full path of the MSI file to the clipboard, making it easier to reference in the command line.

In the elevated Command Prompt window:

  1. Right-click to paste the path of the MSI file that you copied as instructed.

  2. Press Enter.

This command executes the installation or update process for the dsRequester using the provided MSI file.

Throughout the installation process, you will be prompted to input the credentials for the GYTPOL account established during the setup process, as explained earlier.

Upon completion, the progress window will close automatically.

To confirm a successful installation, follow these steps:

  1. Open Task Scheduler.

  2. Navigate to the Task Scheduler Library.

  3. Look for tasks related to gytpolServer in the Task Scheduler Library.

The presence of gytpolServer tasks in the Task Scheduler Library indicates a successful installation.

  • No labels