User Guide for On-Prem installation
Introduction
Product
About GYTPOL
GYTPOL stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, GYTPOL seamlessly integrates to provide protection.
This solution automates a range of critical cybersecurity use cases:
Continuous Detection of Misconfigurations: GYTPOL's automated system consistently identifies security misconfigurations stemming from operating systems, human errors, and third-party applications. It facilitates auto-remediation while ensuring zero adverse effects on your environment.
Revert Remediation Actions: When necessary, GYTPOL can reverse previously executed remediation actions.
Harden Devices: The product provides recommendations for enhancing device security configurations, helping you to further harden your systems.
Policy Validation: GYTPOL validates that computer and user Group Policies are accurately applied to all endpoints. (Intune policy support is forthcoming.)
Configuration Benchmarking: The solution benchmarks your configurations against recognized industry security standards such as CIS and NIST.
Enhanced Active Directory and Group Policy Security: GYTPOL enhances the security of your Active Directory and Group Policy configurations.
Optimized Group Policy Definitions: GYTPOL aids in optimizing Group Policy definitions, flagging issues like duplicated or conflicting GPOs.
Startup and Login Time Optimization: GYTPOL identifies Group Policies that may contribute to sluggish computer startup and user login times.
In summary, GYTPOL streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.
Audience
This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.
How to Use This User Guide
To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of GYTPOL. Each section provides step-by-step instructions, best practices, and tips to maximize GYTPOLs potential.
Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official website and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.
Contact Information
Should you have any questions, encounter difficulties, or require further assistance while using GYTPOL, please contact support@gytpol.com . Our dedicated support team is available to help you with any queries or concerns you may have.
We hope this User Guide serves as a valuable resource in understanding and leveraging GYTPOL to enhance your organization's security defenses.
Thank you for choosing GYTPOL, and we look forward to your success in safeguarding your digital assets.
How GYTPOL Validator works
The primary data flow process within GYTPOL Validator unfolds through the following sequential stages:
Installation and License Activation:
Install the GYTPOL Server and activate the associated license to set up the core infrastructure.
Client Deployment and Execution:
Deploy the GYTPOL Client on each endpoint device.
The GYTPOL Client executes once daily, at randomly chosen times, following a predefined sequence of actions.
The scanning process typically completes within 5-7 minutes.
Data Collection during Scan:
The GYTPOL Client collects data on misconfigurations and unpatched zero-day vulnerabilities during its scanning routine.
For Microsoft devices, it also gathers Group Policy data (Resultant Set of Policy - RSOP).
(Note: Support for Intune configurations for all devices is slated to be added in the near future.)
Data Compression and Encryption:
Subsequent to data collection, the GYTPOL Client compresses the gathered data.
It then encrypts the compressed data using a public key.
Data Transmission Attempt:
The GYTPOL Client endeavors to establish a connection with the GYTPOL Server to transmit the encrypted and compressed data.
The initial data transmission attempt is conducted using the local network or a VPN connection, utilizing port 9093 for communication. This approach ensures that the encrypted and compressed data collected by the GYTPOL Client is securely transferred to the GYTPOL Server within the local network or through a VPN connection, enhancing data privacy and protection during transit.
If the device encounters difficulties like DNS resolution problems, network issues, or connectivity issues that prevent it from reaching the GYTPOL Server, and if the relevant feature is activated, it will transmit the data to GYTPOL's Cloud-based Remote-Employee component located in the agreed-upon region for the organization. Subsequently, the GYTPOL Server retrieves the data from this location. It's possible to choose whether to enable this feature, and you can find more comprehensive information in our High-Level Design (HLD) document.
Once data is received from a GYTPOL Client, the GYTPOL Server undertakes an analysis using our exclusive GYTPOL Analyzer. This Analyzer not only examines the data thoroughly but also stores the results in a designated database. This proactive approach ensures that you are promptly informed about any possible security threats, helping to keep you well-informed about potential risks.
After the GYTPOL Client completes its scan and data is transmitted to the GYTPOL Server, the IT and Security teams access the findings through the Web User Interface (UI). This interface is compatible with Chromium-based web browsers such as Google Chrome or the new Microsoft Edge.
The GYTPOL Server is equipped with several integrations to enhance its functionality and facilitate seamless operations:
It interfaces with various public APIs to support data exchange and integration with external systems.
Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on GYTPOL's findings.
Notably, the GYTPOL Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from GYTPOL to SIEM platforms, such as MicroFocus ArcSight, IBM QRadar, Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating GYTPOL's insights into the broader context of security events and monitoring.
Client Server Communication
The interaction between the client and the server operates in a one-way manner: the client initiates its scheduled task either on a daily or hourly basis (the client's tasks are elaborated upon in the client section). Following the task execution, the gathered data is transmitted to the GYTPOL server, where it undergoes analysis and subsequently appears in the user interface for review.
