Retina CS User Guide

Release 4.5.1

June 10, 2013


Revision/Update Information: June 10, 2013

Software Version: Retina CS 4.5.1

Revision Number: 1

COPYRIGHT NOTICE

Copyright © 2013 BeyondTrust Software, Inc. All rights reserved. Use of this software and/or document, as and when applicable, is also subject to the terms and conditions of the license between the licensee and BeyondTrust Software, Inc. (“BeyondTrust”) or BeyondTrust’s authorized remarketer, if and when applicable.

TRADE SECRET NOTICE

This software and/or documentation, as and when applicable, and the information and know-how they contain constitute the proprietary, confidential and valuable trade secret information of BeyondTrust and/or of the respective manufacturer or author, and may not be disclosed to others without the prior written permission of BeyondTrust. This software and/or documentation, as and when applicable, have been provided pursuant to an agreement that contains prohibitions against and/or restrictions on copying, modification and use.

DISCLAIMER

BeyondTrust makes no representations or warranties with respect to the contents hereof. Other than any limited warranties expressly provided pursuant to a license agreement, NO OTHER WARRANTY IS EXPRESSED AND NONE SHALL BE IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE OR FOR A PARTICULAR PURPOSE.

LIMITED RIGHTS FARS NOTICE (If Applicable)

If provided pursuant to FARS, this software and/or documentation, as and when applicable, are submitted with limited rights. This software and/or documentation, as and when applicable, may be reproduced and used by the Government with the express limitation that it will not, without the permission of BeyondTrust, be used outside the Government for the following purposes: manufacture, duplication, distribution or disclosure. (FAR 52.227.14(g)(2)(Alternate II))

LIMITED RIGHTS DFARS NOTICE (If Applicable)

If provided pursuant to DFARS, use, duplication, or disclosure of this software and/or documentation by the Government is subject to limited rights and other restrictions, as set forth in the Rights in Technical Data – Noncommercial Items clause at DFARS 252.227-7013.

TRADEMARK NOTICES

PowerBroker, PowerPassword, and PowerKeeper are registered trademarks of BeyondTrust. PowerSeries, PowerADvantage, PowerBroker Password Safe, PowerBroker Directory Integrator, PowerBroker Management Console, PowerBroker Virtualization, PowerBroker Express, PowerBroker Databases, PowerBroker Windows Servers, PowerBroker Windows Desktops, and PowerBroker Identity Services are trademarks of BeyondTrust.

Retina, Retina® CS, Iris, Blink, Retina® Web, and REM are registered trademarks of BeyondTrust. SecureIIS and Enterprise Update Server are trademarks of BeyondTrust.

Windows® is a registered trademark of Microsoft Corporation.

FICTITIOUS USE OF NAMES

All names of persons mentioned in this document are used fictitiously. Any resemblance to actual persons, living or dead, is entirely coincidental.

Retina CS User Guide

BeyondTrust® June 10, 2013 2


Contents

I. Retina CS Management Console  i

Retina CS Overview  1
  Retina CS Architectural Overview  2
  Retina CS Components  3
    Retina Network Security Scanner (RNSS agent)  3
    Retina Protection Agent (RP agent)  3
    eEye Manager Service  3
    AppBus (Application Bus)  3
    Events Client  3
    Central Policy Server  4
    Enterprise Update Server  4
    Third Party Patch Service  4
    Scheduling Service  4
    Shared Services Engine  4
  How a Scan Works  5
  How Job Scheduling Works  6
  Access Retina CS  8
  Access the Client Portal  9

Retina CS Tools  10
  Overview  11
  Working with Smart Rules  11
    Understanding Smart Rule Filters  12
    Smart Rule Filters  13
    Predefined Smart Groups  14
    Creating an Asset Smart Rule  16
    Creating a Vulnerabilities Smart Rule  17
    Cloning a Smart Rule  19
    Marking a Smart Group as Inactive  20
  Creating an Address Group  20
    Creating a Smart Rule based on an Address Group  22
  Creating an Active Directory Query  22
  Working with Attributes  23
  Working with Tickets  25
    Creating a Ticket  25
    Managing Ticket Details  26
    Marking a Ticket as Inactive  27
    Tracking Open Tickets Using a Smart Rule  27

Reports and Scan Templates  30
  Running a Report on Existing Scan Data  31
  Creating Scheduled Reports  32
    Viewing Scheduled Reports in the Calendar View  32
    Reviewing Report Results  33
  Creating a Report  34
    Creating a Report Category  34
  Viewing and Downloading Reports  35
  Managing Report Templates  36
    Setting Report Output Options  36
  Configuring Scan Settings  38
    Working with Audit Groups  41
    Working with Port Groups  42
    Creating a Custom Audit  43
  Report Templates and Audit Groups  46
    Report Templates  46
    Audit Groups  54
    Regulatory Reporting Pack Audit Groups  54

