June 10, 2013
User Guide
Release 4.5.1
Revision/Update Information: June 10, 2013
Software Version: Retina CS 4.5.1
Revision Number: 1
COPYRIGHTNOTICE
Copyright © 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is
also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”) or
BeyondTrust’s authorized remarketer, if and when applicable.
TRADE SECRETNOTICE
This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the
proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and
may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when
applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying,
modification and use.
DISCLAIMER
BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than, any limited warranties expressly
provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED,
INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A
PARTICULAR PURPOSE.
LIMITED RIGHTS FARS NOTICE (If Applicable)
If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This
software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation
that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture,
duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))
LIMITED RIGHTS DFARS NOTICE (If Applicable)
If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to
limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.227-
7013.
TRADEMARK NOTICES
PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage,
PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Virtualization,
PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker
Identity Services are trademarks of BeyondTrust.
Retina, Retina® CS, Iris, Blink, Retina® Web, and REM are registered trademarks of BeyondTrust. SecureIIS and Enterprise Update
Server are trademarks of BeyondTrust.
Windows® is a registered trademark of Microsoft Corporation
FICTITIOUS USE OFNAMES
All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead is entirely
coincidental.
Retina CS User Guide
BeyondTrust® June 10, 2013 2
Contents
I. Retina CS Management Console i
Retina CS Overview 1
Retina CS Architectural Overview 2
Retina CS Components 3
Retina Network Security Scanner (RNSS agent) 3
Retina Protection Agent (RP agent) 3
eEye Manager Service 3
AppBus (Application Bus) 3
Events Client 3
Central Policy Server 4
Enterprise Update Server 4
Third Party Patch Service 4
Scheduling Service 4
Shared Services Engine 4
How a Scan Works 5
How Job Scheduling Works 6
Access Retina CS 8
Access the Client Portal 9
Retina CS Tools 10
Overview 11
Working with Smart Rules 11
Understanding Smart Rule Filters 12
Smart Rule Filters 13
Predefined Smart Groups 14
Creating an Asset Smart Rule 16
Creating a Vulnerabilities Smart Rule 17
Cloning a Smart Rule 19
Marking a Smart Group as Inactive 20
Creating an Address Group 20
Creating a Smart Rule based on an Address Group 22
Creating an Active Directory Query 22
Working with Attributes 23
Working with Tickets 25
Creating a Ticket 25
Managing Ticket Details 26
Marking a Ticket as Inactive 27
Tracking Open Tickets Using a Smart Rule 27
Reports and Scan Templates 30
Running a Report on Existing Scan Data 31
Creating Scheduled Reports 32
Viewing Scheduled Reports in the Calendar View 32
Reviewing Report Results 33
Creating a Report 34
Creating a Report Category 34
Viewing and Downloading Reports 35
Managing Report Templates 36
Setting Report Output Options 36
Configuring Scan Settings 38
Working with Audit Groups 41
Working with Port Groups 42
Creating a Custom Audit 43
Report Templates and Audit Groups 46
Report Templates 46
Audit Groups 54
Regulatory Reporting Pack Audit Groups 54
Asset Management 55
Interpreting Scan Results on the Dashboard 56
Reviewing Asset Details 57
Risk Scores 57
Changing Asset Properties 58
Changing the Display 58
Setting Display Preferences 59
Filtering Records 60
Managing Jobs 61
Reviewing Job Details 61
Reviewing Scheduled Job Details 62
Viewing Scheduled Scans in the Calendar View 63
Viewing Scan Event Details 64
Aborting or Pausing a Job 64
Changing Job Page Settings 65
Mobility Scanning 67
Overview 67
Configuring a BlackBerry Connector 67
Configuring an Android Connector 69
Deploying the Application to Android Devices 70
Configuring Settings on Android Devices 70
Configuring an ActiveSync Connector 71
Reviewing Mobility Scan Results 72
Creating Custom Audits for Mobile Devices 72
Cloud Scanning 74
Requirements 74
Amazon EC2 Requirements 74
VMWare VCenter Requirements 74
Configuring a Cloud Connector 75
Scanning Paused or Offline VMWare Images 76
Multi Tenant 78
Overview 78
Smart Rules Manager and Browser Pane 79
Working with Scan Credentials 79
Quick Rules 80
Organization Filters 80
Patch Management Module 80
Mobility Connectors 81
Retina Protection Agents 81
Setting Up Organizations 82
Step 1 Creating a Workgroup 82
Step 2 Adding an Organization 83
Step 3 Creating a User Group for a Tenant 84
Managing Users 85
Creating User Groups 85
User Group Permissions 87
Access Levels 90
Permissions Required for Configuration Options 90
Creating User Accounts 91
Reset Retina CS Account Password 92
Auditing Retina CS Users 92
Adding Credentials 93
Creating an SSH Credential 93
Creating Oracle Credentials 94
Adding Credentials for Active Directory Access 95
Setting Retina CS Options 96
Account Lockout Options 96
Account Password Options 97
Auto Update Options 97
Display Options 98
Email Notifications 98
Maintenance Options 98
Proxy Settings 100
Refresh Settings 100
Maintenance 102
Viewing Status for Scanners and Agents 102
Determining if a Retina Agent is Available 102
Removing Retina Agent Files 103
Configuring a Failover Agent 104
Creating a Support Package 104
Diagnostics 106
Monitoring Services 106
II. BeyondTrust Modules 108
Retina Scanner Agents 109
Discovery Scanning 110
Running a Discovery Scan 110
Discovering Assets Using a Smart Group 111
Discovering Assets Manually 111
Running a Vulnerability Scan 112
Reviewing Vulnerability Scan Results 115
Creating a Quick Rule 116
Excluding Vulnerabilities 117
Malware Toolkit Vulnerabilities 118
Remediating Vulnerabilities 119
Setting CVSS Metrics 119
Setting CVSS Environmental Metrics 120
Setting Base and Temporal Metrics 120
Reviewing Asset Risks on the Network Map 122
Configuring Retina Agent Scan Options 123
Performance Settings 123
Timeout Values 123
Event Routing 124
Setting Restrictions on Scan Times 125
Configuring General Scan Options 125
Scanner Pooling 127
PowerBroker for Windows 129
Overview 129
Creating a Smart Group 130
Creating PowerBroker Rules 131
Including Arguments in a Rule 133
Marking Events to Exclude 133
Deploying and Managing Policies Using Retina CS 134
Deploying Policies 135
Reviewing Policies 135
Session Monitoring 135
Viewing Events on the Session Viewer 136
Saving Session Data 138
Patch Management Module 139
Overview 140
How Patching with WSUS Works 140
How a Patch Deployment Works 141
Connecting to a WSUS Server 143
Requirements 143
Adding a Connection 144
Connecting to a Downstream Server 145
Installing the WSUS Administration Console 145
Registering Smart Rules 146
Redeploying Configuration 148
Approving Patch Updates 148
Reviewing Patch Details 150
Deleting Patches 151
Third-Party Patching 151
Generating a Certificate 152
Subscribing to Vendor Patch Updates 152
List of Supported Vendors 154
System Center Configuration Manager 155
Overview 155
Requirements 155
Creating a Connection to a SCCM Site Server 155
Deploying a Package to a Collection 156
SCCM and 3rd Party Patching 157
Using Group Policy to Configure SCCM Assets for 3rd Party Patches 158
Retina Protection Agents 161
Overview 162
How RP Agent Deployments Work 162
Downloading Retina Protection Agents 163
Configuring a Default Policy 163
Preparing Target Assets 164
Using the 3rd Party Deployment Tool 165
Updating RPA Licenses 166
Deploying the Protection Policies 166
Storing Retina Protection Agent Serial Numbers 167
Reviewing Details about Protection Agents 168
Removing Protection Agents 169
Configuring Protection Policies 170
Working with Rules and Rule Groups 170
Creating a Rule Group and Setting Rules 171
Creating a Protection Policy 172
Creating a Dynamic Policy 172
Organizing Your Policies 176
Rules Reference 177
System Wide Firewall Rules 177
Application Firewall Rules 179
IPS Signature Rules 181
Trusted and Banned IPs 184
Registry Protection Rules 185
Execution Protection Rules 186
File Integrity Rules 188
Windows Events Rules 193
Source Names 193
Trusted List Options 195
Miscellaneous Options 195
PowerBroker Servers for Unix & Linux 197
Overview 197
Retina CS and PowerBroker Servers Architecture 197
Managing PowerBroker Servers Events 199
Creating a Smart Group 199
Using pbreplay to Play the Logged Events 199
Searching the I/O Logs 200
Search Parameters 201
PasswordSafe 207
Overview 207
Configuring PasswordSafe 207
Creating a Connection to Your Appliance 208
Creating User Groups 208
Adding a Managed System 210
Managing Passwords 212
Requesting a Password 212
Approving a Password 214
Retrieving a Password 215
Regulatory Reports Pack 216
Compliance Scans 217
Healthcare Pack Compliance Scans 217
Finance Pack Compliance Scans 217
Government Pack Compliance Scans 217
Running a Compliance Scan 218
Reviewing Compliance Scan Results 219
Configuration Compliance Pack 220
Setting Permissions for Configuration Compliance 220
Managing Benchmarks 221
Importing Benchmarks 221
Setting OVAL Tests Option 222
Appendix A: Preparing Your Database Application for Scans 223
Preparing Your MySQL Database 223
Appendix B: BMC Remedy 224
Creating a Connector to your BMC Remedy Server 224
Creating a Smart Group 226
Exporting the Data 226
I. Retina CS Management Console
Retina CS Overview
Retina CS Tools
Reports and Scan Templates
Asset Management
Mobility Scanning
Cloud Scanning
Multi Tenant
Managing Users
Setting Retina CS Options
Maintenance
Retina CS Overview
In this section,
Retina CS Architectural Overview
Retina CS Components
How a Scan Works
How Job Scheduling Works
Accessing Retina CS
Retina CS Architectural Overview
Retina CS architecture follows a top-down, tiered approach to compliance
and security management throughout your organization.
Retina Network Security Scanners run vulnerability assessments, and Retina
Protection Agents can perform endpoint host security. All communication
between agents and Retina CS is encrypted and stored in a SQL Server
database.
Multiple Retina CS Servers can replicate data to produce a tiered architecture
and all management control and results are available through an Internet-
enabled application.
Retina CS Architecture
Retina CS Components
This section provides information on each of the components that Retina CS
relies on in running scans, protecting assets, etc.
Retina Network Security Scanner (RNSS agent)
The Retina Network Security Scanner is the scan engine responsible for
scanning the assets in your environment. The RNSS agent receives
instructions from the Central Policy service.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
Retina Protection Agent (RP agent)
The Retina Protection agent is the agent designed to protect your assets. It
provides layers of protection, including: virus and spyware protection,
firewall, intrusion prevention, system protection, and vulnerability assessment.
A security certificate is required by the Events Client to communicate with
the agent. This certificate can be created during the Retina CS installation.
eEye Manager Service
This component is the Retina CS web interface.
The eEye Manager Service also acts as a background service that gathers
information from the Events Client (which retrieves information from the
agents). The events are then encrypted and sent to the database.
AppBus (Application Bus)
Provides communications between BeyondTrust components and receives
events to insert in the Retina CS database. This function can also be done by
a dedicated Event Server for scalability.
Events Client
The Events Client is responsible for forwarding information gathered by the
RNSS agent and RP agent.
The Events Client sends the information to the eEye Manager Service. The
Events Client is installed when an RNSS agent or RP agent is installed.
Events Client Certificate
Generate security certificates to ensure secure transmission of data between
clients and Retina CS. Use the Retina CS Configuration Tool to generate
certificates. For more information, refer to the Retina CS Installation Guide.
Central Policy Server
Central Policy is a service that sends RNSS agents and RP agents their
settings. Central Policy is the component responsible for sending the agents
job information.
For example, the RNSS agent needs to know the targets and the audits to
run against those targets. This information is selected in the Retina CS
management console. When the scan starts, Central Policy sends the job
information to the agent.
The same applies to RP agent policies. Central Policy needs to know which
protection policy to push out to the selected protected assets. Policies are
defined in the Retina CS management console, and when the policy is
deployed, Central Policy sends the job information to the RP agent to apply
to the target asset.
Enterprise Update Server
Using the Enterprise Update Server, you can centrally manage updates for
your BeyondTrust applications, receive updates automatically or manually
and distribute updates to client systems on your network.
You can schedule automatic updates to ensure that your assets are protected
by the latest vulnerability audits.
Third Party Patch Service
Gathers third party patches and makes them available for distribution using
WSUS.
Scheduling Service
Responsible for contacting the Update server and downloading the latest
product updates and audit updates.
Shared Services Engine
Receives Retina Protection agent deployment details from the AppBus and
sends those details to the assets where the RP agent is being deployed.
How a Scan Works
This section provides the communication workflow between Retina CS and
the agents.
For a list of ports that Retina CS uses, see Ports Used by Retina CS.
1. Create the scan job in Retina CS Management Console. The scan job
includes details such as the IP addresses to be targeted, scan
template, and scheduling information.
2. The Central Policy service notifies the RNSS agent with the
instructions for the scan job.
3. The RNSS agent goes out to the assets as provided in the scan job
details and gathers the data based on the selected scan template.
4. Gathered information from the RNSS agent is passed through the
Events Client to the Retina CS Event Server. The data sent is in
.mmf format.
5. The Retina CS Event Server passes the information to the SQL
Server. The gathered info is normalized.
Ports Used by Retina CS
Function | Components | Port
Database connectivity | CS to SQL Server, Retina Insight to SQL Server | 1433
Event Client | RNSS and RPA to Retina CS | 21690
RPA Central Policy | Endpoint to Retina CS | Version 1 – 2000; Version 2 – 443
RNSS Central Policy | RNSS to Retina CS | Version 1 – 10001; Version 2 – 443
Update Servers | SyncIt or EUS to BeyondTrust | 443 or 80
Client Browser | User to Retina CS or Retina Insight | 443 or 80
PowerBroker Mobile | Connector to PBM | 443
Android Mobile Connector | Android agents to Retina CS | 21691
Retina CS replication | CS to CS for Enterprise tiering | 21692
How Job Scheduling Works
The following job scheduling overview assumes multiple scanners are used.
1. Create a Smart Rule, which includes setting:
– List of scanners
– Choosing the asset distribution algorithm
– Choosing the targets
2. Targets are determined by:
– Assets that are in the database (assets are already discovered).
Assets will be discovered if the following are included in the Smart
Rule:
– Address groups
– Cloud assets
– LDAP queries
3. The asset distribution algorithm assigns scanners to assets.
For round robin assignments, targets are assigned first if their IP
address is known. Then targets are assigned to scanners by the name
of the target if it is known.
After this assignment occurs, scanners are always associated with
assigned assets.
4. Two .xml files are sent to the Retina scanner agent:
– a file that contains job scheduling information
– a file that lists the targets assigned to the scanner
Round robin assignment
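To make the assignment order concrete, the following is an added example (not Retina CS code) that applies the round robin rule described above to a constructed target list: targets with a known IP address are assigned first, then targets known only by name, and assignments from an earlier run are kept so a scanner stays associated with its assets. The Target fields, scanner names and XML element names are assumptions for illustration; the layout of the files Retina CS actually sends to a scanner is not documented here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample data. The Target fields, scanner names and the XML
# element names below are assumptions for illustration; they are not the
# schema of the files Retina CS sends to a scanner.


@dataclass(frozen=True)
class Target:
    name: Optional[str]   # host name, if known
    ip: Optional[str]     # IP address, if known


def distribute_round_robin(
    targets: List[Target],
    scanners: List[str],
    existing: Optional[Dict[str, str]] = None,
) -> Dict[str, str]:
    """Assign each target to one scanner in round robin order.

    Follows the ordering the guide describes: targets with a known IP
    address are assigned first, then targets known only by name. A target
    with neither cannot be addressed and is skipped. Assignments passed in
    `existing` are kept unchanged, so a scanner stays associated with the
    assets it was given on an earlier run.
    """
    if not scanners:
        raise ValueError("at least one scanner is required")
    assignments: Dict[str, str] = dict(existing or {})
    ordered = [t for t in targets if t.ip] + [t for t in targets if not t.ip and t.name]
    # Continue the rotation where the previous run left off.
    position = len(assignments)
    for target in ordered:
        key = target.ip or target.name
        if key in assignments:
            continue
        assignments[key] = scanners[position % len(scanners)]
        position += 1
    return assignments


def targets_for_scanner(assignments: Dict[str, str], scanner: str) -> List[str]:
    """Return the targets (IP or name) assigned to one scanner, in assignment order."""
    return [key for key, owner in assignments.items() if owner == scanner]


def target_list_xml(assignments: Dict[str, str], scanner: str) -> str:
    """Render the per-scanner target list as XML (illustrative layout, not Retina CS's)."""
    root = ET.Element("Targets", scanner=scanner)
    for key in targets_for_scanner(assignments, scanner):
        ET.SubElement(root, "Target").text = key
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed inventory: three hosts with IPs, one known only by name,
    # one with no usable address at all.
    sample = [
        Target("web01", "10.0.0.5"),
        Target("db01", "10.0.0.9"),
        Target("lap-02", None),
        Target("fs01", "10.0.0.12"),
        Target(None, None),
    ]
    first = distribute_round_robin(sample, ["scanner-a", "scanner-b"])
    for scanner in ("scanner-a", "scanner-b"):
        print(target_list_xml(first, scanner))
```

Running it shows why the "scanners are always associated with assigned assets" point matters: a second call with the first run's result passed as `existing` only places the new targets, so adding one host never reshuffles the others onto a different scanner.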
Access Retina CS
When working in Retina CS, note that times displayed match the web
browser on the local computer (unless stated otherwise).
To log on to Retina CS:
1. Select Start > All Programs > eEye Digital Security > Retina CS >
Retina CS.
You can also log on to Retina CS using the URL provided to you by your
Security Administrator.
2. Enter your username and password.
The default username is Administrator and the password is the
Administrator Password you set in the Retina CS Configuration wizard.
3. Click Login.
If you forget your password, click Forgot your Password? Enter your
username to have a new password sent to your registered email address.
Access the Client Portal
You can access product downloads, license keys, product documentation,
and technical support, including knowledge base articles, using the client
portal. You will need the username and password provided in your product
confirmation email.
To access the client portal:
1. Using your web browser, log on to www.eEye.com/clients. The Client
Portal is displayed.
2. Type your username and password from your product confirmation
email, then click Sign In.
3. Select from one of the following options:
– Product Downloads. You can access and download the most
current versions of your licensed software.
– Product Licensing. You can access and manage your product
licenses.
– Documentation. You can access documentation for each product as
well as additional guides, technical bulletins and knowledge base
articles, as needed. Typically the documentation set consists of
Installation Guides, User’s Guides and online help systems.
– Technical Support. You can access knowledge base articles,
support request forms and release notes. In addition, you can view
and update your support tickets.
Retina CS Tools
In this section,
Overview
Working with Smart Rules
Understanding Smart Rule Filters
Predefined Smart Groups
Creating an Asset Smart Rule
Creating a Vulnerability Smart Rule
Cloning a Smart Rule
Marking a Smart Group as Inactive
Creating an Address Group
Creating an Always Address Group
Creating a Smart Group Based on an Address Group
Creating an Active Directory Query
Working with Attributes
Working with Tickets
Creating a Ticket
Managing Ticket Details
Marking a Ticket as Inactive
Tracking Open Tickets Using a Smart Rule
Overview
Retina CS provides a set of tools to help you organize assets for scanning.
Depending on the number of assets that you want to scan, or the critical
nature of some of your assets, consider organizing the assets using address
groups or Active Directory queries which can be part of a Smart Rule.
The following list provides examples on ways you can use these tools:
l Create an IP address group that organizes assets by a range of IP
addresses, including CIDR notation and named hosts.
l Use an Active Directory query that will organize assets by organizational
unit. Create a Smart Rule and use the query as your asset selection
criteria.
l Change the properties for assets (after a scan runs), then use the
attributes as the selection criteria in the Smart Rule. For more
information, see Changing Asset Properties.
Scans can return a lot of information. To help you review scan results, you
can create filters and set preferences on the Assets page to easily review scan
results. For more information, see Changing the Display.
Working with Smart Rules
A Smart Rule is a filter that you can use to organize assets. You can organize
the assets using one of the following Smart Rule types:
• Asset Smart Groups – Organizes the assets based on the filters selected.
• Vulnerability Smart Groups – Organizes the vulnerabilities based on the
vulnerabilities filter selected.
The user must be a member of the Administrators group, or be granted the
Asset Management permission to work with Smart Rules.
Note: When a non-administrator user creates a Smart Group, that Smart
Group will automatically be associated with:
– Read permissions to all user groups that the user is a member of.
– Write permissions to all user groups the user is a member of and
also has the Asset Management permission. The Asset
Management permission allows the user to create a Smart Rule.
Use a Smart Rule to register assets as Smart Groups to:
• Run vulnerability scans against
• Apply protection policies to
• Register for Patch updates
• Monitor and view
A Smart Rule updates results automatically, ensuring that assets that match
the criteria in the rule are current.
For example, a simple filter on assets might be finding all assets in the
domain EMEA, as shown:
If an asset can no longer be contacted or no longer meets the criteria in the
rule, the rule dynamically updates. At any time when you select the Smart
Rule for a scan (for example), you can be sure the list of assets is current.
Understanding Smart Rule Filters
There are many filters available to you to create Smart Rules. For example,
you can filter on such properties as Asset fields, Installed Software,
Assigned Attributes, or Operating System.
You can create address groups or an Active Directory query to use as filters.
You can create these filters in the Smart Rule Manager or from the Configure
tab. For more information, see Creating an Address Group and Creating an
Active Directory Query.
You can use more than one filter to refine or extend the scope of assets in
the Smart Rule. Filters can be joined with 'and' (Match All Criteria) or 'or'
(Match Any Criteria) conditions.
• If you select Match All Criteria, then every indented filter under it must
be true for an asset to be included.
• If you select Match Any Criteria, then only one of the indented filter
items under it must be true for an asset to be included.
The following filter example will include all assets in the EMEA domain that
are either servers or workstations.
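The address group entries mentioned in the Overview (IP ranges, CIDR notation and named hosts) and the Match All / Match Any nesting described above can be modelled as a small tree of composable filters. The following is an added example, not code from Retina CS: it builds the "EMEA domain, server or workstation" rule from such filters, evaluates it over a constructed inventory, and also shows the Operating System filter's option to include assets with no detected OS. The asset field names and sample assets are assumptions, not the Retina CS schema.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

Asset = Dict[str, Optional[str]]
Filter = Callable[[Asset], bool]

# Constructed sample inventory. The field names (name, ip, domain, kind, os)
# are assumptions for illustration, not the Retina CS asset schema.
ASSETS: List[Asset] = [
    {"name": "web01", "ip": "10.1.0.10", "domain": "EMEA", "kind": "Server", "os": "Windows Server 2008"},
    {"name": "ws-paris-07", "ip": "10.1.5.23", "domain": "EMEA", "kind": "Workstation", "os": "Windows 7"},
    {"name": "core-rtr", "ip": "10.1.0.1", "domain": "EMEA", "kind": "Router", "os": None},
    {"name": "db02", "ip": "10.2.0.15", "domain": "APAC", "kind": "Server", "os": "Windows Server 2008"},
]


class AddressGroup:
    """An address group: single IPs, CIDR blocks and named hosts, as the guide allows."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.networks = []
        self.hosts = set()
        for entry in entries:
            try:
                # Accepts "10.1.0.0/24" as well as a bare "10.2.0.15" (treated as a /32).
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Anything that is not an address or CIDR block is treated as a named host.
                self.hosts.add(entry.lower())

    def contains(self, asset: Asset) -> bool:
        name = asset.get("name")
        if name and name.lower() in self.hosts:
            return True
        ip = asset.get("ip")
        if not ip:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


# Filter builders, one per filter type from the guide's table.

def field_is(field: str, value: str) -> Filter:
    """Asset Fields filter: exact match on one asset field."""
    return lambda asset: asset.get(field) == value


def in_address_group(group: AddressGroup) -> Filter:
    """Address Group filter."""
    return group.contains


def os_is(value: str, include_no_os: bool = False) -> Filter:
    """Operating System filter; assets with no detected OS can be included or excluded."""
    return lambda asset: asset.get("os") == value or (include_no_os and asset.get("os") is None)


def match_all(*filters: Filter) -> Filter:
    """Match All Criteria: every indented filter must be true."""
    return lambda asset: all(f(asset) for f in filters)


def match_any(*filters: Filter) -> Filter:
    """Match Any Criteria: at least one indented filter must be true."""
    return lambda asset: any(f(asset) for f in filters)


def evaluate(rule: Filter, assets: Iterable[Asset]) -> List[str]:
    """Re-evaluate a rule over the current inventory and return the matching asset names."""
    return [asset["name"] for asset in assets if rule(asset)]


# The guide's example: all assets in the EMEA domain that are either servers or workstations.
EMEA_SERVERS_AND_WORKSTATIONS: Filter = match_all(
    field_is("domain", "EMEA"),
    match_any(field_is("kind", "Server"), field_is("kind", "Workstation")),
)

if __name__ == "__main__":
    print(evaluate(EMEA_SERVERS_AND_WORKSTATIONS, ASSETS))
    paris_site = AddressGroup(["10.1.0.0/24", "ws-paris-07"])
    print(evaluate(in_address_group(paris_site), ASSETS))
```

Because `evaluate` runs the rule against whatever inventory it is given, re-running it after assets are added or dropped yields the current membership, which is the dynamic behaviour the guide attributes to Smart Rules.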
Smart Rule Filters
Review the following tables for more information about available Smart Rule
filters.
Table 1. Asset Smart Rule Filters
Active Directory Query | Create an LDAP query to include or exclude assets in the selected domain. For more information, see Creating an Active Directory Query.
Address Group | Create a group of IP addresses. For more information, see Creating an Address Group.
Asset Fields | Group the Smart Group by asset fields, such as asset name, device ID, domain or DNS, risk, and kind. You can include more than one asset field filter in the Smart Rule to refine the results.
Assets with Open Tickets | For ticket tracking, create a Smart Rule that filters on open tickets. The Smart Rule filter can be set to include overdue tickets.
Assigned Attributes | Create a filter based on an attribute. If the attribute is unassigned on a particular asset, you can choose to include or exclude the asset from the rule.
Attacks | Filter assets based on attack. Select attacks from a list, or filter on attack name or ID.
Child Smart Rule | You can reuse a Smart Rule to save time when creating new Smart Rules. This is especially useful if the Smart Rule is a complicated set of filters. Reusing a Smart Rule further refines the assets that will be a part of the Smart Group.
Cloud Assets | Filter assets on the cloud connector.
Installed Software | Filter on any combination of installed software.
MAC Address | Filter by MAC address of assets.
Malware | Filter assets based on malware. Select malware from a list, or filter on malware name or ID.
Operating System | Filter on any combination of OS. Operating systems included in the list are those detected in your network. Assets with no OS detected can be included or excluded from the rule.
Ports | Filter by port group. Assets with open ports in the port group can be included or excluded from the rule.
Processes | Filter on any combination of processes.
Protection Agents | Filter by protection agents.
Services | Filter by any combination of service.
Vulnerabilities | Filter by vulnerability, CVSS score or vector, or PCI severity.
Vulnerability Scanners | Filter by Retina scan agent. Can filter for responsive or unresponsive scan agents.
Windows Events | Filter by Windows events that are available in the Windows Event Viewer (for example, Application, Security, or System).
Workgroup | Filter by workgroup.
Table 2. Vulnerabilities Smart Rule Filters
Child Smart Rule | Filter the vulnerabilities by child Smart Rules.
Vulnerability fields | Filter by the name of the vulnerability.
Vulnerability has mitigation patch | Filter by patch updates that are available to remediate the vulnerability.
Vulnerability in audit group | Filter by audit group. For example, All Audits, Zero Day, or any of the compliance audit groups available.
Vulnerability severity | Filter by severity level: low, information, medium, high.
Zero day vulnerabilities | Filter on zero day vulnerabilities. Include or exclude the vulnerabilities from the Smart Group.
Predefined Smart Groups
By default there are Smart Groups already defined and created.
Predefined Smart Groups cannot be changed or deleted. However,
predefined Smart Groups can be marked as inactive (except for the All
Assets Smart Group) to improve performance on large databases. For more
information, see Marking a Smart Group as Inactive.
The predefined Smart Groups are displayed in the Smart Groups browser
pane and are organized in the following categories.
Table 3. Predefined Smart Groups for Assets
Agents and Scanners | Detects assets where protection agents and Retina scanners are deployed.
Assets and Devices | Includes default Smart Groups for all assets and all assets labeled as workstations.
Intelligent Alerts | Includes Smart Groups that detect assets added since yesterday, and mobile assets with critical vulnerabilities. Intelligent Alerts are inactive by default.
Servers | Includes Smart Groups that detect assets that are mail servers, web servers, database servers, domain controllers, and SCADA. Only the Web Servers Smart Group is marked as active.
Virtualized Devices | Includes Smart Groups for virtual environments, including Microsoft Hyper-V and Parallels. Assets detected as virtual environments are part of these Smart Groups. This default category also includes two Smart Groups, Virtual Servers and Virtual Workstations. Assets that are servers or workstations might not be detected, and therefore not included in the Smart Group. For example, the asset might be a router or unknown and will not be part of the Smart Group.
Table 4. Predefined Smart Groups for Vulnerabilities
All Vulnerabilities | Includes all assets where there are vulnerabilities detected.
Zero Day Vulnerabilities | Includes all assets where zero day vulnerabilities are detected.
Creating an Asset Smart Rule
You can configure an asset Smart Rule to:
• Create Smart Groups
• Send email alerts with a list of assets
• Set attributes on assets
• Create a ticket with a list of assets
• Enable for Patch management
• Set environmental metrics for CVSS scoring
• Set scanner pooling
To create a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
The Smart Rules Manager displays existing Smart Rules.
3. Select Asset based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always
available for processing when Active is selected. Clear the check box so
the rule is not processed.
7. Enter a category name or select a category from the list. Use categories
to organize your Smart Rules in the Smart Groups browser pane.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the
following:
– Show asset as Smart Group - When selected, the rule is displayed
in the Smart Groups pane as a Smart Group. You can select the
Smart Group to filter the list of assets in the Smart Groups pane.
You can also select the default view to display on the Assets page
when the Smart Group is selected.
Smart Groups are also used for running scans, applying protection
policies, and registering for patch updates.
– Send an email with a list of assets - Select and enter the email
addresses for notification when the rule criteria are matched.
Emails are only sent if the list of assets that match the rule has
changed since the last time the rule was processed.
– Set attributes on each asset - Select the attribute type from the list
and then select the attribute.
– Create Ticket - Select ticket parameters, including ticket
assignment, severity, and email alert. For more information, see
Creating a Ticket.
– Enable for Patch Management - Select to create a Smart Group
for managing patch updates to assets. For more information, see
Registering Smart Rules.
– Set Environmental CVSS Metrics - Select environmental metrics
for CVSS. For more information, see Setting CVSS Metrics.
– Set Scanner Properties - Select one or more Retina scanner agents
to lock to the Smart Group. See Scanner Pooling.
– Export Data - Select to manage a Smart Group for the BMC
Remedy connector.
– Mark each asset inactive - Assets detected as inactive will no
longer be displayed on the Assets page or in reports.
– Deploy PBW Policy – Select to deploy PowerBroker for Windows
policies to the assets that match the criteria selected in the Smart
Rule.
10. Click Save.
Creating a Vulnerabilities Smart Rule
You can configure a vulnerabilities Smart Rule to:
• Manage vulnerabilities
• Use as filters in grids and reports
To create a vulnerabilities Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
The Smart Rules Manager displays existing Smart Rules.
3. Select Vulnerability based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always
available for processing when Active is selected. Clear the check box so
the rule is not processed.
7. Enter a category name or select a category from the list. Use categories
to organize your Smart Rules in the Smart Rules Manager.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the
following:
– Show vulnerability as Smart Group – When selected, the rule is
displayed on the Vulnerabilities page as a filter for the list of assets
selected in the Smart Groups browser pane.
– Create vulnerability audit group – To create a read-only audit
group.
10. Click Save.
Cloning a Smart Rule
You can clone your custom Smart Rules or the predefined Smart Rules.
An example scenario: you created a Smart Rule where the 'discover assets'
option is selected and you run the rule once a month. You can clone the
Smart Rule, turn off 'discover assets', and configure the new Smart Rule to
run more frequently. This saves you time in recreating the filters in the
initial Smart Rule.
To clone a Smart Rule:
1. Select the Assets tab.
2. Click Manage Smart Rules.
Select the Smart Rule, and then click the clone icon.
If you are using the Multi Tenant feature, select the organization from
the list, and then click OK.
3. On the Smart Rules Manager page, edit the Smart Rule filters as needed.
4. Click Save.
The Smart Rule is active only after you click Save.
Marking a Smart Group as Inactive
You cannot delete predefined Smart Groups. However, if you have a lot of
Smart Groups, you can save on processing time if you mark unused Smart
Groups as inactive.
An inactive Smart Group is no longer displayed in the Smart Group browser
pane (until marked active again).
Creating an Address Group
Not supported in Retina CS Community.
Create an address group then use the address group as an IP address filter
when creating a Smart Rule.
An address group can contain included or excluded IP addresses. IP
addresses are entered as an IP range, named host, or as a CIDR block.
To work with address groups, the Retina CS user must be a member of the
Administrators group, or be assigned the Asset Management permission. See
Creating User Groups.
Creating an Always Address Group
You can create an address group and name it Always. The Retina scanner
agent is designed to recognize this address group name and includes the
group in every scan (regardless of whether the group is selected in the scan
job). The address group can include and exclude IP addresses.
The next time a scan runs, the address group is synchronized with the Retina
scanner agent. The IP addresses, whether included or omitted, are considered
part of the scan that is running.
For example, the Always address group is configured with the following:
10.10.10.60 and buffett-laptop (omitted). A scan tries to scan 10.10.10.50
and buffett-laptop. The results:
• 10.10.10.60 is included in the scan since that IP address is added to the
Always address group
• buffett-laptop is excluded from the scan since that asset is explicitly
omitted in the Always address group
• 10.10.10.50 is scanned as usual
Note that if an asset was scanned and then later added to the Always address
group as Omit, the asset is not scanned but might still be displayed in the
report. This only occurs with some reports.
To create an address group:
1. Click the Configure tab, and then click Address Groups.
2. Click + in the Address Group pane.
3. Enter a name for the address group.
4. Select the address group and then click + in the Type/Entry pane.
5. To create an Address Group filter:
– Click New to open the New Address Group dialog box. Enter IP
addresses to include or exclude, and then click Save.
To exclude IP addresses, enter the IP addresses, and then select the
Omit this entry check box.
– Click Import to import a .txt file with a list of IP addresses to
include and exclude. The list depends on your particular needs. The
list can include all IP addresses to exclude if that is how you want to
create your filter.
To exclude IP addresses, use the format: 192.x.x.x (1)
The following shows an example of how a CIDR block, an excluded
IP address, and excluded named hosts are displayed after importing:
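The following is an added example, not Retina CS code, that models two things described above: the import file format for an address group (the guide's exclusion format is "192.x.x.x (1)") and the way the Always address group is applied to a scan (included entries are scanned even when not requested, omitted entries are not scanned even when requested, everything else is scanned as usual). The assumptions are this example's own: one entry per line, a trailing "(1)" marks an omitted entry, an entry is a single IPv4 address, a CIDR block, a dash-separated IPv4 range, or a named host, and host names are compared case-insensitively; the range syntax and the sample file contents are constructed.

```python
"""Address group import parsing and Always address group semantics (added example)."""
import ipaddress
import re
from dataclasses import dataclass

# "entry (1)" marks an omitted entry; anything else is an included entry.
OMIT_SUFFIX = re.compile(r"^(.*?)\s*\(1\)$")


@dataclass(frozen=True)
class AddressEntry:
    value: str   # IP address, CIDR block, IPv4 range, or named host
    omit: bool   # True when the entry is marked "Omit this entry"


def parse_import_file(text):
    """Parse import file text into AddressEntry objects, skipping blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OMIT_SUFFIX.match(line)
        if m:
            entries.append(AddressEntry(m.group(1).strip(), omit=True))
        else:
            entries.append(AddressEntry(line, omit=False))
    return entries


def expand(value):
    """Expand one entry into the set of individual scan targets it names."""
    if "/" in value:                                   # CIDR block
        net = ipaddress.ip_network(value, strict=False)
        return {str(h) for h in net.hosts()}
    # dash-separated IPv4 range "a.b.c.d-a.b.c.e" (assumed syntax)
    if "-" in value and value.replace(".", "").replace("-", "").isdigit():
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}
    try:
        return {str(ipaddress.ip_address(value))}      # single address
    except ValueError:
        return {value.lower()}                         # named host


def effective_targets(requested, always_entries):
    """Targets actually scanned once the Always address group is applied."""
    targets = set()
    for t in requested:
        targets |= expand(t)
    for e in always_entries:
        if not e.omit:
            targets |= expand(e.value)   # always included, even if not requested
    for e in always_entries:
        if e.omit:
            targets -= expand(e.value)   # always excluded, even if requested
    return targets


# Constructed sample import file for the Always group: the guide's two entries
# plus a CIDR block and an omitted address inside that block.
ALWAYS_IMPORT = """\
10.10.10.60
buffett-laptop (1)
192.168.5.0/30
192.168.5.2 (1)
"""

if __name__ == "__main__":
    entries = parse_import_file(ALWAYS_IMPORT)
    # The guide's scenario: a scan job requests 10.10.10.50 and buffett-laptop.
    for target in sorted(effective_targets(["10.10.10.50", "buffett-laptop"], entries)):
        print(target)
```

With the constructed file above, the scan of 10.10.10.50 and buffett-laptop ends up scanning 10.10.10.50 (as usual), 10.10.10.60 (always included) and 192.168.5.1 (the CIDR block minus the omitted .2), while buffett-laptop is dropped.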
Creating a Smart Rule based on an Address Group
When you are configuring an address group you can choose to create a Smart
Group based on the address group.
Create the address group and add IP addresses as described earlier. Click the
arrow as shown:
The address group Smart Group is displayed in the Smart Groups browser
pane:
Creating an Active Directory Query
Not supported in Retina CS Community.
Create an Active Directory query to retrieve information from Active
Directory to populate a Smart Rule. For example, create a query that uses
computer names for a selected domain.
To work with Active Directory queries, the Retina CS user must be a
member of the Administrators group, or be assigned the Asset Management
permission. See Creating User Groups.
To create an Active Directory query:
1. Click the Configure tab, and then click Active Directory Queries.
2. Click New.
3. Enter a name for the query.
4. Enter a path name or click Browse to search for a path.
On the Select Active Directory Path dialog box, the forest is
automatically detected. The Domain list is populated with the domains
in the forest. Select a container and click OK to close the dialog box.
5. Select a scope to apply to the container: This Object and All Child
Objects, Immediate Children Only.
6. Enter a name and description for the filter.
7. Click Advanced and enter the LDAP query details.
8. Click Credentials and provide credentials (optional).
Minimum permissions assigned for the credentials must be Read on the
computer assets that you are enumerating.
9. Click Test to ensure the query returns expected results.
10. Click Save.
Working with Attributes
Not supported in Retina CS Community.
You can use attributes to label assets. Set an attribute on each asset in a
group using a Smart Rule.
You can then select the attribute as a filter when you create a Smart Rule.
Select an attribute from the Assigned Attributes list in the Asset Selection
Criteria section. For more information, see Creating a Smart Rule.
Retina CS ships with attributes already created. You can also add attribute
types and attributes that meet your particular requirements.
You can use the Criticality attribute to weight the importance of an asset in
your environment. Assign the criticality attribute using a Smart Rule or on
the Asset Details page for an asset (see Changing Asset Properties).
To add an attribute type and attribute:
1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
3. Type an attribute name.
4. To add an attribute, select an attribute type.
5. Click + and then select Attribute.
6. Type an attribute name.
Working with Tickets
Not supported in Retina CS Community.
In this section,
Creating a Ticket
Managing Ticket Details
Tracking Open Tickets Using a Smart Rule
Use the ticket system to assign tickets to members of your security team.
The team can review, remediate, and resolve vulnerabilities and attacks on
protected assets.
You can create tickets to manage the remediation of vulnerabilities, attacks,
and malware.
Ensure your user groups have the correct ticket permissions assigned. For
more information, see User Group Permissions.
Note: You can create an Active Directory user group and assign the group
ticket permissions.
The users that are members in the Active Directory group must log
on to Retina CS at least once before the user name is displayed in the
Assigned to list. Logging on also activates the email notification for
the user.
Creating a Ticket
Using the ticket system, you can create tickets for managing the life cycle of
vulnerabilities, attacks, and malware.
You can create a ticket from the following pages:
• Assets
• Attacks
• Vulnerabilities
• Malware
To create a ticket:
1. Select the arrow for a vulnerability, and then select Create Ticket.
2. Enter the details for the ticket.
A ticket ID is automatically generated after you save the details for the
ticket.
3. Click Save.
A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is
intended to help you keep track of assets affected by the vulnerability,
attack or malware. No intervention is required by you.
The next time the Smart Rule is processed, affected assets where
solutions are applied will no longer be part of the Smart Rule. When all
assets have the solution applied, the Smart Rule autogenerated ticket is
removed from the Smart Rules Manager.
The autogenerated tickets are not displayed in the Smart Rules browser
pane.
Managing Ticket Details
To change the details for a ticket:
1. Select the Assets tab, and then select Tickets.
2. Select i.
3. On the Ticket Details dialog box, change the ticket properties as needed.
If you select the Close status, the ticket is no longer displayed on the
Tickets pane.
4. If available, click the x revisions link to view details about activity on
the ticket.
5. Click Back to Ticket Details.
6. Click Save.
Marking a Ticket as Inactive
If a ticket is accidentally created or no longer needed, your security team
member can mark the ticket as inactive. An inactive ticket is essentially a
ticket that is deleted.
An inactive ticket is no longer displayed on the Tickets page. However, the
Retina CS administrator can always see the tickets (active or inactive).
You can mark a ticket as inactive on the Ticket Details page or from the
Smart Rules Manager.
To mark a ticket as inactive:
1. Select the Assets tab, and then select the Tickets tab.
2. Select the ticket and then click i.
3. Clear the Active check box.
4. Click Save.
The ticket is no longer displayed on the Tickets page. The inactive
ticket cannot be selected.
Tracking Open Tickets Using a Smart Rule
Use Smart Rules to track open tickets and tickets that are overdue.
To create a Smart Rule:
1. Select the Assets tab, and then click the Manage Smart Rules button.
2. Click New Rule.
3. Enter a rule name and description.
4. Select the criteria and actions as shown.
5. Select the Auto-close Ticket check box to close and remove the Smart
Group from the Smart Rules Manager. The ticket is only closed after all
assets are remediated.
6. Click Save.
Later, you can run the Tickets report to view a current list of open
tickets. Select the ticket Smart Group and any other relevant parameters.
Reports and Scan Templates
In this section,
Running a Report on Existing Scan Data
Reviewing Report Results
Creating a Report
Creating a Report Category
Viewing Reports
Managing Report Templates
Setting Report Output Options
Configuring Scan Settings
Working with Audit Groups
Working with Port Groups
Creating a Custom Audit
Reports and Scan Templates
There are two report template types available:
Scanning only. For more information, see Managing Scan Report Templates.
Scanning and running reports on existing data. For more information, see
Running a Report on Existing Scan Data.
Running a Report on Existing Scan Data
Not supported in Retina CS Community.
You can run reports on scan information that is stored in the Retina CS
database.
You cannot run reports on existing data using the Protection reports.
Checkpoint
– Create a Smart Group to scope the assets to include in the report.
For more information, see Creating a Smart Rule.
Reports will open in a new window. Ensure pop-up blockers are disabled for
the Retina CS web site.
To run a report on existing data:
1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters:
Note that the NONE export type provides a snapshot of the data and
produces results faster than selecting PDF output.
By default, the All check box is selected. Be sure to clear the All check
box if you want to use specific parameters for your report. Selecting All
uses all criteria available for that parameter.
5. Click Run Report.
Creating Scheduled Reports
To schedule a report:
1. Set the report parameters as described in the preceding procedure (To
run a report on existing data).
2. Click Subscription, and then set the following:
– Notify when complete - Select the check box and enter email
addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.
– Email report to - Select the check box and enter email addresses.
Separate entries using a comma.
Alternatively, click + and select users or user groups.
The reports will be emailed to the users entered.
– Schedule Type - Select One Time or Recurring.
If you select Recurring, select the frequency of the schedule run
times.
3. Click Save after you enter the scheduling information.
Viewing Scheduled Reports in the Calendar View
You can review the scheduled reports in a calendar that shows a summary of
the reports scheduled for the month.
To view the scheduled reports for the month:
1. Click the Jobs tab, and then click Scheduled in the Reports section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed report.
Reviewing Report Results
Expand the document map to view the list of vulnerabilities.
Click the link for the vulnerability in the document map list or in the main
report. You can review more information about the vulnerability such as:
description, fix information, references, and CVSS score.
If you export the report to PDF output, the list of vulnerabilities in the
document map is displayed as bookmarks in the PDF.
Creating a Report
You can create a report template based on an existing report template.
A report template consists of:
• Report output settings – Select options to determine how information is
presented in the report output. Includes report sections that present the
information collected from the scan
• Scan settings – Select options to determine the data to collect from
assets. Includes audits, ports, and additional scan options that make up
the scan
Report templates are organized using report categories.
To create a report:
1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report.
3. Select a template and click Create.
4. Select a section and then drag section parts into the section pane.
You can enter the name of the section part in the text box to select.
Section parts vary based on the report template selected.
5. Select the Shared check box if this report template can be used by other
Retina CS users.
6. Click Save.
7. Enter the name of the report and the report category.
8. Click Save.
Creating a Report Category
A report category is a container that helps to organize similar reports. Every
report that you create must be assigned to a category.
To create a report category:
1. Click the Reports tab then click Manage Report Templates.
2. Click New Report Category.
3. Enter a name for the report category and click Create.
4. Drag an existing report from another category to populate the new
category.
Viewing and Downloading Reports
On the Reports tab, you can:
• View reports
• Download a report to PDF format
• Access the Manage Report Templates page. For more information, see
Managing Report Templates.
To view and download a report:
1. Click the Reports tab.
2. Select one of the following:
– Double-click a report to view. Or, select a report, and then click i.
– Click the download button and then click Save File to save the
report in PDF format. Enter the report name, or use the default, and
then click Save.
– Click the delete button to delete the report.
Managing Report Templates
You can customize template settings, including sections in the report output
and scan settings.
To access a report template:
Click the Reports tab, and then click Manage Report Templates.
Select the report template and click the arrow to select a menu item.
– Edit Report. See Setting Report Output Options.
– Duplicate Report. Create a copy of the selected report. Select Edit
or Rename from the menu to continue.
– Rename Report. Enter the new name when prompted.
– Delete Report. Confirm the deletion when prompted.
– Edit Scan Settings. See Configuring Scan Settings.
Setting Report Output Options
You can select the sections to include in the report, such as cover page and
report content.
To change the report output:
1. Click the Reports tab.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Select a report section.
For some reports, you can edit parameters on the Header section. Click
the pencil icon to display and select the parameters.
5. The Section Parts pane displays the sections that you can use. Drag a
section part into the middle pane. You can also enter the name of the
Section Parts in the Search box.
6. To remove a section from the report, select the section and select the
garbage can.
7. Click Save.
8. Enter a name for the report and the report category.
9. Click Save.
Configuring Scan Settings
The following scan settings can be set when you are configuring an audit
scan:
• Audits. An audit contains the vulnerabilities and risks that you want to
search for on your selected assets. The audit information is organized in
audit groups.
The audit groups provided are industry standard and include: SANS20
(All), SANS20(Windows), and Zero-day. For a complete list, see Audit
Groups.
• Ports. Select the port or port group ranges that you want to include in
the scan.
• Options. Select scan policy options, advanced options, and remote
agent settings.
To configure an audit scan:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits, and then drag an audit group to the scan settings pane.
To search for an audit group, type the audit group name in the Search
box. For more information, see Audit Groups.
5. Select Ports, and then drag port groups to the scan settings pane.
To search for a port group, type the port group name in the Search box.
For more information, see Port Groups.
6. Select Options.
7. Expand Scan Policy Options and select the scan options:
– Perform OS Detection - Determines the operating system for the
target.
– Get Reverse DNS - Scans for reverse Domain Name System
(rDNS) and retrieves the domain name for the target IP address.
– Get NetBIOS Name - Scans for a Network Basic Input/Output
System.
– Get MAC Address - Scans for the Media Access Control address or
unique hardware number.
– Perform Traceroute - Determines packet routes across an IP
network.
– Enumerate [parameter] Via NetBIOS - Uses the NetBIOS protocol
to determine and list audits specified in the Audit Group.
The parameters include registry, users, shares, files, hotfixes, named
pipes, machine information, audit policy, per-user registry settings,
groups, processes, user and group privileges and software.
– Maximum Number of Users to Enumerate - Sets a maximum
number of users for providing detailed descriptions.
All users are enumerated if you set the value to 0.
– Hardware - Determines the hardware for the target.
– Perform Web Scanning - Scans remote web servers and audits
installed applications.
– Web Scan Depth - Sets the number of links to follow from the
home page.
– Perform Database Scanning - Scans remote database instances.
8. Expand the Advanced Options and select the scan options:
Note: Performance issues may be experienced when running a Connect
Scan, Force Scan, and UDP Scan simultaneously. These instruct
Retina to negotiate a full connection to each port on each device.
On a Class B network, you could be waiting for 65,535 devices
to time out on a minimum of 65,535 connections each. In
addition, stack changes in Windows XP SP2 cause connect scans
to slow greatly due to the 10 incomplete connection limit.
– Enable Connect Scan Mode - Run if other methods, such as a
slow dial-up, are unreliable.
The operating system is negotiating a full connection to each device.
Because multiple port scanning methods are not used, Retina cannot
determine a number of items, such as operating system.
– Enable Force Scan - Run if the targeted devices are not going to
answer SYN or ICMP scanning.
Forces Retina to run protocol discovery on each port of each device
to determine the protocol.
Only use in a highly locked down network where the standard port
scanning methods will be filtered or blocked. Force Scan should not
be used in IP ranges.
– Extended UDP Scan - Runs a complete scan on all User Datagram
Protocol (UDP) frames without timing out.
Forces Retina to expect an answer. The IP will eventually time out.
– Disable Tarpit Detection - Stops tarpit detection.
A TCP tarpit program intentionally reduces the size of data packets
to slow communication transmissions. This can cause incorrect scan
results.
To scan systems running tarpits, set the tarpit to allow unimpeded
connections from the Retina scanner.
– Detailed Audit Status - Retrieves data on the port, operating
system and protocol scanned and details the vulnerabilities open,
fixed and not verified.
– Randomized Target List - Uses a random list of target assets to
scan rather than a sequential list of IP addresses.
This load balances the target IP list across the network by
distributing the target list across subnets rather than running all the
targets in a subnet at the same time sequentially.
9. Expand Retina Local Scan Service Options to set the following:
– Perform Local Scanning - Deploys a remote Retina scanner agent
to target assets during a scan. Deploy a remote Retina agent to run
WMI and remote registry scans.
After the scan runs, the deployed remote agent is removed from the
asset.
– Enumerate Ports via Local Scan Service - Enumerates local ports
using netstat, including active connections and the program or
service using the port. OFF by default.
– Enable WMI Service - Starts (and then stops) the WMI service.
The service is only active during the scan. OFF by default.
– Enable Remote Registry Service - Starts (and then stops) the
remote registry on a target. The service is only active during the
scan. OFF by default.
10. Click Update.
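The Randomized Target List option in step 8 is described as distributing the target list across subnets rather than scanning every target in one subnet back to back. The following added example, which is not Retina CS code and does not reproduce how the Retina scanner actually orders targets, models that load-balancing idea: targets are bucketed by subnet, each bucket is shuffled, and the buckets are drained round-robin. The /24 grouping prefix, the round-robin strategy, and the sample target list are this example's own assumptions.

```python
"""Spreading a scan target list across subnets (added example)."""
import ipaddress
import random
from collections import defaultdict


def subnet_of(target, prefix_len=24):
    """Return the subnet (for example 10.0.1.0/24) that an IPv4 target belongs to."""
    return ipaddress.ip_network(f"{target}/{prefix_len}", strict=False)


def interleave_by_subnet(targets, prefix_len=24, seed=None):
    """Order targets so that consecutive scans fall in different subnets.

    Every input target appears exactly once in the result. The seed only
    makes the shuffle reproducible; it is not part of the technique.
    """
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for t in targets:
        buckets[subnet_of(t, prefix_len)].append(t)
    for bucket in buckets.values():
        rng.shuffle(bucket)
    order = list(buckets)
    rng.shuffle(order)

    scheduled = []
    while any(buckets[net] for net in order):
        for net in order:               # one target from each subnet per round
            if buckets[net]:
                scheduled.append(buckets[net].pop())
    return scheduled


def longest_same_subnet_run(scheduled, prefix_len=24):
    """Longest run of consecutive targets in one subnet; 1 means fully interleaved."""
    longest = run = 0
    previous = None
    for t in scheduled:
        net = subnet_of(t, prefix_len)
        run = run + 1 if net == previous else 1
        longest = max(longest, run)
        previous = net
    return longest


# Constructed sample: a sequential list that would scan all of 10.0.1.0/24 first.
SAMPLE_TARGETS = (
    [f"10.0.1.{i}" for i in range(1, 7)]
    + [f"10.0.2.{i}" for i in range(1, 7)]
    + [f"10.0.3.{i}" for i in range(1, 4)]
)

if __name__ == "__main__":
    print("sequential, longest same-subnet run:", longest_same_subnet_run(SAMPLE_TARGETS))
    randomized = interleave_by_subnet(SAMPLE_TARGETS, seed=1)
    print("randomized, longest same-subnet run:", longest_same_subnet_run(randomized))
    print(randomized)
```

For the constructed list the sequential order has a run of six targets in 10.0.1.0/24, whereas the interleaved order never scans two consecutive targets in the same subnet.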
Working with Audit Groups
Retina CS ships with audit groups that are populated with audits. Each audit
group has a preconfigured set of audits.
On the Scan settings page for an audit group, you can:
• Change the audits in the audit group
• Create an audit group
• Copy an audit group
• Create an audit. For more information, see Creating a Custom Audit.
• Revert the settings to the default values
Note that you cannot delete an audit group that ships with Retina CS.
To manage audit groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
To search for an audit group, type the name in the Search box.
5. Click Manage in the Audit Groups pane to:
– Edit an audit – Select the audit and click the pencil icon. You cannot
change all audits. Select All Editable Audits from the Show list to
display all audits that you can change.
– Create an audit group – Click + at the bottom of the Audit Groups
pane. Enter the name of the new audit group.
– Copy an audit group – Click the copy icon. Enter a name and click Copy.
– Edit an audit group – Select the audit group from the Audit Groups
pane. You can also type the name of the audit group in the box to
search for the audit group.
6. Select the Automatically enable new audits in this group check box
to add all the new audits selected when created.
7. Click Revert to revert to either the last saved version of the selected
audit group or the default value.
8. Click Update.
Working with Port Groups
Port groups contain the list of ports to scan. You can change the ports
assigned in a port group, add port groups that will be available to all audit
scans, and delete port groups.
Retina CS ships with port groups already configured with a range of ports
(for example, HTTP Ports and Discovery Ports). Note that you cannot
delete a port group that ships with Retina CS.
To change port groups:
1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
Use the Grid Size slider to adjust the view.
– Add a port group – Click + on the Port Groups pane. Enter the
name of the port group and click Create.
– Edit a port group – Select the port group from the Port Groups pane.
You can also type the name of the port group in the box to search for
and display the port group.
– Remove a port from a group – Select the port, and then select Clear
from the Protocol menu.
– Add a port or group of ports – Select the ports, and then select the
protocol from the list: Both, TCP, UDP. The grid is updated with
the corresponding color of the protocol.
To select multiple ports, drag and click on the range. Alternatively,
enter the port number or port number range in the Select Ports box
and click the arrow.
6. Click Revert to cancel your changes.
7. Click Update.
Creating a Custom Audit
You can create an audit that addresses particular risks or vulnerabilities that
you want to protect your assets from.
You can select the rule category, risk level associated with the rule, audit
type and details. For example, you can create the following audit: ensure the
latest service pack and particular hotfix has been installed for Windows 2003
OS 32-bit/64-bit.
To create customized audit scan settings:
1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
5. Click Manage in the Audit Groups pane.
6. Click +New Audit to start the Audit wizard.
7. Click Next.
8. On the Audit Description page:
a. Type the audit name.
b. Select the audit category, such as Database, Mail Servers,
Miscellaneous, or Windows.
c. From the Risk Level list, select the severity level that
corresponds to the severity of the vulnerability:
– High - Risks that allow a non-trusted user to take control of a
susceptible host.
Vulnerabilities that severely impact the overall safety and
usability of the network.
– Medium - Risks that are serious security threats and would
allow a trusted but non-privileged user to gain complete control of a
host, or would permit a non-trusted user to disrupt service or gain
access to sensitive information.
– Low - Risks associated with specific or unlikely circumstances.
These vulnerabilities can provide an attacker with information
that could be combined with higher-risk vulnerabilities to
compromise the host or users.
– Information - Host information that does not necessarily
represent a security threat, but can be useful to the administrator
to assess the security. These alerts are displayed with the list of
vulnerabilities.
d. Describe the vulnerability.
e. Describe how to remediate, investigate or mitigate the
vulnerability.
9. On the Audit Type page, select the type of audit:
– Banner - Determines vulnerabilities in the banner information, such
as firewall name, IP addresses and server name.
– CGI Script - Determines vulnerabilities in the common gateway
interface, which passes a Web user's request to an application program
and returns the program's response to the user.
– Registry - Detects vulnerabilities by scanning registry entries and
values.
– Hotfix - Determines vulnerabilities by scanning service packs,
hotfixes and patches.
– File Version - Determines whether a file exists. The audit can check
either that the file is present or that it is absent.
– File Checksum - Determines vulnerabilities based on file checksum
comparisons.
Supported values include: MD5, SHA1, SHA256.
Network performance issues might occur if you use this feature. Use
this feature with caution.
– Remote Check - Verifies if a specific Unix program or patch is
installed on an operating system.
– Mobile Software - Determines if software exists for mobile devices.
– BlackBerry Device - Determines vulnerabilities based on
BlackBerry device specifications.
– Share - Determines if a share is accessed by unauthorized users.
The Audit Details page displays parameters based on the audit type that
you select in step 9.
10. Enter the information for the audit type, and then click Next.
– Banner audit details - Select the banner protocol, and then type the
banner name.
– CGI Script audit details - Type the URL path to the script name.
– Registry - Select Path, Key, or Value from the menu. Select the
operating systems that the vulnerability affects.
Note that the registry path cannot contain the selected Hive value.
– Service Pack – Hotfix - Determines vulnerabilities by scanning
service packs, hotfixes and patches.
– File Version - Verifies the software version.
Enter the file name, set file version information (optional), and select
operating systems to check.
– File Checksum - Select the file checksum from the list.
Enter a file name, checksum value, and file version. Use an asterisk
(*) to compare all file versions.
– Remote Check - Verifies if a specific Unix program or patch is
installed on an operating system.
– Mobile Software - Enter the name of the software, and set if software
exists. Can also audit on the version number.
– BlackBerry Device - Enter model, serial number, device ID,
platform version, and OS version.
– Share - Select user account access on the share, type of access on the
share, and OS version. Optionally, list the accounts by SID.
11. On the Vulnerability Details page, enter the BugTraq and CVE details, as
needed.
– BugTraq - A security portal dedicated to issues about computer
security, such as vulnerabilities, methods of exploitation and
remediation.
– CVE - Common Vulnerabilities and Exposures is a dictionary of
publicly known information security vulnerabilities and exposures.
CVE’s common identifiers enable data exchange between security
products and provide a baseline index point for evaluating coverage
of tools and services.
12. On the Audit Wizard Summary page, click the pencil to change the audit
information.
13. Click Finish.
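The File Version and File Checksum audit types above are easier to reason about when you can see the decision an audit makes at scan time. The following is an added example, not code from the Retina CS guide or from BeyondTrust: a small evaluator that mirrors the wizard's File Checksum fields (file name, MD5/SHA1/SHA256 algorithm, expected checksum, and an exact file version or `*` for all versions). The audit record layout, the `evaluate` function and the sample file it hashes are constructed for this example and are not Retina CS data formats.

```python
"""
Added example (not part of the Retina CS guide or BeyondTrust's code):
a small evaluator that behaves like a "File Checksum" custom audit, so the
wizard's fields (file name, checksum algorithm, expected checksum, file
version or "*") can be seen in action against a host.  The audit record
layout and the sample file are constructed for this example.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

# Algorithms the guide lists for the File Checksum audit type.
SUPPORTED_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


@dataclass
class FileChecksumAudit:
    file_name: str        # file to locate on the target
    algorithm: str        # MD5, SHA1 or SHA256
    expected_digest: str  # hex digest of the known-vulnerable build
    file_version: str     # exact version string, or "*" for all versions


def hash_file(path: str, algorithm: str) -> str:
    """Hash in 64 KiB chunks so large binaries need not fit in memory.
    The whole file is still read, which is the network cost the guide warns
    about when the file is fetched from a remote target."""
    h = hashlib.new(SUPPORTED_ALGORITHMS[algorithm.upper()])
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate(audit: FileChecksumAudit, root: str,
             installed_version: Optional[str]) -> str:
    """Return 'not found', 'version mismatch', 'vulnerable' or 'clean'.
    installed_version is the version the target reports for the file
    (None when it carries no version information)."""
    path = os.path.join(root, audit.file_name)
    if not os.path.isfile(path):
        return "not found"
    if audit.file_version != "*" and audit.file_version != installed_version:
        return "version mismatch"   # the audit applies only to the named version
    actual = hash_file(path, audit.algorithm)
    # Normalise case so a digest pasted in upper case still matches.
    if actual.lower() == audit.expected_digest.lower():
        return "vulnerable"
    return "clean"


def demo() -> dict:
    """Run one audit against a constructed file and collect each outcome."""
    vulnerable_build = b"MZ...constructed stand-in for a known-bad build..."
    audit = FileChecksumAudit(
        file_name="vulnerable.dll",
        algorithm="SHA256",
        expected_digest=hashlib.sha256(vulnerable_build).hexdigest(),
        file_version="1.0.0.1",
    )
    results = {}
    with tempfile.TemporaryDirectory() as root:
        results["missing"] = evaluate(audit, root, None)
        with open(os.path.join(root, "vulnerable.dll"), "wb") as fh:
            fh.write(vulnerable_build)
        results["wrong_version"] = evaluate(audit, root, "1.0.0.2")
        results["match"] = evaluate(audit, root, "1.0.0.1")
        # "*" skips the version gate, as the wizard's asterisk option does.
        any_version = FileChecksumAudit(audit.file_name, audit.algorithm,
                                        audit.expected_digest, "*")
        results["wildcard"] = evaluate(any_version, root, "9.9.9.9")
        # A patched build with different bytes hashes differently.
        with open(os.path.join(root, "vulnerable.dll"), "wb") as fh:
            fh.write(vulnerable_build + b" patched")
        results["patched"] = evaluate(audit, root, "1.0.0.1")
    return results


if __name__ == "__main__":
    print(demo())
```

Note the ordering: a checksum audit reports a finding only when the file exists, the version gate passes, and the digest matches the known-bad value, so a patched binary of the same version is reported clean rather than vulnerable.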
Report Templates and Audit Groups
Not all report templates or audit groups are supported in Retina CS
Community.
The following tables list the report templates and audit groups available with
Retina CS.
You can run reports on existing scan information that is stored in the Retina
CS database.
You can run all reports from Retina Insight. For more information, refer to
the Retina Insight User Guide.
Report Templates
Table 5. Vulnerabilities
– Access - Lists targets that are inaccessible and includes a reason. For
example, the target does not exist on the network, or administrative rights
were not provided.
– All Audits Scan - Lists all vulnerabilities found. Drill down by
vulnerability to review more information, such as fixes, references,
exploits and affected assets.
– Discovery Scan - Lists the targets found on the network, including
workstations, routers, laptops and printers. Credentials are not required
for a discovery scan.
– PCI Compliance Report - Details the vulnerability results of PCI security
scans. The Payment Card Industry Data Security Standard (PCI DSS) specifies
security requirements for merchants and service providers that store,
process, or transmit cardholder data. PCI security scans are conducted over
the Internet by an Approved Scanning Vendor (ASV). The Retail Report pack
is required for this report.
– Vulnerabilities by Reference - Lists vulnerabilities by CVE reference ID.
Drill down into an ID for more information, such as assets affected and
potential fixes.
– Vulnerabilities Delta - Provides the vulnerability differences between two
scans.
– Vulnerabilities - Lists vulnerabilities grouped by assets. The report
details the vulnerabilities with criticality, descriptions, fix information
and references. The references provide a link to the CVE web site. You can
run custom or standard reports to review the system, users and security
issues.
– Vulnerability Exclusions - Lists vulnerabilities that are set to exclude.
Includes the expiry date and reason properties.
– Vulnerability Export - Provides a tabular list of all vulnerabilities
discovered and their associated details.
The Attacks report uses information gathered by Retina Protection Agents.
Table 6. Attacks
– Attack - Displays the total number of attacks, attacks per asset, assets
attacked, attacker IP address, a list of the top x attacks, criticality and
trends over time. Drill down into each attack for more information, such as
action, port, protocol, and attacker.
– Malware - Displays the total number of malware attacks, a list of the top
x malware attacks, trends over time, and assets affected. Drill down into
each malware attack for more information, such as the location of the
malware, the asset and its IP address.
Delta reports are useful for comparing changes between two scans, such as
added or removed user accounts, added or removed software, and OS upgrades.
Table 7. Assets
– Asset Export - Displays assets in a selected scan in .csv format.
Information includes the asset name, IP address, DNS, domain and operating
system.
– Assets - Provides asset and risk information by hardware, MAC address,
operating system, port, process, services, share and user account.
– OS Delta - Displays the differences in operating systems between two
scans.
– OS - Lists the top 100 and bottom 100 discovered operating systems. Assets
are grouped by OS. IP address, asset name, DNS name and risk are included.
– Port Delta - Displays the port differences between two scans.
– Port - Lists the top 100 and bottom 100 discovered ports for the assets
included in the scan. Assets are grouped by port. IP address, asset, DNS and
risk level are included. Click an asset to drill down to more information:
vulnerabilities, MAC address, ports, processes, and more.
– Protection Agent Configuration - Displays the policies applied on an
asset. Retina Protection Agent module required.
– Service Delta - Details the service differences between two scans.
– Service - Lists the top 100 and bottom 100 discovered services for the
assets included in the scan. Assets are grouped by service. IP address,
asset name, DNS name, and risk level are included. Click an asset to drill
down to more information: vulnerabilities, MAC address, ports, processes,
and more.
– Share Delta - Displays the share differences between two scans.
– Share - Provides a summary of top and bottom shares and a breakdown by IP
address, asset name, DNS name, operating system and criticality.
– Software - Lists the top 100 and bottom 100 discovered software for the
assets included in the scan. Assets are grouped by software. IP address,
asset name, DNS name, and risk level are included. Click an asset to drill
down to more information: vulnerabilities, MAC address, ports, processes,
and more.
– Software Delta - Displays the software differences between two scans.
– User Delta - Lists the number of new, unchanged and removed users. Drill
down by asset to review a summary of the user updates.
– User - Lists the top 100 and bottom 100 discovered users for the assets
included in the scan. Assets are grouped by user. IP address, asset name,
DNS name, and risk level are included.
– Windows Event Report - Lists Windows event types based on your selection:
Application, System, Security. Retina Protection Agent module required.
Table 8. Executive Overview
– Executive Summary - Provides an overview summary of assets and trends,
such as audits by machine and audits by severity.
Table 9. Patches
– Patches - Lists the assets included in the scan and the number of patches
that need to be applied to each asset. Lists each patch available and
includes a link to more information for the patch. Each patch also provides
the name of the violated audit.
Table 10. Hardware
– Hardware Delta - Lists a summary of hardware differences between two
scans. Drill down by asset to review differences.
– Hardware - Lists the hardware discovered on each asset included in the
scan.
Table 11. Regulatory Compliance
– COBiT Compliance - Provides a report that ensures your environment
satisfies the framework identified in the COBiT framework. Additional
components: Any report pack.
– FERC-NERC - Maps monitored controls to NERC requirements. Additional
components: Government report pack.
– GLBA Compliance - Provides security risk assessments that satisfy the
requirements in the GLBA. Additional components: Financial report pack.
– HIPAA Compliance - Maps configuration, patch and zero-day vulnerabilities
to HIPAA security rules. Running a scan using the default scan settings
ensures compliance to Section 164.308 Administrative safeguards, (a)(8)
Standard: Evaluation. Additional components: Healthcare report pack.
– HITRUST Compliance - Displays vulnerabilities mapped to HITRUST regulatory
compliance standards. Supported sections from the standard and
vulnerability counts are displayed.
– ISO-27002 Compliance - Maps configuration, patch and zero-day
vulnerabilities to satisfy ISO-27002. Additional components: Any report
pack.
– ITIL Compliance - Maps compliance violations and vulnerabilities back to
ITIL best categories. Additional components: Any report pack.
– MASS 201 - Maps configuration, patch and zero-day vulnerabilities to MASS
201. Additional components: Government report pack.
– NIST 800-53 - Maps configuration, patch and zero-day vulnerabilities to
the NIST 800-53 standard used to support FISMA compliance. Additional
components: Government report pack.
– SOX Compliance - Maps configuration, patch and zero-day vulnerabilities to
defined SOX requirements. Additional components: Retail or Healthcare
report pack.
Table 12. Protection
– Protection Policy Differences Report - Provides a summary of differences
in a protection policy. You cannot run reports on existing data for the
Protection reports. This report is intended to provide configuration
information for your Retina Protection agent policies.
Table 13. Configuration Compliance
– Benchmark Compliance - Runs a benchmark scan based on a selected benchmark
template and policy.
– Benchmark Export - Provides a summary of differences in a benchmark
policy.
Additional components: Configuration Compliance module.
Table 14. Patch Management
– Approved Patches - Lists assets where patches are approved.
– Installed Patches - Lists installed patches.
– Required Patches - Lists required patches.
Additional components: Patch Management module.
Table 15. Tickets
– Ticket - Displays details such as Status (Open, New, Closed), Severity,
Assigned user, due date, ID, and ticket title.
Table 16. Mobility
– Mobile Assets - Lists mobile assets discovered.
– Mobile Vulnerabilities - Lists vulnerabilities associated with mobile
assets.
Table 17. PowerBroker Windows
– Application ActiveX Details - Displays information about installation
events for ActiveX controls in Internet Explorer.
– Applications by Computer - Displays information about application usage
on a client.
– Applications By Hash - Displays information about all applications under
management tracked by hash code. Details include the hash code of the
binary file, application name, file version, product name, and certificate
publisher.
– Applications By Path - Displays information about all applications under
management tracked by launch path.
– Dashboard Report - Displays charts about the applications most frequently
launched, requiring elevation, triggering User Account Control (UAC), and
launched by Shell rule. Also includes charts about ActiveX controls, rules
applied, local administrators, and the ratio of administrator users to
standard users.
– File Integrity by Asset - Displays the assets managed using PowerBroker
for Windows File Integrity rules.
– File Integrity by Rule - Displays the assets organized by the PowerBroker
for Windows rules.
– Shell Rule Executions - Displays information about all applications that
run based on a shell rule.
Audit Groups
• Access Scan
• ActiveSync
• All Audits
• Android
• BlackBerry
• Database Servers
• Databases
• Domain Controllers
• FDCC-Windows Vista
• FDCC-Windows XP
• Mail Servers
• SANS20 (All)
• SANS20 (Unix)
• SANS20 (Windows)
• SCADA
• Secure Audits Configuration
• Third Party Patch Assessment
• Virtualization
• Web Applications
• Zero-Day
Regulatory Reporting Pack Audit Groups
• COBiT Compliance
• GLBA Compliance
• HIPAA Compliance
• HITRUST
• ISO-27002 Compliance
• ITIL Compliance
• Mass 201 CMR 17 Compliance
• NERC/FERC Compliance
• NIST 800-53 Compliance
• PCI Compliance
• SOX Compliance
Asset Management
In this section,
Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings
Interpreting Scan Results on the Dashboard
To review scan results:
1. Log on to Retina CS.
2. Select a date tab to update the view with metrics for the selected date
range.
3. Select the Custom dates tab and click the arrow to select a date range.
The middle pane displays the following information:
– Overall Threat Level – Plots attacks and vulnerabilities over time
by severity. Change the Counts to display the results by type. Click
on the graph to expand the display.
– Anomalies – Displays higher frequency
malware/virus/spyware/attack/vulnerability occurrences, assets
with higher risk, ports/software with lower frequency, expired
reports, expired scans, and long scans.
– Asset Risk – Displays the risk for all assets in the environment.
Hover over the pie chart to display the percent call out. The values
on the chart are calculated every 4 hours. For more information on
risk scores, see Risk Scores.
The lower pane displays the following information:
– Critical Alerts – The event date and description.
– Operational Status – Information about scheduled scans.
– Completed Reports – The reports that ran.
1. Click Show Status to display status detail, including the names of scans.
Hover over the job icon to see more details.
2. Click the refresh button to update the information on the dashboard.
Reviewing Asset Details
On the Assets tab you can review your protected assets and determine if
there are vulnerabilities, attacks, or malware compromising your assets.
To review asset information:
1. Select the Assets tab, and then select a Smart Group.
Click and to expand the assets pane.
2. Select an asset, and then click i.
You can change properties for an asset. Click Edit. For more
information, see Changing Asset Properties.
On the Assets Details pane, select an item to review more information:
Risk Scores
The risk score indicates the potential for an asset to be attacked. You can
use the risk score to determine which assets need the most urgent attention.
The asset risk score is calculated using factors such as: vulnerability, number
of attacks, exposure (open ports, number of users, shares, for example), and
overall threat level.
Risk scores range from 0 to 9.99:
• 0 indicates a low risk or there is no data available to determine a
potential risk.
• 9.99 indicates the highest risk. Asset is most vulnerable to an attack.
An asset risk score is displayed in the following areas:
• Pie chart on the Dashboard page
• On the Assets tab
• Details page for each asset
Changing Asset Properties
You can use the Asset wizard to change the following asset properties:
owner, active, and asset attributes such as business unit.
Assign or change attributes to help organize and identify assets. For more
information about attributes, see Working with Attributes.
Run a discovery scan to populate the Assets pane.
To change the details for an asset:
1. Select the Assets tab.
2. Select an asset, and then click the i.
Alternatively, double-click the asset to open the asset details pane.
3. On the Asset Details pane, click Edit.
4. Click Next on the Welcome page of the Asset wizard.
5. On the Edit Asset Details page, select the asset properties.
6. On the Edit Asset Attributes page, select the attribute values and then
click Next.
The default attributes that you can apply are: Geography, Business Unit,
Criticality, and Manufacturer.
7. Review the settings, and then click Finish.
Changing the Display
You can change the information displayed on Retina CS pages, including:
• Columns
• Number of records displayed at one time
• Create filters to display records that meet the filter criteria
Setting Display Preferences
You can set display preferences on the following pages:
• Assets page
• Vulnerabilities page
• Agents page
• Jobs page
• User Audits page
Note that you can display a Domain and filter by Domain. If the domain
name is not known or the asset is not part of a domain, then the field is
blank. The Domain filter is not displayed by default.
To set display preferences:
1. Select the Assets tab.
2. Click the preferences button.
3. On the Preferences dialog box, set the following:
– Columns to Show - Select the check boxes for the columns that
you want to display.
– Show Filter - Select to always display the filtering text boxes and
lists.
For more information, see Filtering Records.
– Records Per Page - Select the number of records to display at one
time.
4. Click OK to close the Preferences dialog box.
5. Click to open the Save Preferences dialog box.
6. Select display settings, and then click Save Preferences.
Filtering Records
Create a filter to match certain records that you want to view on the page.
To set filtering on assets:
1. Select the Assets tab.
2. Select the show filter button to display the filter options.
3. Enter filter criteria and click .
Managing Jobs
On the Jobs page, you can review:
• Active, scheduled, and completed scan jobs
• Active and completed Retina Protection agent deployments
• Active, scheduled, and completed reports
• View scheduled scans and scheduled reports in a calendar view
• SCCM package deployment status
• Windows event details
Reviewing Job Details
You can review job details for a scan (running or complete).
On the Job Details page, you can review the number of assets scanned, the
number of processes successfully scanned, credentials used for the scan, and
a drill-down to the assets scanned.
A target is defined in a scan as a combination of: a single IP address, a
computer name, a list of IP addresses, a list of computer names, an IP range,
and cloud devices.
An asset is a device that is discovered from the range of targets defined in
the scan. For example, the scan properties include these IP addresses in a
range: 10.100.10.20 and 10.100.10.21. During the scan, there might not be a
device attached to 10.100.10.20. That will be reflected in the number
shown in the Targets and Assets displayed on the job details page.
The agent name indicates if the scanner is in a scanner pool. For more
information, see Scanner Pooling.
To review job details:
1. Select the Jobs tab.
2. Select the Active tab for the Scans section.
3. Double-click a job to open the Job Details pane.
In the following example, you can review the job details while the job is
in progress.
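The Targets versus Assets distinction above is the first thing to check when a job's counts look wrong. The following is an added example, not code from the guide or from BeyondTrust: it expands the target kinds the guide lists (a single IP address, a computer name, a list of either, and an IP range) into the set a scan would probe, then counts how many of those answered, reproducing the 10.100.10.20/10.100.10.21 case from the text. The `start-end` range syntax, the `expand_target` and `job_counts` helpers and the sample responders are assumptions made for this example.

```python
"""
Added example (not Retina CS code): shows how a scan's target list expands
into individual targets, and how the assets that actually respond form the
smaller number shown beside Targets on the Job Details page.  The range
syntax ("start-end") and the helper names are assumptions for this example.
"""
import ipaddress
from typing import Dict, Iterable, Set


def expand_target(spec: str) -> Set[str]:
    """One target entry -> the addresses or names the scanner would probe."""
    spec = spec.strip()
    try:
        return {str(ipaddress.ip_address(spec))}          # single IP address
    except ValueError:
        pass
    if "-" in spec:                                        # IP range: a-b
        lo_s, hi_s = (p.strip() for p in spec.split("-", 1))
        try:
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
        except ValueError:
            lo = hi = None                                 # not a range after all
        if lo is not None:
            if hi < lo:
                raise ValueError(f"range end precedes start: {spec}")
            return {str(lo + i) for i in range(int(hi) - int(lo) + 1)}
    return {spec.lower()}                                  # computer name (e.g. web-01)


def expand_targets(specs: Iterable[str]) -> Set[str]:
    """A scan's whole target list (IPs, names, ranges) as one set."""
    out: Set[str] = set()
    for spec in specs:
        out |= expand_target(spec)
    return out


def job_counts(specs: Iterable[str], responders: Iterable[str]) -> Dict:
    """Targets = everything the scan tried; Assets = targets that answered.
    responders is the constructed list of hosts that replied during the scan."""
    targets = expand_targets(specs)
    assets = {r.lower() for r in responders} & targets
    return {
        "targets": len(targets),
        "assets": len(assets),
        "no_response": sorted(targets - assets),   # the gap between the two counts
    }


if __name__ == "__main__":
    # The guide's example: two addresses in range, only one has a device behind it.
    print(job_counts(["10.100.10.20-10.100.10.21"], ["10.100.10.21"]))
```

A large gap between the two counts usually means the range included addresses with nothing behind them, or that a host blocked the scan; the Access report in Table 5 lists the unreachable targets with a reason.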
Reviewing Scheduled Job Details
You can change the following settings for a scheduled job:
• Job name
• Smart Rule
• Credentials
• Schedule
The Last Refresh Date indicates the date when the Smart Rule was
processed. Assets added or removed after the Last Refresh Date are not
reflected in the Smart Rule.
The Smart Rules are processed every 6 hours. Depending on the schedule
and how frequently assets change in your environment, you might want to
change the refresh rate. Otherwise, assets might not be included in the scan
as you expect. For more information, see Refresh Settings.
Viewing Scheduled Scans in the Calendar View
You can review the scheduled scans in a calendar that shows a summary of
the scans scheduled for the month.
To view the scheduled scans for the month:
1. Click the Jobs tab, and then click Scheduled in the Scans section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed scan.
Viewing Scan Event Details
You can review a summary of the gathered scan events.
Aborting or Pausing a Job
Changing Job Page Settings
Click the Job Page settings icon to change display settings.
On the Job Grid Settings dialog box, you can configure the default job type,
refresh intervals, and the maximum number of assets displayed on the page.
Mobility Scanning
In this section,
Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Configuring a PowerBroker Mobile Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices
Overview
A mobility scan scans mobile devices against scan templates to determine if
there are any vulnerabilities.
You can use the predefined scan templates that ship with Retina CS or create
a custom scan template. Create a custom template to scan for particular
device software and hardware versions, for example.
Running a mobility scan also retrieves information such as device ID, model,
and serial number on BlackBerry, Android, and mobile devices on
ActiveSync server.
After you create a mobility connector, a Smart Group is created. The Smart
Group name is the same as the connector name. The Smart Group is
populated with the devices that are detected when a scan runs.
Configuring a BlackBerry Connector
The BES connector, which uses RIM API technology, establishes a
connection to the BlackBerry Admin service to retrieve the device
information.
Mobility scans run on the Retina CS server, and do not use a scanning agent.
To configure a BlackBerry connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select BlackBerry.
– General - Enter a name and description for the connector.
– Connection Details - Enter the information for the BES host.
Use the port number where BES is configured to listen. Confirm the
port number in your BlackBerry Admin service configuration.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
During a synchronization, all BlackBerry devices connected to the BES
host are detected, including software versions and any vulnerabilities
found based on the audit group selected.
4. Click Update.
5. To run the scan now, click Scan Now.
Scan Now is only available after you click Update.
A Smart Group is populated with the devices that are detected when the
connector is created. Go to the Assets page to see the new Smart Group.
Configuring an Android Connector
To configure a connection to an Android mobile device:
• Create connection details on the Configure tab.
• Create a configuration file that you can email to your mobile device
users.
When a valid connection is established the audits will be downloaded to the
mobile device. Scan results are then uploaded to the Retina CS server.
To configure an Android connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select Android.
– General - Enter a name and description for the connector.
– Connection Details - Enter the authentication key for the Android
connector.
Note that this connector opens the 21691 port to communicate to
Android devices. Ensure this port is available.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
– Distribution - Click Prepare Configuration File to generate a file
that contains the server information for the connector.
The device user needs the password to run the configuration file.
Select the check box to allow Android devices that are using the
configuration file to communicate to the server using an untrusted SSL
certificate.
Although this option is available, it is recommended to use a trusted SSL
certificate.
4. Click Update.
After you create a connector, an Android connector Smart Group is
displayed in the Assets pane.
If you are using a configuration file, you can distribute the file now using email.
Be sure to provide the configuration file password using another method so
the Retina CS Server information in the configuration file remains secure.
Deploying the Application to Android Devices
BeyondTrust Scanner for Android is available on Google Play.
If you do not want to install the BeyondTrustScanner using Google Play,
you can download the Android Package (APK) file from the Android
Connector page. To install the BeyondTrustScanner APK on an Android
Device, you must enable the Unknown Sources setting.
You can manually deploy the app in the following ways:
• Email
– Ensure your Android devices are configured to receive email.
– Email the APK file to the user's email address.
– Select the attachment to start the installation. The Android
application installation dialog box is displayed.
• USB
– Connect the Android device to your workstation. If prompted,
enable USB File Sharing and Mass Storage modes.
– After your workstation recognizes the device, copy the APK file.
– Using a file management app from the Android Market (such as
EStrongs File Manager or Linda), open the APK file to start the
installation. The Android app installation dialog is displayed.
– After the application has been manually installed on the device,
disable the Unknown Sources setting.
Configuring Settings on Android Devices
After the BeyondTrustScanner is installed on the device, the device user can
run the configuration file. The user must enter the configuration file
password before the BeyondTrustScanner is automatically configured with
the Server information in the file.
If you chose not to distribute the configuration file to your users, you can
manually configure each mobile device using the BeyondTrustScanner
Application’s Settings.
Note that after the mobile device is configured to communicate with a
Retina CS Server, the Scan Time is dictated by the Android Connector. Any
Scan Time values that have been previously configured in the
BeyondTrustScanner Application will be ignored.
To manually configure the Android application:
1. Tap the BeyondTrustScanner application.
2. Set the following on each device:
– Notifications - Tap to turn on notifications.
Updates on the status of scans are displayed to the user.
– Asset Name - Tap to enter the name for the asset.
This is the name that will be displayed on the Asset Details pane in
Retina CS. By default, this is the user’s Google account name.
– Allow Untrusted SSL - Tap to allow untrusted SSL.
– Authentication Code - Enter the authentication code that you
entered when configuring the connection in Retina CS.
– Server - Enter the IP address and port for the Retina CS server.
Enter the default port (21691) that is opened when a connector is
created.
3. Click Synchronize.
If your server settings are correct and your server is accessible, a list of
Android Connectors that match the Authentication Code are displayed.
4. To register the device with the Retina CS Server, select an Android
Connector from the list.
Configuring an ActiveSync Connector
Create a connector to an ActiveSync server to scan all mobile devices
associated with the server.
Note that currently, Retina CS supports Windows Phone 7, iPhones, and
Android mobile devices. While other mobile device types will be detected
and scanned, some information might not be displayed (such as device type,
model, OS).
To configure an ActiveSync connector:
1. Click the Configure tab.
2. Click the Mobile tab.
3. Click + in the Mobility Connectors pane, and select ActiveSync.
– General - Enter a name and description for the connector.
– Connection Details - Click the Browse button to select the forest
and domain where the Exchange Server resides.
– Credentials - Enter the credentials that can access the Exchange
Server.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.
4. Click Update.
After you create a connector, an ActiveSync Smart Group is displayed in the
Assets pane. The Smart Group will be populated with assets after a scan
runs.
Reviewing Mobility Scan Results
You can review scan results on the Mobile tab.
Double-click a device to open the details page:
Creating Custom Audits for Mobile Devices
You can create a custom audit for your mobile devices.
The procedure to create a custom audit is the same as in Creating a Custom
Audit.
You can review the following table for details on audit types and audit
details that are specific to mobile devices.
Audit Type - Audit Details
– Mobile Software - Provide information, including: software, whether the
software exists, operating systems and versions.
– BlackBerry Device - Provide attributes for BlackBerry devices: model,
serial number, device ID, version, and operating systems.
– ActiveSync Device - Provide a list of device types and operating systems.
– Android Device - Choose from a list of Android attributes, including:
model, manufacturer, and release.
Cloud Scanning
In this section,
Requirements
Amazon EC2 Requirements
VMWare VCenter Requirements
Configuring a Cloud Connector
Scanning Paused or Offline VMWare Images
You can run scans on the following cloud types: Amazon EC2, VMWare
vCenter, GoGrid, Rackspace, and IBM SmartCloud.
Requirements
Before you create a cloud connector, ensure the following requirements are
in place.
Amazon EC2 Requirements
To use the Amazon EC2 connector, you must adhere to the following
recommendations from Amazon:
• User accounts must have minimal permissions assigned (for example,
describe instances)
• Small or Micro instances cannot be scanned.
The following minimum permissions are required to successfully enumerate
a list of targets and run a scan:
• ec2:DescribeInstances
• ec2:DescribeInstanceStatus
• ec2:StartInstances
• ec2:StopInstances
• ec2:DescribeImages
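The five actions listed above are the whole permission set the scanning account needs, so the IAM policy attached to its access key should contain exactly those and nothing broader. The following is an added example, not code from the guide or from BeyondTrust: it builds that minimal policy in the standard IAM JSON layout and checks a candidate policy against the required list, flagging both missing actions (the scan will fail to enumerate or start instances) and excess grants such as `ec2:*` or a wildcard pattern (more access than the scanner needs if the key leaks). The `check_policy` helper and the sample policies it is tested against are constructed for this example.

```python
"""
Added example (not BeyondTrust's code): the least-privilege IAM policy for
the Amazon EC2 connector account, plus a check that a candidate policy
grants exactly the actions the guide lists.  The helper names and the sample
policies are assumptions made for this example; the policy document shape is
the standard IAM JSON format.
"""
import fnmatch
import json
from typing import Dict, List

# The minimum permissions the guide lists for enumerating targets and scanning.
REQUIRED_ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeImages",
]


def minimal_policy() -> Dict:
    """The policy to attach to the scanner's IAM user: the listed actions only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(REQUIRED_ACTIONS),
            # Describe* actions do not support resource-level permissions, so
            # "*" is unavoidable here; Start/StopInstances could be narrowed
            # further to tagged instances with a second statement.
            "Resource": "*",
        }],
    }


def allowed_actions(policy: Dict) -> List[str]:
    """Flatten the Action field of every Allow statement (string or list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # IAM permits a single statement object
        statements = [statements]
    actions: List[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        actions.extend([action] if isinstance(action, str) else action)
    return actions


def check_policy(policy: Dict) -> Dict:
    """Compare a candidate policy with REQUIRED_ACTIONS.
    missing: required actions no Allow entry covers (scan would fail);
    excess:  entries that are wildcards or actions outside the required set."""
    granted = allowed_actions(policy)
    required = {a.lower(): a for a in REQUIRED_ACTIONS}   # IAM matches case-insensitively
    missing = [name for key, name in required.items()
               if not any(fnmatch.fnmatchcase(key, g.lower()) for g in granted)]
    excess = [g for g in granted
              if "*" in g or "?" in g or g.lower() not in required]
    return {"missing": missing, "excess": excess,
            "least_privilege": not missing and not excess}


if __name__ == "__main__":
    print(json.dumps(minimal_policy(), indent=2))
    print(check_policy(minimal_policy()))
```

Run `check_policy` on the policy actually attached to the connector's IAM user (for example, the output of the AWS console's policy editor) before entering the access key ID and secret access key in the connector. A policy that passes with `least_privilege` true still needs its secret key rotated and stored only in Retina CS, since the key grants the power to start and stop instances.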
VMWare VCenter Requirements
You can scan VMWare virtual machines.
Ensure the following requirements are in place before you configure the
VMWare connector in Retina CS.
• Retina 5.17 or later
• Retina CS 3.5 or later
• VMWare Tools must be installed on the targets that you want to scan.
– Log on to the VMWare web site and download the Virtual Disk
Development Kit (VDDK):
http://www.vmware.com/support/developer/vddk/
– Retina only supports version 5.1 of the VDDK. Ensure you copy the
following file: VMware-vix-disklib-5.1.0-774844.i386.exe
– Run the VDDK installer on the Retina computer using local
Administrator credentials.
• Retina CS needs access to https://<VMWare server>/sdk through port
443.
Configuring a Cloud Connector
You can configure a cloud connector in one of the following ways:
• On the Configure tab.
• On-the-fly when you are creating a cloud connector Smart Group.
To configure a cloud connector and Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule, and then enter the name, description, and category.
3. Select Cloud Assets from the Asset Selection Criteria section.
4. Click the browse button to open the Manage Cloud Connections dialog
box.
5. Click New.
6. Enter a title, and then select the provider: Amazon EC2, VMware
vCenter, GoGrid, Rackspace, or IBM SmartCloud.
7. On the New Connection dialog box, enter the connector information:
– Amazon - For Amazon cloud connections, you must enter the
region, access key ID, and secret access key.
Instances associated with the region are displayed in the Connection
Test Results section.
– VMWare vCenter - For VMWare cloud connections, enter the
VMWare server name and credentials.
Click Advanced to set a network for a VM if that VM needs to be
turned on.
If you scan snapshots, the results are displayed as attributes on the
details pane for the VM.
– GoGrid - Select the account type, enter the user name and API key.
– Rackspace - Select the account type, enter the user name and API
key.
– IBM SmartCloud - Select the region, enter the user name and
password.
After you configure the connector, click Test to ensure the connector
works.
8. Click Save.
9. In the Perform Actions area of the Smart Rules Manager, select Show
asset as Smart Group, and then click Save.
After you create a cloud connector, you can run a scan and review the results
to determine if any cloud assets are vulnerable.
Scanning Paused or Offline VMWare Images
By default, paused or offline VMs are turned on during a scan. After the scan
runs, the VMs are reverted to the paused or offline state. To scan offline
VMs, see Scanning VMDK Files.
If you suspect that a VM is suspicious, you can turn on the VM in another
secure network where other VMs will not be under potential threat. The
scan runs as usual, then the VM is reverted to the paused or offline state.
When creating the connector click the Advanced button. You can configure
each host that is a member of the vCenter instance.
The option that you select applies to all VMs on the host.
Note: The advanced options dialog box varies depending on your vCenter
configuration. The list of available options includes all other
networks configured for your vCenter instance or on your ESX
server.
Scanning VMDK Files
You can scan a VMDK file rather than turning on a VM. Ensure the check
box is selected as shown.
Scan times are faster when VMs remain powered off. However, scan results
might differ from scan results for VMs powered on (for example, open ports
and running processes might not be detected for VMs powered off).
Multi Tenant
Not supported in Retina CS Community.
Overview
Smart Rules Manager
Working with Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant
Overview
The Multi Tenant feature in Retina CS allows you to define multiple
organizations (or tenants) where each organization’s asset data is kept
isolated from all other organizations. Only Smart Rules marked as Global can
combine asset data across multiple organizations.
Most Retina CS features are available with Multi Tenant, including:
• Smart Rules
• Patch management module
• Mobility connectors
Features not available include exclusions, tickets, and report templates.
Smart Rules Manager and Browser Pane
All of the pre-packaged Smart Rules are part of the Global rules. When a pre-
packaged Smart Rule is turned on, then the Smart Rule applies to all assets in
every organization. You can select the Global rules from the Smart Groups
browser pane.
When you initially create an organization:
• The Default Organization is provisioned with an All Assets Smart Rule.
• The new organization is provisioned with an All Assets Smart Rule.
Create Smart Rules in the usual way. For more information, see Creating a
Smart Rule.
You can easily switch between tenants on the Smart Groups browser pane
and on the Smart Rules Manager page.
Working with Scan Credentials
You can create credentials when running a scan. However, when using the
multi-tenant feature, you can create global credentials or credentials for an
organization.
All users can see global credentials. Correct permissions are needed to see
tenant-specific credentials.
It is recommended to create credentials specific to each tenant.
In the following scenario, while XYZ Financial is the organization selected,
you can choose to create credentials only for XYZ or select the Set as Global
check box.
For more information about credentials, see Adding Credentials.
Quick Rules
When you create a quick rule from the Vulnerabilities page or the Attack
page the rule applies to whichever organization is selected in the Smart
Groups browser pane.
When you create a quick rule from the Address Group, you can select the
organization.
Organization Filters
When working with more than one customer, use the Organization filters to
see only assets, Retina scan agents, or Retina protection agents associated
with a particular customer.
The Organization filter is only displayed if more than one active organization
is available to the currently logged-on user.
Additionally, when managing your user groups, you can filter Smart Rules by
organization.
Patch Management Module
If you are using Multi Tenant, note the following when using the Patch
Management Module:
• For each WSUS server connection, you must select an organization.
• When creating a Smart Rule, the credentials displayed are only for the
selected organization.
• Credentials created when you create the Smart Rule are only associated
to that organization.
• The list of available WSUS servers includes all global connections plus
any specific to the organization.
For more information, see Patch Management Module.
Mobility Connectors
You can associate an organization with any of the mobility connectors.
Select the organization when creating the connector.
For more information, see Mobility Scanning.
Retina Protection Agents
A workgroup is required when deploying Retina protection agents in a Multi
Tenant environment.
For more detailed information about deployment, see Deploying the
Protection Policies.
Selecting a Workgroup
For unknown assets (assets not scanned by Retina CS), you must select a
workgroup associated with the organization. Assets might be unknown when
using the following settings:
• Single IP address
• IP range
• CIDR notation
• Named Hosts
For known assets (assets detected and in the Retina CS database), a
workgroup does not need to be selected. The assets are already associated
with a workgroup. Assets are known when using the settings:
• Currently selected Smart Group
• Currently selected Assets
Creating a Workgroup
When an organization is selected in the Smart Groups browser pane, you
can enter a workgroup name if one is not already created for the
organization.
The workgroup name must be unique across all organizations. If you enter a
name that exists, an error message is displayed.
Note that you cannot enter a workgroup name when Global is selected in
the Smart Groups browser pane.
Viewing the Workgroups Available
The workgroups displayed depend on the item selected in the Smart Groups
browser pane.
• Global - All workgroups are displayed. The organization is in
parentheses.
• Organization - Only workgroups associated with the organization are
displayed.
Setting Up Organizations
Key steps in setting up the organization:
• Create a workgroup
• Create an organization
• Create a User Group
Step 1 Creating a Workgroup
Permissions: The User Accounts Management permission is needed to assign
workgroups to an organization.
Every Retina scanner agent or Retina protection agent must be assigned a
workgroup. A workgroup is typically created when the agent is initially
deployed.
You can add and delete workgroups. However, you cannot rename
workgroups.
You can only delete a workgroup if it is not associated with an organization,
mobility connector, Retina scanner or Protection agents.
Use the REM Client Configuration tool to create a workgroup.
To create the workgroup:
1. Log on to the asset where the agent resides.
2. Start the REM Client Configuration Tool.
3. Select the Enabled Application tab, and select the check box for the
agent.
4. Select the Workgroup tab and enter a name and description.
5. Click OK.
Step 2 Adding an Organization
An organization is automatically populated with an All Assets Smart Group.
To create an organization and associate with a workgroup:
1. Click the Configure tab, and then click the Organizations tab.
2. Click the Create New Organization button.
3. Enter the name of the organization.
The Active check box is selected by default and must be selected to
successfully run scans on the tenant's assets.
4. Click the Create button.
5. Scroll to the Workgroups tab.
6. Click the edit icon for the organization, and then select the organization.
7. Click the check mark to save the changes.
Step 3 Creating a User Group for a Tenant
You can create a user group for a tenant. The users in the group can then log
on to Retina Insight and run reports. When creating the user group, ensure
that you assign the Retina Insight permission. Additionally, assign Read
permissions to the tenant's Smart Rules. The users can then run reports
based on the Smart Rules.
Creating a user group for a tenant is optional and only required if your client
wants to run reports from Retina Insight. For more information, see
Managing Users.
As a security measure, a tenant cannot log on to Retina CS.
Managing Users
Not supported in Retina CS Community.
In this section,
Creating User Groups
User Group Permissions
Access Levels
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users
Create user groups and user accounts so that your Retina CS administrators
can log on to Retina CS.
You can delegate Retina CS administrator responsibilities by explicitly
assigning certain Read and Write permissions to a user group. After a user
group is created, create and add user accounts to the group.
Creating User Groups
You can create a user group based on the delegation model you designed for
your Retina CS administrators.
Alternatively, you can add an Active Directory group. Members in that
group can log on to Retina CS and perform tasks based on the permissions
assigned to the group.
An Administrators user group is created by default. The permissions
assigned to the group cannot be changed. The user account you created
when you configured Retina CS is a member in the group.
For a complete list of the Read and Write permissions available, see User
Group Permissions.
When a user is added to a group, the user is assigned the permissions that are
assigned to the group.
To create a user group:
1. Select the Configure tab then select the Accounts tab.
Select the button to change the view between all users and all groups.
2. To create a user group, click + in the User Groups pane.
3. Select Group or Active Directory Group from the list.
4. Enter a name and description for the user group or Forest and Domain
for Active Directory group. These fields are required.
If you select Active Directory Group, then the Select Active Directory
dialog box is displayed. If the Retina CS server is a member of a domain,
the Forest name is automatically populated. Note, however, that you
might need to click Credentials if the Retina CS application pool
identity does not have sufficient rights to query Active Directory.
If the Retina CS server is not a member of a domain, you need to set
proper credentials first (click Credentials) and then enter a valid Forest
name and click Go. Next, select a domain from the drop-down menu. A
list of Security Groups in the selected domain is displayed.
For performance reasons, a maximum of 250 groups from Active
Directory is retrieved. If the selected domain contains more than 250
security groups, you can use the Group Filter field to shorten the
displayed list. The default filter is an asterisk (*) which is a wildcard filter
that returns all groups. Some examples of other filters are:
a* (returns all group names that start with a)
*d (returns all group names that end with d)
*sql* (returns all groups that contain 'sql' in the name)
5. Select the Active check box to activate the user group. Otherwise, clear
the check box and activate later.
6. Select the permissions and access levels.
7. Select the Smart Rules and access levels to the rules.
8. Click Create.
9. Create and add user accounts.
User Group Permissions
Permissions in Retina CS must be assigned cumulatively. For example, if you
want a Retina CS administrator to manage only Configuration Compliance
scans, then you must assign Read and Write for the following permissions:
Asset Management, Benchmark Compliance, Reports Management, Scan -
Job Management, Scan Management.
The following table provides information on the permissions that you can
assign to your user groups.
Permission Name: Apply Read and Write to…
• Asset Management: Create Smart Rules; edit or delete on the Asset Details window; create Active Directory queries; create address groups.
• Attribute Management: Add, rename, delete attributes when managing user groups.
• Benchmark Compliance: Configure and run benchmark compliance scans.
• Credential Management: Add and change credentials when running scans and deploying policies.
• Deployment: Activate the Deploy button.
• File Integrity Monitoring: Work with File Integrity rules.
• Manual Range Entry: Allows the user to manually enter ranges for Scans and Deployment rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.
• Option Management: Change the application options settings (such as account lockout and account password settings).
• Patch Management: Use the Patch Management module.
• PowerBroker for Unix & Linux: Use the PowerBroker Servers module.
• PowerBroker for Windows: Activates access to the PowerBroker for Windows features, including PBW asset details and the exclusions page on the Configure tab.
• Protection Policy Management: Activate the protection policy feature. User groups can deploy policies, and manage protection policies on the Configure tab.
• Reports Management: Run scans, create reports, create report category.
• Retina CS Login: Access the Retina CS management console.
• Retina Insight: Sign in to Retina Insight, generate reports, and subscribe to reports. After you create a user group for Retina Insight, go to the Configure tab in Insight and run the process daily cube job. Data between Retina CS and the Insight cube must be synchronized.
• Scan - Audit Groups: Create, delete, update and revert Audit Group settings.
• Scan - Job Management: Activate Scan and Start Scan buttons. Activates Abort, Resume, Pause and Delete on the Job Details page.
• Scan - Policy Manager: Activate the settings on the Edit Scan Settings view.
• Scan - Port Groups: Create, delete, update and revert Port Group settings.
• Scan Management: Delete, edit, duplicate, and rename reports on the Manage Report Templates page. Activate New Report and New Report Category. Activate the Update button on the Edit Scan Settings view.
• Session Monitoring: Use the Session Monitoring features.
• Ticket System: View and use the ticket system.
• Ticket System Management: Mark a ticket as Inactive. The ticket no longer exists when Inactive is selected.
• User Accounts Management: Add, delete, or change user groups and user accounts.
• User Audits: View audit details for Retina CS users (Configure tab, User Audits window).
Access Levels
• No Access: Neither Read nor Write check boxes are selected. Users can only view the dashboard and corresponding views.
• Read: Users can view selected areas, but cannot change information.
• Read and Write: Users can view and change information for the selected area.
Permissions Required for Configuration Options
Configure tab option: Permission
• Accounts: Everyone can access. Users without the User Accounts Management permission can only edit their own user record.
• Active Directory Queries: Asset Management
• Address Groups: Asset Management
• Attributes: Asset Management
• Benchmark Management: Benchmark Compliance
• Cloud Connections: Asset Management
• Mobile: Asset Management
• Organization: User Accounts Management
• Patch Management: Patch Management
• SCCM: Patch Management
• Protection Policies: Everyone can access
• Scan Options: Scan Management
• Services: Member of the built-in RCS Administrators group
• User Audits: User Audits
• Workgroups: User Accounts Management
Creating User Accounts
User accounts create the user identity that Retina CS uses to authenticate
and authorize access to specific system resources.
When you delete a user account or group that is assigned tickets, a dialog
box is displayed where you can reassign the ticket to another user or group.
A user account must be a member in a user group.
Checkpoint
You must create a user group before you can create a user account. For more
information, see Creating User Groups.
To create a user account:
1. Select the Configure tab, and then select the Accounts tab.
2. From the Groups/Users button select the Groups view.
3. Select a user group.
4. Click + in the Users pane.
To edit a user, select the user account. The User Details pane is
displayed.
5. Complete the First Name, Email Address, User Name, Password, and
Confirm Password. These fields are required.
Note: If you are changing the password, see Reset Retina CS Account
Password.
6. Enter the user’s phone numbers (optional).
7. Select an Activation Date and an Expiration Date for the user account.
8. Select the User Active check box to activate the user account.
9. Select the Account Locked check box to lock the account.
10. Select one or more user groups from the list and click Add.
11. Click Create.
Later, after you create a user, you can change the group membership. Change
the view to the Users view. Select a user account and change the group
membership.
Reset Retina CS Account Password
You can change the password for a Retina CS user account.
To reset a user password:
1. Select the Configure tab then select the Accounts tab.
2. Select the user name from the Users pane.
3. Click Reset Password.
4. Enter the new password.
5. Click Update.
Auditing Retina CS Users
You can track the activities of your Retina CS administrators.
You can review:
• Logon and logoff times
• The IP address the administrator logged on from
• Any actions taken (for example, configuring user settings)
If there are a lot of audit activities, you can use the search feature to display
only those that are relevant. You can also configure display preferences and
filters to refine the information displayed. For more information, see
Changing the Display.
The following example shows that the Administrator added and then
removed an address group.
Adding Credentials
You can create the following credential types:
• SSH. See Creating an SSH Credential.
• Windows
• MySQL
• Microsoft SQL Server
• Oracle. See Creating Oracle Credentials.
Retina scanner agent version 5.14 (or later) is required to support this
feature.
To add a credential:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. Select a credential type from the list: Any, Windows, MySQL, MS SQL
Server.
4. Enter the user account information: domain, user name, password, and
key.
5. If you are creating Microsoft SQL Server credentials, select the
authentication type.
6. If you are creating more than one credential, you can use the same
confirmation key for all credentials. Select the Use the same key for all
check box, and then enter the key.
7. Click Save.
Creating an SSH Credential
You can create Public Key Encryption credentials to connect to SSH-
configured targets. You can select a credential that contains a public/private
key pair used for SSH connections.
DSA and RSA key formats are supported.
Optionally, when configuring SSH, you can select to elevate the credential:
• Use sudo. Using sudo, you can access scan targets that are not
configured to allow root accounts to log on remotely. You can log on as
a normal user and sudo to a more privileged account. Additionally, you
can use sudo to elevate the same account to get more permissions.
• Use pbrun. Using pbrun, you can elevate the credential when working
with PowerBroker Servers for Unix & Linux target assets.
To create an SSH credential:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. From the Type list, select SSH.
4. Enter a description and user name.
5. Select an authentication type from the list:
– Password - Enter a password.
– Public Key - Enter the private key file name and passphrase. Click
Browse to navigate to the file.
A public key is generated based on the contents of the private key.
6. Enter a description and key.
7. To elevate credentials (optional), select one of the following from the
Elevation list:
– sudo – Enter a sudo user name and password. You can use the user
name provided in the Username box and leave the sudo username
blank.
– pbrun – Enter the pbrun user name.
8. Click Save.
Creating Oracle Credentials
If you are scanning Oracle databases, you can create Oracle credentials.
The tnsnames.ora file is updated automatically after you create an Oracle
credential.
To create Oracle credentials:
1. On the Set Scan Options page, expand Credentials Management and
click the pencil icon.
2. Click Add.
3. From the Type list, select Oracle.
4. Provide a user name, description, and password.
5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.
6. Select additional connection options:
– Connect To - Select from: Database SID, Named Service.
– Database SID - Enter the database SID.
– Protocol - Select a protocol: TCP, TCPS, NMP.
– Host - Enter the host name where the Oracle database resides.
– Port Number - Enter a port number.
7. Enter a key.
8. Click Save.
Adding Credentials for Active Directory Access
You can add credentials to access a particular Active Directory domain. Add
credentials for each forest/domain combination.
To add Active Directory credentials:
1. Click the Configure tab then select the Accounts tab.
2. Click + and select Active Directory Group.
3. Click Credentials.
4. Click Add.
5. Enter the forest name, domain name, user name, and password.
Enter the user name using the format: <domain name>\user name.
Otherwise, the domain you enter in the Domain box is used.
6. Click Test.
Success is displayed when the credentials provided can successfully
contact the domain.
7. Click OK.
Setting Retina CS Options
In this section,
Account Lockout Options
Account Password Options
Auto Update Options
Display Options
Email Notification Options
Maintenance Options
Proxy Settings
Refresh Settings
Account Lockout Options
Not supported in Retina CS Community.
You can set lockout options, such as lockout threshold and duration.
To set account lockout parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Lockout
Options.
3. Set the following account lockout options:
– Account Lockout Duration - Sets the number of minutes the user
is locked out.
– Account Lockout Threshold - Sets the number of times a user can
try their password before the account is locked out.
– Account Lockout Reset Interval - Sets the number of
unsuccessful password entry attempts before generating a reset
notification.
– Unlock Account upon Password Reset Notification - Select the
Yes check box to email a new password and unlock the account
when Forgot Your Password is selected.
If not selected, an email is sent with a new password but the account
is not unlocked.
4. Click Update.
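The way the threshold, duration, and unlock-on-reset options interact is easiest to see in a small model. The following is an added example, not BeyondTrust code: time is an integer minute counter so it runs offline, the password is held in plain text only for the simulation, and the Account Lockout Reset Interval option is not modelled.

```python
"""Account lockout model for the Account Lockout Options above.

Added example, not BeyondTrust code: shows how Account Lockout Threshold,
Account Lockout Duration, and Unlock Account upon Password Reset
Notification combine. Time is an integer minute counter so the example runs
offline; the Reset Interval option is not modelled.
"""
import hmac


class LockoutPolicy:
    def __init__(self, threshold, duration_minutes, unlock_on_reset):
        self.threshold = threshold              # failed tries before lockout
        self.duration_minutes = duration_minutes
        self.unlock_on_reset = unlock_on_reset  # the "Yes" check box


class Account:
    def __init__(self, policy, password):
        self.policy = policy
        self._password = password   # plain text only for this simulation
        self.failed_attempts = 0
        self.locked_until = None    # minute at which the lockout expires

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt_login(self, password, now):
        """Return True on success. Each failure counts toward the threshold;
        reaching it locks the account for the configured duration."""
        if self.is_locked(now):
            return False                # locked: not even the right password works
        if self.locked_until is not None:
            self.locked_until = None    # lockout has expired; counting starts over
        if hmac.compare_digest(password.encode(), self._password.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.threshold:
            self.locked_until = now + self.policy.duration_minutes
            self.failed_attempts = 0
        return False

    def forgot_password(self, new_password, now):
        """Model of Forgot Your Password: a new password is always issued
        (emailed); the account is unlocked only when the option is Yes.
        Returns True if the account is usable afterwards."""
        self._password = new_password
        if self.policy.unlock_on_reset:
            self.locked_until = None
            self.failed_attempts = 0
        return not self.is_locked(now)
```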
Account Password Options
Not supported in Retina CS Community.
You can set account password parameters, such as a complexity requirement
and password length.
To set account password parameters:
1. Select Options.
2. On the Application Options dialog box, expand Account Password
Options.
3. Set the following password options:
– Password Must Meet Complexity Req. - Requires users to adhere
to complex password rules when creating a password.
– Enforce Password History - Enter the number of passwords a user
must create before an old password can be reused.
Enter 0 to not enforce a password history. There are no restrictions
on using past passwords when 0 is entered.
– Minimum Password Length - Enter the minimum number of
characters for the password.
– Maximum Password Age - Enter the maximum number of days
before a password must be changed.
– Minimum Password Age - Enter the minimum number of days
that a password must be used before it can be changed.
4. Click Update.
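The five password options above apply together to every password change. The following is an added example, not BeyondTrust code, that evaluates a proposed change against them; days are integers so it runs offline, the complexity rule is an assumption because the guide does not define it, and minimum age is assumed not to block an expired password.

```python
"""Password option checks.

Added example, not BeyondTrust code: evaluates a proposed password change
against the five Account Password Options above. Days are integers (days
since an arbitrary epoch) so the example runs offline. The guide does not
define "complexity", so the rule used here is an assumption.
"""
import hashlib
import string


class PasswordPolicy:
    def __init__(self, complexity, history, min_length, max_age_days, min_age_days):
        self.complexity = complexity      # Password Must Meet Complexity Req.
        self.history = history            # Enforce Password History (0 = off)
        self.min_length = min_length      # Minimum Password Length
        self.max_age_days = max_age_days  # Maximum Password Age
        self.min_age_days = min_age_days  # Minimum Password Age


def meets_complexity(password):
    """Assumed rule: at least three of upper, lower, digit, punctuation."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def fingerprint(password):
    """Digest kept in the history list. A real store would use a salted,
    slow hash; SHA-256 is enough to demonstrate the comparison."""
    return hashlib.sha256(password.encode()).hexdigest()


def password_expired(policy, last_changed_day, today):
    """Maximum Password Age: True when the password must be changed now."""
    return policy.max_age_days > 0 and today - last_changed_day >= policy.max_age_days


def check_change(policy, new_password, history, last_changed_day, today):
    """Return the list of violated options (empty means the change is allowed).

    history: fingerprints of previous passwords, most recent first.
    """
    problems = []
    if policy.complexity and not meets_complexity(new_password):
        problems.append("complexity")
    if len(new_password) < policy.min_length:
        problems.append("min_length")
    # history == 0 means any past password may be reused
    if policy.history > 0 and fingerprint(new_password) in history[:policy.history]:
        problems.append("history")
    # Minimum age is not applied to an expired password, so that an expiry
    # can always be satisfied (assumption; the guide does not say).
    too_soon = today - last_changed_day < policy.min_age_days
    if too_soon and not password_expired(policy, last_changed_day, today):
        problems.append("min_age")
    return problems
```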
Auto Update Options
Retina CS contacts the Update Server to retrieve the latest product and audit
updates. Downloading updates ensures your assets are secure against the
latest vulnerabilities.
By default, Auto Update is turned on.
To activate Auto Update:
1. Select Options.
2. On the Application Options dialog box, expand Auto-Update Options.
3. Select the Yes check box.
4. Click Update.
Display Options
You can turn on auto-expansion and set the number of items to display per
page.
To set display options:
1. Select Options.
2. On the Application Options dialog box, expand Display Options.
3. Select the Yes check box to open the report in a new window.
This feature is available only with reporting on existing data.
4. Enter the number of items to display per page.
5. Select the Yes check box to turn on auto-expansion.
6. Click Update.
Email Notifications
The email notification sends an email when an error occurs while running
reports.
The email address is stored in the Retina CS database.
Note: Email settings are initially set in the Retina CS configuration tool.
Ensure that you use the same information here.
To add an email address for notification:
1. Select Options.
2. On the Application Options dialog box, expand Email Notification
Options.
3. Enter an email address in the From Email Address box.
4. Verify the SMTP server name and port.
5. Enter the username and password.
6. Click Update.
Maintenance Options
You can remove collected data from the Retina CS database. Configure the
number of days to retain data.
Not all maintenance options are supported in Retina CS Community.
To specify the maintenance options:
1. Select Options.
2. On the Application Options dialog box, expand Maintenance Options.
3. Enter the number of days that pass before data is purged.
– Purge General Events Older Than - Purges the raw information
sent by the protection agents and Retina agents. The default number
of days is 7.
– Purge Vulnerabilities Older Than - The vulnerabilities are
displayed in the Vulnerabilities module until fixed or purged.
Recommended: 90 days. However, this can vary for different
environments. Once the data is purged, the vulnerabilities are
removed from the database.
– Purge Attacks Older Than - Attacks are discovered by the
protection agent.
Recommended: 90 days.
– Purge Assets Older Than - This covers assets that were
discovered once, but are never discovered again (the asset might be
inactive or removed). Recommended: 30 days.
– Purge Audit Data Older Than - Purges audit data.
– Purge Retina Agent Jobs every N days - Purges jobs. The default
value is every 30 days.
Enter 0 if you do not want to purge the jobs.
– Purge Chart Data Older Than - Purges chart data. The default
value is 90 days.
– Purge Application Events Older Than - Purges the application
events sent by the protection agent and Retina agents. The default
value is 7.
– Purge Application Log Files Older Than - Purges the raw
information sent by the protection agents. The default value is 30.
– Purge Asset Attributes Older Than - Purges the raw information
sent by the protection agents and Retina agents. Recommended: 7
days.
– Purge Scans Older Than - Purges the raw information sent by the
protection agents and Retina agents. Recommended: 7 days.
– Purge Scans Events Older Than - Purges the raw information
sent by the protection agents and Retina agents. Recommended: 7
days.
– Purge Attack Events Older Than - Purges the raw information
sent by the protection agents. Recommended: 7 days.
– Purge Windows Events Older Than - Purges the information sent
by the protection agents. The default value is 90 days.
– Purge Closed Tickets Older Than - Enter the number of days
before closed or inactive tickets are deleted.
The calculation for purging ensures the ticket is closed and uses the
date the ticket was last updated, not the due date.
For example, a ticket has a due date 60 days in the future but the
ticket was closed and not edited for over a week. If the purge setting
is set to 7, then the ticket is purged even though the due date is in
the future.
– Server Localization - en-US. Reserved for future use.
– Purge PBW Events Older Than - Purges the PowerBroker for
Windows events.
– Purge PBUL Events Older Than - Purges the events sent by
PowerBroker Servers.
– Purge FIM Events Older Than - Purges the File Integrity events
captured by PowerBroker for Windows.
4. Click Update.
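The purge settings above all follow one "older than N days" rule, with closed tickets as the special case judged by their last-updated date. The following is an added example, not BeyondTrust code, that applies that rule to the record types with a quoted default or recommendation and replays the ticket scenario from the text; days are integers so it runs offline, and 0 is assumed to disable purging for every setting, as the guide states for agent jobs.

```python
"""Purge (retention) decisions from the Maintenance Options above.

Added example, not BeyondTrust code: applies the generic "older than N days"
rule to record types that have a default or recommended setting, plus the
ticket rule (closed or inactive, judged by the last-updated date rather than
the due date). Days are integers so the example runs offline.
"""
from dataclasses import dataclass

# Defaults and recommendations quoted in the guide, in days.
RETENTION_DAYS = {
    "general_event": 7,
    "vulnerability": 90,
    "attack": 90,
    "asset": 30,
    "agent_job": 30,
    "chart_data": 90,
    "application_event": 7,
    "application_log": 30,
    "windows_event": 90,
    "ticket": 7,
}


@dataclass
class Record:
    kind: str
    record_id: str
    day: int          # created on this day; for tickets, last updated on this day
    status: str = ""  # tickets only: "open", "closed" or "inactive"
    due_day: int = 0  # tickets only; deliberately ignored by the purge rule


def older_than(record_day, retention_days, today):
    """Generic rule. 0 disables purging (the guide states this for agent
    jobs; the example assumes it for the other settings too)."""
    if retention_days <= 0:
        return False
    return today - record_day > retention_days


def ticket_purgeable(ticket, retention_days, today):
    """A ticket is purged only if it is closed or inactive and has not been
    updated within the window; the due date plays no part."""
    if ticket.status not in ("closed", "inactive"):
        return False
    return older_than(ticket.day, retention_days, today)


def plan_purge(records, today, retention=RETENTION_DAYS):
    """Return the ids of the records that would be purged today."""
    purged = []
    for rec in records:
        days = retention.get(rec.kind, 0)   # unknown kinds are never purged
        if rec.kind == "ticket":
            hit = ticket_purgeable(rec, days, today)
        else:
            hit = older_than(rec.day, days, today)
        if hit:
            purged.append(rec.record_id)
    return purged
```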
Proxy Settings
You can configure a proxy server if the Retina CS server does not have
direct Internet access.
To set up a proxy server:
1. Select Options.
2. On the Application Options dialog box, expand Proxy Settings.
3. Select the Yes check box.
4. In the Address box, enter the IP address or domain name of the proxy
server.
5. Enter the user name and password for the proxy server.
6. To override any local proxies, select the Yes check box.
7. Click Update.
Refresh Settings
You can set refresh intervals for scan jobs and Smart Rules.
Scans can run more efficiently when Smart Rules are set to refresh at longer
intervals.
To set refresh settings:
1. Select Options.
2. On the Application Options dialog box, expand Refresh Settings.
– Maximum job refresh frequency (minutes) - Retina CS jobs are
refreshed at the interval entered here. When the refresh occurs,
updates to schedules, scanners, and Smart Rules will be updated for
the job.
The default value is 360 minutes (6 hours).
– Maximum Smart Rule Refresh Frequency for asset updates
(minutes) - Set the number of minutes for the refresh interval for
Smart Rules.
Asset changes (assets added or removed from the Smart Rule) that
occur between the refresh interval are reflected in the rule.
The default value is 60 minutes.
Maintenance
Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
Diagnostics
Monitoring Services
Creating a Support Package
Viewing Status for Scanners and Agents
You can review details about your deployed Retina scanners and protection
agents.
Use the Agent Details page to determine if scanners or agents are out of
date.
To view asset details:
1. Select the Assets tab.
2. Select Agents.
3. Click the i button to review additional information.
The Agent Details page displays the following: IP address, computer
name, OS, workgroup, domain, and agent name and versions.
Note that you can change viewing preferences for the Agents page. You
can select preferences and create filters to determine the list of agents
and scanners that are displayed. For more information, see Changing the
Display.
Determining if a Retina Agent is Available
A Retina scanner agent might lose connectivity to Central Policy. You can
determine connectivity in the following places:
• When you are setting up a scan, there is a warning icon next to an agent
name.
• On the Agents page for Vulnerability Scanners, there is a warning icon in
the Retina Last Updated column.
The agent might not be able to accept the job request.
Ensure the computer hosting the Retina agent is online.
Removing Retina Agent Files
Clean Retina CS records for scheduled, queued, and completed jobs.
Ensure your Retina CS administrators are assigned the Scan Management
permission. For more information, see Creating User Groups.
To clean Retina agent files:
1. Select the Assets tab, and then select the Agents tab.
2. Select the agent in the list, and then click i.
3. Click Agent Maintenance.
– Clean Retina Files - Deletes files from the following directory:
C:\Program Files (x86)\eEye Digital Security\Retina 5\Scans
– Clean RCS Files - Removes all jobs for the selected agent,
including scheduled, queued, and completed jobs.
– Reschedule existing scheduled jobs - When the Clean RCS Files
check box is selected, you can select this check box to reschedule
jobs automatically.
4. Click OK to save the settings.
5. Click Reset Engine to restart the Retina CS services.
Configuring a Failover Agent
Not supported in Retina CS Community.
You can configure a backup agent to provide redundancy in case an agent
fails.
To configure a failover agent:
1. Click the Assets tab.
2. Expand Agents and Scanners, and then click Vulnerability Scanners.
3. Click the Agents tab.
4. Select an agent, and then click i.
5. On the Agent Details pane, click Configure Failover Agent.
6. Select an agent. The Failover Agent field displays the name of the agent
that you select.
7. Click OK.
You can configure a failover agent timeout on the Configure tab. The default
timeout is 15 minutes.
Creating a Support Package
Create a support package that can be used by BeyondTrust Technical
Support. The package includes:
• All logs in the Retina CS Logs folder.
• Storage size statistics on the Retina CS database.
• Certain database tables that contain information on Retina Protection
agents and Retina scanner agents and their jobs.
To generate the package:
1. Select Help > Generate Support Package.
2. Click Generate Support Package.
3. Click Save File.
4. Save the .zip file and email to your Technical Support representative.
Diagnostics
Not supported in Retina CS Community.
In this section:
Monitoring Services
Monitoring Services
On the Services page, you can:
• Turn on debug logging
• View the log files
• See the status of the service (Running, Stopped, Paused)
• Change credentials for the service
To review Retina CS services:
1. Select the Configure tab.
2. Select the Services tab.
3. Click View to open and review details in the log.
4. Click Email to send the log to selected email addresses.
To turn on debug logging:
1. Select the Configure tab.
2. Select the Services tab.
3. To turn on debug logging, click Enable Debug Logging.
All Retina CS services are restarted if you turn on debug logging.
Turn off debug logging after you finish troubleshooting Retina CS to
improve performance.
To change the credentials for the service:
1. Select the Configure tab.
2. Select the Services tab.
3. Click the button as shown:
4. Enter the credentials, and then click OK.
II. BeyondTrust Modules
Retina Scanner Agents
PowerBroker for Windows
Patch Management Module
System Center Configuration Manager
Retina Protection Agents
PowerBroker Servers for Unix & Linux
PasswordSafe
Regulatory Reports Pack
Configuration Compliance Pack
Retina Scanner Agents
Discovery Scanning
Running a Discovery Scan
Discovering Assets Using a Smart Group
Discovering Assets Manually
Running a Vulnerability Scan
Reviewing Vulnerability Scan Results
Creating a Quick Rule
Excluding Vulnerabilities
Remediating Vulnerabilities
Setting CVSS Metrics
Setting CVSS Environmental Metrics
Setting Base and Temporal Metrics
Configuring Retina Agent Scan Options
Performance Settings
Timeout Values
Event Routing
Setting Restrictions on Scan Times
Configuring General Scan Options
Scanner Pooling
Discovery Scanning
Run a discovery scan to locate network assets, such as workstations, routers,
laptops, and printers. A discovery scan also determines if an IP address is
active.
You can periodically repeat the discovery scans to verify the status of
devices and programs and the delta between the current and previous scan.
Note that discovered assets do not count toward your license.
Running a Discovery Scan
You run a discovery scan in the same way as a vulnerability scan. See
Running a Vulnerability Scan for a step-by-step procedure.
Review the following recommended Discovery scan settings:
• On the Set Scan Options page, setting credentials is not required.
Typically, setting credentials for other types of scan templates is
recommended. However, for a discovery scan, you want to ensure that
all types of systems are detected and credentials are not necessary.
After assets are detected, you can run audit scans using credentials to
ensure more thorough scan results.
• On the Scan Policy Options page, here are some recommended settings:
– Perform OS Detection - Select this check box.
– Perform Traceroute - Select this check box.
– Enumerate * - Clear all enumerate check boxes.
– Randomize Target List - Select this check box.
Change the settings on the Edit Scan Settings page. See Configuring Scan
Settings.
• Discovery ports. The default TCP discovery port list: 21, 22, 23, 25, 80,
110, 139, 443, 445, 554, 1433, 3389.
Use more than one scanner to distribute the coverage across the network.
Discovering Assets Using a Smart Group
You can discover assets when the Smart Group filter is an address group,
Active Directory query, or Cloud connector.
Any assets online since the Smart Group was last processed are detected
when the Use to discover new check box is selected.
The scan results on the Assets page reflect the number of assets found.
If you create an address group that includes a /19 CIDR block, that
range includes 8190 potential assets (the discovery scan will
always try to discover that many assets). Keep this in mind when
you are reviewing scan results.
Key steps:
• Create an address group or Active Directory query that includes the IP
address range or domain. See the step-by-step procedures: Creating an
Active Directory Query or Creating an Address Group.
Alternatively, you can create the address group or query on-the-fly when
you are creating the Smart Group.
• Create a Smart Group that includes the address group or query as the
filter. Ensure the discover assets check box is selected.
Note that you can use the Discover New assets check box on any scan.
However, the scan is slower when this option is selected.
It is recommended that you run a discovery scan at a regular interval (for
example, monthly or weekly schedule). Full vulnerability scans can then run
only on known targets.
Discovering Assets Manually
You can discover assets manually by entering a host name, IP address or
address range when running a discovery scan.
Running a Vulnerability Scan
Before setting up your scan settings, ensure the following is in place:
• When you run a scan in Retina CS, you must select a report template to
determine the scope of the scanning. For a complete list of report
templates, see Reports Templates and Audit Groups.
• Determine the assets to include in the scan. For example, you can create
Smart Groups, enter IP address ranges, or list named hosts.
Note that on the Assets page, you can individually select the assets to scan.
Tip: Ad hoc Scanning
You can enter any combination of IP address, IP address
range, and CIDR notation in the Named Hosts box. Separate
the entries using a comma.
For example, 10.10.10.20, 10.10.10.4-10.10.10.8,
192.168.1.0/24
Note, however, that if an IP address is invalid, no error message is
displayed; the invalid address is simply not scanned.
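Because the Named Hosts box gives no feedback on a malformed entry, and because a CIDR block such as the /19 mentioned under Discovering Assets Using a Smart Group expands to thousands of potential assets, it is worth checking the target list before submitting the scan. The following pre-check is an added example, not Retina CS code; it assumes the single-address, range and CIDR forms shown in the tip plus plain DNS host names, and counts how many hosts each entry covers.

```python
"""Validate an ad hoc Named Hosts target list before submitting a scan.

Added example (not Retina CS code): Retina CS silently skips invalid
entries, so this pre-check flags them and counts how many hosts each
entry expands to, which is also the number of potential assets the
discovery scan will try (a /19 block is 8190 hosts).
"""
import ipaddress
import re

# DNS host name: labels of 1-63 letters, digits or hyphens, not starting
# or ending with a hyphen (assumed rule; Retina CS's own validation is not documented here).
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def count_hosts(entry):
    """Return the number of hosts an entry covers; raise ValueError if it is malformed."""
    if "/" in entry:
        # CIDR block; strict=False also accepts host bits set (e.g. 192.168.1.5/24).
        net = ipaddress.ip_network(entry, strict=False)
        # Exclude network and broadcast addresses for ordinary IPv4 blocks.
        if net.version == 4 and net.prefixlen <= 30:
            return net.num_addresses - 2
        return net.num_addresses
    if entry.count("-") == 1:
        start, end = (s.strip() for s in entry.split("-"))
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError:
            pass  # not an address range; may still be a hyphenated host name
        else:
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"bad address range: {entry}")
            return int(hi) - int(lo) + 1
    try:
        ipaddress.ip_address(entry)
        return 1
    except ValueError:
        pass
    # Anything made only of digits and dots was meant as an IPv4 address,
    # so it is malformed rather than a host name (catches 10.10.10.300).
    if re.fullmatch(r"[0-9.]+", entry) or not HOSTNAME_RE.fullmatch(entry):
        raise ValueError(f"unrecognized target: {entry}")
    return 1


def check_targets(spec):
    """Split a comma-separated Named Hosts string into (valid, invalid).

    valid is a list of (entry, host_count); invalid lists the entries the
    scanner would drop without a message.
    """
    valid, invalid = [], []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            valid.append((entry, count_hosts(entry)))
        except ValueError:
            invalid.append(entry)
    return valid, invalid


def total_hosts(spec):
    """Number of potential assets the scan will try across all valid entries."""
    valid, _ = check_targets(spec)
    return sum(n for _, n in valid)


if __name__ == "__main__":
    # Constructed target list: the guide's tip example plus a /19 block,
    # a host name, an out-of-range octet and a reversed range.
    spec = ("10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24, 172.16.0.0/19, "
            "web-01.example.com, 10.10.10.300, 10.10.10.8-10.10.10.4")
    valid, invalid = check_targets(spec)
    for entry, n in valid:
        print(f"{entry:28} {n:6} host(s)")
    print("silently skipped by the scanner:", invalid)
    print("potential assets:", total_hosts(spec))
```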
To run a scan:
1. Select the Dashboard tab and click Assess; or select the Assets tab
and click Scan.
2. Select a report and click Scan.
3. Expand Scan and select one of the following:
Currently selected Smart Group, Currently selected Assets, a Single IP,
an IP Range, a CIDR Notation, or Named Hosts for the assets selected.
You can enter more than one named host. Separate the entries using a
comma.
If you select Currently selected assets and select a schedule other
than Immediate, then Retina CS automatically updates the scheduled job
on the agent with the list of assets in the selected Smart Group as they
change.
4. Benchmark scans only. Expand Benchmark Compliance Profile and
select a scan profile.
5. Expand Credentials Management and enter the credentials.
Click Test Credential to ensure the correct credentials are entered. You
can use Active Directory credentials or Retina CS web server
credentials. The test only applies to Windows credentials. Note that the
test is not to ensure access to target assets.
You can store credentials to reuse later. For more information, see
Adding Credentials.
a. To add credentials, click the pencil.
b. Click Add.
c. Enter the password, description, and key.
d. If you are creating more than one credential, you can use
the same confirmation key for all credentials. Select the
Use the same key for all check box, and then enter the
key.
e. Click Save.
f. Select the new credential and click OK.
6. Expand Report Delivery to select the report delivery options.
– Export type - Select a report format: PDF, DOC, XLS, NONE.
The export types available depend on the report selected.
– Do not create a report for this vulnerability scan - Select this
option if you want to only scan and collect the results. No report will
be generated.
– Notify when complete - Select the check box and enter email
addresses. Separate entries using a comma.
Alternatively, click + and select users or user groups.
Email notification is sent when the scan and report are complete.
– Email report to - Select the check box and enter email addresses.
Separate entries using a comma.
Alternatively, click + and select users or user groups.
The report will be emailed to the users entered.
7. Expand Advanced to select the agent to run the scan.
– Job Name - Type a job name. Otherwise, the default job name is
used.
– Agent - Select the computer where the scan engine resides.
– Use job-specific Scan Restrictions - Select the check box to
display a scheduling grid. Click the squares to set the restricted time
frame. Scans will not run during those times.
If scans are scheduled to run during a scan restriction, the scan can
be aborted when the restriction window starts. Select the check box
to apply this setting.
For more information, see Setting Restrictions on Scan Times.
– Benchmark scans only. Store OVAL Test in database - Select the
check box to store OVAL test results in the Retina CS database.
8. Expand Schedule to select a schedule:
Note: If the server and client computers are located in different time
zones, the scan runs during the server time zone. This applies to
one-time scans and recurring schedules.
– Immediate - Select to run the job now.
– One Time - Select to schedule jobs to run one time. Select the start
time and date.
– Recurring - Select one of the following:
– Daily – schedules jobs for weekdays, or every x number of days.
Enter the number of days.
– Weekly – schedules jobs every week selected (1-52), starting on
the day of the week selected.
– Monthly – schedules jobs for the day of the month selected for
every month selected. Options include the
first/second/third/fourth and last day of the month selected.
You can delete or change the recurring scan job later on the Jobs
page. See Managing Jobs.
9. Select Abort the scan if it takes longer than and enter the time in
minutes to restrict the length of time the scan runs.
10. Click Start Scan.
11. Click Show Status to view the progress of the scan. You can also view
the progress on the dashboard or through the Jobs page.
Reviewing Vulnerability Scan Results
After you run vulnerability scans you can review the results to determine the
assets that are vulnerable and require remediation.
You can view vulnerabilities that can be exploited. For any vulnerability with
a CVE-ID, exploit information associated with the CVE-ID is also
displayed. In some cases, exploits are displayed that are not associated with a
CVE-ID.
The Microsoft Exploitability Index is also included in the Exploits
information. The index values correspond to the values that are provided in
security bulletins issued from Microsoft. For more information on
interpreting the index values, refer to Microsoft documentation.
You can set display preferences and create filters to change the information
displayed on the Vulnerabilities page. For more information, see Changing
the Display.
To review the results:
1. Select the Assets tab.
2. Select Vulnerabilities.
Click and to expand the vulnerabilities pane.
You can create Smart Rules based on vulnerabilities. Using this tool can
provide additional filtering of the selected assets.
3. Click i to view more information about a vulnerability.
4. On the Vulnerabilities Details pane, select the following to review more
information:
– Exploit Count - The number indicates the exploits on the
vulnerability.
Click the button to review the database, module, and module URL.
– Assets - The number indicates the assets affected by the
vulnerability.
Click the button to expand the details pane and review the asset
information.
– References - The number indicates the available resources for
remediation of the vulnerability.
Click the button to expand the details pane. Select a web site to find
out more information on the vulnerability.
– Patches - The number indicates the patches that can fix the
vulnerability.
Click the button to review more information about the patches.
For more information, see Managing Patch Updates.
– STIGs - The number indicates the STIGs associated with the
vulnerability.
Click i to open the STIG Details window. You can review the
following information: MACs, IA Controls, References, Systems
Affected.
– More Information - Click to open the Vulnerability Details window
to view a description of the vulnerability, solution, PCI severity,
references, and CVSS score.
You can also set or remove an exclusion property on the
vulnerability. For more information, see Excluding Vulnerabilities.
Creating a Quick Rule
After you run a scan, you can organize assets linked to a specific
vulnerability, attack, or malware by creating a Quick Rule.
In the Attacks, Vulnerabilities, or Malware view, you can click the arrow to
create a Quick Rule that instantly creates a grouping of assets in the Smart
Groups pane.
Excluding Vulnerabilities
You can exclude vulnerabilities from the display and only view those that
require remediation to satisfy regulatory compliance.
Depending on your environment, accepted vulnerabilities (a false positive)
might be reported in the scan. For example, if Anonymous FTP is
configured on your network, vulnerabilities will be reported in your scan
results. Since this type of vulnerability does not require remediation (patch
or compliance updates), you can ignore these scan results.
Records for exclusions reside in the database. During an audit, you can
remove the exclusion on the record.
You can run the Vulnerability Exclusions report to keep track of the
exclusions. The report includes the reason for the exclusion and the expiry
date.
Note: Vulnerability exclusions do not apply to the parent Smart Group
when the exclusion is set at a child Smart Group.
To set or remove the exclusion property on a vulnerability:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
3. Click the Exclusions check box for a vulnerability.
4. On the Manage Vulnerability Exclusion dialog box, select the options:
– Action - Select to set or remove the exclusion.
– Exclude Vulnerability - Select the Smart Group where you want to
apply the exclusion.
You can also select Globally. The exclusion applies to all assets.
– Reason/Note - Provide a detailed description on why the
vulnerability is excluded.
For example, you might want to note that the vulnerability is an
accepted false positive.
The reason is required and is displayed in the Vulnerability
Exclusions report to help you keep track of the exclusions.
– Expiration Date - Select the expiration date on the exclusion.
5. Click Save.
Malware Toolkit Vulnerabilities
A malware toolkit can be detected if there is one associated with a
vulnerability.
To see if a vulnerability belongs to a malware toolkit:
1. Select the Assets tab.
2. Select the Vulnerabilities tab.
3. Select a vulnerability and click the i.
A red T indicates that the vulnerability is associated with a malware
toolkit.
4. Click View Toolkits.
Review more information about the malware toolkit and the recommended
mitigation action.
Remediating Vulnerabilities
You can remediate vulnerabilities by viewing solutions on the Vulnerability
Details page.
You can use the ticket system to assign a vulnerability or attack to a member
of your security team. See Working with Tickets.
1. Select the Assets tab, and then click Vulnerabilities.
2. Click i for a vulnerability.
A description and solution are displayed.
The Mitigation column provides information on action to take to remediate
the vulnerability.
Setting CVSS Metrics
Depending on your security plan, you might want to change CVSS scores.
Changing the score indicates to your security team the urgency to remediate
a vulnerability.
You can change the base and temporal values to change the CVSS score
(depending on the weight of the vulnerability and the urgent nature to
remediate the vulnerability).
You can configure:
• Environmental scores using the Smart Rules Manager.
• Base and temporal scores using the Vulnerability Details page.
You must be familiar with CVSS scoring definitions and concepts. Refer to
the CVSS Scoring Guide.
Setting CVSS Environmental Metrics
The environmental metrics are based on your security plans. Determine the
level of impact a vulnerability has on your assets and assign environmental
metrics accordingly.
You can create a Smart Group that includes the assets where you want to
assign the environmental metrics.
To set the environmental metrics on assets:
1. Select the Assets tab.
2. Click Manage Smart Rules.
3. Click New Rule.
4. Enter a name and description, and set the Smart Rule criteria that
determines the scope of the assets.
5. In the Perform Actions area, select Set Environmental CVSS Metrics.
6. Select the metrics from the corresponding lists.
7. Click Save.
Later when you edit the Smart Group, the Show asset as Smart Group list is
also displayed, as shown:
Setting Base and Temporal Metrics
After you create a Smart Group that contains the assets with the preferred
environmental metrics, you can update CVSS scores on the Vulnerabilities
page.
To change the CVSS metrics for a vulnerability:
1. Select the Assets tab.
2. Select the Smart Group with the environment metrics configured.
3. Click Vulnerabilities.
4. Select a vulnerability, and then click i.
5. Click the pencil.
6. Change the base and temporal values.
The CVSS score and CVSS vector change as you change the base and
temporal metrics.
Click the vector link to go to the National Vulnerability Database CVSS
v.2 Calculator web site.
7. Click Save.
Reviewing Asset Risks on the Network Map
On the network map you can review the assets at risk in your environment.
The network map requires Sun Java 5.0 SE Update (or later) to display
correctly.
To review assets using the network map:
1. Select the Assets tab.
2. Click Map.
The network map might disappear when you select other menu items or
options on the window. Click Home to display the network map again.
3. Click the nodes on the map.
4. Hover on the items to display vulnerability information.
5. To filter the information displayed in the network map, select a Smart
Group and view only those vulnerabilities you are interested in.
Configuring Retina Agent Scan Options
Not supported in Retina CS Community.
You can configure Retina scan options to improve performance and
reliability.
Performance Settings
The number of simultaneous scan targets can affect server performance and
scan quality. Too many targets can leave the server unresponsive or slow, or
degrade scan quality, for example known services not being found or known
open ports not being identified.
To improve performance, you can:
• Reduce the number of targets
• Adjust the scan speed downward
• Override the TCP connection limit to increase the scan speed
If you override the TCP connection limit, the TCP incomplete connections
limits are removed for all applications during the scan.
Timeout Values
Configure ping and data timeout values to compensate for network latency.
If pings are not returning in time for Retina to detect them, increase the ping
timeout value.
To configure scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Scanner tab.
4. In the Performance area, configure the following settings:
– Number of Simultaneous scan targets - Set the number of
targets to scan simultaneously.
The maximum is 128 targets.
– Adaptive Scan Speed - Set the delay between bursts of packets
sent during a SYN scan.
1 = longest delay
5 = almost no delay
– Enable TCP connection limit override - Select the check box to
override the TCP connection limit.
Note: The TCP Connection Limit Override is available on
Windows XP SP2 and later and Windows 2003 SP1 only.
This is not available for Windows NT or Windows 2000.
5. In the Reliability area, configure the following settings:
– Ping Timeout - Enter the number of seconds.
– Data Timeout - If the Retina agent is not receiving complete data
from assets or hosts when services are under heavy load, increase the
timeout value.
6. Click Save.
Event Routing
Turn on event logging to send scan data to Retina CS, including:
• Port information
• Services
• General scan information
To turn on event routing:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the Event Routing tab.
4. Select the Enable Event Logging check box.
5. Select the risk level of the audits to include in routing to Retina CS.
Audits include a risk level that corresponds to the severity of the
vulnerability detected.
– Information - Details host information that does not necessarily
represent a security threat, but can be useful to the administrator to
assess the security.
– Low - Defines risks associated with specific or unlikely
circumstances.
– Medium - Describes serious security threats that would allow a
trusted but non-privileged user to gain access to sensitive
information.
– High - Indicates vulnerabilities that severely impact the overall
safety and usability of the network.
6. Click Save.
Setting Restrictions on Scan Times
You can set a scan restriction so that scans will not run during the restricted
time frame.
Apply scan restrictions on:
• One scan only. Configure the restricted scan time when you are
configuring the scan.
• Global. Configure the restricted scan time on the Configure tab.
To set a scan restriction on all scans:
1. Select the Configure tab.
2. Select the Scan Options tab.
3. From the Agent list, select an agent or select Global.
If you select an agent, you might want to override scan restrictions
already set for that agent. Select the Use Global Scan Restrictions
check box to apply the global settings.
4. Click the squares to set the restricted time frame.
5. Select the Abort in progress scans check box to stop all scans that are
running when the scan restriction window starts. Otherwise, running
scans are paused and then resume when the scan restriction ends.
Configuring General Scan Options
To configure general scan options:
1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the General tab.
4. To turn on logging, select the logging check box.
5. To automatically check for updates, configure the following settings:
– Check for updates to a schedule - Select a start time and
frequency.
– Check for updates when launching Retina - Select the check box
to check for updates when you start Retina.
– Number of seconds to prompt before launching - Enter the
number of seconds to wait before starting the updater.
6. Set a timeout value for a failover agent. To configure a failover agent, see
Configuring a Failover Agent.
7. Set maintenance options to purge Retina information.
8. Set the minutes that pass before Retina checks for updates from the
Central Policy server. The default value is 15 minutes.
9. Click Save.
Scanner Pooling
You can use scanner pooling to select more than one scanner agent when
scanning a large number of assets. When more than one scanner is selected
for a scan job, the list of target assets is divided among the selected scanners
in a round-robin style, evenly distributing the target scan range.
To use scanner pooling, select more than one scan agent when running a
scan, or use the "Set Scanner" action in a Smart Rule to lock a set of
scanners to that Smart Group.
Note that when using scanner pooling, you cannot automatically generate a
report when a scan finishes.
To lock a scanner agent to a Smart Group:
1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule.
3. Enter a name and description.
4. From the Perform Actions area, select Show asset as Smart Group.
5. Click the +, and then select Set Scanner.
6. Click the browse button to select the scanners to associate with the
Smart Group.
7. Select the distribution algorithm.
– Round Robin Asset Distribution - Targets are assigned to scanners
one-by-one. This method balances the distribution of scan targets.
– Rule Locked Asset Distribution - The Rule Locked distribution
algorithm is designed and recommended for multiple scanner jobs
where child Smart Rules are defined in a parent Smart Rule.
Each child Smart Rule will always use the scanner assigned in the
child Smart Rule when this distribution algorithm is used.
This ensures that scanners assigned in child Smart Rules will not
scan across other child targets.
8. Click Save.
Note that on the Job Details page, the agent name indicates if the scanner is
part of a pool.
PowerBroker for Windows
Using Retina CS and PowerBroker for Windows together, you can:
• Collect privilege-related event log data from assets.
This data includes information about the applications being used, the
privileges they require, and how they are launched, and information
about which users have administrator privileges.
• Deploy PowerBroker for Windows policies to your assets.
Create your PowerBroker for Windows rules and policies as usual using
PowerBroker for Windows. Upload the policies to Retina CS and using
the Central Policy technology, deploy the rules to your managed assets.
• Create File Integrity rules in PowerBroker for Windows and manage the
results in Retina CS.
• Sort and filter data into useful reports and generate PowerBroker rules
for applications based on user needs for privilege elevation. This is a best
practice approach for discovering applications and the construction of
quick and concise rules for any user or computer.
• Configure Session Monitoring in PowerBroker for Windows and review
the events in the Retina CS console.
Note: Before you can use the Application Discovery functions of
PowerBroker to create rules, install Retina CS on a compatible host
with the proper prerequisites or install an appliance with the solution
from BeyondTrust.
For more information about the PowerBroker reports available in Retina CS,
see PowerBroker for Windows Reports.
Overview
• PowerBroker for Windows (PBW) is designed to integrate directly
into your corporate Active Directory (AD) structure without
modifying your existing schema.
• An administrator loads a Group Policy Option (GPO) snap-in onto
an asset that uses the Microsoft Management Console (MMC).
• An administrator can then create policies and rules that are stored in
the AD domain.
• An administrator can also access the Retina CS management console
through a web interface to run reports or create additional rules
based on collected events from the environment.
• As domain assets log on (servers, workstations, or remote clients
labeled “4”) they receive policy from the domain controller that is
processed by the PBW agent.
The PBW agent is installed on each device and can be distributed
through a software delivery solution or even through GPO. This
enforces privilege identity management rules on the endpoint and
sends status events back to Retina CS for additional reporting,
trending, and rule creation.
Creating a Smart Group
You can create a Smart Group to organize your PowerBroker assets. You can
set filters based on the PowerBroker client, Windows events, and
PowerBroker Windows events.
For detailed instructions on Smart Groups, see Working with Smart Rules.
Creating PowerBroker Rules
You can create rules after event data is collected from PowerBroker for
Windows.
For more detailed information about rules, refer to the PowerBroker for
Windows product documentation.
The rule types that you can create from Retina CS include ActiveX, Hash,
Path, Publisher, and MSI. Exclusion rules can also be created.
To create a PowerBroker for Windows rule:
1. On the Retina CS console, select the Assets tab, and then click the
PowerBroker tab.
2. Click the arrow for the events and select the rule type.
Note: There are two ways that you can view events: Rollup and All.
The Rollup view displays all events grouped by Message,
Application/ActiveX, Path, Publisher, EventType, RuleType,
then Hash. In the Rollup view you can select more than one
event. In the All view, select one event at a time.
The PowerBroker Rule XML dialog box is displayed.
3. Copy the XML code to the collection in the PowerBroker for Windows
GPMC snap-in.
Including Arguments in a Rule
When you are creating a rule you can include arguments. Select the Yes
check box on the Application Options dialog box.
Arguments can be included when creating the following rule types: Path,
Hash, and MSI.
Creating rules for a denied application (28698) will include arguments when
the check box is selected.
Marking Events to Exclude
You can exclude events from rules. For example, you might want to exclude
certain applications that are flagged as requiring administrative privileges.
To exclude events:
1. On the Retina CS management console, click the Configure tab, and
then click Exclusions.
2. Select an existing exclusion or click + to create an exclusion.
3. Select the exclusion type:
– Admin rights – Exclude all events that match the ‘path’ for the
exclusion you chose. Retina CS provides a predefined list of these
exclusions. This list contains applications that are commonly
incorrectly detected as requiring administrative privileges.
Any exclusion path ending in “*” recurses directories. For example,
c:\windows\system32\* excludes any executables in system32 and any
executables in a subdirectory of system32.
You must provide the full path. For example,
C:\Windows\HelpPane.exe
– Application Exclusion – Excludes all events that match the
application you are excluding.
You must provide the application name only. For example,
HelpPane.exe
– Publisher Exclusion – Excludes all events that have the same
‘publisher’ value.
You must follow the format: "O=Microsoft Corporation,
L=Redmond,S=Washington,C=US"
4. Click Save.
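The three exclusion types above are described only in prose. The following PowerShell is an added example (not Retina CS code and not from this guide) that applies the same rules to constructed sample events, so an administrator can preview which events an exclusion list would suppress before saving it. The function names, the hashtable layout of events and exclusions, and the matching semantics (a trailing “*” matches everything beneath that directory, otherwise an exact, case-insensitive comparison) are assumptions of this example, not documented console behaviour.

```powershell
# Added example; not part of Retina CS or this guide. Evaluates a PowerBroker
# event against the Admin rights, Application and Publisher exclusion types.
# Matching semantics are an assumption: prefix match for a trailing "*",
# exact case-insensitive match otherwise.

function Test-PathExclusion {
    param([string]$ExclusionPath, [string]$EventPath)
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    if ($ExclusionPath.EndsWith('*')) {
        # Trailing "*" recurses: anything under that directory is excluded.
        $prefix = $ExclusionPath.TrimEnd('*')
        return $EventPath.StartsWith($prefix, $cmp)
    }
    # Otherwise the full path must match.
    return [string]::Equals($ExclusionPath, $EventPath, $cmp)
}

function Test-EventExcluded {
    param(
        [Parameter(Mandatory)] [hashtable]$PbwEvent,   # keys: Path, Publisher
        [Parameter(Mandatory)] [object[]]$Exclusions   # each: @{ Type; Value }
    )
    # Application exclusions compare the file name only.
    $appName = [System.IO.Path]::GetFileName($PbwEvent.Path)
    foreach ($x in $Exclusions) {
        $match = switch ($x.Type) {
            'AdminRights' { Test-PathExclusion -ExclusionPath $x.Value -EventPath $PbwEvent.Path }
            'Application' { $appName -ieq $x.Value }
            'Publisher'   { $PbwEvent.Publisher -ieq $x.Value }
            default       { $false }
        }
        if ($match) { return $x }   # first matching exclusion wins
    }
    return $null
}

# Constructed exclusion list, in the formats the guide requires.
$exclusions = @(
    @{ Type = 'AdminRights'; Value = 'C:\Windows\System32\*' },
    @{ Type = 'AdminRights'; Value = 'C:\Windows\HelpPane.exe' },
    @{ Type = 'Application'; Value = 'HelpPane.exe' },
    @{ Type = 'Publisher';   Value = 'O=Microsoft Corporation, L=Redmond,S=Washington,C=US' }
)

# Constructed sample events (paths and publishers are illustrative).
$events = @(
    @{ Path = 'C:\Windows\System32\drivers\sample.exe'; Publisher = 'O=Contoso, L=Seattle,S=Washington,C=US' },
    @{ Path = 'C:\Windows\HelpPane.exe';                Publisher = 'O=Microsoft Corporation, L=Redmond,S=Washington,C=US' },
    @{ Path = 'C:\Tools\sample.exe';                    Publisher = 'O=Contoso, L=Seattle,S=Washington,C=US' }
)

foreach ($e in $events) {
    $hit = Test-EventExcluded -PbwEvent $e -Exclusions $exclusions
    if ($hit) { '{0} -> excluded by {1} ({2})' -f $e.Path, $hit.Type, $hit.Value }
    else      { '{0} -> kept (candidate for a rule)' -f $e.Path }
}
```

Run it as a preview before adding a broad path exclusion: a wildcard such as C:\Windows\System32\* silences every event beneath that tree, so the third sample event (outside the excluded tree and from a non-excluded publisher) is the only one that still surfaces for rule creation.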
Deploying and Managing Policies Using Retina CS
You can configure PowerBroker for Windows to use Central Policy to
deploy policies through Retina CS rather than using GPMC.
During the installation of PowerBroker for Windows, you can choose to
deploy policies using Central Policy. Ensure the following Central Policy
setting is selected:
For more information about deploying PowerBroker for Windows, refer to
the PowerBroker for Windows Installation Guide.
Deploying Policies
Create your rules and policies in PowerBroker for Windows as usual.
Create Smart Rules to determine the assets where the policies need to be
deployed.
To use Retina CS to deploy PowerBroker for Windows policies:
1. Log on to Retina CS, and then go to the Smart Rules Manager.
2. Select the PowerBroker for Windows assets and the policy that you want
to deploy.
3. Click Save.
Reviewing Policies
You can review the list of policies available from PowerBroker for Windows
on the Configure tab.
Session Monitoring
You can track the following events:
• Keystroke logging
• Mouse events
• Process events
• Screen captures
The events are configured in PowerBroker for Windows. For more
information on configuring session monitoring, refer to the PowerBroker for
Windows product documentation.
Note: To use this feature you must have the Session Monitoring license
key activated. Contact your BeyondTrust representative for more
information.
Viewing Events on the Session Viewer
To view events:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session
Monitoring.
3. Click i for a particular asset.
On the Session Viewer page, you can view more details about the
events.
4. Double-click an event (or click i) to view more details about the event
on the right pane.
Filtering Events
You can filter the events that are displayed in the Session Viewer.
Viewing Screen Capture Events
When viewing screen captures, you can zoom in and zoom out, and scroll
through all of the screen captures saved during the session.
If there is more than one monitor for an asset the Session Viewer displays
the following titles: Display1, Display2...
Saving Session Data
You can save the session monitoring data to a zip file to view the
information offline at a later time.
It might take a few minutes to save the file depending on the number of
events captured.
To save session data to a file:
1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session
Monitoring.
3. Click the arrow for an asset, and then select Download Session Data.
4. Save the file to the preferred location.
Patch Management Module
The Patch Management module requires a license to activate the feature
set. Contact your BeyondTrust representative.
In this section,
Overview
How Patching with WSUS Works
How a Patch Deployment Works
Third-party Patch Deployment
Connecting to a WSUS Server
Requirements
Adding a Connection
Connecting to a Downstream Server
Installing the WSUS Administration Console
Registering Smart Groups
Redeploying Configuration
Approving Patch Updates
Reviewing Patch Details
Deleting Patches
Third-Party Patching
Generating a Certificate
Subscribing to Vendor Patch Updates
List of Supported Vendors
Overview
Use the Patch Management Module to deploy important patches to selected
assets.
Note: Using the Patch Management Module does not override any
automation policies you might have in place with your existing
Windows Server Update Services (WSUS) configuration. Those
policies are retained and applied as usual.
How Patching with WSUS Works
Retina CS integrates with WSUS to facilitate Microsoft and third-party
patching. Retina CS uses WSUS as the patching engine and effectively
becomes a management console to WSUS.
You must be familiar with WSUS features to understand the Retina CS
integration with WSUS. The WSUS client is built into the Microsoft OS,
however, it needs to be enabled and configured. In typical WSUS-only
environments this is accomplished through GPOs. When using Retina CS,
clients are enabled and configured through Retina CS.
The Retina CS configuration and patch deployment process is outlined here.
1. Configure a Retina CS connection to an existing WSUS Server;
Retina CS becomes a management console for WSUS.
2. Configure Smart Groups for patch management. This configures
members of the Smart Group, i.e., the clients, for WSUS by making
changes to the registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are
then downloaded and installed.
How a Patch Deployment Works
1. Patches are approved in Retina CS; consequently, they are marked
as approved in WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart
Group settings, the client may be notified that approved patches are
available and then prompted to download and install them.
4. Patches are automatically installed per default settings. Optionally,
per the Smart Group settings, the client may be notified that
patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. Retina CS retrieves the current patch status from WSUS.
Third-party Patch Deployment
Third-party patching is the same as Windows patching, with the following
differences at these steps.
1. Third-party patches are sent to the client with the third-party
certificate that was generated when the connection to WSUS was
created.
2. The certificate from WSUS is verified against the existing certificate
on the client that it received when its associated Smart Group was
enabled for patch management. Trust is now established for
third-party patch deployment per Microsoft requirements.
Connecting to a WSUS Server
To deploy patch updates, you must connect to a Windows Server Update
Services (WSUS) server.
If you are working in a larger environment and use downstream servers to
apply patch updates, you can create connections to the downstream servers
in the Patch Management configuration. This helps distribute the workload
of applying patches to many assets.
Requirements
Installing on Windows Server 2003 SP1
• Microsoft IIS 6.0
Ensure the user installing and configuring WSUS is a member of the
IIS_WPG group.
• Update for BITS 2.0 and WinHTTP 5.1
(http://go.microsoft.com/fwlink/?LinkID=47251)
• Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
32-bit (http://go.microsoft.com/fwlink/?LinkID=68935)
64-bit (http://go.microsoft.com/fwlink/?LinkID=70637)
• Microsoft Report Viewer Redistributable 2005
(http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft Management Console 3.0 for Windows Server 2003
(KB907265)
32-bit (http://go.microsoft.com/fwlink/?LinkID=70412)
64-bit (http://go.microsoft.com/fwlink/?LinkID=70638)
Installing on Windows Server 2008
• Microsoft IIS 7.0. Ensure the following components are turned on:
– Windows Authentication
– ASP.NET
– 6.0 Management Compatibility
– IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005
(http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1
Note that .NET Framework 2.0 and BITS 2.0 update are part of the
Windows Server 2008 OS.
Adding a Connection
You can create a connection to an upstream and downstream server.
The downstream server synchronizes with the upstream server to manage
patch updates. Note that downstream servers are configured in WSUS.
To connect to a WSUS server:
1. On the Retina CS console, select Configure, and then click the Patch
Management tab.
Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials
for the server.
Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.
Note: The WSUS Administration Console must be installed if WSUS
and Retina CS are not on the same server. For more information,
see Installing the WSUS Administration Console.
4. Click Save.
5. After you connect to a WSUS server, set the following options.
– Synchronization - Select the time that you want to synchronize the
patches with the WSUS server.
The schedule determines the frequency that WSUS checks with
Microsoft Update Servers for new patches.
If this is a new installation, the initial synchronization can take
several hours depending on the number of items selected in the
Products and Classification section.
If you are using downstream servers, increase the frequency of the
synchronizations per day. All updates and approvals occur on the
upstream server. Increasing the frequency ensures that all assets
receiving updates from the downstream server are updated when the
approvals are applied on the upstream server.
– Products and Classifications - Select the updates to subscribe to.
– Downstream Servers - Displays the downstream servers for the
selected server.
– Third Party Certificate - Generate or import a certificate to
subscribe to vendor patch updates.
For more information, see Third-Party Patching.
Note that the Groups feature is not supported in Retina CS
Community.
– Groups - Select the check boxes for the groups that already exist in
WSUS. Additionally, select synchronization frequency, credentials,
and how you want patches applied.
After you click Save, a patch-enabled Smart Group for each WSUS
group that you selected is displayed in the Smart Groups browser
pane.
Connecting to a Downstream Server
When you configure assets for patch updates in the Smart Rule, you can
choose the downstream server that will apply the updates and patches to the
assets.
In the Patch management Configure area, you can view information on
upstream servers and if there are any downstream servers configured on that
upstream.
A downstream server is displayed with a green arrow.
Installing the WSUS Administration Console
You must install the WSUS Administration Console if you want to connect
to an installation of WSUS on a different server.
Download the WSUS 3.0 Administration Console installer file:
http://go.microsoft.com/fwlink/?LinkId=88321
After you install the administration console, start the console and verify that
you can connect to the WSUS server that will be configured as the active
software update point.
Registering Smart Rules
Registering the group adds the group to the WSUS server database. The
assets in the group are then available for the updates. If an asset is a member
in two groups, the patch update applied will be the most recent one.
You can review the status of a patch group on the Asset Details pane (select
the Assets tab, click i). If the status is registered, patches can be approved
and installed on the patch group.
Checkpoint
– Create a Smart Rule to associate with the patch update schedule. A
Smart Rule is required. For more information, see Creating a Smart
Rule.
To register patch updates for a Smart Group:
1. Select the Assets tab.
2. Click Manage Smart Rules and then click New Rule.
3. Enter a name and description for the patch group.
4. Select an existing category or create a new category.
5. Select the asset matching criteria. Select Asset fields from the list then
select matching criteria: Last Updated Date, Status, Current Policy,
Pending Policy, Wsus Status, or Patch Install Schedule.
6. From the Perform Actions area, select Enable for Patch
Management, then select values for the following:
– Credentials - Click the browse button to open the Manage Patch
Credentials page. Create or select the preferred patch credentials.
Ensure the credentials provided can access the registry and install the
certificate on the target asset.
The credentials apply only to the Patch module. The credentials are
not related to vulnerability scans or the WSUS server connection.
– WSUS Servers - Select the WSUS servers from the list.
– Important Updates - Select if you want to:
Download and install updates automatically – Client computers poll
WSUS at the selected day and time and download and install
approved updates.
Download updates but let me choose if the updates are installed –
Client computers poll WSUS at regular intervals (1 hour by default),
and download approved and relevant updates. After downloaded,
notifications are sent to the system log and notification area of Retina
CS.
Check for updates but do not download.
– Every / At - Select a day and time the client computers will poll the
WSUS server.
– Retry registration of errored Patch Management assets - Select the
check box to try registration again if the initial registration attempt
fails.
7. Click Save.
After clicking Save, the following occurs:
• The client is contacted by one of three methods, listed in priority:
– If the client has the Retina Protection Agent (v. 4.7 or greater),
registry changes occur through the Central Policy connection.
– If the client does not have the RPA, registry changes occur through
the Remote Registry API. Remote Registry service must be enabled
on the client. The supplied credentials must have permissions for
Remote Registry.
– If the first two fail, then registry changes are facilitated through
WMI, a service running on the endpoint.
• Retina CS uses the supplied credentials to access and edit the client’s
registry. The client is configured for WSUS and then pointed to the
WSUS Server. All other relevant registry parameters are set; see:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• Optionally, Retina CS downloads the third party certificate to the client.
The client is now configured to poll WSUS for any approved updates; this is
standard WSUS client behavior. Note that polling may not occur
immediately and it may take up to 6 hours for WSUS clients to display as
patch-enabled assets in Retina CS.
The patch group is displayed in the Smart Groups browser pane.
After the group is registered, you must approve the patches that you want to
apply to the assets.
Updates are installed during the time that you selected in step 6.
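The two registry keys listed above are the ones the Windows Update client reads, so they are also where to look when a client never shows up as patch-enabled. As an added example (not part of Retina CS or this guide), the following PowerShell reads the values under those keys on a client and flags settings that would stop it polling the intended WSUS server. The value names (WUServer, WUStatusServer, AcceptTrustedPublisherCerts, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency) are the standard Windows Update policy values; the function names and the expected server URL are this example's own, and the URL is a placeholder to replace with your server.

```powershell
# Added example; not part of Retina CS or this guide. Reads the WSUS client
# policy values that the patch-enabled Smart Rule writes and reports anything
# that would keep the client from polling the intended WSUS server.
# Run on the client with local administrator rights.

$wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-WsusClientConfig {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                    = $wu.WUServer                     # intranet WSUS URL the client polls
        WUStatusServer              = $wu.WUStatusServer               # where the client reports status
        AcceptTrustedPublisherCerts = $wu.AcceptTrustedPublisherCerts  # 1 = accept signed third-party updates
        UseWUServer                 = $au.UseWUServer                  # 1 = use WUServer instead of Microsoft Update
        AUOptions                   = $au.AUOptions                    # 2 notify, 3 download then notify, 4 auto install
        ScheduledInstallDay         = $au.ScheduledInstallDay          # 0 every day, 1..7 Sunday..Saturday
        ScheduledInstallTime        = $au.ScheduledInstallTime         # hour of day, 0..23
        DetectionFrequency          = $au.DetectionFrequency           # hours between polls, when set
    }
}

function Test-WsusClientConfig {
    param([Parameter(Mandatory)]$Config, [string]$ExpectedServer)
    $issues = @()
    if ($Config.UseWUServer -ne 1) { $issues += 'UseWUServer is not 1: the client still uses Microsoft Update' }
    if (-not $Config.WUServer) {
        $issues += 'WUServer is not set'
    } else {
        if ($ExpectedServer -and $Config.WUServer -ne $ExpectedServer) {
            $issues += "WUServer is '$($Config.WUServer)', expected '$ExpectedServer'"
        }
        if ($Config.WUServer -notmatch '^https://') {
            $issues += 'WUServer is not HTTPS (the guide lists ports 443 and 8531 for SSL)'
        }
    }
    if (@(2, 3, 4) -notcontains $Config.AUOptions) { $issues += "AUOptions is '$($Config.AUOptions)', expected 2, 3 or 4" }
    if ($Config.AcceptTrustedPublisherCerts -ne 1) { $issues += 'AcceptTrustedPublisherCerts is not 1: signed third-party patches will be rejected' }
    return ,$issues
}

$cfg = Get-WsusClientConfig
$cfg | Format-List
# Placeholder server URL; use the name and port you entered in the WSUS connection.
$problems = Test-WsusClientConfig -Config $cfg -ExpectedServer 'https://wsus.example.local:8531'
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'WSUS client configuration is consistent with the Smart Rule settings.' }
```

If the values are missing entirely, the registration step above did not reach the client: check that Remote Registry or WMI was reachable with the supplied credentials, or use Redeploy Configuration. The HTTPS check is a warning rather than a failure because the guide allows ports 80 and 8530; an unencrypted WSUS connection is simply worth knowing about when third-party patches travel over it.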
Redeploying Configuration
You might need to redeploy the Smart Rule configuration settings in the
following scenarios:
• Registry settings are not properly set on the client
• Certificate for 3rd party patching not properly set
Select Redeploy Configuration to apply the settings in the Patch-enabled
Smart Rule.
Approving Patch Updates
After you register a Smart Group for patch updates, you can approve the
patches for installation.
Track the status of patch updates on the Patch pane. Select the Assets tab
then Patch.
On the Approvals page, you can filter the patch status to determine the
patches that are installed, not installed, failed, and more.
Note that on the Approvals page, the most recent patches available are
always displayed. Any older patches superseded by new patches are no
longer displayed. You can however, select the Show Superseded Patches
check box to review older patches not applied.
To display the Superseded column, click the Preferences button and then
select Superseded.
To approve patch updates for registered Smart Groups:
1. Select the Assets tab, and then select Patch.
After a patch group is registered, you can access the last accessed group
through the Mitigate button on the Dashboard.
2. Select a registered Smart Group from the browser pane.
To view the number of patch updates installed and not installed, hover
on the icon.
3. Select an asset, and then click i.
By default, only critical updates are displayed. You might need to change
the filters to display the relevant patches. Click the Filters button and
select the filters.
To view superseded patches, select the Show Superseded Patches
check box.
Patches are superseded when a new patch is available.
Microsoft patches are superseded automatically when a synchronization
occurs with WSUS.
4. Select a patch, and then select Approve.
5. Select the All Groups check box to apply the patch to all registered
patch Smart Groups; or select the check box for a particular Smart
Group.
The assets are set to check in with the WSUS server every hour.
If you select All Groups, and a group already has approved patches, the
menu changes to Keep existing approvals. This ensures that all previously
approved patches will still be deployed at the scheduled time.
Select Decline to remove the patch from the Not Installed list.
Selecting Not Approved does not apply the patch to the selected Smart Group;
however, the patch is still displayed in the Not Installed list.
Reviewing Patch Details
Click i to review more information about the update.
Click Apply Patch Now to install the update to the designated assets.
When selected, the clients are forced to check in with WSUS. The patch is
applied immediately regardless of the installation settings in the Smart Group
associated with the clients. The credentials in the Smart Group are used to
apply the patch.
Note that the client evaluates and downloads the patch before the
installation occurs.
Deleting Patches
You can delete patches either on the Asset details page or on the approval
page where patches are listed.
Third-Party Patching
You can download and deploy patches for third-party products such as
Adobe, WinZip, and Apple. For a complete list, see List of Supported
Vendors.
You can subscribe to vendor patches through the Retina CS Configure tab.
Generating a Certificate
After setting up a connection to WSUS, a Third Party section is available.
A message indicates that a certificate is required when you initially log on
and go to the Third Party section. The certificate establishes trust between
the WSUS server and the client.
If the WSUS connection is configured to use SSL, you can use the Import
button on the Third Party Certificate tab to import an external certificate or
use the Generate button to create a self-signed certificate.
Note that if the upstream server has a third-party certificate, then the
downstream server automatically receives the certificate. The certificate
feature is not available for only downstream servers.
Click Generate.
Self-signed Certificates
If you are using a self-signed certificate for 3rd Party Patching, sometimes
Windows will automatically delete it.
If Windows finds a discrepancy with an intermediate certificate on the server,
it checks the certificate against its list of approved SSL certificates. If it
does not match, Windows removes it and logs the following in the
application log:
Event ID: 4108
Successful auto delete of third-party root certificate
To disable this feature and keep your root certificate installed:
1. Click Start > Run > “gpedit.msc” > OK.
2. Double-click Administrative Templates > System > Internet
Communication Management.
3. Select Internet Communication settings.
4. Double-click Turn off Automatic Root Certificates Update.
5. Select Enabled, and then click OK.
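Event ID 4108 and the policy set in the steps above can both be checked from PowerShell on the affected client. The following is an added example (not from this guide or from BeyondTrust): it lists recent 4108 entries in the Application log and reports whether Turn off Automatic Root Certificates Update is in effect. It assumes that policy writes DisableRootAutoUpdate = 1 under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, which is the standard registry location for that setting; the function names are this example's own.

```powershell
# Added example; not part of this guide. Run on a client that keeps losing
# the third-party root certificate. Assumption: the "Turn off Automatic Root
# Certificates Update" policy is stored as DisableRootAutoUpdate = 1 under
# the AuthRoot policy key below (the standard location for that setting).

function Get-RootAutoDeleteEvents {
    param([int]$Days = 30)
    # Event ID 4108 in the Application log: "Successful auto delete of third-party root certificate".
    $filter = @{ LogName = 'Application'; Id = 4108; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Message
}

function Test-RootAutoUpdateDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $value = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
    return ($value -eq 1)
}

$deletions = @(Get-RootAutoDeleteEvents -Days 30)
"Event ID 4108 entries in the last 30 days: $($deletions.Count)"
$deletions | Format-Table TimeCreated, ProviderName -AutoSize

if (Test-RootAutoUpdateDisabled) {
    'Automatic root certificate update is turned off by policy; the self-signed root should persist.'
} else {
    'Automatic root certificate update is still enabled; Windows may remove the self-signed root again.'
}
```

Turning off automatic root updates also stops the client receiving Microsoft's own root certificate updates, so where the WSUS connection uses SSL, importing a certificate issued by your own CA (the Import button described above) avoids the deletions without that trade-off.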
Subscribing to Vendor Patch Updates
To subscribe to vendor patch updates:
1. Select the Configure tab, and then select Patch Management.
2. In the Products and Classifications section, select the vendor patches
that you want to subscribe to.
Note that the patch classifications apply to Microsoft updates only.
3. Select the check boxes for the vendor products, and then click Save.
List of Supported Vendors
Vendor                      Products
Adobe Systems Incorporated  Adobe Flash Player, Adobe Acrobat, Adobe Reader,
                            Adobe Shockwave - Firefox/IE
Apple Incorporated          Safari
Foxit Corporation           Foxit Reader
Google Incorporated         Chrome
Igor Pavlov (LGPL)          7-Zip
Mozilla Foundation          Mozilla Firefox
Opera Software ASA          Opera Browser
Oracle Corporation          Sun Java
Skype Limited               Skype
win.rar GmbH                WinRAR
WinZip International LLC    WinZip
System Center Configuration Manager
Not supported in Retina CS Community.
In Retina CS, you can create a connection to your Microsoft System Center
Configuration Manager (SCCM) site server and manage the software updates
to the collections.
Overview
The SCCM feature in Retina CS offers you a way to create a connection to
your SCCM server and manage deploying software packages to selected
collections.
An important difference between traditional Smart Groups in Retina CS and
the SCCM Smart Groups is that asset data is gathered from the collections in
SCCM and is stored in the Retina CS database. The assets have not been
scanned by Retina CS. You can use the synchronize feature on the SCCM
configure page to ensure the most current data resides in the Retina CS
database.
The package deployment feature in Retina CS is similar to SCCM and offers
most of the options that you are already familiar with.
Requirements
• The client must have SCCM installed or patches cannot be deployed and
applied.
• The SCCM Smart Groups are not patch-enabled like the WSUS Smart
Groups.
• The SCCM instance must have an Active Software Update Point
component configured prior to making a connection from Retina CS.
Creating a Connection to a SCCM Site Server
To connect to a SCCM Site Server:
1. On the Retina CS console, select Configure, and then click the SCCM
tab.
2. Click +, and then enter the server name, domain, user name and
credentials for the server.
3. Click Test Connection to ensure the information is correct.
4. Click Save.
5. After you create the connection to a SCCM Site Server, additional tabs
are available.
You must select the collections to include in the Smart Group.
6. Click the Collections tab.
7. Select the collections, and then click Save.
A collection includes the assets that you want to apply patches to.
Collections are displayed here if at least one asset is detected in the
collection.
Note: You cannot change the autogenerated Smart Group.
Status information is provided for the following:
– Site Status - Displays a site status only. Includes such information as:
current status, site code, server availability (online or offline), event
information, version.
– Site Details - Displays information about the MS System Center
Configuration Manager.
A unique identifier (the site code) is added to every SCCM Smart Group.
This helps to identify the SCCM Site Server where the collection is from.
Deploying a Package to a Collection
Patches are immediately applied to the assets in the collection.
To deploy a package:
1. Select the collection in the Smart Groups browser pane.
2. Click the SCCM tab.
Review the client list to ensure that all targets have the SCCM client
installed.
3. Click Updates.
4. Review and select updates, and then click Deploy.
The page identifies the software available to deploy and the status of the
software on the assets in the collection: Installed, Required, N/A, and
Unknown.
5. On the Deployment Package Details page, enter the following
information:
– Package name, description and deployment package location.
Note: The package source location must be entered as a UNC path
(\\servername\share\package name) and must be unique for
every package that you deploy. The share must already be created
on the server. This is SCCM behaviour.
6. Select the optional additional settings:
– Enforce an installation deadline for this deployment
– Enable Wake On Lan when the deadline for this deployment has
been reached
– Enable user notifications
– Enable reboot of client machines outside of maintenance window
– Suppress system restart on Workstations
– Suppress system restart on Servers
7. Click Deploy.
You can keep track of the successfully deployed packages on the Job
page.
SCCM and 3rd Party Patching
If you are using SCCM, you can publish 3rd party patches to an Active
Software Update Point (SUP) by configuring the Update Point (WSUS
server) on the Configure > Patch Management tab in Retina CS.
Any SUP that has an active WSUS connection in RCS should not be used to
create Patch-enabled Smart Rules. For more information, see Connecting to
a WSUS Server.
Using Group Policy to Configure SCCM Assets for 3rd Party Patches
Configuring SCCM assets to accept 3rd Party Patches involves two steps:
• Exporting the WSUS Certificate
• Configuring the Group Policy Object
Exporting the WSUS Certificate
Go through the steps in this section on the WSUS server that is the Active
Software Update Point for SCCM.
For detailed information on exporting a certificate, refer to the Help file
available with the Certificates snap-in.
To export a WSUS certificate:
1. Run mmc, and then add the Certificates snap-in.
Be sure to select Computer account, and Local computer.
2. Expand the WSUS node.
3. Right-click WSUS Publishers Self-signed and select All Tasks >
Export.
4. In the Certificate Export Wizard, select the following:
– No, do not export the private key
– DER encode binary X.509 (.CER)
– Enter a file name for the certificate and go through the remaining
pages of the wizard.
Configuring the GPO
Use the following procedures to configure the Group Policy Object (GPO)
to deploy configuration to SCCM enabled assets. The GPO saves the WSUS
certificate to the appropriate certificate stores and configures the assets to
accept third-party patches from non-Microsoft sources.
After the GPO is created, it must be linked to an OU that contains the
SCCM assets that you want to receive 3rd party patches.
To configure assets using Group Policy on Windows Server domains:
1. Open Group Policy Management Console (GPMC) on a domain
controller.
2. Create a GPO for the certificate at the domain level:
a. Select the domain you want to use, and then click Action > Create
a GPO in this domain, and Link it here.
b. Enter a name for the GPO, and then click OK. For example, enter
Patch Management Client Configuration Policy.
3. Select the new object, and then click Action > Edit.
4. Expand Computer Configuration > Policies > Windows Settings >
Security Settings > Public Key Policies.
5. Import the WSUS publishing certificate to the Trusted Root
Certification Authorities and Trusted Publishers stores.
6. Turn on signed updates in the Windows Update administrative template:
a. Expand Computer Configuration > Policies > Administrative
Templates > Windows Components, and then select Windows
Update.
b. Double-click Allow signed updates from an intranet Microsoft
update service location.
c. Select Enabled, and then click OK.
7. Select an OU or domain and create a link to this new GPO.
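Both procedures above, exporting the WSUS publishing certificate and verifying that the GPO delivered it, can be checked from PowerShell. The following is an added example (not from this guide or from BeyondTrust): Export-WsusPublishingCert does the export on the WSUS server that is the software update point (public key only, DER-encoded .CER, as in step 4 of the export procedure), and Test-ClientThirdPartyTrust, run on an SCCM client after the GPO has applied, confirms the certificate reached both stores from step 5 and that the signed-updates setting from step 6 took effect. It assumes the certificate is visible through the certificate provider under Cert:\LocalMachine\WSUS with a subject containing "WSUS Publishers Self-signed", and that the Allow signed updates policy writes AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key (the standard value for that setting); the function names and output path are this example's own, and the path is a placeholder.

```powershell
# Added example; not part of this guide. Script equivalents of the export and
# GPO verification procedures. Assumptions: the WSUS store is reachable as
# Cert:\LocalMachine\WSUS, and the "Allow signed updates from an intranet
# Microsoft update service location" policy writes AcceptTrustedPublisherCerts.

function Export-WsusPublishingCert {
    # Run on the WSUS server that is the SCCM Active Software Update Point.
    param([string]$OutFile = 'C:\Temp\WsusPublishersSelfSigned.cer')  # placeholder path
    $cert = Get-ChildItem Cert:\LocalMachine\WSUS |
        Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
        Select-Object -First 1
    if (-not $cert) { throw 'WSUS Publishers Self-signed certificate not found in Cert:\LocalMachine\WSUS' }
    # Public part only (DER-encoded .CER); the private key never leaves the server.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    return $cert.Thumbprint
}

function Test-ClientThirdPartyTrust {
    # Run on an SCCM client after the GPO has applied (gpupdate /force if needed).
    param([Parameter(Mandatory)][string]$Thumbprint)
    $results = @(foreach ($store in 'Root', 'TrustedPublisher') {
        $present = [bool](Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object { $_.Thumbprint -eq $Thumbprint })
        [pscustomobject]@{ Check = "Certificate in LocalMachine\$store"; OK = $present }
    })
    $wu = Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'AcceptTrustedPublisherCerts = 1'; OK = ($wu.AcceptTrustedPublisherCerts -eq 1) }
    return $results
}

# On the WSUS server: export and note the thumbprint.
# $thumb = Export-WsusPublishingCert -OutFile 'C:\Temp\WsusPublishersSelfSigned.cer'
# On a client: every row should show OK = True before third-party patches are published.
# Test-ClientThirdPartyTrust -Thumbprint $thumb | Format-Table -AutoSize
```

Comparing by thumbprint rather than by subject name matters here: a client can hold an older self-signed WSUS publishing certificate with the same subject, and signed updates from the new certificate would still be rejected until the current one is present in both stores.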
Retina Protection Agents
Not supported in Retina CS Community.
In this section,
Overview
Downloading Retina Protection Agents
Configuring a Default Policy
Preparing Target Assets
Using the 3rd Party Deployment Tool
Updating RPA Licenses
Deploying the Protection Policies
Storing Retina Protection Agent Serial Numbers
Reviewing Details About Protection Agents
Removing Protection Agents
Configuring Protection Policies
Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference
Overview
This section provides information on how the Retina Protection agent
deployment works.
How RP Agent Deployments Work
1. The Application Bus service receives a message from Retina CS to
start a deployment. A deployment package is created and includes
these files:
– BlinkSetup.exe
– #deploy.xml
– deployc.pfx
– msxml3.dll
– msxml3r.dll
– startdeplservice.exe
To ensure secure deployment, the deployc.pfx file includes a
security certificate, eEyeEmsClientCert.pfx.
2. The package is queued and ready to be copied to a share on the
target asset.
3. This starts the deployment service (startdeplservice.exe).
This service sends a message to Retina CS indicating the job status.
When the deployment is complete, the startdeplservice.exe is
removed from the asset.
4. The service runs BlinkSetup.exe and installs:
– The VS2008 runtime environment if required.
– RPA
The service then reports to Retina CS that installation was successful.
Downloading Retina Protection Agents
The Retina Protection Agent must be downloaded before you can deploy
policies to selected assets.
You can deploy Retina Protection Agents using one of the following ways:
• Download through the Retina CS console
• Copy the Retina protection agent installer to the following directory:
$Common Files\eEye Digital Security\Shared Services
Host\data\Setups\Blink\4.0.0. Change the name of the installer file to:
BlinkSetup.exe
• Use the 3rd Party Deployment tool. See Using the 3rd Party
Deployment Wizard.
To deploy the protection agent:
1. Select the Assets tab.
2. Click Protect.
3. If the protection agent deployment package is not found, click
Download Protection Agent.
Progress messages are displayed during the download. A file size
indicator updates every 10 seconds to show the status of the download.
After the Retina protection agent is downloaded, you must configure the
Default policy.
Air Gapped Connectivity to Retina CS
If the server where Retina CS resides does not have an Internet connection,
you can download Blink Professional and Blink Server from the client portal.
• Change the name of Blink Professional to BlinkSetup.exe and copy to
the following directory: C:\Program Files (x86)\Common Files\eEye
Digital Security\Shared Services Host\data\Setups\Blink\4.0.0\
• Change the name of Blink Server to BlinkSetup.exe and copy to the
following directory: C:\Program Files (x86)\Common Files\eEye
Digital Security\Shared Services Host\data\Setups\Blink Server\4.0.0\
Configuring a Default Policy
You must configure the Default policy to use the Retina CS server as the
central policy agent.
To configure the Default policy:
1. Select the Configure tab.
2. Click Protection Policies.
3. Select Default policy, and then select Edit Policy.
4. Click the pencil icon next to Master Rules.
5. Expand Misc Options then select General.
6. Expand Central Policy.
7. Select the Yes check box to use central policy.
8. Use the default protocol, https.
9. Enter the Retina CS server name and password.
10. Click Update.
Preparing Target Assets
Assets must have appropriate permissions in place so that the protection
policies can be copied to the asset.
Using the 3rd Party Deployment Tool
Use the 3rd Party Deployment wizard to create Retina Protection Agent
deployment packages. You can create a directory, executable, or .msi.
To create a deployment package:
1. Select Start > All Programs > eEye Digital Security > Tools > 3rd
Party Deployment Wizard.
2. Select the directory where you want to create the package files and
where the package will be deployed.
3. Select the check boxes for the type of deployment package: Create
Directory, Create Executable, Create MSI.
4. Select Retina Protection Agent Setup information:
– Setup filename - Displays the name for the .exe. The default value is
BlinkSetup.exe.
– Serial number - Enter the serial number for the Retina Protection
Agent.
– Mode - Select a mode: Interactive, Alert Only, Silent, Hidden.
– Administrator password/confirm password - Enter a password.
– Enable Firewall - Select to turn on firewall protection.
– Enable Virus and Spyware Protection - Select to turn on virus and
spyware protection.
– Enable Intrusion Prevention - Select to turn on intrusion prevention.
– Enable System Protection - Select to turn on system protection.
– 3rd party AV uninstall password - Enter the password to uninstall
existing anti-virus and intrusion prevention applications if detected
during deployment.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
a. Select the protocol: https, rem.
b. Select the server name where Retina CS resides.
c. Select the default policy.
d. Enter the password for central policy.
e. Enter the time interval to check for updates.
7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.
12. Click Finish.
Updating RPA Licenses
When your Retina Protection Agents (RPA) serial numbers are close to
expiry, you can deploy a serial number to all assets where RPAs are
deployed.
To update the serial number:
1. Select the Assets tab.
2. Select Agents, and then click Relicense.
3. Select the assets from the Smart Groups browser pane.
4. In the Deploy section, select: currently selected assets, single IP
address, IP range, CIDR notation or named host.
5. Select the check box to skip the assets that do not have an RPA
deployed.
6. Enter credentials.
7. Enter the serial number.
8. Click Run.
Deploying the Protection Policies
Use the following procedure to deploy protection policies to selected assets
and agents.
Checkpoint
– Policies are only available after you deploy Retina protection
agents. For more information, see Downloading Retina
Protection Agents.
– Before proceeding, you might want to customize your policies.
For more information, see Configuring Protection Policies.
Note: Turn off the Require SSL setting in IIS Manager for the Retina CS
default web site.
Otherwise, the status displayed does not indicate when the
deployment has successfully completed.
To deploy protection policies:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Select a policy and click Deploy.
3. Expand Status to determine the assets that already have Retina
protection agents deployed. Select Don't perform deployment on
these (n) assets, with n being the number of assets that do not have
the protection agent installed.
4. Expand Deploy to select the assets you want to apply the protection
policies to: Smart Groups, Single IP, IP Range, CIDR Notation, or
Named Host.
5. Expand Credentials Management to enter the domain, username, and
password credentials for the assets to deploy on. Credentials are
required.
For IP Range and CIDR Notation, the policies are deployed to the assets
that match the credentials entered.
6. Expand Software Removal Tool, and select the Enabled check box.
Enter a password, if required. This step is optional.
Third-party anti-virus and intrusion prevention applications are
uninstalled if detected during deployment.
7. Expand Advanced and enter the serial number and installation directory
for the Retina protection agent.
8. Select the Enable Event Forwarding check box to view malware and
vulnerability events on the Retina CS console.
9. Select the Force installation of Protection Agent check box to deploy
the protection agent to the selected targets.
10. Click Request Protection Agent Update to automatically download
updates for the protection agent.
11. Click Start Deploy.
Click Show Status to view the progress of the deployment; or click the
Jobs tab.
Storing Retina Protection Agent Serial Numbers
You can set a serial number as the default so that you do not need to enter
the serial number every time you deploy an agent.
The serial number is displayed differently depending on the permissions that
you are assigned. If you are assigned the Protection Policy Management
permission, all digits for a saved serial number are displayed and the Save as
Default button is available.
If you are only assigned the Deployment permission, only the last section of
the serial number is displayed and the Save as Default button is not displayed.
You can clear the Use Default Serial check box at any time and then enter
another serial number.
For more information about permissions, see User Group Permissions.
Reviewing Details about Protection Agents
You can review the following information for a protection agent on the
Agents tab:
• Policy name
• Protection agent version
• Computer name where the agent is deployed
• Operating system
To review protection agent details:
1. Select the Agents tab.
2. To review only protection agent information, click the Preferences
button and clear any Retina scanner check boxes (for example, Retina
Version and Agent Name). This is optional.
3. Click the Filters button to set sorting information on the protection
agents. This is optional. This is helpful if there are a lot of protection
agents deployed in your environment.
Note that you cannot sort by Protection Agent Policy name.
Removing Protection Agents
You can remove a deployed protection agent from an asset.
To remove a protection agent:
1. Click the Assets tab.
2. Click the Agents tab.
3. Click Uninstall.
4. Enter the IP addresses for the assets.
5. Enter the credentials, and then click Run.
Configuring Protection Policies
In this section,
Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference
When setting up a protection solution using Retina CS, you need to
determine the rules that you want to use to protect your assets. Retina CS
ships with a set of default rules and rule groups.
After you determine the rule set and configure rules, you can attach the rule
groups to a policy. The policy is then deployed to your assets.
Working with Rules and Rule Groups
When creating rules and rule groups, review the following sections to
understand how they work.
Rule Group Ordering
When there is more than one rule group attached to a policy, the rules for all
attached groups are automatically merged into an effective set of rules for
the policy.
In the case where a specific rule is set in more than one attached group, the
group that is located higher in the list of attached groups takes priority. You
can click and drag on attached Rule Groups to modify their ordering and
thus their resulting relative priority.
Retina CS ships with a set of default rules. Each new policy automatically
inherits these default settings. Some rules are “on” while others are “off.”
Changing a default value is considered an override even if that setting is later
changed to its default state. This is important to understand since a rule
setting override is considered when multiple Rule Groups are merged in a
given Policy, but rules considered to be in their “factory default” state are
not.
To remove all rule setting overrides from a rule category in a Rule Group,
select that category and click the arrow next to the category title. In the
context menu that appears, select “Revert to factory.”
For example, consider three cases where two Rule Groups are attached to a
policy, Group A (highest priority) and Group B. The factory default setting
for a particular rule is “off”.
• Case 1: In Group B, that rule is set to on. The rule in Group A has never
been changed and is considered the “default.” The effective merged rule
setting will be “on”.
• Case 2: The rule in Group B is set to “on”, but in Group A that rule has
been set to “on” previously, but later set to “off”. Since this “off”
setting is now considered an override over the default setting, the
effective merged rule setting will now be “off.”
• Case 3: The rule category where this rule resides is “reverted to factory
default” for Group A and now the effective merged setting is once again
“on”, this case now being identical to the first.
Master Rules
Every policy has a set of Master Rules which can be considered a non-shared
Rule Group (it is specific to one policy only) that always has the highest
priority when rules are merged. Any rule set in the Master Rules section will
override the same rule setting in any attached groups.
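The merge described under Rule Group Ordering and Master Rules, as an added illustration that is not BeyondTrust or Retina CS code: a rule group only carries weight for rules an administrator has ever changed, a change back to the default still counts as an override, “Revert to factory” discards the override, and Master Rules win over every attached group. The rule names, the RuleGroup class and the per-rule revert (the guide applies it per category) are assumptions made for the example; the function replays the guide's three cases and adds a fourth step for a Master Rules override.

```python
# Added example (not BeyondTrust/Retina CS code): a model of how the rules of
# attached Rule Groups and the Master Rules merge into a policy's effective
# rule set. Rule names and the RuleGroup class are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed factory defaults: True means "on", False means "off".
FACTORY_DEFAULTS: Dict[str, bool] = {
    "block_inbound_smb": False,
    "log_dropped_packets": True,
}


@dataclass
class RuleGroup:
    name: str
    # Only rules an administrator has ever changed are recorded here. A rule
    # that is absent is in its factory-default state and carries no weight in
    # the merge, even if it was once changed and later set back to the default.
    overrides: Dict[str, bool] = field(default_factory=dict)

    def set_rule(self, rule: str, value: bool) -> None:
        """Any change records an override, even a change back to the default."""
        self.overrides[rule] = value

    def revert_to_factory(self, rule: str) -> None:
        """'Revert to factory' discards the override (modelled per rule here;
        the guide applies it to a whole rule category)."""
        self.overrides.pop(rule, None)


def effective_setting(rule: str, master: RuleGroup, attached: List[RuleGroup]) -> bool:
    """Master Rules always win. Otherwise the first attached group in list order
    (highest priority) that holds an override wins. With no override anywhere
    the factory default applies."""
    if rule in master.overrides:
        return master.overrides[rule]
    for group in attached:
        if rule in group.overrides:
            return group.overrides[rule]
    return FACTORY_DEFAULTS[rule]


def merge_policy(master: RuleGroup, attached: List[RuleGroup]) -> Dict[str, bool]:
    """Effective rule set for every known rule."""
    return {rule: effective_setting(rule, master, attached) for rule in FACTORY_DEFAULTS}


def walk_through_cases() -> List[bool]:
    """Replays the guide's three cases for Group A (highest priority) and
    Group B, then adds a fourth step showing a Master Rules override."""
    rule = "block_inbound_smb"          # factory default is "off"
    master, a, b = RuleGroup("Master Rules"), RuleGroup("Group A"), RuleGroup("Group B")

    b.set_rule(rule, True)              # Case 1: B on, A untouched -> on
    case1 = effective_setting(rule, master, [a, b])

    a.set_rule(rule, True)              # Case 2: A set on, then back to off ...
    a.set_rule(rule, False)             # ... which is still an override -> off
    case2 = effective_setting(rule, master, [a, b])

    a.revert_to_factory(rule)           # Case 3: A reverted, back to Case 1 -> on
    case3 = effective_setting(rule, master, [a, b])

    master.set_rule(rule, False)        # Master Rules override everything -> off
    case4 = effective_setting(rule, master, [a, b])
    return [case1, case2, case3, case4]
```

The point the model makes explicit is that the merge looks at whether an override exists, not at the value it carries: two groups whose rule is “off” can still produce different results depending on which of them was ever edited.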
Creating a Rule Group and Setting Rules
A Rule Group is a container for the rules that you want to apply to protect
your assets. In Retina CS, a rule group can contain any combination of rule
categories that includes: system firewall, application firewall, IPS signatures,
and Trusted and Banned IPs. In each rule category, there are particular rules
that you can activate if you want to provide that specific protection to your
asset.
Rule groups provide proactive and reactive protection against intruders,
internal attacks, and machine misuse. When assigned to a policy, rule groups
are applied to assets, such as networks, servers, workstations and laptops.
To create a rule group:
1. Select the Dashboard tab and click Protect; or select the Assets tab,
and then click Protect.
2. Click Manage Rule Groups.
3. On the Manage Rule Groups page, you can:
– Click + to add a rule group. Enter a name for the rule group.
– Select the rule group from the Rule Groups pane to change the rule
group properties. You can type the name of the rule group in the box
to search for the rule group.
– Select the rule group and click - to delete the rule group.
4. Select a rule group, then select a rule category to display the associated
rules.
Rule categories with arrows contain subcategories. Click the arrow to
display the subcategories; select the subcategory to display the rules.
5. Select a rule name check box to activate the rule. To create a rule, go to
Rules.
6. Click Revert to revert to either last saved or the default value for the
rule category.
7. Click Update.
Creating a Protection Policy
Create a policy that defines the rules you want to apply to your assets.
You can create a dynamic protection policy. A dynamic policy includes
conditions that determine the assets where the protection policy will be
applied. For more information, see Creating a Dynamic Protection Policy.
Checkpoint
– At least one policy category must be created to create a policy. See
Organizing Policies.
To create a protection policy:
1. Select the Assets tab.
2. Click Protect.
You can also create a policy from the Configure tab.
3. Click New Policy.
Drag rule groups to the rules pane. For more information, see Rule
Groups.
4. Click Create.
5. Enter the name of the policy and the policy group to which it is a
member. Click Update when editing an existing policy.
Creating a Dynamic Policy
You can attach a location to a policy. When a policy is processed, rule groups
and locations in the policy are also processed.
Locations and conditions define when a policy will be deployed to particular
assets.
• Location – One or more conditions.
• Condition – A set of criteria that determines the assets.
Assets in an environment can change or be removed. The policy is dynamic
since only those assets that meet the criteria in the condition are included.
To manage locations, open an existing policy or create a new policy.
The following procedure shows you how to create a condition and add the
condition to a location.
To create a dynamic policy:
1. Select the Dashboard tab, and then click Protect; or select the Assets
tab and click Protect.
2. Click New Policy.
You can also add locations to existing policies.
3. Click Add Location.
4. From the Location menu, select Manage Locations.
5. Click the + sign. Enter a name and click Create.
To edit an existing location, select the location from the Location pane.
To delete a location, select the location from the Location pane and click
the - sign.
6. Click Manage. On the Manage Conditions window, you can create and delete
conditions.
a. Click + to create a condition. Enter a name and click Create.
b. Select Command or Script from the Command Type list.
Command options:
– CheckReachable – In the Command Parameters box, type the IP address or
domain name. Pings the IP address or domain name to verify access in the
network. For example, if the IP address or domain is reachable, then the
policy can be applied.
– CompareVersion – Verifies which version of protection agent is installed
on the assets. This feature will be available at a later date.
– Verify DNS – In the Command Parameters box, type the IP address. Confirms
the Domain Name System server.
– Verify DHCP – In the Command Parameters box, type the IP address. Confirms
the Dynamic Host Configuration Protocol server.
Script options:
– Script Name – Java or Visual Basic script file. Click Upload Script to
upload a script.
– Script Parameters – Script file location.
c. Select the Network Status Change Events check box if you want to
log network status changes.
d. Click Update.
7. Drag the condition from the Conditions pane.
8. More than one condition can apply to a location. The following operators
are available:
And = &
Or = |
Not = !
Parentheses group conditions
9. Click Update.
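The location operators listed in step 8 (And = &, Or = |, Not = !, parentheses for grouping), as an added evaluator that is not BeyondTrust or Retina CS code. Condition names and their results are constructed; in Retina CS each result would come from the condition's command (CheckReachable, Verify DNS, Verify DHCP) or script. The precedence (! binds tightest, then &, then |) and the rejection of malformed expressions are assumptions for the example; the guide does not state how the product parses them.

```python
# Added example (not BeyondTrust/Retina CS code): a small evaluator for the
# location operators & | ! and parentheses over named condition results.
import re
from typing import Dict, List, Optional

_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expr: str) -> List[str]:
    """Split an expression into condition names and operator tokens."""
    tokens: List[str] = []
    pos, expr = 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos} in {expr!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent (assumed precedence: ! then & then |):
         or_expr  := and_expr ('|' and_expr)*
         and_expr := not_expr ('&' not_expr)*
         not_expr := '!' not_expr | '(' or_expr ')' | NAME
    """

    def __init__(self, tokens: List[str], results: Dict[str, bool]) -> None:
        self.tokens, self.pos, self.results = tokens, 0, results

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a condition'}, got {tok!r}")
        self.pos += 1
        return tok

    def or_expr(self) -> bool:
        value = self.and_expr()
        while self.peek() == "|":
            self.take()
            rhs = self.and_expr()        # always parse the operand, never short-circuit the parse
            value = value or rhs
        return value

    def and_expr(self) -> bool:
        value = self.not_expr()
        while self.peek() == "&":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self) -> bool:
        tok = self.peek()
        if tok == "!":
            self.take()
            return not self.not_expr()
        if tok == "(":
            self.take()
            value = self.or_expr()
            self.take(")")
            return value
        name = self.take()
        if name in {"&", "|", ")"}:
            raise ValueError(f"operator {name!r} where a condition was expected")
        if name not in self.results:
            raise KeyError(f"unknown condition {name!r}")
        return self.results[name]


def evaluate(expr: str, results: Dict[str, bool]) -> bool:
    """True when the location expression holds for the given condition results."""
    parser = _Parser(tokenize(expr), results)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return value


# Constructed results for one asset: reachable, DNS check passed, DHCP check failed.
SAMPLE_RESULTS = {"reachable": True, "dns_ok": True, "dhcp_ok": False}


def policy_applies(location_expr: str) -> bool:
    """Would a policy whose location carries this expression be applied to the sample asset?"""
    return evaluate(location_expr, SAMPLE_RESULTS)
```

Because each condition's result comes from a network probe or a script, unknown names and dangling operators are rejected rather than silently treated as false: a location that cannot be evaluated should not quietly widen or narrow the set of assets that receive a protection policy.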
Organizing Your Policies
A policy category is a set of similar policies. A policy must be assigned to a
category when the policy is created.
To organize policies:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
You can also create a category from the Configure tab.
2. Click New Policy Category.
3. Enter the policy category name and click Create.
4. Drag policies from other policy categories to populate the new policy
category.
Rules Reference
As mentioned earlier, a protection policy contains the security rules that are
deployed to your assets.
This section details the rules available to you.
You can create, copy, edit, and delete rules. You cannot create rules for the
following rule categories: Identity Theft and Analyzers.
To copy, edit, or delete a rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
You can also manage rule groups from the Configure tab (Protection
Policies).
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the rule category.
5. Select a rule name check box to activate the rule.
6. Select the rule, click the arrow and select one of the following menu
items:
– Edit Rule—to edit the selected rule. Click the pencil icon to change
the settings.
– Duplicate Rule—to create a copy of the rule. Edit the new rule as
needed.
– Delete Rule—to delete the selected rule.
Note that menu items are not available on all rules.
System Wide Firewall Rules
System Wide Firewall rules control the flow of data by examining each
packet and determining whether to forward the packet toward a specific
destination.
To create system-wide firewall rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the System Firewall rule.
5. Click Create New Rule to start the wizard.
6. Complete the following pages.
a. Action
– Allow – traffic that matches the rule can pass through the
firewall.
– Deny – traffic that matches the rule cannot pass through the
firewall.
– Ask – a message is displayed requesting permission to pass
through the firewall.
– Log event – select to create an event log when the rule is
matched.
– Alert user – receive and log alerts from Blink when the rule is
matched. This can create a flood of alerts and increase the size of
the log file.
b. Protocol
– Select a protocol – TCP, UDP, TCP or UDP, ICMP, IP
c. Traffic Direction
– Traffic from Other Computers - filters only inbound traffic
received by your computer.
– Traffic from This Computer - filters only outbound traffic
sent from your computer.
– Any Direction - filters both inbound and outbound traffic.
d. Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP
addresses.
– Specific local IP addresses – Click +, and then select:
Determine IP(s) at run-time, Single IP, IP Range, or Subnet.
Click Set.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list,
or port range.
Use a comma to separate values. Ports in a range are separated
with a hyphen.
e. Remote IPs & Ports
Options on this page are the same as Local IPs & Ports page.
f. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
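The System Wide Firewall wizard pages above, as an added example that is not BeyondTrust or Retina CS code: it parses the port syntax the Specific ports page accepts (comma-separated values, hyphen ranges) and evaluates a top-down rule list against constructed packets, which is what makes “Place at the top of the rule list” mean “run this rule first”. The data classes, the “tcp_or_udp” and “any” spellings, the remote-subnet field and the default action when no rule matches are assumptions for the illustration; the guide does not state what happens to traffic that matches no rule.

```python
# Added example (not BeyondTrust/Retina CS code): port specification parsing
# and first-match evaluation of system-wide firewall rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


def parse_port_spec(spec: str) -> FrozenSet[int]:
    """'80,443,8000-8080' -> frozenset of ports. A comma separates values and a
    hyphen marks an inclusive range; anything outside 0-65535 is rejected."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty entry in port specification {spec!r}")
        if "-" in item:
            low, high = (int(part) for part in item.split("-", 1))
            if low > high:
                raise ValueError(f"descending range {item!r}")
            candidates = range(low, high + 1)
        else:
            candidates = [int(item)]
        for port in candidates:
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} out of range in {item!r}")
            ports.add(port)
    return frozenset(ports)


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str                                     # "allow", "deny" or "ask"
    protocol: str                                   # "tcp", "udp", "tcp_or_udp", "icmp" or "ip"
    direction: str                                  # "inbound", "outbound" or "any"
    local_ports: Optional[FrozenSet[int]] = None    # None = rule applies to all ports
    remote_net: Optional[str] = None                # None = rule applies to all IP addresses
    remote_ports: Optional[FrozenSet[int]] = None
    log_event: bool = False


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str
    local_port: int
    remote_ip: str
    remote_port: int


def _protocol_matches(rule_protocol: str, packet_protocol: str) -> bool:
    if rule_protocol == "ip":                       # "IP" covers every IP protocol
        return True
    if rule_protocol == "tcp_or_udp":
        return packet_protocol in ("tcp", "udp")
    return rule_protocol == packet_protocol


def rule_matches(rule: FirewallRule, pkt: Packet) -> bool:
    """Every configured criterion must hold; an unset criterion matches anything."""
    if not _protocol_matches(rule.protocol, pkt.protocol):
        return False
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.local_ports is not None and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_net is not None and ip_address(pkt.remote_ip) not in ip_network(rule.remote_net):
        return False
    if rule.remote_ports is not None and pkt.remote_port not in rule.remote_ports:
        return False
    return True


def first_match_action(rules: List[FirewallRule], pkt: Packet, default: str) -> str:
    """Rules run top-down and the first match decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule list: deny legacy file-sharing ports from everywhere, allow
# the web ports, allow anything from a management subnet, ask for other inbound TCP.
RULES = [
    FirewallRule("deny SMB/NetBIOS in", "deny", "tcp", "inbound",
                 local_ports=parse_port_spec("135-139,445"), log_event=True),
    FirewallRule("allow web in", "allow", "tcp", "inbound",
                 local_ports=parse_port_spec("80,443")),
    FirewallRule("allow management subnet", "allow", "ip", "inbound",
                 remote_net="10.0.0.0/24"),
    FirewallRule("ask other inbound TCP", "ask", "tcp", "inbound"),
]


def classify(pkt: Packet) -> str:
    """Assumed default for this example: traffic matching no rule is allowed."""
    return first_match_action(RULES, pkt, default="allow")
```

Note the ordering effect: a packet to port 445 from the management subnet is denied because the deny rule sits above the subnet allow; moving the allow to the top of the list would reverse that decision.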
Application Firewall Rules
Application Firewall rules tailor the protection closer to the applications and
the specific network environment being protected.
To create an Application Firewall rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the text box to search for the rule group.
4. Select the Application Firewall rules category.
5. Click Create New Rule to start the rule wizard.
a. Application
– Full Path – Retina CS compares the path stored in the firewall
rule to the path of the application requesting network access.
The rule triggers when there is a match. Select this option for
applications that are typically updated during normal use.
– Process Name - Retina CS compares the application process
name to the process that is requesting network access.
The rule triggers when there is a match. This is the least secure
option.
– MD5 - Retina CS creates and stores an MD5 checksum of the
specified application. The MD5 algorithm is a method for signing
and verifying a file and its contents mathematically. At run-time,
Retina CS compares this MD5 checksum to the checksum of the
application that is requesting network access.
The rule triggers when there is a match. This is the default value
and the most secure option; however, if the application changes
during an auto-update, the rule becomes invalid. If selected,
enter the MD5 value.
– System Process – filters the system process requests from the
Operating System or Kernel Drivers running under a system
context. Typical system processes include printing and file
sharing.
b. Action
– Allow – traffic that matches the rule can pass through the
firewall.
– Deny – traffic that matches the rule cannot pass through the
firewall.
– Ask – a message is displayed requesting permission to pass
through the firewall.
– Log event check box – select to create an event log when the
rule is matched.
– Alert user check box - receive and log alerts from Blink when
the rule is matched. This can create a lot of alerts and increase
the size of the log file.
c. Protocol
– Select a protocol – TCP, UDP, or TCP or UDP
d. Traffic Direction
– Traffic from Other Computers - filters only inbound traffic
received by your computer.
– Traffic from This Computer - filters only outbound traffic
sent from your computer.
– Any Direction - filters both inbound and outbound traffic.
e. Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP
addresses.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list,
or port range.
Use a comma to separate values. Ports in a range are separated
with a hyphen.
f. Remote IPs and Ports
Options on this page are the same as Local IPs & Ports page.
g. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
IPS Signature Rules
You can create IPS network signatures that filter a specific protocol, such as
FTP, ICMP, and SMTP. For example, you can create an application layer IPS
signature that filters traffic from the subject line of all incoming or outgoing
email messages associated with the EMAIL protocol.
When you create an IPS signature rule, you can choose the Network Layer
or Application Layer protocol. The wizard pages change depending on the
protocol that you select.
For the following procedure, the wizard pages described assume CGI Scripts
and Network Layer options are selected.
To create an IPS signature rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the box to search for the rule group.
4. Expand IPS Signatures and select a subcategory to display the
associated rules.
5. Click Create New Rule to start the wizard.
Protocol
Select a protocol.
IP Protocol
– Fragment Flags – Select the check box then select: More Fragment,
Don't Fragment Bit, Reserved Bit.
– Don't Care – The value is ignored.
– Set – The binary value of the corresponding flag for 1s only is
verified.
– Not Set – The binary value of the corresponding flag for 0s only
is verified.
– IP ID – Select Less Than, Equal To, or Greater Than and set the ID
number.
– IP Protocol – Select Less Than, Equal To, or Greater Than and set
the protocol.
– Time to Live – Select Less Than, Equal To, or Greater Than and set
the time.
– IP Options – Select Record Route, End of Option List, No
Operation, Internet Timestamp, Security, Loose Source Routing, or
Strict Source Routing.
– Type of Service – Select the service: Minimize Delay, Maximize
Throughput, Maximum Reliability, or Minimize Monetary Cost.
Traffic Direction
– Inbound – Filters only inbound traffic received by your computer.
– Outbound – Filters only outbound traffic sent from your computer.
– Both – Filters both inbound and outbound traffic.
Local IPs & Ports
– Rule applies to all IP addresses – Create a rule for all local IP
addresses.
– Specific local IP addresses – Click +, and then select: Determine
IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.
– Rule applies to all ports – Create a rule for all ports.
– Specific ports – Click +, and then enter a port number, port list, or
port range.
Use a comma to separate values. Ports in a range are separated with a
hyphen.
Remote IPs & Ports
Options on this page are the same as Local IPs & Ports page.
Search Pattern
– Click +, and then type the pattern to search on.
You can create patterns using hex characters or a combination of
ASCII and hex characters. A hex sequence must be enclosed in < >.
– Start – (Optional) Enter the number of bytes to skip from the
beginning of the packet’s payload.
– Depth – Enter the total number of bytes to search in the packet’s
payload.
– Trigger rule if pattern not found – (Optional) Stop the action
from completing when the pattern is matched.
– Use regular expressions – (Optional) Find a specific word
followed by an alphanumeric.
– Match case on pattern – (Optional) Find a pattern that matches
the case in the Pattern field.
– Match only on patterns of same size – (Optional) Find a pattern
that matches the size in the Pattern field.
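The Search Pattern page above, as an added example that is not BeyondTrust or Retina CS code: a parser for patterns made of ASCII text and hex byte sequences enclosed in < >, applied to a payload window defined by Start (bytes skipped) and Depth (bytes searched), with the case-matching, regular-expression and “trigger rule if pattern not found” options. The function names, the acceptance of whitespace between hex bytes inside < >, and the choice to treat text outside < > as a Python regular expression when the regex option is on are assumptions; the “match only on patterns of same size” option is not modelled. The HTTP request payload is constructed for the checks.

```python
# Added example (not BeyondTrust/Retina CS code): IPS search-pattern parsing
# and windowed payload search.
import re
from typing import List, Optional

_HEX_GROUP = re.compile(r"<([0-9A-Fa-f\s]*)>")


def _text_piece(text: str, use_regex: bool) -> bytes:
    raw = text.encode("latin-1")            # one byte per character, as on the wire
    return raw if use_regex else re.escape(raw)


def compile_pattern(pattern: str, use_regex: bool = False, match_case: bool = True) -> "re.Pattern[bytes]":
    """Turn a wizard pattern into a compiled bytes regex.

    Text outside < > is literal (or, with use_regex, a regular expression);
    the hex digits inside < > become raw bytes and are always taken literally.
    """
    pieces: List[bytes] = []
    pos = 0
    for match in _HEX_GROUP.finditer(pattern):
        pieces.append(_text_piece(pattern[pos:match.start()], use_regex))
        digits = "".join(match.group(1).split())     # assumption: spaces between bytes allowed
        if len(digits) % 2:
            raise ValueError(f"odd number of hex digits in {match.group(0)!r}")
        pieces.append(re.escape(bytes.fromhex(digits)))
        pos = match.end()
    pieces.append(_text_piece(pattern[pos:], use_regex))
    flags = 0 if match_case else re.IGNORECASE
    return re.compile(b"".join(pieces), flags)


def pattern_found(payload: bytes, pattern: str, start: int = 0, depth: Optional[int] = None,
                  use_regex: bool = False, match_case: bool = True) -> bool:
    """Search only the window the rule allows: skip `start` bytes of the payload,
    then look at `depth` bytes (the rest of the payload when depth is None)."""
    window = payload[start:] if depth is None else payload[start:start + depth]
    return compile_pattern(pattern, use_regex, match_case).search(window) is not None


def rule_triggers(payload: bytes, pattern: str, *, start: int = 0, depth: Optional[int] = None,
                  trigger_if_not_found: bool = False, use_regex: bool = False,
                  match_case: bool = True) -> bool:
    """The rule fires when the pattern is in the window, or, with
    trigger_if_not_found, when it is absent (e.g. a required header missing)."""
    found = pattern_found(payload, pattern, start, depth, use_regex, match_case)
    return (not found) if trigger_if_not_found else found


# Constructed HTTP request payload used in the checks.
SAMPLE_PAYLOAD = b"GET /cgi-bin/printenv HTTP/1.0\r\nHost: intranet.example\r\n\r\n"
```

Start and Depth matter for cost as much as for precision: a signature that only needs the request line should not be run over every byte of a large POST body, and a small window also avoids accidental matches deep inside unrelated data.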
Action
– Stop attack – Stop the attack by terminating the session or dropping
packets.
– Capture Packets – Hold the packet for review by the user.
– Block IP for – Stop the attack for the specified number of minutes.
Available only for TCP-based IPS signatures.
This is not recommended for spoofable protocols, such as IP, UDP
and ICMP. In a spoofable attack, an attacker mimics the IP address
of critical systems and then forces the IP address to be added to the
banned list. Specify the frequency of the action.
– Log event – Create an event log when the rule is matched.
– Alert user – Receive and log alerts from RPA when the rule is
matched. This can create a flood of alerts and increase the size of the
log file.
Specify Threshold
– Take action for every occurrence of the event – When the
pattern is found, the action defined on the Action page occurs.
– Take action when the threshold is exceeded – When the
threshold is exceeded, the action defined on the Actions page
occurs.
The default is one event every one second.
Specify References
– (Optional) Enter more information about the vulnerabilities and
exploits.
The information helps to define what the IPS signature protects
against.
Set More Details
– Enter more information about the rule.
– Rule severity – Select a severity between 0 and 9 (highest severity).
The severity level is included in the event log.
Rule Summary
Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Trusted and Banned IPs
You can set trusted and banned IP addresses to manage lists of hosts
processed by the Firewall and IPS protection engines. You must activate
Intrusion Prevention or System Firewall to use the Trusted and Banned IPs
feature.
• Trusted IPs – Add the IP address or range of IP addresses of trusted
critical machines. All data is then allowed from the trusted systems.
Note that if a trusted system attacks your Retina CS-protected server or
workstation, the attack will not be detected.
• Banned IPs – Provides time-based traffic blocking from an IP address.
You can ban an IP for a period of time or indefinitely. Data flowing from
known problematic hosts can be discarded without further processing.
If an IP address is added to the Trusted list and Banned list, that IP address
is banned.
All IPS Analyzer rules and signatures can be configured to ban the attacker
IP for a certain amount of time. For example, you may want to slow down
someone trying to guess your FTP password account by stopping them from
accessing the server for 10 minutes after each 10 failed attempts occurring in
less than three minutes.
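The Specify Threshold page of the IPS wizard (take action on every occurrence, or only when a count within a time window is exceeded) and the FTP example above (10 failed attempts in under three minutes, ban for 10 minutes), as one added example that is not BeyondTrust or Retina CS code. It models the threshold as a sliding-window counter per source address and the Trusted and Banned lists with Permanent or Keep for [n] Minutes entries that drop off automatically, including the rule that an address on both lists is treated as banned. Class and method names are assumptions, and timestamps are plain seconds so the scenario runs offline.

```python
# Added example (not BeyondTrust/Retina CS code): event threshold, time-based
# bans and the Trusted/Banned precedence rule.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class Threshold:
    """'Take action when the threshold is exceeded'. The wizard default is
    one event every one second, which acts on every occurrence."""
    count: int = 1
    window_seconds: float = 1.0


class IPLists:
    def __init__(self) -> None:
        self.trusted: Set[str] = set()
        self.banned: Dict[str, Optional[float]] = {}   # ip -> expiry time, None = Permanent

    def ban(self, ip: str, now: float, minutes: Optional[float] = None) -> None:
        """Keep for [n] Minutes, or Permanent when minutes is None."""
        self.banned[ip] = None if minutes is None else now + minutes * 60

    def is_banned(self, ip: str, now: float) -> bool:
        if ip not in self.banned:
            return False
        expiry = self.banned[ip]
        if expiry is not None and now >= expiry:
            del self.banned[ip]          # entries leave the list automatically
            return False
        return True

    def is_trusted(self, ip: str, now: float) -> bool:
        """An address on both lists is treated as banned."""
        return ip in self.trusted and not self.is_banned(ip, now)


class FailedLoginMonitor:
    """Bans a source for `ban_minutes` once it produces `threshold.count`
    events inside `threshold.window_seconds`."""

    def __init__(self, lists: IPLists, threshold: Threshold, ban_minutes: float) -> None:
        self.lists, self.threshold, self.ban_minutes = lists, threshold, ban_minutes
        self.events: Dict[str, Deque[float]] = defaultdict(deque)

    def record_failure(self, ip: str, now: float) -> bool:
        """Returns True when this event pushed the source over the threshold."""
        window = self.events[ip]
        window.append(now)
        cutoff = now - self.threshold.window_seconds
        while window and window[0] <= cutoff:      # forget events outside the window
            window.popleft()
        if len(window) < self.threshold.count:
            return False
        window.clear()                              # the next 10 are counted afresh
        self.lists.ban(ip, now, self.ban_minutes)
        return True


def ftp_scenario() -> List[bool]:
    """Constructed timeline: ten failures in nine seconds from one host, and
    ten failures spread over 400 seconds from another (never ten inside 180 s).
    Every entry of the returned list is expected to be True."""
    lists = IPLists()
    lists.trusted.add("203.0.113.7")        # trusted, but a ban still wins
    monitor = FailedLoginMonitor(lists, Threshold(count=10, window_seconds=180), ban_minutes=10)
    burst = [monitor.record_failure("203.0.113.7", t) for t in range(10)]
    slow = [monitor.record_failure("198.51.100.20", t * 40) for t in range(10)]
    return [
        burst[-1],                                       # the tenth failure triggers the ban
        not any(burst[:-1]),                             # the first nine do not
        not any(slow),                                   # spread-out failures never trigger
        lists.is_banned("203.0.113.7", 9 + 599),         # still banned just before 10 min
        not lists.is_trusted("203.0.113.7", 100),        # banned overrides trusted
        not lists.is_banned("203.0.113.7", 9 + 600),     # expired at exactly 10 min
        lists.is_trusted("203.0.113.7", 9 + 600),        # trusted again once the ban lapses
    ]
```

The same structure shows why the guide warns against Block IP for spoofable protocols: the ban keys on the source address alone, so the counter can be driven by whatever address appears in the packets, which is only meaningful for TCP sessions that completed a handshake.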
To create a Trusted IP or Banned IP rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the Trust IPs or Banned IPs rule category.
5. Click Create New Rule to start the wizard.
6. Enter the IP address, IP address range, or subnet.
7. Specify the time the IP remains on the list as either Permanent or Keep
for [n] Minutes. You can also include a date and time. The IP address is
automatically deleted from the IP list after the time period elapses.
8. Enter a description for the IP address.
9. Click Set. The IP address displays in either Trusted IPs or Banned IPs
list.
10. Click Update.
Registry Protection Rules
Registry rules protect registry resources against unauthorized modifications.
To create a Registry rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the Registry rule category.
5. Click Create New Rule to start the wizard.
a. Select Resource Type
Registry is selected.
b. Resource Path
– Registry Key Path – Enter the registry path.
– Match Type – Select a matching type. See Caller Path page
details for descriptions.
c. Caller Path
– Caller Path – Enter the path.
– Match Type – Select a matching type.
Exact – Matches only the exact path. This is the fastest matching.
Partial – Matches if the pattern is found anywhere in the path.
This is the second fastest matching.
Wildcard – Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
Regex – Creates the most complex matching rules. This can be
the slowest and should be used with care.
– MD5 Validation
Do not use caller MD5.
Auto-calculate caller MD5 – Calculates the caller's MD5 if the file
is accessible on disk.
User specified caller MD5 – Enter the caller's MD5 as a hex string.
MD5 is a cryptographic hash of a file's contents: it identifies the
file, it does not sign it. At run time, Retina CS compares this
checksum to the checksum of the application that is requesting the
registry access. Location and MD5 checksum are combined with an
implicit OR: if either matches, the rule is triggered, so adding a
checksum does not narrow a broad Caller Path pattern. MD5 collisions
are practical, so reserve checksum matching for files you control.
d. Specify an Action
Select the Read or Write access (or both) to be matched by this rule.
– Allow – The matching registry access is permitted. This is the
default.
– Deny – The matching registry access is blocked.
– Log – Select to create an event log when the rule is matched.
– Alert – Receive and log alerts from Blink when the rule is
matched. This can create a lot of alerts and increase the size of
the log file.
e. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Execution Protection Rules
Execution rules prevent the system from executing unauthorized processes.
To create an Execution rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the text box to search for, display, and select
that Rule Group.
4. Select the Execution rule category.
5. Click Create New Rule to start the wizard.
a. Select Resource Type
Execution is selected.
b. Resource Path
– Path – Enter the path of the executable (the process to be
launched) that the rule applies to.
– Match Type – Select a matching type. See Caller Path page
details for descriptions.
c. Caller Path
– Caller Path – Enter the path.
– Match Type – Select a matching type.
Exact – Matches only the exact path. This is the fastest matching.
Partial – Matches if the pattern is found anywhere in the path.
This is the second fastest matching.
Wildcard – Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
Regex – Creates the most complex matching rules. This can be
the slowest and should be used with care.
– MD5 Validation
Do not use caller MD5.
Auto-calculate caller MD5 – Calculates the caller's MD5 if the file
is accessible on disk.
User specified caller MD5 – Enter the caller's MD5 as a hex string.
MD5 is a cryptographic hash of a file's contents: it identifies the
file, it does not sign it. At run time, Retina CS compares this
checksum to the checksum of the application that is launching the
process. Location and MD5 checksum are combined with an implicit
OR: if either matches, the rule is triggered, so adding a checksum
does not narrow a broad Caller Path pattern. MD5 collisions are
practical, so reserve checksum matching for files you control.
d. Specify an Action
The Execute check box is selected and cannot be changed.
– Allow – The matching process is permitted to run. This is the
default.
– Deny – The matching process is blocked from running.
– Log – Select to create an event log when the rule is matched.
e. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
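The Caller Path match types and the "implicit OR" between location and MD5 described for the Registry and Execution wizards, as an added Python illustration (example code written for this page, not code from Retina CS or this guide). It translates the Wildcard syntax (* any sequence, # one digit, ? one alphabetic character), evaluates an ordered rule list first-match-wins with Allow as the default, and shows why the OR matters for security: a hash entry does not tighten a loose path pattern, and a path entry admits whatever binary happens to sit at that path. The rule dictionary layout, the paths, the registry key and the "updater" bytes are assumptions invented for the example.

```python
import hashlib
import re


def wildcard_to_regex(pattern):
    """Translate the wizard's Wildcard syntax to a regex:
    '*' any sequence of characters, '#' one digit, '?' one alphabetic character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(r"\d")
        elif ch == "?":
            parts.append("[A-Za-z]")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def path_matches(match_type, pattern, path):
    """Exact / Partial / Wildcard / Regex matching, case-insensitive like Windows paths."""
    p, q = path.lower(), pattern.lower()
    if match_type == "exact":
        return p == q
    if match_type == "partial":
        return q in p
    if match_type == "wildcard":
        return re.match(wildcard_to_regex(q), p) is not None
    if match_type == "regex":  # the slowest option, as the guide warns
        return re.search(pattern, path, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


class CallerRule:
    """Caller Path plus optional caller MD5. The guide states an implicit OR
    between location and checksum, so either one matching triggers the rule."""

    def __init__(self, match_type, pattern, md5=None):
        self.match_type, self.pattern = match_type, pattern
        self.md5 = md5.lower() if md5 else None

    def matches(self, caller_path, caller_bytes=None):
        if path_matches(self.match_type, self.pattern, caller_path):
            return True
        if self.md5 and caller_bytes is not None:
            return hashlib.md5(caller_bytes).hexdigest() == self.md5
        return False


def evaluate(rules, resource, caller_path, caller_bytes=None, default="allow"):
    """Walk the rule list in order; the first rule whose resource and caller both
    match decides. Nothing matching falls through to the default (Allow)."""
    for rule in rules:
        if (path_matches(rule["resource_match"], rule["resource"], resource)
                and rule["caller"].matches(caller_path, caller_bytes)):
            return rule["action"]
    return default


# Constructed stand-in for the bytes of a known-good updater on disk (not a real file).
UPDATER_BYTES = b"MZ constructed updater image"
UPDATER_MD5 = hashlib.md5(UPDATER_BYTES).hexdigest()
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def demo_rules():
    """Two hypothetical rules: allow a known updater to touch Run keys, deny
    anything launched from a user profile. Order matters: the allow sits first."""
    return [
        {"resource_match": "partial", "resource": r"\CurrentVersion\Run",
         "caller": CallerRule("exact", r"C:\Program Files\Vendor\updater.exe", md5=UPDATER_MD5),
         "action": "allow"},
        {"resource_match": "partial", "resource": r"\CurrentVersion\Run",
         "caller": CallerRule("wildcard", r"C:\Users\*"),
         "action": "deny"},
    ]


if __name__ == "__main__":
    rules = demo_rules()
    print(evaluate(rules, RUN_KEY, r"C:\Users\bob\AppData\Local\Temp\dropper.exe"))
    # A copy of the updater under a user profile is still allowed: the MD5
    # matches, and the OR with location applies.
    print(evaluate(rules, RUN_KEY, r"C:\Users\bob\Downloads\updater.exe", UPDATER_BYTES))
    # A different binary at the trusted path is also allowed: the location
    # matches on its own, so the checksum never gets to veto it.
    print(evaluate(rules, RUN_KEY, r"C:\Program Files\Vendor\updater.exe", b"not the updater"))
```

The two trailing cases are the ones to remember when filling in the wizard: if you want the checksum to restrict the rule, the Caller Path must be tight enough that nothing else matches it, because the checksum is only ever an alternative to the path, never an additional condition.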
File Integrity Rules
There are three types of integrity rules:
• Protected files – Folders and files that you want to monitor for changes.
• Authorized applications – Applications which are allowed to modify any
file.
• Custom rules – Exceptions to any other rules. Custom rules are
processed first.
A file protection rule activates when the protected file is changed, renamed,
or deleted.
Add a Protected File Rule
A protected file rule applies PowerBroker EPP protection on the file.
To create a file integrity rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Protected Files
subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify File/Folder Path
– Protect a file
Enter the file that you want to protect.
– Protect files inside a directory
Enter the folder that you want to protect.
Enter a list of file extensions that you want to protect.
Select the Also Protect Subfolders check box to protect the
subfolders of that directory as well.
b. Specify an action
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Add an Authorized Application Rule
An authorized application rule allows an application to access protected files.
To create a file integrity rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Authorized
Applications subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify Authorized Application Path
Enter the caller attributes:
– File Path – Browse to the executable location for the caller, and
then select the matching type:
– Exact – Matches only the exact path. This is the fastest
matching.
– Contains – Matches if the pattern is found anywhere in the path.
This is the second fastest matching.
– Not Contains – Matches when the pattern is not found.
– Wildcard – Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
– Regex – Creates the most complex matching rules. This can be
the slowest matching.
– Process Arguments – Add process arguments to filter the
scope of the rule.
For example, if the file path is
c:\Windows\System32\svchost.exe, then an argument might be
-k tapisvr. The rule then only applies to the TapiSvr service.
– MD5 or SHA1 – Enter the caller's MD5 or SHA1 checksum as a hex
string. The checksum is a cryptographic hash of the file's contents
and verifies that the content has not changed.
SHA1 is the stronger of the two and is recommended over MD5 (MD5
collisions are practical, and SHA1 collisions have since been
demonstrated as well, so where the executable is signed, treat the
Digital Signature attributes below as the primary identity check).
PBEPP detects the type of hash used (MD5 or SHA1). Use a checksum
when you can access the file and you are certain the file does not
normally change (for example, due to user changes or software
updates); any update to the binary stops the rule from matching.
– File Size – Enter the file size.
– Executable is packed – Select True to match only executables that
are packed (compressed or obfuscated with a runtime packer), or
False to match only unpacked ones.
– File Location – Select from: Hard drive, USB, CD ROM and
Network.
– Product Name, Product Description, Company – Enter the
product information.
– Digital Signature Name, Digital Signature Validity – Select
the signature parameters.
– Process Owner – Enter the name of the user account running
the executable.
Alternatively, enter the SID for the process owner.
– User Group – Enter one or more user groups. If the user
running the executable belongs to one of the listed groups, the
property will match.
Alternatively, enter the SID for the user group.
b. Specify an action
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
c. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Add a Custom Rule
A custom rule applies protection on a folder (all files in the folder are
protected regardless of the file type). Files and folders included in the rule
are not included in the scheduled scan.
To create a custom rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Select the File Integrity rule category and select the Custom
subcategory to display the associated rules.
5. Select Create New Rule.
6. Complete the following pages.
a. Specify File/Folder Path
– Protect a file – Enter the file that you want to protect.
– Protect files inside a directory – Enter the folder that you want to
protect. Enter a list of file extensions that you want to protect.
Select the Also Protect Subfolders check box to protect the
subfolders of that directory as well.
b. Specify Authorized Application Path
Enter the caller attributes:
– File Path – Browse to the executable location for the caller, and
then select the matching type:
– Exact – Matches only the exact path. This is the fastest
matching.
– Contains – Matches if the pattern is found anywhere in the path.
This is the second fastest matching.
– Not Contains – Matches when the pattern is not found.
– Wildcard – Creates more complex rules that use * for any
sequence of characters, # for any single numerical character and ?
for any single alpha character.
– Regex – Creates the most complex matching rules. This can be
the slowest matching.
– Process Arguments – Add process arguments to filter the
scope of the rule.
For example, if the file path is
c:\Windows\System32\svchost.exe, then an argument might be
-k tapisvr. The rule then only applies to the TapiSvr service.
– MD5 or SHA1 – Enter the caller's MD5 or SHA1 checksum as a hex
string. The checksum is a cryptographic hash of the file's contents
and verifies that the content has not changed.
SHA1 is the stronger of the two and is recommended over MD5 (MD5
collisions are practical, and SHA1 collisions have since been
demonstrated as well, so where the executable is signed, treat the
Digital Signature attributes below as the primary identity check).
PBEPP detects the type of hash used (MD5 or SHA1). Use a checksum
when you can access the file and you are certain the file does not
normally change (for example, due to user changes or software
updates); any update to the binary stops the rule from matching.
– File Size – Enter the file size.
– Executable is packed – Select True to match only executables that
are packed (compressed or obfuscated with a runtime packer), or
False to match only unpacked ones.
– File Location – Select from: Hard drive, USB, CD ROM and
Network.
– Product Name, Product Description, Company – Enter the
product information.
– Digital Signature Name, Digital Signature Validity – Select
the signature parameters.
– Process Owner – Enter the name of the user account running
the executable.
Alternatively, enter the SID for the process owner.
– User Group – Enter one or more user groups. If the user
running the executable belongs to one of the listed groups, the
property will match.
Alternatively, enter the SID for the user group.
c. Specify an action
Select the action to take when the rule is matched: Allow or Deny.
Select the Log check box to track the rule activities.
Set the rule severity. The severity level is included in the event log.
The default value is 1.
You can also create a category to organize rules.
d. Rule Summary
– Click Finish.
Enter a name and description for the rule.
Place at the top of the rule list – select to run the rule first.
Windows Events Rules
You can create a rule that tracks Windows Event logs, including:
Application, System, and Security.
Source Names
The source name is the name of the Windows event source (the application
or component that wrote the event). The source name that you enter
depends on the operating system that is forwarding the events.
– Windows XP, Windows 2003 – Use the name in the Windows Event Viewer
Source column.
– Vista, Windows 7, Windows 2008 – Use System > Provider
[EventSourceName] on the Details tab of the event, if available.
Otherwise, use [Name].
To create a Windows event rule:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the text box to search for, display, and select
that Rule Group.
4. Expand Windows Events, and then select: Application, System, or
Security.
– Enabled – Select the check box to activate the rule.
One or more Windows event sources must be provided to activate
the rule. Events are only forwarded when a source is provided.
– Severity – Select the severity level from the list: Only Errors, Errors
and Warnings, All.
Note that All includes Information events.
– Add – Click to provide the following information about the event log
you want to track:
– Source name – The name of the application or component that
issued the event. See Source Names.
You can enter the source name without providing Event IDs. All
events from the source will be forwarded.
– Include – Enter the Event IDs to forward to Retina CS.
– Exclude – Enter the Event IDs to exclude.
Note that the excluded list overrides the included list: an ID that
appears in both lists is not forwarded.
The following example shows a range of event IDs to include and two IDs
in that range to exclude.
5. Click Save.
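The include/exclude semantics of a Windows Events rule, as an added Python illustration (example code for this page, not part of Retina CS): an empty Include forwards every ID from a source, Exclude overrides Include, a rule with no sources forwards nothing, and the Severity list is assumed to map onto the Error, Warning and Information levels. The Service Control Manager rule, the event record layout and the events themselves are constructed for the example; the event IDs used (7000, 7034, 7036, 7040, 7045) are real Service Control Manager IDs.

```python
# Assumed mapping of the wizard's Severity list onto Windows event levels.
SEVERITY_LEVELS = {
    "Only Errors": {"Error"},
    "Errors and Warnings": {"Error", "Warning"},
    "All": {"Error", "Warning", "Information"},
}


def parse_id_list(spec):
    """Parse an Include/Exclude box such as '7000-7045, 7050' into a set of IDs.
    An empty box means no restriction."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        else:
            ids.add(int(part))
    return ids


class WindowsEventRule:
    def __init__(self, log, severity="All", enabled=True, sources=None):
        self.log = log
        self.levels = SEVERITY_LEVELS[severity]
        self.enabled = enabled
        # source name -> (include set, exclude set); either spec may be ""
        self.sources = {name: (parse_id_list(inc), parse_id_list(exc))
                        for name, (inc, exc) in (sources or {}).items()}

    def forwards(self, event):
        """True if the event would be forwarded to the console."""
        if not self.enabled or not self.sources:   # no source => nothing forwarded
            return False
        if event["log"] != self.log or event["level"] not in self.levels:
            return False
        spec = self.sources.get(event["source"])
        if spec is None:                           # unlisted source is ignored
            return False
        include, exclude = spec
        if event["id"] in exclude:                 # Exclude overrides Include
            return False
        return not include or event["id"] in include   # empty Include = all IDs


def demo_rule():
    """Hypothetical System-log rule: forward Service Control Manager events
    7000-7045 (service failures and state changes) but drop the routine
    7036 'entered the running state' and 7040 'start type changed' events."""
    return WindowsEventRule("System", severity="All",
                            sources={"Service Control Manager": ("7000-7045", "7036, 7040")})


def make_event(log, source, level, event_id):
    """Constructed event record in the shape forwards() expects."""
    return {"log": log, "source": source, "level": level, "id": event_id}


if __name__ == "__main__":
    rule = demo_rule()
    for ev in (make_event("System", "Service Control Manager", "Error", 7034),
               make_event("System", "Service Control Manager", "Information", 7036),
               make_event("System", "Disk", "Error", 7034)):
        print(ev["source"], ev["id"], "->", rule.forwards(ev))
```

When you tune such a rule, remember the asymmetry: leaving Include empty is a deliberate "everything from this source" and is fine for a quiet source, but an Exclude entry silently wins over any Include, so a stray ID in the Exclude box is the first thing to check when an expected event never reaches the console.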
Trusted List Options
The Trusted List displays, by malware name and category, the detections
that the agent treats as trusted (for example, a confirmed false positive).
A trusted entry is exempted from anti-malware action, so keep the list
short and review it regularly.
To access Trusted List rules:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the
name of the rule group in the box to search for a rule group.
4. Select the Trusted List rule category.
5. Click Create New Rule to start the wizard.
6. Select a malware name check box and click Save.
7. Click Save.
8. Click Update.
Miscellaneous Options
Miscellaneous options allow you to set rules for Retina CS operations.
To access miscellaneous options:
1. Select the Dashboard tab and click Protect; or select the Assets tab
and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can type the name
of the rule group in the text box to search for the rule group.
4. Expand Misc. Options and select a subcategory:
– Virus and Spyware
– General
– System Protection
– Scheduler
– Auto-Updater
– Vulnerability Assessment
– Intrusion Prevention
– IIS Protection
– Firewall
– Events
For more information, refer to the Retina Protection Agent User Guide.
5. After you change the properties for a subcategory, click Update.
PowerBroker Servers for Unix & Linux
Overview
Managing PowerBroker Servers Events
Creating a Smart Group for PowerBroker Servers Assets
Using pbreplay to Play the Logged Events
Searching the I/O Logs
Search Parameters
For detailed information about PowerBroker Servers for Unix and Linux
features, refer to the PowerBroker Servers product documentation.
Overview
Use Retina CS to manage PowerBroker Servers event log records. Configure
Retina CS and PowerBroker Servers to work together to send the event logs
to the Retina CS management console.
After the event log records are sent to the Retina CS database, you can run
reports to analyze your Unix and Linux assets. You can create Smart Groups
based on the argument types to track the event types in the I/O logs.
The event records also serve as a heartbeat for your assets: an asset that is
still sending events is known to be up and running.
Event Types
The event types forwarded to Retina CS, include: Accept and Reject.
Accept and Reject events can help you determine if your assets are sending
events (indicating that the asset is up and running successfully).
Retina CS and PowerBroker Servers Architecture
The following diagram shows how Retina CS and PowerBroker Servers send
information between their respective components.
Secure Retina CS certificates are deployed to the PowerBroker Servers
assets. Apache Solr software is used to index PBUL I/O logs. The indexed
results are forwarded to Retina CS where they can be sorted and viewed.
Managing PowerBroker Servers Events
On the Assets page, you can review the run arguments and I/O logs
captured for an asset.
PowerBroker Servers events are tied to runhost events. Create your Smart
Groups using runhost as a filter.
You can run reports on PowerBroker Servers assets using Retina Insight.
Creating a Smart Group
You can create a Smart Group to organize your PowerBroker Servers assets.
You can set filters based on the PowerBroker Servers assets and the event
types, including user name, command, exit status, and run arguments.
For detailed instructions on Smart Groups, see Working with Smart Rules.
Purge Events
PowerBroker Servers events are purged after 30 days. You can configure the
number of days events remain in the database before purging. See
Maintenance Options.
Using pbreplay to Play the Logged Events
Use pbreplay, a tool available in PowerBroker Servers for Unix & Linux, to
replay the events logged up to that point in time.
You can access pbreplay in two ways from Retina CS:
• From the Search results page on the Assets page
• From the Event Details page
To run pbreplay:
1. On the PowerBroker Servers page, select the i for an asset to review
collected arguments and I/O logs.
2. Click the arrow for an I/O log to start pbreplay.
Searching the I/O Logs
You can search the index of the PowerBroker Servers I/O logs.
For information about search commands, see Search Parameters.
To search the index of the I/O logs:
1. Log on to Retina CS.
2. Select the Assets tab.
3. Select the Smart Group where the PowerBroker Servers assets reside.
4. Select PowerBroker for Unix & Linux, and then select the Search
tab.
5. Select the Solr host your I/O Logs were indexed on from the Search
Hosts drop-down menu.
Note: To allow the Search window to connect securely to the Solr
servers, you must import the SSL certificates and certificate
authorities correctly on the Retina CS side; without a trusted
certificate chain the console cannot verify that it is talking to the
real index host. The instructions for importing the certificates are
in the PowerBroker Servers Install Guide, in the "Post-Install"
section of "Solr Installation".
Search Parameters
A query is broken up into terms and operators. There are two types of
terms: single terms and phrases. A single term is a single word such as
"test" or "hello". A phrase is a group of words surrounded by double
quotes such as "hello dolly".
Multiple terms can be combined together with Boolean operators to form a
more complex query (see below).
PowerBroker Servers I/O Log files are indexed on the content of the I/O
Log, as well as the following fields: user, runuser, runcommand, runargv.
You can search any field by typing the field name followed by a colon ":" and
then the term you are looking for.
Examples of searches on the event log variables in the I/O Logs:
Table 18. Basic and Compound Searching
– runuser:root – all documents where the runuser was 'root'
– user:oracle AND runcommand:bash – all documents where the user was
'oracle' and the runcommand was 'bash'
If you have added custom policy variables to the list of indexed variables
(using the setting 'solrvariables <var>_pbul' in the PowerBroker Servers
pb.settings file), you can also search on those variables using the following
syntax in the "Search" field.
For example, if you had a policy variable called 'ticketnum_pbul' and added
it to solrvariables to be indexed, you can search on it using the syntax:
– ticketnum_pbul:1523XA5 – all documents where 'ticketnum_pbul' is set
to 1523XA5
You can combine the above queries on event log variables with a search of
the content of the I/O Logs. For example:
– runuser:root AND rm – all documents where the runuser was root and
the word 'rm' was found in the I/O Log file
You can also narrow down your search using the Start and End time fields.
These dates are in the local time zone of the browser (where Retina CS is
accessed).
Note: These are the date and time where the I/O Log files (sessions) were
created and completed. These are not the date and time when a
secured task was executed by PowerBroker Servers. To search using
the date and time within the I/O Log sessions, refer to Proximity
Search below.
Simple Search Example
Compound Search Example
Boolean operators allow terms to be combined through logic operators.
The supported Boolean operators are AND, OR, and NOT. Note that
Boolean operators must be ALL CAPS; a lower-case "and" is treated as an
ordinary search term.
The OR operator is the default conjunction operator. This means that if
there is no Boolean operator between two terms, the OR operator is used.
The OR operator links two terms and finds a matching document if either of
the terms exists in a document. This is equivalent to a union using sets.
To search for documents that contain either the phrase "cat /etc/passwd" or
just "passwd", use the query: "cat /etc/passwd" OR passwd.
Table 19. Wildcard matching
– grep* – any word that starts with "grep".
– grep*someFile – any word that starts with "grep" and ends with
"someFile".
– *:* – Everything. All indexed documents are returned.
– rm* – any word that starts with "rm".
– rm*someFile – any word that starts with "rm" and ends with "someFile".
– P?sswd – any word that starts with "P", followed by any single
character, and ends with "sswd" (for example, "Passwd").
Note: Lucene does not support using * or ? as the first character of a
search term; *:* is the one special case, meaning "match all documents".
Range Searches
Range queries match documents whose field values are between the lower
and upper bound specified by the query. Range queries can be inclusive or
exclusive of the upper and lower bounds. Sorting is done lexicographically
(as strings, not numerically).
– runuser:[Aida TO Carmen] – all documents whose runuser is between
Aida and Carmen, including Aida and Carmen
– runuser:{Aida TO Carmen} – all documents whose runuser is between
Aida and Carmen, but not including Aida and Carmen
Inclusive range queries are denoted by square brackets. Exclusive range
queries are denoted by curly brackets.
AND
The AND operator matches documents where both terms exist anywhere in
the text of a single document. This is equivalent to an intersection using
sets.
To search for documents that contain "cat services" and "rm passwd", use the
query: "cat services" AND "rm passwd"
NOT
The NOT operator excludes documents that contain the term after NOT.
This is equivalent to a difference using sets.
To search for documents that contain "rm passwd" but not "cat services", use
the query: "rm passwd" NOT "cat services"
Note: The NOT operator cannot be used with just one term. For example,
the following search will return no results:
NOT "cat services"
Grouping
Use parentheses to group clauses to form sub-queries. This can be very
useful if you want to control the Boolean logic for a query.
To search for either "rm" or "cat", and "passwd", use the query:
(rm OR cat) AND passwd
Field Grouping
Use parentheses to group multiple clauses to a single field.
To search for a runargv that contains both the word "rm" and the phrase "-rf",
use the query:
runargv:(rm AND "-rf")
Escaping Special Characters
Escaping special characters that are part of the query syntax is supported.
The current list of special characters is:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
Newer Lucene versions also reserve / for regular-expression terms, which
is why the path example below escapes it.
To escape a character, put a \ before it. For example, to search for
(1+1):2 use the query:
\(1\+1\)\:2
To search for /etc/passwd use \/etc\/passwd
Proximity Search
The proximity search finds words that are within a specific distance of
each other. For proximity searches, use a tilde (~) followed by the
distance at the end of the phrase.
Table 20. Proximity matching
– "grep someFile"~4 – "grep" and "someFile" within 4 words of each
other. For proximity searches, an exact match is proximity 0, and a
word transposition (someFile grep) is proximity 1.
By default, PowerBroker Servers indexes a timestamp in the following
format: "2013 04 23 22:10". This timestamp appears in the output every
time a carriage return (CR) is received on stdin, so it can anchor a
proximity search to a point in time within a session.
– "2013 04 26 09:20 rm"~100 – "rm" near 09:20 on 2013-04-26 (using
Solr's proximity syntax).
– "2013 04 26 rm"~100 – expands the search to the whole day.
– "2013 04 rm"~100 – expands the search to the whole of April.
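Query construction for the Search field, as an added Python helper (example code written for this page, not part of PowerBroker Servers, Solr or Retina CS): it escapes the reserved characters listed under Escaping Special Characters, builds the field, range, grouped, Boolean and proximity clauses shown in the sections above, upper-cases nothing for you but refuses a lower-case operator, and rejects a leading wildcard, which Lucene does not accept. The function names are this example's own; the reserved-character set adds / to the guide's list for the reason given above.

```python
# Reserved query characters from Escaping Special Characters, plus '/', which
# Lucene 4 and later reserve for regular-expression terms.
LUCENE_SPECIALS = set('+-&|!(){}[]^"~*?:\\/')
BOOLEAN_OPERATORS = ("AND", "OR", "NOT")


def escape_term(term):
    """Backslash-escape every reserved character so the term is searched literally."""
    return "".join("\\" + c if c in LUCENE_SPECIALS else c for c in term)


def wildcard(term):
    """Escape a term but keep * and ? as wildcards; Lucene rejects a leading wildcard."""
    if term.startswith(("*", "?")):
        raise ValueError("Lucene does not support * or ? as the first character of a term")
    literal = LUCENE_SPECIALS - {"*", "?"}
    return "".join("\\" + c if c in literal else c for c in term)


def match_all():
    """The one permitted leading-wildcard form: every indexed document."""
    return "*:*"


def phrase(words):
    """Quote a phrase; inside quotes only the quote and the backslash need escaping."""
    return '"' + words.replace("\\", "\\\\").replace('"', '\\"') + '"'


def field(name, value):
    """Restrict an already escaped or quoted value to one indexed field."""
    return f"{name}:{value}"


def combine(clauses, op="AND"):
    """Join clauses with a Boolean operator, which must be upper case:
    a lower-case 'and' would be searched for as an ordinary word."""
    if op not in BOOLEAN_OPERATORS:
        raise ValueError("Boolean operators must be AND, OR or NOT in capitals")
    return f" {op} ".join(clauses)


def group(query):
    """Parenthesise a sub-query so its Boolean logic stays together."""
    return f"({query})"


def field_group(name, clauses, op="AND"):
    """Apply several clauses to a single field, e.g. runargv:(rm AND "-rf")."""
    return field(name, group(combine(clauses, op)))


def range_query(name, low, high, inclusive=True):
    """Lexicographic range; [ ] include the bounds, { } exclude them."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{name}:{open_}{escape_term(low)} TO {escape_term(high)}{close}"


def proximity(words, distance):
    """Words within `distance` positions of each other, e.g. "grep someFile"~4."""
    return f"{phrase(words)}~{distance}"


if __name__ == "__main__":
    # Sessions where root ran something as 'rm' with -rf near a timestamp.
    print(combine([field("runuser", escape_term("root")),
                   field_group("runargv", ["rm", phrase("-rf")]),
                   proximity("2013 04 26 09:20 rm", 100)]))
```

Build every user-supplied value through escape_term or phrase rather than pasting it into the query string; a value such as `(1+1):2` or a path containing `/` otherwise changes the meaning of the query instead of being searched for.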
Proximity Search Example
PasswordSafe
Overview
Configuring PasswordSafe
Creating a Connection to Your Appliance
Creating User Groups
Adding a Managed System
Managing Passwords
Requesting a Password
Approving a Password
Retrieving a Password
For detailed information about PowerBroker PasswordSafe features, refer to
the PowerBroker PasswordSafe product documentation.
Overview
PasswordSafe integrates with BeyondTrust's PowerBroker PasswordSafe.
PowerBroker PasswordSafe is a hardened appliance that creates and secures
privileged accounts through automated password management, encryption,
secure storage of credentials, and a sealed operating system.
Configure PasswordSafe to monitor and manage passwords.
Email notification is configured from the PowerBroker PasswordSafe
appliance. Emails are sent during the request and approval process.
Configuring PasswordSafeTo configure PasswordSafe, you must:
• Create a connection to your PowerBroker PasswordSafe appliance.
• Create user groups that are assigned roles to manage password releases.
Always use Retina CS to edit or delete the following
PasswordSafe items created in Retina CS: users, user
groups, managed systems, collections.
Using the PasswordSafe appliance to manage these items
can result in unrecoverable configuration or synchronization
errors.
Creating a Connection to Your Appliance
You must create a connection between Retina CS and your PowerBroker
PasswordSafe appliance.
Note: You can only create one connection.
After you create a connection to an appliance, the PasswordSafe tab is
available on the Retina CS page.
To create a connection:
1. In Retina CS, click the Configure tab.
2. Click the PasswordSafe Connections tab, and then click New.
3. Provide the following information for the appliance:
– Title – Enter a name for the appliance.
– Appliance IP – Enter the IP address for the appliance.
– CLI User – The CLI user is generated from the appliance and cannot
be changed.
– Key – The key is generated on the appliance.
4. After you enter the information, click Test to ensure the connection is
established to the appliance.
5. Click Save.
Creating User Groups
In the PasswordSafe password release process, there must be user groups
created to manage the following tasks in the process:
• Requestor – Assign this role to users that can request a password.
• Approver – Assign this role to your users that will approve password
releases.
• Requestor/Approver – Assign this role to users who can both request and
approve password releases. Note that a user with this role cannot approve
their own requests.
• Information Security Administrator – This role is responsible for setting
up managed systems and accounts.
• Auditor – Assign the Auditor role to run reports in Retina Insight. The
Auditor role can be assigned in combination with other roles available.
• No Roles – Assign this role to remove any previously assigned roles to a
user group.
Note that you cannot assign roles to the Retina CS administrator.
Roles are only available to PasswordSafe features.
Note: All changes to PasswordSafe user accounts (users with PasswordSafe
roles assigned) must be managed by the Retina CS Administrator
account.
To create a PasswordSafe user group:
1. Click the Configure tab, and then click the Accounts tab.
2. Click +, and then Group or Active Directory Group.
3. Create the group information as usual. See Creating User Groups.
4. Select a Smart Rule where the PasswordSafe assets will be added.
5. Select the role to assign, and then click Save.
The role changes are synchronized with the PasswordSafe appliance.
Adding a Managed System
Note: Only a user group assigned the Information Security Administrator
role can add an asset to PasswordSafe.
You must configure system and connection settings when you add a system
to PasswordSafe. These settings are similar to the PowerBroker
PasswordSafe appliance settings.
To configure system settings:
1. Right-click the asset on the Asset page, and then click Add to
PasswordSafe.
2. Enter the system settings:
– System Name – Enter a name for the managed system.
– Platform – Select the platform of the system that you want to
manage.
– Network Address – Enter the IP address of the managed system.
– Default Password Rule – Select a password rule. The rule
determines the password requirements (for example, complexity
rules).
Create a password rule in PowerBroker PasswordSafe. Ensure any
password rules that you create are similar to the password rules that
are in place for the platform. You want PasswordSafe rules to be
compliant with the native password rules.
– Default Maximum Release Duration – Set the length of time
before a released password expires.
– Description – (Optional). Enter information about the system.
– Contact E-mail – Enter an email account for email notifications.
– Enable Automatic Password Management – Select the check
box to activate password management with PasswordSafe.
To configure the connection settings:
1. After you configure the system settings, click the Connection tab.
2. Enter the connection information for the appliance:
– Platform Name – The platform of the system.
– Network Address – Enter the IP address of the managed system.
– NetBIOS – If the platform is Windows, then enter the NetBIOS
domain name.
– Account Type, Account Name, Password – Enter the account
credentials used to access the managed system.
– Connection Timeout – Enter the length of time that passes before
a connection to a managed system times out. Increase the timeout if
connections to the managed systems take longer than usual.
To configure management settings:
1. After you configure the connection settings, click the Management
tab.
2. Select the management settings:
– Check Password – Select to check the managed account passwords
daily. The stored password is compared to the current password on
the managed system.
– Reset Password on Mismatch – Select this check box to reset the
password automatically when the daily check finds that the stored
password and the password on the managed system differ.
If email is configured and this check box is not selected, then an
email notification is sent instead when a mismatch is detected.
– Change Frequency – Select how frequently you want to reset a
password.
– Change Time – Select the time of day to change a password.
– Change password after any release – Select to automatically reset
a password after the password is released.
– Default duration of ISA releases of password – Set the length of
time that occurs between the ISA retrieval of the password and the
automatic reset of the password.
Add managed accounts from the managed systems. Add administrator
accounts (such as root or Administrator).
To configure accounts:
1. On the Managed Systems Settings page, click the Accounts tab, and
then click Add.
2. Provide the following information for the managed account:
– System Name – Provide the name of the managed system where
the account resides.
– Account Name, Current Password – Enter the credentials for the
account.
– Password Rule – Select the password rule. Password rules are
configured on your appliance.
– Change password for Windows Services started by this
account – Select this check box to update the logon password of
Windows services that the account runs. For example, select it if
the account you are configuring here is an Administrator account
that runs system services and you want those services to continue
to run uninterrupted after the password change.
– Use this account's current password to change the password –
Select this check box for managed systems using Windows XP or
Windows Server 2003 operating systems. Security applied to these
operating systems relies on authentication certificates stored for the
account.
– Approvals Required – Enter the number of approvals before the
password is released.
– Send Release Notification Email to – Enter the email address for
the approvers.
– Maximum Release Duration – Select the maximum length of time
that a requestor can choose for the password release duration.
– Enable Automatic Password Changing/Testing – Select the
check box to override the system settings. Password changes are
then managed at the account level.
3. Click Save.
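The "Change password for Windows Services started by this account" option only helps if you know what actually runs under the account. The following is an added PowerShell example, not BeyondTrust or Retina CS code, that lists the services and scheduled tasks on a Windows system whose logon identity is the account you are about to add, so you can see what a rotation will touch before you enable automatic password changing. The account name in the usage line is constructed, and the function name is the example's own; it assumes rights to query services on the target and Windows 8/Server 2012 or later for the scheduled task part.

```powershell
# Added example (not BeyondTrust/Retina CS code): enumerate Windows services and scheduled
# tasks that log on as a given account. Run it before enabling automatic password changes
# for that account so that nothing is left running with the old password.
# Assumptions: rights to query Win32_Service on the target; Get-ScheduledTask (local only
# here) needs Windows 8 / Server 2012 or later.

function Get-AccountDependencies {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccountName,        # 'DOMAIN\user' or '.\user'
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Services store '.\user' for local accounts; compare case-insensitively after
    # expanding the dot to the computer name. UPN form (user@domain) is not normalised.
    function Normalize([string] $s) {
        $s = $s.Trim().ToLowerInvariant()
        if ($s.StartsWith('.\')) { $s = $ComputerName.ToLowerInvariant() + $s.Substring(1) }
        return $s
    }
    $wanted = Normalize $AccountName

    # Win32_Service.StartName holds the logon account of each service
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and (Normalize $_.StartName) -eq $wanted } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = 'Service'
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
            }
        }

    # Scheduled tasks keep their identity in Principal.UserId (local machine only in this example)
    $tasks = @()
    if ($ComputerName -eq $env:COMPUTERNAME -and (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $tasks = Get-ScheduledTask |
            Where-Object { $_.Principal.UserId -and (Normalize $_.Principal.UserId) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{
                    Type      = 'ScheduledTask'
                    Name      = "$($_.TaskPath)$($_.TaskName)"
                    State     = $_.State
                    StartMode = $_.Principal.LogonType
                    RunsAs    = $_.Principal.UserId
                }
            }
    }

    @($services) + @($tasks)
}

# Usage with a constructed account name: anything listed here must survive the rotation.
Get-AccountDependencies -AccountName 'CORP\svc_backup' | Format-Table -AutoSize
```

Services in the list are what the check box above covers; scheduled tasks are not mentioned by the option and would need to be updated separately, which is why the example reports both.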
Managing Passwords
There are three stages in the password release process:
• Requesting a password
• Approving a password
• Retrieving a password
Requesting a Password
You must be assigned the Requestor role in Retina CS to request a password
release.
The Ticket System is managed from the appliance. PowerBroker Safe does
not interact with a ticket system. The ticket information is added for
reference only to track password requests related to a ticket. For more
information, refer to the PowerBroker Safe Administration Guide.
To request a password release:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Request Password tab.
3. Provide the request information, and then click Request Password.
A message is displayed indicating that your request is in the approval
queue. At this point, you can view all of your requests or create a new
request.
An email notification will be sent to you confirming the password
request.
You can review all of your password requests on the Request Password
page. Select the tabs to filter the password requests.
The All filter displays all password requests including pending, expired,
and active.
An Active password is a password that is approved and checked out.
Approving a Password
You must be assigned the Approver role to approve password releases.
There might be more than one approver required depending on how the
managed systems are configured.
To approve a password request:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Click the Approve Requests tab.
3. Select a request in the list.
The Approval History displays the number of approvals required and if
any approvals are applied.
4. Click Approve.
The Retrieve Password button is now available to the original requestor
in the Approval History section of the Approve Request page.
Click Check-in Password at any time to expire the released password.
The password is then no longer available to use.
Retrieving a Password
To retrieve a password:
1. Log on to the PasswordSafe website using your Retina CS credentials.
2. Select the Request Password tab, and then select an account.
3. Click Retrieve Password.
4. Click Highlight Password, and then press Ctrl+C to copy the password to
the Clipboard.
Regulatory Reports Pack
The Regulatory Reporting packs require a license to activate the feature
set. Contact your BeyondTrust representative.
Not supported in Retina CS Community.
In this section,
Compliance Scans
Healthcare Pack
Finance Pack
Government Pack
Running a Compliance Scan
Reviewing Compliance Scan Results
You can run regulatory reports to ensure that your assets are in compliance.
Review the following sections to learn more about the compliance scan
templates available, compliance coverage, running a scan, and reviewing scan
results.
Compliance Scans
By default the following scan templates are available.
Healthcare, Finance, and Government packs need an updated license key.
ISO-27002 Scans
Compliance Area: Section 12.6.1 Control of technical vulnerabilities
COBiT Scans
Compliance Area: Section DS11.6 Security Requirements for Data Management
Healthcare Pack Compliance Scans
The Healthcare Pack includes a HIPAA scan template.
Contact BeyondTrust for a license key to activate the compliance pack.
HIPAA Scans
Compliance Area: Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation.
Finance Pack Compliance Scans
The Finance Pack includes a SOX and GLBA scan template.
Contact BeyondTrust for a license key to activate the compliance pack.
GLBA Scans
Compliance Area: Section 6801 Protection of nonpublic personal information.
SOX Scans
Compliance Area: Section 404 Management Assessment of Internal Controls.
Government Pack Compliance Scans
The Government Pack includes the FERC-NERC, NIST 800-53 and MASS
201 scan templates.
Contact BeyondTrust for a license key to activate the compliance pack.
FERC-NERC Scans
Compliance Area: CIP-005-3 R4 Cyber Vulnerability Assessment
NIST-800-53 Scans
Compliance Area: SA System and Services Acquisition; SA-10 Developer Configuration Management
MASS 201 Scans
Compliance Area: Section 17.03(2)(b)(3) Duty to Protect and Standards for Protecting Personal Information - Detect and Prevent Security Systems Failures
Running a Compliance Scan
The following procedure is an overview on running a scan. For detailed
information on scan options, see Scanning.
To run a compliance scan:
1. Select the asset group and then select Scan.
2. Select the scan template and click Scan.
Ensure the correct license key is applied to activate the compliance
scans.
3. Click Scan.
4. Select the scan options, and then click Start Scan.
Reviewing Compliance Scan Results
The following shows report information from the HIPAA Compliance scan.
The summary of the vulnerability details breaks down the vulnerability by
severity.
Scroll through the list of vulnerabilities provided in the report. You can
review remediation fixes, CVSS scores, and additional information for the
vulnerability as shown in the following example from a report.
Configuration Compliance Pack
The Configuration Compliance module requires a license to activate the
feature set. Contact your BeyondTrust representative.
Not supported in Retina CS Community.
In this section,
Setting Permissions for Configuration Compliance
Managing Benchmarks
Importing Benchmarks
Setting OVAL Tests Option
The following tools are available to run benchmark scans:
• XCCDF audit groups. The Secure Configuration Audits audit group
ships with the Configuration Compliance module. Use this audit group
to run your scan.
• Benchmark configuration. Import benchmark templates, synchronize
templates, and review versions of benchmark templates that ship with
Retina CS.
• Configuration Compliance reports. Includes two reports: Benchmark
Compliance and Benchmark Export.
For information about running a scan, see Running a Scan.
Setting Permissions for Configuration Compliance
You must create a user group and set permissions for the user group to run
configuration compliance scans.
To create a group and set the permission:
1. Click the Configure tab, and then click Accounts.
2. Click + in the User Groups pane to create a group.
3. Enter a group name and description.
4. Select the Read and Write check boxes for the Benchmark
Compliance permission.
5. Add an IP range for the group.
6. Select attributes (optional).
7. Click Update.
Add your configuration compliance users to the group. See User Accounts.
Managing Benchmarks
Retina CS ships with a default set of benchmark templates. You can import
additional or updated benchmarks, and synchronize benchmarks.
If you are working with your benchmark profiles outside Retina CS, then
you can synchronize the templates using the Retina CS Configuration tool.
To download an editor to change your benchmarks, click the Download
Editor button.
To manage benchmarks:
1. Click the Configure tab.
2. Click the Benchmark Management tab.
3. Expand a benchmark to review more detail.
Policies included with benchmark templates can be inactivated if they do
not apply. Clear policies as needed.
4. To import templates, click Import New Benchmark, navigate to the
file and click Open. To overwrite an existing template click Yes.
Importing Benchmarks
You can import .cab or .zip files that include the following:
• For Windows 7:
– CIS_Windows_7_Benchmark_v1.1.0_oval.xml
– CIS_Windows_7_Benchmark_v1.1.0.xml
– Windows-7-cpe-oval.xml
– Windows-7-cpe-dictionary.xml
• For Windows Server 2008:
– CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml
– CIS_Windows_2008_Server_Benchmark_v1.1.0.xml
– Windows-2008-cpe-oval.xml
– Windows-2008-cpe-dictionary.xml
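A benchmark bundle that is incomplete or contains a damaged XML file is only discovered once Import New Benchmark fails. The following is an added PowerShell example, not BeyondTrust or Retina CS code, that checks a .zip bundle against the file lists above before you import it: every expected file must be present, non-empty and well-formed XML, and the OVAL, XCCDF and CPE files must have the root element their format defines. It handles .zip only (a .cab would need expand.exe first); the function name, the platform keys and the path in the usage line are the example's own.

```powershell
# Added example (not BeyondTrust/Retina CS code): sanity-check a benchmark .zip before
# importing it through Benchmark Management. The file names are the ones the guide lists;
# the root-element names come from the OVAL, XCCDF and CPE dictionary formats.
# Assumption: .zip bundles only; .cab archives are not handled here.

Add-Type -AssemblyName System.IO.Compression.FileSystem

$ExpectedBenchmarkFiles = @{
    'Windows7' = @(
        'CIS_Windows_7_Benchmark_v1.1.0_oval.xml',
        'CIS_Windows_7_Benchmark_v1.1.0.xml',
        'Windows-7-cpe-oval.xml',
        'Windows-7-cpe-dictionary.xml'
    )
    'Windows2008' = @(
        'CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml',
        'CIS_Windows_2008_Server_Benchmark_v1.1.0.xml',
        'Windows-2008-cpe-oval.xml',
        'Windows-2008-cpe-dictionary.xml'
    )
}

function Test-BenchmarkBundle {
    param(
        [Parameter(Mandatory)] [string] $Path,                                        # path to the .zip
        [Parameter(Mandatory)] [ValidateSet('Windows7','Windows2008')] [string] $Platform
    )
    $expected = $ExpectedBenchmarkFiles[$Platform]
    $problems = New-Object System.Collections.Generic.List[string]

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Entries may sit in a sub-folder inside the archive, so index them by file name only
        $byName = @{}
        foreach ($e in $zip.Entries) { if ($e.Name) { $byName[$e.Name] = $e } }

        foreach ($name in $expected) {
            if (-not $byName.ContainsKey($name)) { $problems.Add("missing: $name"); continue }
            $entry = $byName[$name]
            if ($entry.Length -eq 0) { $problems.Add("empty: $name"); continue }

            # Parse the XML so a truncated or corrupted file is reported here, not by the importer
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try {
                $doc = New-Object System.Xml.XmlDocument
                $doc.LoadXml($reader.ReadToEnd())
                $root = $doc.DocumentElement.LocalName
                if ($name -like '*oval.xml' -and $root -ne 'oval_definitions') {
                    $problems.Add("unexpected root <$root> in $name (expected oval_definitions)")
                } elseif ($name -like '*cpe-dictionary.xml' -and $root -ne 'cpe-list') {
                    $problems.Add("unexpected root <$root> in $name (expected cpe-list)")
                } elseif ($name -like 'CIS_*Benchmark_v*.xml' -and $root -ne 'Benchmark') {
                    $problems.Add("unexpected root <$root> in $name (expected Benchmark)")
                }
            } catch {
                $problems.Add("not well-formed XML: $name ($($_.Exception.Message))")
            } finally { $reader.Dispose() }
        }
    } finally { $zip.Dispose() }

    [pscustomobject]@{
        Path     = $Path
        Platform = $Platform
        Ok       = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage with a constructed path:
Test-BenchmarkBundle -Path 'C:\Benchmarks\CIS_Windows_7.zip' -Platform Windows7
```

The order of the checks matters: a missing or empty file is reported without attempting to parse it, and the root-element check runs only on files that parsed, so the Problems list names the first real defect in each file rather than a cascade of follow-on errors.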
Setting OVAL Tests Option
You can store OVAL XML data to the Retina CS database.
If selected, OVAL values used to determine if a rule was compliant are
parsed from OVAL output files and stored in the Retina CS database.
To store OVAL tests in Benchmark reports:
1. Select Options.
2. On the Application Options dialog box, expand Benchmark
Compliance.
3. Select the Yes check box to store OVAL tests.
4. Click Update.
Appendix A: Preparing Your Database Application for Scans
Not supported in Retina CS Community.
You can set your database applications as targets for scanning.
To ensure that your database can be successfully scanned by Retina, review
the following section on MySQL to prepare your database.
Preparing Your MySQL Database
Review your MySQL settings and ensure the following is in place:
• Verify the latest GA release of MySQL ODBC driver is installed on the
scanner system.
– Go to Administrative Tools.
– Run Data Sources (ODBC).
– Select the Drivers tab.
– Search for the MySQL driver.
– If no driver is found, then download and install the latest GA
released MySQL driver from the MySQL website.
• Ensure a remote connection can be established to the target database
using the ‘mysql’ tool provided with the MySQL database installation.
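Both checks above can be scripted on the scanner system so they are repeatable. The following is an added PowerShell example, not BeyondTrust or Retina CS code, that lists any registered MySQL ODBC driver (what the Drivers tab shows), confirms the database port is reachable from the scanner, and optionally runs the same remote login test with the mysql client. It assumes Windows 8/Server 2012 or later for Get-OdbcDriver and Test-NetConnection and that mysql.exe is on the PATH; the host and user names in the usage line are constructed and the function name is the example's own.

```powershell
# Added example (not BeyondTrust/Retina CS code): pre-flight checks on the scanner system for
# the MySQL requirements above (ODBC driver present, remote connection possible).
# Assumptions: Windows 8 / Server 2012 or later (Get-OdbcDriver, Test-NetConnection);
# mysql.exe on the PATH when -RunLoginTest is used. mysql prompts for the password.

function Test-MySqlScanPrereqs {
    param(
        [Parameter(Mandatory)] [string] $DbHost,   # target database host
        [int] $Port = 3306,                        # MySQL default port
        [string] $User,                            # scan account used for the login test
        [switch] $RunLoginTest
    )
    $result = [ordered]@{ Host = $DbHost; Port = $Port }

    # 1. Is a MySQL ODBC driver registered? Same information as the Data Sources (ODBC) Drivers tab.
    #    The driver bitness must match the process that loads it, so both platforms are reported.
    $drivers = @(Get-OdbcDriver -Name '*MySQL*' -ErrorAction SilentlyContinue)
    $result.OdbcDriverFound = ($drivers.Count -gt 0)
    $result.OdbcDrivers     = @($drivers | ForEach-Object { "$($_.Name) [$($_.Platform)]" })

    # 2. Can the scanner reach the database port at all (firewall, bind-address)?
    $tcp = Test-NetConnection -ComputerName $DbHost -Port $Port -WarningAction SilentlyContinue
    $result.TcpReachable = [bool]$tcp.TcpTestSucceeded

    # 3. Optional: does a remote login succeed with the mysql client, as the guide asks you to verify?
    if ($RunLoginTest -and $User -and $result.TcpReachable) {
        $out = & mysql -h $DbHost -P $Port -u $User -p -e 'SELECT VERSION();' 2>&1
        $result.MySqlLoginOk = ($LASTEXITCODE -eq 0)
        $result.MySqlOutput  = ($out | Out-String).Trim()
    }

    [pscustomobject]$result
}

# Usage with constructed host and user names:
Test-MySqlScanPrereqs -DbHost 'db01.example.internal' -User 'retina_scan' -RunLoginTest
```

A false OdbcDriverFound with a true TcpReachable points at the scanner host (install the driver); a false TcpReachable points at the network or the MySQL bind-address, and the login test is skipped in that case because it could not tell you anything new.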
Appendix B: BMC Remedy
You can export asset and vulnerability data from Retina CS to your BMC
Remedy server.
To configure Retina CS, you must:
• Create a connector to Remedy.
• Create a Smart Group. The parameters configured in the Smart Group
include the assets (and data) that will be exported to the Remedy system.
Your Remedy system must already have forms created to accept asset and
vulnerability information.
Creating a Connector to your BMC Remedy Server
Settings from your Remedy WSDL file are required to create the connector.
Sample data from a WSDL file:
Note: Remedy web service endpoints expect a sortable date format. For
example, 2009-06-15T13:45:30.
However, you can override the default format in the registry with a
valid .NET date format string:
HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString
View examples of standard date format strings here:
http://msdn.microsoft.com/en-us/library/az4se3k1.aspx
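A format string that .NET accepts but that Remedy cannot sort, or one that drops part of the timestamp, would only show up as rejected records on the Remedy side, and the section on exporting the data notes that Retina CS shows no export results or alerts. The following is an added PowerShell example, not BeyondTrust or Retina CS code, that formats the note's sample timestamp with a candidate .NET format string, parses the result back to confirm nothing is lost, and only then writes the value to the registry location named above. The function names are the example's own; whether the export service must be restarted to pick up the new value is not stated in this guide.

```powershell
# Added example (not BeyondTrust/Retina CS code): validate a .NET date format string
# before storing it in RemedyExportDateFormatString. The registry path is the one the
# note above gives; the sample timestamp is the note's example.
# Assumption: whether the export service needs a restart afterwards is not stated in the guide.

function Test-DotNetDateFormat {
    param([Parameter(Mandatory)] [string] $Format)
    $sample = [datetime]'2009-06-15T13:45:30'
    try {
        $text = $sample.ToString($Format, [cultureinfo]::InvariantCulture)
        # Round-trip: the text must parse back to the same instant, otherwise the format
        # drops information (for example no year) or is not a date format at all.
        $back  = [datetime]::ParseExact($text, $Format, [cultureinfo]::InvariantCulture)
        [pscustomobject]@{ Format = $Format; Sample = $text; RoundTrips = ($back -eq $sample); Error = $null }
    } catch {
        [pscustomobject]@{ Format = $Format; Sample = $null; RoundTrips = $false; Error = $_.Exception.Message }
    }
}

function Set-RemedyExportDateFormat {
    param([Parameter(Mandatory)] [string] $Format)
    $check = Test-DotNetDateFormat -Format $Format
    if (-not $check.RoundTrips) {
        throw "Refusing to store '$Format': it does not round-trip the sample timestamp. $($check.Error)"
    }
    $key = 'HKLM:\SOFTWARE\eEye\RetinaCS'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'RemedyExportDateFormatString' -Value $Format -Type String
    $check
}

# "s" is the .NET sortable pattern and produces 2009-06-15T13:45:30, the form the note shows.
Test-DotNetDateFormat -Format 's'
# A custom pattern that stays sortable but adds milliseconds and a literal Z suffix.
Test-DotNetDateFormat -Format "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
# Fails the round-trip: the year is lost, so the value must not be stored.
Test-DotNetDateFormat -Format 'MM/dd'
# Set-RemedyExportDateFormat -Format "yyyy-MM-dd'T'HH:mm:ss.fff'Z'"
```

Keep to patterns that begin with the year, month and day in that order (as the sortable "s" pattern does); a pattern that starts with the day or month formats and round-trips correctly in .NET yet does not sort chronologically as text, which is the property the Remedy endpoint relies on.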
To create a connector:
1. Click the Configure tab, then click the Export Connectors tab.
2. Click +, then click BMC Remedy Connector.
3. Enter a connector name, and a Remedy user name and password.
The connector name can be any name.
The credentials for the Remedy system must provide access to the web
service and be able to create requests.
The Active check box is selected by default. Data is only exported when
the check box is selected.
4. Select the check boxes depending on the data that you want to export:
Export Assets, Export Vulnerabilities. You can select both.
5. For the export options, enter the following information:
– Web Service URL – Enter the location where data will be exported.
– Target Namespace – Enter the target namespace from the WSDL file.
– SOAP Action – Enter the action as defined in the WSDL file.
– Field Mappings – Enter the fields that you want to include in the
export data.
The order of the fields must match the order of the fields in the
WSDL file. Use the arrows to change the order.
6. After you provide the information, click Test to ensure a connection is
established to your Remedy system. Note that the test creates a record in
the Remedy system.
7. Click Update.
Creating a Smart Group
Assets and vulnerabilities exported are defined in the Smart Group.
To configure the Remedy Smart Group:
1. Configure the Smart Group as usual. See Creating a Smart Rule.
2. In the Perform Actions area, select Export Data.
3. Select the name of the Remedy connector.
4. Select an audit group from the list.
Only vulnerabilities in the selected audit group will be exported. All
vulnerabilities for all assets will be exported if no audit group is selected.
5. Enter the expiration period, in days.
Assets and vulnerabilities (depending on what is defined in the connector
details) are only exported once in the defined expiration period.
However, an item (asset or vulnerability) might be exported more than
once. This might occur if, for any reason, the item is not included in the
Smart Group but then is included again later.
After the expiration period passes, the item is exported again if it remains
in the Smart Group.
6. Click Save.
Exporting the Data
After the Smart Group is created, the data is set to be collected and exported
every hour on the hour.
You can change the default export time in the RemManagerSvc.exe.config
file located in the Retina CS install directory.
View export results in your Remedy system.
Export results or alerts on progress are not shown in Retina CS.
To stop exporting data, clear the Active check box on the Remedy
Connector Details page.