Should a GYTPOL operator execute a remediation action or any other task from the console, the client conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the client provides feedback to the server regarding the outcome, indicating either success or failure.
Client
GYTPOL provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the client installation guide available at this link: GYTPOL Client Installation Guide
The GYTPOL Client operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.
GYTPOL Client for Windows
Language-Code: GYTPOL is developed using a combination of C# and signed PowerShell.
Post-Install: Following installation, GYTPOL uses the Task Scheduler functionality for its scheduled tasks.
Permissions: The scheduled tasks within GYTPOL are configured to run under the SYSTEM account. This account type doesn't require a username and password for execution.
Size: The GYTPOL installation size is less than 5MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day. The data is transmitted in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks on a daily basis with a duration of 5-7 minutes.
The timing of the daily task varies based on the type of device:
End-User Devices: Random execution time between 10 am and 5 pm.
Servers: Random execution time between 10 pm and 4 am.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continued connectivity. This message also serves to retrieve new tasks for maintaining security posture, including tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.
GYTPOL Client for Linux/macOS
Language-Code: GYTPOL is implemented using the Go programming language (Go-lang).
Post-Install:
On Linux, GYTPOL utilizes systemd for post-installation task management.
On macOS, GYTPOL employs launchd for post-installation tasks.
Permissions: GYTPOL runs with root user permissions, which provide the necessary access for its functionalities.
Size: The installation size of GYTPOL is less than 3MB.
Network Traffic: GYTPOL generates network traffic of up to 30KB per day, with data transmission in compressed (gzip format) form.
Scheduled Runs:
GYTPOL executes its tasks once a day, with a random start time and a duration of up to 5 minutes.
Additionally, GYTPOL sends a "keep-alive" message every hour to ensure continuous connectivity. This message also prompts the retrieval of new tasks to ensure up-to-date security measures, encompassing tasks related to remediation, reversion, updates, and upgrades.
Communication Protocol: GYTPOL employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.
Product overview
This section provides a quick overview of the GYTPOL Validator key capabilities and provides references to sections covering these capabilities in detail.
User Interface
From an end user's viewpoint, GYTPOL Validator is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section:
Navigation:
Users access GYTPOL through a role-based web interface tailored to their responsibilities.
The UI seamlessly guides users to different sections, tools, and insights.
Visual Notations:
Export: Look for options to export data, facilitating data sharing and analysis.
Refresh: A common icon to refresh or update displayed information in real time.
Know How: This symbol typically offers contextual help, guiding users on specific actions.
User Roles:
GYTPOL's UI adapts to user roles, displaying relevant features and data.
Different users interact with tools suited to their tasks, ensuring focused functionality.
Comprehensive Views:
The UI presents various dashboards and sections tailored for specific needs like policy validation, maintenance, and benchmarking.
Effortless Navigation:
GYTPOL's user-friendly design ensures intuitive navigation across functionalities.
Users can swiftly move between sections for effective management.
Consistent Experience:
Visual elements like buttons, icons, and labels maintain a consistent design, enhancing user familiarity.
Helpful Guidance:
In-app assistance guides users on performing specific tasks, maximizing usability.
By offering a role-based interface with intuitive navigation and helpful notations, GYTPOL empowers users to efficiently manage their cybersecurity tasks. This groundwork prepares users for a deeper exploration of specific functional use cases within the application.
Misconfigurations
Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.
Misconfigurations can manifest across various domains, including network devices, web applications, cloud services, servers and operating systems, encryption and key management, security tools, and access controls. To mitigate misconfigurations, it's essential to adhere to industry best practices. This entails conducting regular audits, implementing secure configuration settings, rigorously managing changes, and offering training and awareness initiatives.
GYTPOL provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.
Group Policy Validation
The Policy Validation module within GYTPOL focuses on identifying and resolving gaps and issues associated with the implementation of Group Policy Objects (GPOs). This encompasses a range of concerns, such as failures in applying Group Policy Preferences (GPPs), disparities in settings, occurrences of local GPOs, orphaned GPO instances, and settings that don't match as intended.
The user interface offers a structured view that presents these errors and discrepancies in a clear manner. The screen's layout is organized, with computers listed on the left side and users displayed on the right. This layout facilitates efficient navigation and understanding.
Key features of the Policy Validation UI:
Error Display: The interface presents errors and issues in a way that is easy to comprehend and navigate.
Categorization: Errors are categorized based on different criteria like devices, users, specific GPOs, organizational units (OUs), or operating systems (OS). This categorization streamlines the identification and resolution process.
Visual Representation: The UI's intuitive design visually represents GPO-related issues, making it easier to spot discrepancies and errors.
