PowerBroker for Windows Installation Guide

PowerBroker for Windows User Guide · AboutUpgrade 30 UpgradeProcess 30 RevertingaVersion6.5Upgrade 30 PreparingforUpgrade 30 ExportExistingRuleXMLFiles 31 DocumentV5.xAdministrativeTemplateSettings


PowerBroker for Windows

Installation Guide


Revision/Update Information: November 10 2016
Software Version: PowerBroker for Windows 7.2
Revision Number: 0

CORPORATE HEADQUARTERS

5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE

Copyright © 2016 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.

No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.

BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.

All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.


Contents

Introduction
  Conventions Used in This Guide
  Before Contacting Technical Support
BeyondTrust Product Name Conventions
  Contacting Support
  Telephone
  Online
Policy Deployment Options
Installing for GPMC Deployment
  Installing PowerBroker for Windows Components
  Installation MSI Packages
  Software Requirements
  Policy Editor Requirements
  Installation Overview
  Installing the Policy Editor
  Verifying Policy Editor Installation
  Installing Policy Editor via Executable
  Configuring the Passcode Generator
Installing PowerBroker for Windows Client Software
  Deploying Client MSI Packages
  Verifying the Client Software Installation
  Command Line Installation for GPO Mode
  Installing Client via Executable
Installing for BeyondInsight Deployment
  Configuring PowerBroker with BeyondInsight Management Console
  Generating a Certificate
  Creating an MSI File
  Deploying Certificate MSI Packages using GPO
  Configuring PowerBroker for Windows
  Command Line Installation for BeyondInsight Mode
Certificate Management
BeyondInsight Reporting
  Understanding How Reporting Works with BeyondInsight
  BeyondInsight Requirements
Stop—Before You Upgrade, Read This!


PowerBroker for Windows 3 © 2016. BeyondTrust Software, Inc.


About Upgrade
  Upgrade Process
  Reverting a Version 6.5 Upgrade
  Preparing for Upgrade
  Export Existing Rule XML Files
  Document V5.x Administrative Template Settings
Upgrading PowerBroker for Windows Client Software
  Client Software Requirements for V7.0
  Running Client Installer Files
  State Model Data Reset
  Deploying the PowerBroker for Windows V7.0 Client
  Verifying Client Installation
Upgrading the PowerBroker for Windows Snap-in
  Snap-in Software Requirements for V7.0
  Running Snap-in Installer Files
Installing Auditing and Reporting Components
Licensing and Operating Modes
  Obtaining a License
  Creating a License File Request
  Importing a License File
  Deploying a License to Existing GPOs
  Frequently Asked Licensing Questions


Introduction

This guide provides the installation instructions and software requirements for PowerBroker for Windows. For information about its features, benefits, functionality, and basic procedures, see the PowerBroker for Windows User Guide.

If you are upgrading from an earlier version of PowerBroker for Windows, follow the instructions in the PowerBroker for Windows User Guide section on the Upgrade.

The following sections include the document conventions, list of documentation for the product, and where to get additional product information and technical assistance.

Conventions Used in This Guide

Specific font and linespacing conventions are used in this book to ensure readability and to highlight important information such as commands, syntax, and examples.

Font Conventions

The font conventions used for this document are:

• Courier New Font is used for program names, commands, command arguments, directory paths, variable names, text input, text output, configuration file listings, and source code. For example: C:\Documents and Settings\All Users

• Courier New Bold Font is used for information that should be entered into the system exactly as shown. For example: pbdeploy.exe

• Courier New Italics Font is used for input variables that need to be replaced by actual values. In the following example, the variable MyServer must be replaced by an actual environment server name and the variable MyFolder must be replaced by an actual folder name: \\MyServer\MyFolder\pbwcl32.msi

• Bold is used for Windows buttons. For example: Click OK.

Linespacing Conventions

The linespacing of commands, syntax, examples, and computer code in this manual may vary from actual Windows and Unix/Linux usage because of space limitations. For example, if the number of characters required for a single line does not fit within the text margins for this book, the text is displayed on two lines with the second line indented as shown in the following sample:

C:\Windows\SYSVOL\domain\Policies\<GUID>\<MACHINE or USER>\PBWindows

Where to Go Next?

For licensing information and installation instructions for PowerBroker for Windows, see the PowerBroker for Windows Installation Guide.

For information about what you can do with PowerBroker for Windows and how to get started using PowerBroker for Windows, see the PowerBroker for Windows User Guide.

Documentation Set for PowerBroker for Windows

The complete PowerBroker for Windows documentation set includes the following:

• PowerBroker for Windows Installation Guide


• PowerBroker for Windows User Guide

• PowerBroker for Windows online help

Obtaining Support

BeyondTrust provides an online knowledge base, as well as telephone and web-based support. In addition, when working with any PowerBroker for Windows item, you can click the Help button to view detailed information about available options.

Available Resources

The PowerBroker for Windows Knowledge Base provides information and solutions to many known problems and issues. Registered users can access the Knowledge Base by logging onto the BeyondTrust Partner Portal on the BeyondTrust website.

With the Policy Editor installer, there is now an option to add the Rule Library. This is a comprehensive set of pre-configured rules. You can find the Rule Library under the following path: C:\Program Files\BeyondTrust\RulesLibrary

Before Contacting Technical Support

Be sure to read this section before contacting technical support.

Tip: Is the PowerBroker for Windows client software running?

A computer must have the PowerBroker for Windows client software installed and running to recognize rules.

If a computer does not respond to a rule or a policy setting, make sure that the client software is installed and activated on the computer. Run the Policy Monitor (polmon.exe) utility on the computer to check for client software activation and functionality.

Obtain as much information about the problem as possible using troubleshooting tools such as Policy Monitor, trace logging, event logging, and Resultant Set of Policy (RSoP) logging. For more information, see “Troubleshooting Mechanisms” in the PowerBroker for Windows User Guide.

To expedite support, collect the following information:

• Image or the full text of any error messages

• Context of the problem, including affected platforms

• How to reproduce the problem

• For client problems: A copy of the XML configuration data that produces the problem, trace output, event log messages, and RSoP reporting data if available.


BeyondTrust Product Name Conventions

This User Guide uses the following naming conventions for BeyondTrust products:

PowerBroker for Windows      PowerBroker for Windows
PowerBroker Policy Editor    Policy Editor
BeyondInsight                BeyondInsight

Contacting Support

For support, go to our Customer Portal then follow the link to the product you need assistance with.

The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States: 800.234.9072

Outside Continental United States: 818.575.4040

Vulnerability Management Support
North/South America: 866.529.2201 | 949.333.1997

+ enter access code

All other Regions:
Standard Support: 949.333.1995

+ enter access code

Platinum Support: 949.333.1996

+ enter access code

Online
http://www.beyondtrust.com/Resources/Support/


Policy Deployment Options

Before you begin installing the PowerBroker for Windows Client and Policy Editor, you must decide how you would like to deploy your policies.

You can use Central Policy Integration to deploy PowerBroker for Windows policies using BeyondInsight, or you can choose to deploy your policies using the Group Policy Management Console.

A client can only be configured for one scheme. A mixture of clients running different schemes is supported but requires additional work, as the rule sets are completely separate.

Group Policy

Rules and client configuration settings are contained in Active Directory Group Policies and are processed by the client on the defined Group Policy Interval. Benefits of using Group Policy:

• Settings replicated through multiple servers

• Multiple policy resources (Domain Controllers)

• No web server required

Central Policy

Rules and client configuration settings are contained in the BeyondInsight database hosted by a web service on the BeyondInsight server and are processed by the client on an interval apart from the Group Policy interval. Benefits of using Central Policy:

• Clients not required to be joined to a domain

• No permissions required in Active Directory


Installing for GPMC Deployment

Installing PowerBroker for Windows Components

You must install two PowerBroker for Windows components. An optional reporting component can also be installed:

• Policy Editor - This component must be installed on computers, usually domain controllers, used to edit Group Policy Objects (GPOs). The Policy Editor provides the ability to change the permissions and privileges of Windows applications using rules, thereby implementing a least privilege security model for Windows. You use the PowerBroker for Windows Policy Editor installer to install this component.

• Client - This component must be installed on each computer on which PowerBroker for Windows rules are enforced. This client software enables computers to recognize PowerBroker rules in GPOs. You can deploy this component to computers by using standard Windows functionality.

For Policy Editor installation instructions, see "Installing the Policy Editor". For client installation instructions, see "Installing PowerBroker for Windows Client Software".

Installation MSI Packages

The following table identifies installation MSI packages and the components installed by each. Note that separate installer files are provided for 32-bit and for 64-bit systems.

Installer MSI File: Policy Editor installers:
  PowerBroker Policy Editor (32 Bit) 7.1.msi
  PowerBroker Policy Editor (64 Bit) 7.1.msi
Contains and Installs:
  PowerBroker for Windows Policy Editor: Extensions to the Group Policy Management Editor and Resultant Set of Policy (RSoP) snap-ins. These extensions provide the ability to change permissions and privileges of Windows applications using rules. This component must be installed on computers used to edit GPOs.
  GPMC Integration: Group Policy client-side extensions for planning and processing policy, including support for GPMC operations and Password Generator. These extensions are recommended for computers used to edit GPOs. They are not required for basic GPMC support.

Installer MSI File: Client installers:
  PowerBroker for Windows Client (32 Bit) 7.1.msi
  PowerBroker for Windows (64 Bit) 7.1.msi
Contains and Installs:
  PowerBroker for Windows Client: The client software contains a security driver that monitors process launch, checks for applicable rules, and modifies security token when a rule exists. In addition, the client software provides File Integrity, Session Monitoring and IE components. The client software also provides client-side extensions used for creating and processing policy, enabling computers to recognize PowerBroker for Windows items in GPOs. The client software is normally distributed to computers using a distribution tool, such as Group Policy.

Table 1. PowerBroker for Windows Installation Components


Software Requirements

PowerBroker for Windows can be used with a variety of Windows and Windows Server operating systems. The following sections detail the operating systems supported by each PowerBroker for Windows component.

Policy Editor Requirements

The Policy Editor can be installed on computers running any of the following operating systems:

• Windows Server 2008 R2

• Windows Server 2008

• Windows Server 2012

• Windows 7

• Windows 8

• Windows 10 Pro, Enterprise and Enterprise LTSB

Note: The .NET Framework V4.0 and .NET Framework V3.5 Features must be installed prior to installing PowerBroker for Windows. If .NET Framework V4.0 Features are installed, they may be listed under Features or Windows features rather than in the list of installed programs.

Client Software Requirements

PowerBroker for Windows client software can be installed on computers running any of the following operating systems:

• Windows Server 2008 R2

• Windows Server 2008

• Windows Server 2003 SP1 or later

• Windows Server 2012

• Windows 7

• Windows 8

• Windows 10 Pro, Enterprise and Enterprise LTSB

Note: The .NET Framework V3.5, v4.0 or v4.5 Features must be installed prior to installing PowerBroker for Windows on a client.

Installation Overview

During the installation with the Setup Wizard, you will be prompted to choose from the following Custom Setup features:

• Internet Explorer Integration - Enables elevation of Internet Explorer and installation of ActiveX controls.

• File Integrity - This feature provides you with the ability to protect specific files.

• Session Monitoring - This feature provides you with the ability to monitor specific applications and files with recorded screen captures, keyboard entries and mouse controls for elevated applications.


• Central Policy Integration - This feature enables BeyondInsight to be used for PowerBroker for Windows policy distribution.

Note: The Central Policy Integration feature must be installed in order for PowerBroker for Windows to interact with BeyondInsight.

You can decline installation of any of the features by clicking on the box in front of the option.

Installing the Policy Editor

You will initially be asked if you plan to use BeyondInsight. If you do not use BeyondInsight, selecting "No" will ensure you only view options available in GPMC mode.

The Policy Editor must be installed on a computer used to manage Group Policy Objects (GPOs) and domains. This type of computer is usually a domain controller. PowerBroker for Windows rules are distributed from the domain controller’s SYSVOL folder. However, this location might not be where they were created or edited.

Tip: Where to find the Policy Editor Installer

You must download the PowerBroker for Windows Policy Editor Installer file from the BeyondTrust website. You can then install it on any computer from which you can edit domain policy.

Access the Policy Editor Installer from the BeyondTrust Evaluations and Download webpage. After you log into the website, choose one of the following versions of the Policy Editor installer to download:

PowerBroker Policy Editor (32 Bit) 7.1.msi for the 32-bit Policy Editor installer
PowerBroker Policy Editor (64 Bit) 7.1.msi for the 64-bit Policy Editor installer

To install the Policy Editor, do the following:

1. Download an installer .msi file from the BeyondTrust website.
2. Double-click on the PowerBroker Policy Editor (32 Bit) 7.1.msi or PowerBroker Policy Editor (64 Bit) 7.1.msi file name.
   For 32-bit computers, use PowerBroker Policy Editor (32 Bit) 7.1.msi.
   For 64-bit computers, use PowerBroker Policy Editor (64 Bit) 7.1.msi.
3. In the Welcome dialog of the Setup Wizard, click Next.
4. In the License Agreement dialog, accept the license terms and click Next.
5. In the Custom Setup dialog, choose an installation location. Either accept the default root installation folder, or click Change and select a different location. Click Next.


Note: If you are installing in an environment that includes the Microsoft Group Policy Management Console (GPMC), the installation wizard displays a GPMC Integration feature. Installing this feature is required for full GPMC functionality.

6. Click Install to continue the installation using the path you specified.
7. When prompted, click Finish to complete the installation.

Verifying Policy Editor Installation

To verify that the Policy Editor was successfully installed, do the following:

1. Start the Group Policy Management Console (GPMC) by clicking Start, Run and entering gpmc.msc.
2. Right-click a GPO and select Edit.

Note that the items are added to the Group Policy Management Editor and are displayed under the following nodes:

– Computer Configuration, Policies, BeyondTrust PowerBroker for Windows.

– User Configuration, Policies, BeyondTrust PowerBroker for Windows.

Installing Policy Editor via Executable

The PowerBroker Policy Editor is also packaged in an Executable that includes both the 32-bit and 64-bit versions of the Policy Editor. The Executable determines the architecture of the Operating System that it is run on and will install the appropriate version for the Operating System’s architecture.

To install the PowerBroker Policy Editor using the Client Executable, simply run the PowerBroker Policy Editor Combined Installer 7.1.exe, which will then execute the MSI file for the appropriate architecture.

The Executable Installer must be run with Administrator privileges.

Note that if the Policy Editor is installed via the Executable, then to modify the installation the Executable installer must be re-run.

Configuring the Passcode Generator

A default key pair that includes a public key and a private key is installed along with the PowerBroker for Windows client software and Policy Editor software. It is required that you generate a new key pair before deploying to a production environment. For more information about the Passcode Generator, see the PowerBroker for Windows User Guide.

Note: The private pass is based off of a certificate and registration key. Both are generated and exported when the key is created. In order to use the passcode generator on a different machine to generate keys, both the registry key and certificate must be imported onto the new machine.

To replace the key pair used to generate Passcodes, do the following:

1. Edit a Group Policy Object (GPO). For detailed instructions, see "Verifying Policy Editor Installation".
2. Open the Passcode Generator by using one of the following methods:

– On the management dashboard, click Generate a Passcode.


– In the console tree of the Group Policy Management Editor, right-click a PowerBroker for Windows node and select Passcode Generator.

– Go to the Start menu, Programs, Passcode Generator.

3. Click the Settings tab in the PowerBroker for Windows Passcode Generator dialog.
4. To change the path to where the Passcode Generator creates keys and to where it stores the private key, in the Keys path box click Select Directory and navigate to a folder. If more than one computer is used to generate Passcodes, you must make this change on each of these computers, and it is recommended that you use a shared folder that is accessible only to administrators. Changing the keys path does not change the location for the public key on client computers.
5. To generate a new public and private key pair:
   a. Click Generate New Key Pair.
   b. Deploy the new public key to the following folder on each client computer: %WINDIR%\BeyondTrust\PBD\config
   c. If more than one computer is used by administrators to generate Passcodes and you are not using a shared folder for the keys path, you must copy the new key pair to the keys path for each computer used to generate Passcodes.


Installing PowerBroker for Windows Client Software

The client software must be installed on all computers that are to be managed by PowerBroker rules.

The client installer (whether 64-bit or 32-bit) can be deployed to either servers or desktops.

Note: Rules embedded in GPOs have no effect on computers that do not have the client software installed and running.

Tip: Where to find the client software installer

You must download the PowerBroker for Windows client software installer file from the BeyondTrust website. You can then deploy the .msi file to the organization’s desktops.

Access the client software installer from the BeyondTrust Evaluations and Download webpage. After you log into the site, choose one of the following versions of the client software installer to download:

PowerBroker for Windows Client (32 Bit) 7.1.msi for the 32-bit client installer

PowerBroker for Windows Client (64 Bit) 7.1.msi for the 64-bit client installer

The client installer can be deployed to servers and desktops. The platform can be determined during the install.

Deploying Client MSI Packages

The recommended installation method for client computers is to use the Group Policy Management Editor in the Microsoft Group Policy Management Console (GPMC) to deploy the client software installation MSI package to all client computers in a domain.

To deploy the client software:

1. Download the client installer package (MSI file) from the BeyondTrust website.
2. Save the installer package.

Tip: Save the installer package in an accessible location

The installer package must be hosted in a location (such as a network share) that is accessible to the SYSTEM account of each computer where the software should be installed. The path provided must use the following format:
\\MyServer\MyFolder\PowerBroker for Windows Client (32 Bit) 7.1.msi

3. Click Start, Control Panel, Administrative Tools, Group Policy Management to open the Group Policy Management Console (GPMC). If the GPMC is not already installed, it can be downloaded from http://microsoft.com/downloads. In older versions of Windows Server or Windows, you can open the Group Policy Object Editor from Active Directory Users and Computers or from a custom Microsoft Management Console.

4. In the GPMC, click Forest, Domains, <MyDomain>, Group Policy Objects.


5. To create a new GPO, right-click Group Policy Objects and click New. Enter a name for the GPO and click OK. Alternatively, you can add configurations to an existing GPO.

6. Right-click the GPO and click Edit to launch the Group Policy Management Editor so that you can configure settings for the GPO.

– In the Group Policy Management Editor, click Computer Configuration, Policies, Software Settings. Right-click Software Installation and click New, Package.

7. Select the client installer package and click Open.
8. Select Assigned and click OK.


9. After a brief delay, the name of the software to be installed is displayed in the details pane of the Group Policy Management Editor as shown in the following figure:

If the name does not appear, right-click Software Installation and select Refresh until it does. To modify installation settings, double-click the item name in the display pane. To remove an item, right-click the item name and select All Tasks, Remove.

10. Restart each client computer to initiate client installation. This can be done manually or by using Group Policy mechanisms.

After the client is installed, the computer can recognize and enforce PowerBroker for Windows V7.1 rules.

Verifying the Client Software Installation

Use the policy monitor program to verify the client has been successfully installed on a computer. To verify client software installation, make sure the computer has been restarted and then do the following:

1. On a computer on which the client was installed, start Policy Monitor by selecting Start, Run and entering: polmon.exe

2. In the resulting Policy Monitor window, ensure that no connection errors are reported and that computer and user rules have been successfully loaded. A sample Policy Monitor output is shown in the following figure:


Command Line Installation for GPO Mode

First enter the command line installer:

msiexec /i "PowerBroker for Windows Client (64 Bit) 7.1.msi" /qn ADDLOCAL=[FEATURELIST]

Replace [FEATURELIST] with a comma-delimited list of features. PBWClient, Client_XX and Runtime_XX are required.

FEATURELIST for x64 Installer:

Note: The following are required fields: PBWClient,Client_x64,Runtime_x64

EVENT MONITORING: EventMonitor_x64
FILE INTEGRITY: FileIntegrity_x64
ACTIVE X\IE Rules: IEIntegration_x64
SESSION MONITORING: SessionMonitor_x64

FEATURELIST for x86 Installer:

The following are required fields: PBWClient,Client_x86,Runtime_x86

EVENT MONITORING: EventMonitor_x86
FILE INTEGRITY: FileIntegrity_x86
ACTIVE X\IE Rules: IEIntegration_x86
SESSION MONITORING: SessionMonitor_x86

For example, to install all components except session monitoring:

msiexec /i "PowerBroker for Windows Client (32 Bit) 7.1.msi" /qn ADDLOCAL=PBWClient,Client_x86,Runtime_x86,EventMonitor_x86,FileIntegrity_x86,IEIntegration_x86

msiexec /i "PowerBroker for Windows Client (64 Bit) 7.1.msi" /qn ADDLOCAL=PBWClient,Client_x64,Runtime_x64,EventMonitor_x64,FileIntegrity_x64,IEIntegration_x64
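The silent install described in this section, wrapped so that the three required features can never be dropped from ADDLOCAL and a failed /qn run does not go unnoticed. This is an added PowerShell example, not BeyondTrust's own script: the function names and the log file location are hypothetical, the feature names are the ones listed in this guide, and /l*v and exit codes 0 and 3010 are standard msiexec behaviour.

```powershell
Set-StrictMode -Version Latest

# Optional features as named in this guide, without the _x86/_x64 suffix.
$script:PbwOptionalFeatures = 'EventMonitor', 'FileIntegrity', 'IEIntegration', 'SessionMonitor'

function Get-PbwAddLocal {
    # Hypothetical helper: builds the ADDLOCAL value for one architecture.
    param(
        [Parameter(Mandatory)][ValidateSet('x86', 'x64')][string]$Architecture,
        [string[]]$OptionalFeature = @()
    )
    # PBWClient, Client_XX and Runtime_XX are required in every feature list.
    $features = @('PBWClient', "Client_$Architecture", "Runtime_$Architecture")
    foreach ($name in $OptionalFeature) {
        if ($script:PbwOptionalFeatures -notcontains $name) {
            throw "Unknown feature '$name'. Valid: $($script:PbwOptionalFeatures -join ', ')"
        }
        $suffixed = "${name}_$Architecture"
        if ($features -notcontains $suffixed) { $features += $suffixed }
    }
    return ($features -join ',')
}

function Install-PbwClient {
    # Hypothetical wrapper around msiexec; run from an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        # Must match the MSI being installed; defaults to the OS architecture.
        [ValidateSet('x86', 'x64')][string]$Architecture =
            $(if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }),
        [string[]]$OptionalFeature = @()
    )
    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "Installer not found: $MsiPath"
    }
    $addLocal = Get-PbwAddLocal -Architecture $Architecture -OptionalFeature $OptionalFeature
    # Assumption: a verbose log in TEMP; /qn shows no UI, so the log is the only trace.
    $log = Join-Path $env:TEMP 'pbw-client-install.log'
    # The MSI file name contains spaces, so the path is passed with embedded quotes.
    $arguments = @('/i', "`"$MsiPath`"", '/qn', '/l*v', "`"$log`"", "ADDLOCAL=$addLocal")

    if ($PSCmdlet.ShouldProcess($MsiPath, "msiexec $($arguments -join ' ')")) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
        # 0 = success, 3010 = success but a restart is required.
        if ($proc.ExitCode -notin 0, 3010) {
            throw "msiexec failed with exit code $($proc.ExitCode); see $log"
        }
        return $proc.ExitCode
    }
}

# Constructed example: every feature except session monitoring, shown with -WhatIf
# so nothing is installed. The share path follows the guide's \\MyServer\MyFolder format.
# Install-PbwClient -MsiPath '\\MyServer\MyFolder\PowerBroker for Windows Client (64 Bit) 7.1.msi' `
#     -Architecture x64 -OptionalFeature EventMonitor, FileIntegrity, IEIntegration -WhatIf
```

After a successful run, restart the computer and check the result with polmon.exe as described under "Verifying the Client Software Installation".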

Installing Client via Executable

The PowerBroker for Windows Client is also packaged in an Executable that includes both the 32-bit and 64-bit versions of the Client. The Executable determines the architecture of the Operating System that it is run on and will install the appropriate version for the Operating System’s architecture.

The PowerBroker for Windows Client Executable installer also accepts the same command line options that can be used for the Client MSI installers.

To install the PowerBroker for Windows Client using the Client Executable, simply run the PowerBroker Policy Editor Combined Installer 7.1.exe, which will then execute the MSI file for the appropriate architecture.

The Executable Installer must be run with Administrator privileges.


Note that if the Client is installed via the Executable, then to modify the installation the Executable installer must be re-run.


Installing for BeyondInsight Deployment

Configuring PowerBroker with BeyondInsight Management Console

To configure PowerBroker for Windows to forward events to BeyondInsight you must follow the procedures in this section:

• Generating a Certificate

• Configuring PowerBroker for Windows

BeyondInsight Community does not support PowerBroker for Windows.

Ensure that you have the appropriate license key for BeyondInsight.

Before proceeding, ensure all PowerBroker for Windows components and BeyondInsight are installed.

Generating a Certificate

Generate a client certificate using the BeyondInsight Configuration tool. Certificates must be deployed to any asset where you are capturing events with PowerBroker for Windows.

You can then set up a GPO with the MSI and deploy the certificate to your PowerBroker assets.

Note: Do not generate a client certificate if there is one created for either PowerBroker Endpoint Protection Platform or for BeyondInsight Network Security Scanner. You can use the existing client certificate for your PowerBroker for Windows assets.

Creating an MSI File

To create an MSI file:

1. Run the BeyondInsight Configuration tool and then click Generate Certificate.msi.

2. When completed an explorer window will open containing the msi file you will need to deploy the certificate using GPO software deployment
   a. The default location to the msi file is C:\Program Files (x86)\eEye Digital Security\Retina CS\Utilities\msi
   b. See for instructions on how to deploy software via GPO using the generated msi as the package.

Deploying Certificate MSI Packages using GPO

Use GPMC to deploy the certificate package to your client computers.

To deploy the certificate MSI package:

1. Copy the certificate MSI package to an accessible location.

Tip: Save the installer package in an accessible location

The installer package must be hosted in a location (such as a network share) that is accessible to the SYSTEM account of each computer where the software should be installed. The path provided must use the following format: \\MyServer\MyFolder\certinstaller.msi


2. Click Start, Control Panel, Administrative Tools, Group Policy Management to open the Group Policy Management Console (GPMC). If the GPMC is not already installed, it can be downloaded from http://microsoft.com/downloads. In older versions of Windows Server or Windows, you can open the Group Policy Object Editor from Active Directory Users and Computers or from a custom Microsoft Management Console.

3. In the GPMC, click Forest, Domains, <MyDomain>, Group Policy Objects.

4. To create a new GPO, right-click Group Policy Objects and click New. Enter a name for the GPO and click OK.

Alternatively, you can add configurations to an existing GPO.

5. Right-click the GPO and click Edit to launch the Group Policy Management Editor so that you can configure settings for the GPO.

6. In the Group Policy Management Editor, click Computer Configuration, Policies, Software Settings. Right-click Software Installation and click New, Package.

7. Select the certificate MSI installer package and click Open.

8. Select Assigned and click OK.

9. After a brief delay, the name of the software to be installed is displayed in the details pane of the Group Policy Management Editor.

If the name does not appear, right-click Software Installation and select Refresh until it does. To modify installation settings, double-click the item name in the display pane. To remove an item, right-click the item name and select All Tasks, Remove.

10. Restart each client computer to initiate the installation. This can be done manually or by using Group Policy mechanisms.


Configuring PowerBroker for Windows

Install the PowerBroker for Windows components by walking through the Install Wizard. Be sure to install the Central Policy Integration. During the installation process you will be prompted for the BeyondInsight Server name.

Once you have installed the client and Policy Editor, to configure PowerBroker:

1. From the Start menu, open PowerBroker for Windows. Please note that it may take several minutes to open.

2. The following dialog box will open and you will be asked to enter your BeyondInsight Credentials.

3. Before you can configure your policies, you must add a policy. To do this simply select the Add button and enter the name of a policy.

4. After entering the name of your policy, select Modify and the Policy Management Dashboard will open.

5. From the Dashboard select the Settings button under the section labeled Configuration.

6. You will need to update all the settings to enable the sending of events to BeyondInsight. Set the options under the Setting Category Menu.

Settings | Description
Enable Asynchronous BeyondInsight Event Logging | Sends event logs to the System event log when BeyondInsight cannot process the events.
Configure the BeyondInsight Certificate Name | Sets the BeyondInsight certificate name, eEyeEmsClient.
Configure the BeyondInsight heartbeat interval | Enter the interval in minutes. The default interval is every 360 minutes (6 hours). Configure a regular interval to send heartbeat events to ensure there is a connection between PowerBroker and BeyondInsight. In addition to the usual events, when configured to send events to BeyondInsight, a heartbeat event will also be sent (event ID 28701).
Configure BeyondInsight to Store XML Events on Failure | Create a path for the event data XML file when the file cannot be sent to BeyondInsight.
Configure the BeyondInsight WebService URL | Enter the URL for the BeyondInsight web service. Follow the format: https://myserver/EventService/Service.svc
Configure the PowerBroker workgroup name for BeyondInsight | Enter a workgroup name. A workgroup name is needed for asset matching in BeyondInsight.
Enable BeyondInsight Trace Logging | Enable to create a trace log if events are not flowing into BeyondInsight.

Table 1. Management Settings for BeyondInsight Configuration

Security Driver Settings

The Security Driver collection includes settings related to logging and other operating features.

Settings | Description
Log ActiveX install with rule applied | Logs ActiveX control installation requiring a privilege modification.
Log ActiveX install failure due to insufficient privileges | Logs failed ActiveX control install due to insufficient privileges.
Log application launch requiring elevated privileges | Logs every application launch requiring privileges greater than standard user.
Log application launch with Action: Deny Execution | Logs each time an application launch is denied execution by PowerBroker for Windows.
Log application launch with modified token | Log each application launch for which the token has been modified by PowerBroker for Windows.
Log application launch with Action: No Change (passive) | Logs each time a whitelisted application launches with no changes to permission, privileges, process security, or integrity level.
Log application launch elevated by Shell rule | Logs each launch performed by a Shell rule.
Block ActiveX install based on CLSID | Blocks the installation of an ActiveX control based on the control’s COM Class Identifier (CLSID).
Log application state data | Activates logging on clients to support the Automatic Rule Generator and SCCM reporting.
Customize IE download dialog | Allows customization of download progress dialog that appears when an end-user attempts to download. Available options include: Time after which to show progress dialog if less than a selected percentage complete, Cancel button text
Log Security Driver events | Security Driver logging and tracing options. Available options include: Configure event logging, Turn tracing on or off, Specify trace file location and maximum size
Log UAC prompts | Logs each UAC prompt presented to user.
Enable Gray Scale Images | Enable this setting to update all screen captures to be saved as gray scale images.
Encoder Quality | Change this setting to modify the quality of the screen capture JPG images on a scale of 1-100 (100 is the highest quality but also the largest file size).
Idle Timeout | Change this setting to alter the amount of time, in seconds, that session monitoring will wait before it stops capturing after no user input is detected.

Note: After you have updated all your settings for each Category, a dialog box will be displayed stating that the Policies have updated successfully.

Settings | Description
Log all application launches | Enable this setting to log each time an application launches. IMPORTANT: Should be disabled in production environments. Enabling this setting will generate a large volume of data and should only be used for setup and troubleshooting.
Enable Asynchronous BeyondInsight Event Logging | Sends event logs to the System event log when BeyondInsight cannot process the events.
Prevent applications from having rules applied | Set the value to the path of the executable you wish to exclude from having PowerBroker for Windows rules applied. To exclude multiple applications, separate the paths with a semicolon. Environment variables (e.g. %SystemRoot% or %ProgramFiles%) are allowed. Wildcards and UNC paths are supported. Child processes of any excluded application will also be excluded. Application Profiling will still be enabled for any application specified in this key. For more information see the PowerBroker for Windows documentation. Values are written to registry key: BTSuppressHook
Prevent Profiler from being loaded into specified processes | Used for troubleshooting purposes. Set the value to the path of the executable you wish to exclude. To exclude multiple applications, separate the paths with a semicolon. Environment variables (e.g. %SystemRoot% or %ProgramFiles%) are allowed. Wildcards are supported. Child processes of any excluded application will also be excluded. For more information see the PowerBroker for Windows documentation. Values are written to registry key: ExcludedProfilerApps
Prevent Privman from being loaded into specified processes | Used for troubleshooting purposes. Set the value to the path of the executable you wish to exclude. To exclude multiple applications, separate the paths with a semicolon. Environment variables (e.g. %SystemRoot% or %ProgramFiles%) are allowed. Wildcards are supported. For more information see the PowerBroker for Windows documentation. Values are written to registry key: ExcludedApps. NOTE: Privman will still remain loaded in excluded processes but will not have any effect.
Prevent Btpload from being loaded into specified processes | Used for troubleshooting purposes. Prevents btpload.dll from being loaded if the process name and path is found. Wildcards are not supported. Any application specified in this key will not have the following dlls loaded: btpload32.dll, btprof32.dll. For more information see the PowerBroker for Windows documentation. Values are written to registry key: UnloadBtploadLoadedForApps.
Log BeyondInsight Events to a File | Enable this setting to write events sent to BeyondInsight by the PowerBroker for Windows Client to a set of files in the specified path. This setting is for troubleshooting purposes only. Do not enable this setting in a production environment.
Enable Asynchronous BeyondInsight Event Logging | Enable this setting to log events to the system event log when events cannot be processed by BeyondInsight
Enable BeyondInsight Trace Logging | Enable this setting to turn on trace logging for events processed by BeyondInsight
Configure BeyondInsight Events Log File Path | Configure this setting to set the path where the BeyondInsight Events log file is located.

Command Line Installation for BeyondInsight Mode

First enter the command line installer:

PowerBroker for Windows Client (64 Bit) 7.1.msi /qn ADDLOCAL=[FEATURELIST] SERVER=[SERVERNAME] CERTIFICATE=eEyeEmsClient WORKGROUP="BeyondTrust Workgroup"

Replace [FEATURELIST] with a comma-delimited list of features. PBWClient, Client_XX and Runtime_XX are required.

FEATURELIST for x64 Installer:

Note: The following are required fields: PBWClient,Client_x64,Runtime_x64

CENTRAL POLICY INTEGRATION

CPIntegration

EVENT MONITORING

EventMonitor_x64

FILE INTEGRITY

FileIntegrity_x64

ACTIVE X\IE Rules

IEIntegration_x64

SESSION MONITORING

SessionMonitor_x64

FEATURELIST for x86 Installer:

The following are required fields: PBWClient,Client_x86,Runtime_x86

CENTRAL POLICY INTEGRATION

CPIntegration

EVENT MONITORING

EventMonitor_x86

FILE INTEGRITY

FileIntegrity_x86

ACTIVE X\IE Rules

IEIntegration_x86

SESSION MONITORING

SessionMonitor_x86

Note: ServerName, Certificate and Workgroup are mandatory for BeyondInsight Mode.

To install all components except file integrity and event monitoring:


PowerBroker for Windows Client (32 Bit) 7.1.msi /qn ADDLOCAL=PBWClient,Client_x86,Runtime_x86,SessionMonitor_x86,IEIntegration_x86,CPIntegration SERVER=[SERVERNAME] CERTIFICATE=eEyeEmsClient WORKGROUP="BeyondTrust Workgroup"

PowerBroker for Windows Client (64 Bit) 7.1.msi /qn ADDLOCAL=PBWClient,Client_x64,Runtime_x64,SessionMonitor_x64,IEIntegration_x64,CPIntegration SERVER=[SERVERNAME] CERTIFICATE=eEyeEmsClient WORKGROUP="BeyondTrust Workgroup"
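The feature and property rules above can be enforced before a silent install is launched. The following PowerShell is an added example, not BeyondTrust code: it builds the argument line from the feature names and MSI properties listed in this guide and rejects a package whose file name does not match the chosen architecture. The function name, its parameters, the sample share path and server name, and the use of msiexec /i as the launcher are assumptions.

```powershell
# Added example, not BeyondTrust code. Feature names and MSI properties come from
# this guide; the function name, parameters and msiexec wrapper are assumptions.
function New-PbwInstallArguments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('x86', 'x64')] [string] $Architecture,
        [Parameter(Mandatory)] [string] $MsiPath,
        # Optional features, named without the architecture suffix.
        [ValidateSet('EventMonitor', 'FileIntegrity', 'IEIntegration', 'SessionMonitor')]
        [string[]] $Feature = @(),
        # BeyondInsight mode properties (SERVER, CERTIFICATE, WORKGROUP).
        [string] $Server,
        [string] $Certificate = 'eEyeEmsClient',
        [string] $Workgroup
    )

    # The MSI file name states its architecture; refuse an obvious mismatch
    # such as x64 feature names passed to the 32-bit package.
    $bitness = if ($Architecture -eq 'x64') { '64 Bit' } else { '32 Bit' }
    if ((Split-Path -Leaf $MsiPath) -notlike "*($bitness)*") {
        throw "MSI '$MsiPath' does not look like the $bitness client package."
    }

    # Required features for every install, then the selected optional ones.
    $features = @('PBWClient', "Client_$Architecture", "Runtime_$Architecture")
    $features += @($Feature | Sort-Object -Unique |
        ForEach-Object { '{0}_{1}' -f $_, $Architecture })

    $properties = @()
    if ($Server -or $Workgroup) {
        # The guide marks ServerName, Certificate and Workgroup as mandatory in this mode.
        if (-not ($Server -and $Certificate -and $Workgroup)) {
            throw 'BeyondInsight mode requires -Server, -Certificate and -Workgroup together.'
        }
        foreach ($value in $Server, $Certificate, $Workgroup) {
            if ($value -match '"') {
                throw "Property value must not contain a double quote: $value"
            }
        }
        # The guide's BeyondInsight examples include Central Policy Integration.
        $features += 'CPIntegration'
        $properties += "SERVER=`"$Server`"", "CERTIFICATE=`"$Certificate`"",
                       "WORKGROUP=`"$Workgroup`""
    }

    # /i installs the package, /qn suppresses the UI (as in the guide's examples).
    $arguments = @('/i', "`"$MsiPath`"", '/qn',
                   ('ADDLOCAL=' + ($features -join ','))) + $properties
    return ($arguments -join ' ')
}

# Constructed sample values: the share path and server name are placeholders.
$msi = '\\MyServer\MyFolder\PowerBroker for Windows Client (64 Bit) 7.1.msi'
$argumentLine = New-PbwInstallArguments -Architecture x64 -MsiPath $msi `
    -Feature SessionMonitor, IEIntegration -Server 'myserver' `
    -Workgroup 'BeyondTrust Workgroup'
$argumentLine

# To run it from an elevated session and check the Windows Installer exit code
# (0 = success, 3010 = success, restart required):
# $p = Start-Process msiexec.exe -ArgumentList $argumentLine -Wait -PassThru
# if ($p.ExitCode -notin 0, 3010) { throw "Install failed with exit code $($p.ExitCode)" }
```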


Certificate Management

Verify you have a valid certificate on the BeyondInsight server

1. Start -> Run -> mmc.exe -> OK

2. When the mmc window opens, go to File -> Add/Remove Snap-in...

3. Select Certificates, click the Add button in the middle of the screen, select the Computer Account option, click Next.
   a. If you are not given an option for My User Account, Service Account, and Computer Account mmc was not launched with administrative privileges. Please start step 1 using an account with administrative privileges on the machine.

4. Leave the Local Computer radio button selected, click Finish.

5. Click OK in the Add or Remove Snap-ins window.

6. Expand Certificates (Local Computer) -> Personal -> Certificates

7. In the middle pane double click the eEyeEmsClient certificate. If the window matches the screen shot below, you have a valid certificate and may continue to the section Creating a certificate deployment MSI file.

Note: Certificates from a domain PKI are also compatible. Please contact support for assistance.

Using a Domain PKI for BeyondInsight Communication

Prerequisites:

1. Domain member server with the Active Directory Certificate Services installed and configured
   a. Certificate Authority Web Enrollment role service installed.

http://technet.microsoft.com/en-us/library/cc731183.aspx

Certificate Requirements:


1. Intended Purposes
   a. “Client Authentication” is required for the client certificate
   b. “Server Authentication” is required for the server certificate

2. There must be a Subject Key which contains common text to all client certificates

Note: In the example below “BTTest” would be common to all client certificates, “CN” or “=” are not taken into consideration when looking for the client certificate.

The default certificate template “Computer” is recommended to be used as it meets both requirements the PowerBroker services will need and workstations have the permissions to be auto-enrolled.
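The manual MMC check and the client certificate requirements above can also be verified from an elevated PowerShell session. This is an added example, not BeyondTrust code: it looks in the local computer's Personal store for certificates whose Subject contains the common text and reports whether each one is within its validity period, has a private key, and permits Client Authentication. The function name, its parameters and the 30-day expiry warning are assumptions.

```powershell
# Added example, not BeyondTrust code. Function and parameter names are hypothetical.
function Test-PbwClientCertificate {
    [CmdletBinding()]
    param(
        # Common text expected in the certificate Subject (the name this guide uses).
        [string] $SubjectText = 'eEyeEmsClient',
        [string] $StorePath = 'Cert:\LocalMachine\My',
        # Assumption: flag certificates that expire within this many days.
        [int] $WarnDays = 30
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    # Substring match on the Subject, so "CN" and "=" play no part in the comparison.
    $found = @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject.IndexOf($SubjectText, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    if ($found.Count -eq 0) {
        Write-Warning "No certificate with '$SubjectText' in its Subject under $StorePath."
        return
    }

    foreach ($cert in $found) {
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
        $purposes = @()
        if ($eku) { $purposes = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # A certificate without an EKU extension is not restricted to specific purposes.
        $clientAuth = (-not $eku) -or ($purposes -contains $clientAuthOid)
        $timeValid  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            TimeValid     = $timeValid
            ExpiresSoon   = $timeValid -and ($cert.NotAfter -lt $now.AddDays($WarnDays))
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuth    = $clientAuth
            # Usable for client authentication only if every check passes.
            Usable        = $timeValid -and $cert.HasPrivateKey -and $clientAuth
        }
    }
}

Test-PbwClientCertificate |
    Format-Table Subject, NotAfter, ExpiresSoon, HasPrivateKey, ClientAuth, Usable
```

The check covers purpose, validity period and private key only; it does not validate the chain to the issuing CA. For a domain PKI certificate, pass the common Subject text with -SubjectText.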


Assigning the Server Certificate to BeyondInsight Services:

1. Launch the BeyondInsight Configuration tool found in Start -> All Programs -> eEye Digital Security -> Retina CS -> BeyondInsight Configuration.

2. Scroll down the left pane until you reach the section “Web Service”. Select the domain PKI certificate from the SSL Certificate drop down menu and click Apply.

Configuring PowerBroker for Windows Client Certificate

1. Edit the GPO you wish to use to push out PowerBroker for Windows configurations.

2. Go to Computer Configuration -> Policies -> Administrative Templates -> BeyondTrust -> PowerBroker for Windows -> System -> Management

3. Edit the “Configure the BeyondInsight Certificate Name” setting with the common text within your client certificate Subject


Creating Custom Domain Certificate Templates

Modifying certificate templates can be done through the Certificate Templates Console (certtmpl.msc). Within the console you can modify the settings of most default templates. Others, such as the default Computer template, cannot be modified and must be duplicated to make modifications.

Advertising and Autoenrolling Custom Domain Certificate Templates

Although the Computer template meets all of the requirements for communication with the BeyondInsight server, other subject identifiers or certificate purposes may be needed for other functionality within the environment. It is recommended you duplicate the Computer template, make the additional configuration changes, and set the new template to be advertised.

To advertise the new template launch certsrv.msc, select Certificate Templates in the left pane, right click in an empty space in the right pane, and select New -> Certificate Template to Issue. Select the new template to be advertised and click OK.

Configuring Certificate Auto-Enrollment

Using the default Computer template:

Within a GPO which will apply to your PowerBroker for Windows client computers drill down to Computer Configuration -> Windows Settings -> Public Key Policies -> Automatic Certificate Request Settings, right click the right pane and select New -> Automatic Certificate Requests. Click Next through the wizard until you reach the Certificate Template screen, select your desired certificate template, and click Next/Finish until the wizard closes.

Using a customized template:

On the security tab of the customized template, one of the security groups must have Auto-enroll set to Allow. The computer objects that will be generating the certificate must be in that security group. The Domain Computers group is a common group to be used as computers are in this group by default. The Authenticated Users group must also have Read and Enroll set to Allow.

Once the security privileges are set the GPO applying to your workstations and servers must be configured to allow auto-enrollment. To do so edit the GPO and drill down to Computer Configuration -> Windows Settings -> Security Settings -> Public key Policies and open the “Certificate Services Client - Auto-Enrollment” setting. Set the Configuration Model to Enabled and check the “Update certificates that use certificate templates”


http://technet.microsoft.com/en-us/library/cc731522.aspx


BeyondInsight Reporting

In PowerBroker for Windows V7.1, reporting is available using the BeyondInsight management console.

You can use PowerBroker for Windows without installing BeyondInsight.

BeyondInsight Community does not support PowerBroker for Windows.

Understanding How Reporting Works with BeyondInsight

Review the following section to learn how information flows between PowerBroker for Windows and BeyondInsight.

Some important considerations for deployment in your environment are:

• Event communications for a PowerBroker for Windows agent to BeyondInsight is web services based using SSL over port 443. Internal firewalls and remote clients will need access to the Retina Event Server to forward application and identity events.

• The BeyondInsight Event Server can be detached and deployed separately in a DMZ or in remote locations from the database for scalability, security best practices, and architectural requirements.

• Retina CS is available as software or an appliance and can operate on physical or virtual hosts.

• PowerBroker for Windows Policy Editors require workstations on the domain and must be permitted to modify and create AD domain policy for BeyondTrust agents. Tools that strictly manage AD change control need to allow this functionality to occur.

• Events received by BeyondInsight can be turned into rules within the PowerBroker for Windows Policy Editor. They appear as XML in the browser and can be copied to the local clipboard for pasting directly into the Policy Editor.


• The Retina Network Security Scanner (RNSS) provides asset discovery of all devices in the environment. It communicates back to BeyondInsight over ports 21690 TCP for events and either 443 or 10001 TCP for discovery engine control.

BeyondInsight Requirements

Requirement | Details
Operating Systems | Windows Server 2008 (32-bit and 64-bit); Windows Server 2008 R2 (64-bit)
Database | Microsoft SQL Server 2008; Microsoft SQL Server 2012
Server | Microsoft .NET Framework 3.5 & 4.0 SP1 (Application Server Role, Windows Process Activation Service Support/HTTP Activation); Microsoft Internet Information Server (IIS) 6.0 or later with ASP.Net support (Web Server (IIS) role)
Client | Adobe Flash Player 10.0 or later; Oracle Sun Java 6.0 SE Update 21 or later for client side (for Network Map to work correctly)
Processor (CPU) | Intel Pentium IV 2.0 Ghz or equivalent
Memory (RAM) | 4 GB minimum, 8 GB recommended
Hard Drive | 300 MB required for software installation; 20 GB (database minimum)
Network | Network Interface Card (NIC) with TCP/IP enabled
Screen resolution | 1024 x 768

Table 1. BeyondInsight Requirements


Stop—Before You Upgrade, Read This!

Upgrading from an earlier version of PowerBroker for Windows V5.x to V6.0 results in several changes to your existing PowerBroker for Windows configuration. These changes are caused by V7.0 architecture modifications that enhance performance and usability.

To ensure a successful upgrade and preserve existing version 5.x rules and settings, do the following:

1. Preserve Version 5.x Rules - Make a copy of all V5.x rule XML files prior to upgrading.

2. Preserve Administrative Template Settings - Make a note of all Administrative Template settings you established in V5.x. Most Administrative Template settings that configure custom end-user messages will not be carried forward during an upgrade from V5.1 or earlier. You must manually reconfigure these settings in the Messages window. (Messages configured in the Messages window in V5.2 or later will be carried forward, but in some cases with cosmetic differences.)

Preserve State Model Data (Optional) - If for any reason you want to preserve V5.x state model data, make a backup copy of a computer’s registry prior to installing and activating the V6.0 or 6.5 client software. V5.x state model data is not carried forward during an upgrade.


About Upgrade

This guide describes the process you must follow to upgrade to V7.0 of PowerBroker for Windows from PowerBroker for Windows V5.x.

The upgrade process is straightforward and requires the following basic steps:

1. Copy the existing V5.x XML rule files to backup files.

2. Make a note of all V5.x Administrative Template settings. If you are upgrading from V5.1 or earlier versions, some Administrative Template settings that configure custom end-user messages are not carried forward during the upgrade.

3. Deploy the PowerBroker for Windows V7.0 or 7.0 client software to all computers running PowerBroker for Windows V5.x.

4. Upgrade the existing snap-in with the PowerBroker for Windows V7.0 Policy Editor.

5. Replace the default key pair for the Passcode Generator with a key pair that you generate.

6. If you are upgrading from V5.2, custom end-user messages that you configured will be automatically carried forward to V6.0. However, it is recommended that you review them in V7.0 due to cosmetic improvements and enhanced functionality.

7. Review the Administrative Template settings in V7.0 and reestablish any that were not carried forward during the upgrade. If you are upgrading from V5.1 or earlier, use the Messages dialog to reestablish custom end-user messages.

8. Verify that the snap-in and client software upgrades were successful.

The following sections describe each of these steps in detail.

Upgrade Process

An upgrade is accomplished by running PowerBroker for Windows installer programs (.msi files) on computers that host PowerBroker for Windows components.

The snap-in upgrade must be performed on computers on which the PowerBroker for Windows Policy Editor is installed, typically Windows domain controllers and any other computers from which Group Policy is managed. The client upgrade must be performed on all client computers on which the PowerBroker for Windows client software is installed.

The installer MSI packages recognize and remove previous versions of the PowerBroker for Windows software and install V7.0 components.

Reverting a Version 6.5 Upgrade

If you have upgraded to V7.0 and want to downgrade that installation to V5.x, you can do so. If downgrading, you should replace XML rule files generated using V7.0 with backups of XML rule files generated using the version to which you are downgrading. For more information, see “Export Existing Rule XML Files”.

For assistance with removing V7.0 and reinstalling V5.x, contact BeyondTrust Technical support at 1-800-234-9072.

Preparing for Upgrade

Before you run the V7.0 installer packages, you should perform two tasks:

• Back up V5.x rule XML files.

• Document the V5.x administrative template settings.


Export Existing Rule XML Files

When upgrading from V5.x, you are not required to make backup copies of the existing rule XML files, but doing so is recommended. If a problem occurs, you can import these files into the V7.0 snap-in.

To export the existing rules, do the following:

1. On the computer with the snap-in installed, open a GPO for editing.

2. In the Group Policy Object Editor, open the PowerBroker for Windows node under Computer Configuration.

3. Multi-select all the rules listed in the right pane and select Copy.

4. Paste the copied rules on the desktop or in a file folder. This creates a file called: ApplicationSecuritySettings.xml.

5. Rename this file: MyGPOName_ComputerSettings.xml.

6. Click on the PowerBroker for Windows node under User Configuration.

7. Multi-select all the rules listed in the right pane and select Copy.

8. Paste the copied rules on the desktop or in a file folder. This creates a file called: ApplicationSecuritySettings.xml.

9. Rename this file: MyGPOName_UserSettings.xml.

10. Repeat this process for any other GPOs that have Application Security settings.

Document V5.x Administrative Template Settings

The upgrade program does not carry forward any custom end-user messages you have configured by using the Administrative Template in V5.1 or earlier versions. Therefore, you must document these settings and manually re-establish them by using the Messages dialog after you have installed the V7.0 policy editor.

Use a program such as Notepad to document each enabled setting and any values it uses. After the upgrade, you will use this information to configure the Messages.

Note: This includes any customized text you have specified within these settings, (for example, OnDemand Context Menu Text).

For V5.x prior to V5.3, the settings are located in the two areas in the Group Policy Management Editor:

• Computer Configuration, Administrative Templates, BeyondTrust, PowerBroker for Windows, System

• User Configuration, Administrative Templates, BeyondTrust, PowerBroker for Windows, Windows Components, Microsoft Management Console, Restricted/Permitted Snap-ins, Group Policy

Make a note of any V5.x Administrative Template settings that are enabled, as well as any parameters associated with the setting. You will use this information to re-establish the settings in V6.0.


Upgrading PowerBroker for Windows Client Software

Upgrading PowerBroker for Windows clients is a two-part process that requires the following basic steps:

1. Deploying V6.5 client software to all existing PowerBroker for Windows clients.
2. Restarting each client computer to install the V6.5 client.

Client Software Requirements for V7.0

PowerBroker for Windows client software can be installed on computers running any of the following operating systems:

• Windows Server 2008 R2

• Windows Server 2008

• Windows Server 2012

• Windows 7

• Windows 8

Note: The .NET Framework V3.5 Features must be installed prior to installing PowerBroker for Windows on a client.

Running Client Installer Files

The table identifies V7.0 client installer programs and the components installed by each. Note that separate .msi files exist for the 32-bit and 64-bit computers. The file you run depends on the architecture of the computer on which the client is installed.

Installer .MSI Files: Client installers

• PowerBroker for Windows Client (32Bit) 7.0.2.msi
• PowerBroker for Windows Client (64Bit) 7.0.2.msi

Contains and Installs: PowerBroker for Windows Client

The client contains a security driver that monitors process launch, checks for applicable rules, and modifies the security token when a rule exists. The client also provides client-side extensions used for creating and processing policy, and thereby enables computers to recognize PowerBroker for Windows items in GPOs. The client is normally distributed to desktops using a distribution tool, such as Windows Group Policy.

State Model Data Reset

In the course of the client upgrade, existing V5.x state model data stored on a client computer is deleted.

If you want to preserve V5.x state model data for future reference, back up the client’s registry prior to installing the V6.0 client. The following registry key holds the state model data:

HKEY_LOCAL_MACHINE\Software\BeyondTrust\State\
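One way to take the backup described above, as an added example that is not part of the BeyondTrust guide. It exports the key with the built-in reg.exe export command and confirms the export before the upgrade runs; the function name and the backup folder C:\PBWBackup are assumptions.

```powershell
# Added example: export the V5.x state model key before the new client is installed.
# The key is the one named in this guide; the backup folder is an assumption.
$StateKey = 'HKEY_LOCAL_MACHINE\Software\BeyondTrust\State'

function Backup-StateModelKey {
    param(
        # Assumption: any local folder that only administrators can write to.
        [string]$BackupDir = 'C:\PBWBackup'
    )

    # Nothing to back up if the client never wrote state model data.
    if (-not (Test-Path -Path "Registry::$StateKey")) {
        Write-Warning "$StateKey not found on $env:COMPUTERNAME; nothing to back up."
        return $null
    }

    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    # One file per computer and run, so repeated backups never overwrite each other.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ("{0}_StateModel_{1}.reg" -f $env:COMPUTERNAME, $stamp)

    # reg.exe export writes the key and all of its subkeys to a .reg file.
    & reg.exe export $StateKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe export failed with exit code $LASTEXITCODE"
    }

    # Confirm the export exists and is not empty before the upgrade deletes the key.
    $item = Get-Item -Path $file
    if ($item.Length -eq 0) {
        throw "Export file $file is empty"
    }

    # Record how many subkeys were captured, for comparison if the file is reviewed later.
    $subKeys = @(Get-ChildItem -Path "Registry::$StateKey" -Recurse -ErrorAction SilentlyContinue).Count

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        File     = $item.FullName
        Bytes    = $item.Length
        SubKeys  = $subKeys
    }
}

Backup-StateModelKey
```

Run it from an elevated PowerShell session on each client before the restart that installs the new client.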


Deploying the PowerBroker for Windows V7.0 Client

The best way to install and deploy the client is to use Windows Group Policy using the following procedure.

To deploy the PowerBroker for Windows client, do the following:

1. Download the client installer from the BeyondTrust website.
2. Save the client installer .msi file to an accessible location, such as the Desktop.
3. Click Start, Control Panel, System and Security, Administrative Tools, Group Policy Management to open the Group Policy Management Console (GPMC).

If you have not installed the GPMC, this free tool is available at http://microsoft.com/downloads. You can open the Group Policy Management Editor from Active Directory Users and Computers or from a custom Microsoft Management Console.

4. In the GPMC, click Forest, Domains, [MyDomain], Group Policy Objects.
5. To create a new GPO, right-click Group Policy Objects and select New. Enter a name for the GPO and click OK.

If you prefer, you can add configurations to an existing GPO instead.

6. Right-click the GPO and click Edit to launch the Group Policy Management Editor so that you can configure the settings for the GPO.
7. In the Group Policy Management Editor, click Computer Configuration, Policies, Software Settings.
8. Right-click Software Installation and select New, Package.


9. Select the V7.0 client installer .msi file and click Open.

Tip: Save installer file in an accessible location

The installer .msi file must be hosted in a location (such as a network share) accessible to the SYSTEM account of each computer where the software is to be installed. The path provided must use the following format:

\\MyServer\MyFolder\PowerBroker for Windows Client (64Bit) 7.0.2.msi

10. In the Deploy Software dialog, select Assigned and click OK.

After a brief delay, the details pane of the Group Policy Management Editor displays the name of the software to be installed as shown in the following figure:

If the name does not appear, right-click Software Installation and select Refresh until you see it. To modify installation settings, double-click the item name in the display pane. To remove the item, right-click it and select All Tasks, Remove.

At the next restart of each computer to which the GPO applies, the PowerBroker for Windows client is installed. After the client is installed, the computer will recognize and enforce PowerBroker for Windows V7.0 rules and policies.
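A check for the package path used in step 9, as an added example that is not part of the BeyondTrust guide. A computer's SYSTEM account reaches a network share as the computer's domain account, which belongs to Authenticated Users and Domain Computers, so the function confirms that one of those broad groups can read the file and reports any that can also change it, since the package is installed with SYSTEM rights on every targeted computer. It assumes PowerShell 3.0 or later, reads NTFS permissions only (share-level permissions are not evaluated), and the function name is hypothetical.

```powershell
# Added example: validate a GPO software-installation package path before assigning it.
function Test-PackagePath {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $fsr       = [System.Security.AccessControl.FileSystemRights]
    $readMask  = [int]$fsr::ReadData
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    $result = New-Object PSObject -Property @{
        Path             = $Path
        IsUncMsi         = $false
        Exists           = $false
        ComputersCanRead = $false
        BroadWriteAccess = @()
    }

    # The guide requires the \\Server\Folder\Package.msi form, not a drive letter.
    $result.IsUncMsi = $Path -match '^\\\\[^\\]+\\[^\\]+\\.+\.msi$'
    if (-not $result.IsUncMsi) { return $result }

    $result.Exists = Test-Path -LiteralPath $Path -PathType Leaf
    if (-not $result.Exists) { return $result }

    # Ask for the access rules with identities expressed as SIDs, so the
    # comparison does not depend on localized group names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }

        $sid = $rule.IdentityReference.Value
        # A domain SID ending in -515 is that domain's Domain Computers group.
        $isBroad = ($broad -contains $sid) -or ($sid -match '^S-1-5-21-.+-515$')
        if (-not $isBroad) { continue }

        $rights = [int]$rule.FileSystemRights
        if ($rights -band $readMask)  { $result.ComputersCanRead = $true }
        if ($rights -band $writeMask) { $result.BroadWriteAccess += $sid }
    }

    return $result
}

# Constructed sample path in the format the guide requires; replace it with your own share.
Test-PackagePath -Path '\\MyServer\MyFolder\PowerBroker for Windows Client (64Bit) 7.0.2.msi'
```

A usable package shows IsUncMsi, Exists and ComputersCanRead as True and an empty BroadWriteAccess list.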

Verifying Client Installation

To verify that the client is successfully installed and is running on a computer, do the following:

1. Start a Windows command session on the computer on which you want to verify client installation.
2. In the Windows command session type the following: polmon.exe.


3. The PowerBroker for Windows Policy Monitor program starts and displays the version number of the client at the top of the page.

If the Policy Monitor displays an error, ensure that the computer was restarted after the client was deployed to it.

The following screen illustrates a typical Policy Monitor session. Note items 1 through 3 at the top of the screen. These items indicate that V6.0 of the client is installed and that the policies have been successfully loaded for computers and users. This also indicates that the client is running and functional.


Upgrading the PowerBroker for Windows Snap-in

The following sections provide the software requirements and instructions for running the snap-in installer files.

Snap-in Software Requirements for V7.0

The PowerBroker for Windows snap-in must be installed on computers that are used to edit GPOs. The snap-in can be installed on computers running any of the following operating systems:

• Windows Server 2008 R2

• Windows Server 2008

• Windows Server 2012

• Windows 7

• Windows 8

Note: The .NET Framework V3.5 Features must be installed prior to installing PowerBroker for Windows. If .NET Framework V3.5 Features are installed, they may be listed under Features or Windows features rather than in the list of installed programs.

Running Snap-in Installer Files

The following table identifies the V7.0 snap-in installer packages and the components installed by each. Note that separate .msi packages exist for 32-bit and 64-bit computers. The package you use depends on the architecture of the computer hosting the snap-in.


Installing Auditing and Reporting Components

Download the installer for Auditing and Reporting, and install the console and database.

1. Download the Auditing and Reporting installer file. Browse to http://www.beyondtrust.com.
2. Install and configure BeyondInsight. For more information, refer to the BeyondInsight Installation Guide.


Licensing and Operating Modes

There are two types of PowerBroker for Windows licenses:

• Registered Product - You have purchased software licenses or obtained free evaluation licenses from BeyondTrust or an authorized reseller and have imported a registered license. The product is fully functional and can be used across multiple domains.

• Evaluation Product - You have installed PowerBroker for Windows with a temporary license. The product is fully functional, can be used in multiple domains but has an expiration date encoded in the license.

A 14-day grace period is implemented for license expiration. If the term of the license is exceeded, CSEs will report a warning to the event log while operating within 14 days of the last successful license check. If the grace period is exceeded, the CSEs will not process policy for the GPO and an error will be written to the event log.

Obtaining a License

To request a free temporary license or to purchase a registered license, do one of the following:

• Contact BeyondTrust Sales at http://pm.beyondtrust.com/sales or +1-800-234-9072.

• Contact a BeyondTrust sales representative.

A sales representative will guide you through the submission of a license request file.

Creating a License File Request

To create a license file request, do the following:

1. Click Start, Control Panel, Administrative Tools, Group Policy Management to open the Group Policy Management Console (GPMC).

Tip: If GPMC is not installed

If you have not installed the GPMC (a free tool available at http://microsoft.com/downloads), you can open the Group Policy Management Editor from the Active Directory Users and Computers dialog or from a custom Microsoft Management Console.

2. In the GPMC, click Forest, Domains, <MyDomain>, Group Policy Objects.
3. To create a new GPO, right-click Group Policy Objects and click New. Enter a name for the GPO and click OK.

Alternatively, you can add configurations to an existing GPO.


4. Right-click the GPO and click Edit to open the Group Policy Management Editor, where you configure settings for the GPO.

5. In the Group Policy Management Editor, click User Configuration, Policies, BeyondTrust and select the PowerBroker for Windows node.

6. Right-click the GPO and right-click on the PowerBroker for Windows node and select Licensing.

7. Click the License Request tab.


8. Provide a contact name, select the type of license that you are requesting, enter the name of your company or organization, and (optionally) enter comments.
9. Select the domains to be licensed.
10. In the Registered Domains field, click Add.
11. In the Select Domain dialog, click Browse.
12. Select a domain and click OK.
13. Click Calculate for Users, and then click Calculate for Computers to determine the number of non-disabled users and computers currently in the selected domain.
14. Edit the Users and Computers fields to set quantities appropriate for your organization.
15. Click OK.
16. Repeat these steps for each domain or OU that you want to license.
17. Click Export to generate a license request file.
18. Email your license request file to [email protected]. Your BeyondTrust sales representative (if ordering directly from BeyondTrust) or an authorized reseller will respond to you. After your license request is approved, a license key is sent to the email address you provided.

Importing a License File

After you receive a license, you must import it into PowerBroker for Windows. To import a license key, do the following:


1. After installing PowerBroker for Windows, edit a GPO.
2. In the Group Policy Management Editor, click User Configuration, Policies, BeyondTrust.
3. In the Group Policy Management Editor menu bar, click PowerBroker for Windows, Licensing.
4. On the Local License tab, click Import.
5. Select the PowerBroker for Windows license.xml file that you received from your BeyondTrust sales representative or authorized reseller, and click Open.
6. Click OK.

Note: The license is automatically applied to new GPOs when policy is edited from this computer; however, you must deploy the license to all existing GPOs for it to take effect in those GPOs.

Tip: Manually importing a license

To manually import a license rather than using the previous procedure, copy the license.xml file to:

%AllUsersProfile%\Application Data\BeyondTrust\PowerBroker Desktops

On a Windows version prior to Windows Vista, %AllUsersProfile% points to:

C:\Documents and Settings\All Users

On Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, %AllUsersProfile% points to:

C:\ProgramData

Note: The license is automatically applied to new GPOs when edited from this computer. However, you must deploy the license to all existing GPOs for it to take effect in those GPOs.


Deploying a License to Existing GPOs

To apply a new license to existing GPOs, deploy the license to each GPO as follows:

1. In the Group Policy Management Console (GPMC), edit a GPO.
2. In the Group Policy Management Editor, click User Configuration, Policies, BeyondTrust.
3. In the menu bar, click PowerBroker for Windows, Licensing.
4. Click the GPO License tab and then the Deploy button to deploy the new license to this GPO.

Note: The Deploy button displays only if you have imported a valid license on the local computer.

5. Repeat for each GPO that contains BeyondTrust settings.

Frequently Asked Licensing Questions

This section can help you to determine how many licenses you require.

Do I need a license to process PowerBroker for Windows rules and policy settings?

A license is not required to use basic rules and policy settings provided with PowerBroker for Windows. A license is required to create and use custom rules and policy settings of your own creation.

Do I need user licenses?

User licenses are required to configure PowerBroker for Windows items under the User Configuration node in the Group Policy Management Editor. A user configuration item is processed when the user logs in and Windows policy is refreshed (but only if the user is logged in).

Which containers (domains) should I license?

License the domain or container at the highest level in which all objects in the container and all subcontainers can be configured by PowerBroker for Windows. For the network shown in the following example diagram where you want to apply policy rules only to the Eng, MIS, and Finance departments, you must license the CA and Finance organizational units (OUs).


How many licenses do I need?

A license is required for all active computer and/or user objects in the licensed domain. In the network shown in the previous diagram, if a GPO containing PowerBroker for Windows items is to be applied to the TX subdomain, a license is required for all active objects in the TX, Mktg, Sales, and HR subcontainers.

Are objects in subcontainers counted towards licensed totals?

Yes, all active objects in the licensed domain are counted in the license total.