By structuring the information in this manner, GYTPOL enables users to swiftly grasp and address GPO-related problems. For a more comprehensive understanding of utilizing the Policy Validation module, refer to the detailed instructions provided in the corresponding documentation section.
Login Profiler
The module serves to identify potential causes of slow startup or login times resulting from applied policies across the domain. This assessment can be performed according to various parameters, including device or user, specific policy extension, or organizational unit (OU). This module equips you with the capability to delve deeper into the analysis, pinpointing both the problematic policy and the specific settings or set of settings responsible for the observed latency.
Much like the Policy Validation screen, the graphical layout mirrors that of the computer on the left-hand side and the corresponding user on the right-hand side. This design facilitates a clear view of the relationships between policies and their effects on startup and login times.
For a comprehensive guide on utilizing the Login Profiler module effectively, refer to the the corresponding documentation section.
CIS/NIST Benchmarks
The CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) Benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.
CIS 8 refers to the latest version of the CIS Controls, a prioritized list of actionable security measures designed by the Center for Internet Security. These controls encompass a diverse range of cybersecurity aspects, offering organizations a clear roadmap to enhance their cybersecurity practices. The CIS Controls are updated regularly to address emerging threats and incorporate industry best practices. By adhering to these controls, organizations can establish a robust cybersecurity foundation and mitigate various cyber risks.
NIST 800-53, on the other hand, is a comprehensive collection of security controls and guidelines tailored for U.S. federal information systems. This publication furnishes organizations with a framework to evaluate and enhance the security of their systems, safeguarding sensitive information. Covering multiple security domains, NIST 800-53 holds widespread recognition as a cybersecurity standard. Its adoption extends beyond the U.S. federal government, gaining prominence in various sectors and organizations worldwide. Abiding by NIST 800-53 assists organizations in elevating their security posture and aligning their practices with established industry standards.
For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.
Active Directory / Group Policy Enhanced Security
The Active Directory / Group Policy Enhanced Security module provides visibility into public data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.
The objective of presenting this data is to underscore the information that can be gathered using plain domain user access rights. By highlighting these findings, the module aims to demonstrate what an attacker could potentially access before progressing to lateral movement or elevating their permissions within the network.
For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Enhanced Security module, refer to the corresponding documentation section.
Maintenance
The Maintenance section of GYTPOL offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. GYTPOL aids in identifying various issues for more effective administration:
Unlinked GPOs: GYTPOL helps locate GPOs that are not linked to any organizational unit, enabling you to streamline your GPO structure.
Duplicated GPO Settings: The platform identifies duplicated settings within GPOs, allowing you to eliminate redundancy and ensure consistency.
AD Accounts Cleanup: GYTPOL assists in identifying and managing obsolete or unused Active Directory accounts, enhancing overall security.
Legacy OS: The system flags legacy operating systems that might pose security risks due to outdated support.
Multiple Loopbacks: GYTPOL highlights instances of multiple loopbacks processing settings, aiding in maintaining an organized and predictable GPO environment.
These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.
Administration
The Settings menu within GYTPOL offers a hub for various administrative tasks that you can perform to manage and customize your GYTPOL environment. This includes activities like group management, API access configuration, filters setup, and managing muted alerts.
Group Management: The Settings menu allows you to manage user groups, enabling efficient collaboration and access control within your organization.
API Access: You can configure API access settings, granting authorized applications or services the ability to interact with GYTPOL's functionalities.
Filters and Mutes Management: GYTPOL facilitates the customization of filters and mutes, helping you tailor your experience by controlling the alerts and data you receive.
For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your GYTPOL configuration.
UI Navigation
The GYTPOL Validator Homepage offers a user-friendly gateway to different perspectives tailored for Windows, Linux, and macOS environments. Each perspective presents the top five alerts pertinent to its corresponding scope, providing a rapid overview of critical issues.
This homepage boasts a user-centric feature – the UI filtering option. By leveraging computer groups established by GYTPOL operators, you can effectively categorize devices based on specific attributes like operating systems, naming patterns, and organizational units (OUs). Detailed guidelines for creating and utilizing these groups are available in the Customization and Settings > Computer Groups section.
The homepage's top menus are designed for intuitive navigation across various sections, including:
Active Directory Security Page: This section addresses Active Directory security concerns.
AD and GPO Maintenance Page: Here, you can manage and optimize your Active Directory and Group Policy Objects.
CIS/NIST Benchmark Dashboards: Access detailed benchmark insights to enhance security posture.
Upon selecting the Windows dashboard, the top bar presents key information such as the number of reporting servers, endpoints, Domain Controllers, and Virtual Desktop Infrastructures (VDIs) – indicating the distribution of monitored assets. Additionally, the top bar showcases metrics regarding users validated through GYTPOL's Policy Validation module and the count of missing devices. Further explanation about these metrics can be found in the Customization and Settings > Health Screen section.