Asset Management  55
  Interpreting Scan Results on the Dashboard  56
  Reviewing Asset Details  57
    Risk Scores  57
  Changing Asset Properties  58
  Changing the Display  58
    Setting Display Preferences  59
    Filtering Records  60
  Managing Jobs  61
    Reviewing Job Details  61
    Reviewing Scheduled Job Details  62
    Viewing Scheduled Scans in the Calendar View  63
    Viewing Scan Event Details  64
    Aborting or Pausing a Job  64
    Changing Job Page Settings  65

Mobility Scanning  67
  Overview  67
  Configuring a BlackBerry Connector  67
  Configuring an Android Connector  69
    Deploying the Application to Android Devices  70
    Configuring Settings on Android Devices  70
  Configuring an ActiveSync Connector  71
  Reviewing Mobility Scan Results  72
  Creating Custom Audits for Mobile Devices  72

Cloud Scanning  74
  Requirements  74
    Amazon EC2 Requirements  74
    VMWare VCenter Requirements  74
  Configuring a Cloud Connector  75
  Scanning Paused or Offline VMWare Images  76

Multi Tenant  78
  Overview  78
    Smart Rules Manager and Browser Pane  79
    Working with Scan Credentials  79
    Quick Rules  80
    Organization Filters  80
    Patch Management Module  80
    Mobility Connectors  81
    Retina Protection Agents  81
  Setting Up Organizations  82
    Step 1 Creating a Workgroup  82
    Step 2 Adding an Organization  83
    Step 3 Creating a User Group for a Tenant  84

Managing Users  85
  Creating User Groups  85
    User Group Permissions  87
    Access Levels  90
    Permissions Required for Configuration Options  90
  Creating User Accounts  91
    Reset Retina CS Account Password  92
    Auditing Retina CS Users  92
  Adding Credentials  93
    Creating an SSH Credential  93
    Creating Oracle Credentials  94
    Adding Credentials for Active Directory Access  95

Setting Retina CS Options  96
  Account Lockout Options  96
  Account Password Options  97
  Auto Update Options  97
  Display Options  98
  Email Notifications  98
  Maintenance Options  98
  Proxy Settings  100
  Refresh Settings  100

Maintenance  102
  Viewing Status for Scanners and Agents  102
    Determining if a Retina Agent is Available  102
    Removing Retina Agent Files  103
    Configuring a Failover Agent  104
  Creating a Support Package  104
  Diagnostics  106
    Monitoring Services  106

II. BeyondTrust Modules  108

Retina Scanner Agents  109
  Discovery Scanning  110
    Running a Discovery Scan  110
    Discovering Assets Using a Smart Group  111
    Discovering Assets Manually  111
  Running a Vulnerability Scan  112
  Reviewing Vulnerability Scan Results  115
    Creating a Quick Rule  116
    Excluding Vulnerabilities  117
    Malware Toolkit Vulnerabilities  118
  Remediating Vulnerabilities  119
  Setting CVSS Metrics  119
    Setting CVSS Environmental Metrics  120
    Setting Base and Temporal Metrics  120
  Reviewing Asset Risks on the Network Map  122
  Configuring Retina Agent Scan Options  123
    Performance Settings  123
    Timeout Values  123
    Event Routing  124
    Setting Restrictions on Scan Times  125
    Configuring General Scan Options  125
  Scanner Pooling  127

PowerBroker for Windows  129
  Overview  129
  Creating a Smart Group  130
  Creating PowerBroker Rules  131
    Including Arguments in a Rule  133
    Marking Events to Exclude  133
  Deploying and Managing Policies Using Retina CS  134
    Deploying Policies  135
    Reviewing Policies  135
  Session Monitoring  135
    Viewing Events on the Session Viewer  136
    Saving Session Data  138

Patch Management Module  139
  Overview  140
    How Patching with WSUS Works  140
    How a Patch Deployment Works  141
  Connecting to a WSUS Server  143
    Requirements  143
    Adding a Connection  144
    Connecting to a Downstream Server  145
    Installing the WSUS Administration Console  145
  Registering Smart Rules  146
    Redeploying Configuration  148
  Approving Patch Updates  148
    Reviewing Patch Details  150
    Deleting Patches  151
  Third-Party Patching  151
    Generating a Certificate  152
    Subscribing to Vendor Patch Updates  152
    List of Supported Vendors  154
  System Center Configuration Manager  155
    Overview  155
    Requirements  155
    Creating a Connection to a SCCM Site Server  155
    Deploying a Package to a Collection  156
    SCCM and 3rd Party Patching  157
    Using Group Policy to Configure SCCM Assets for 3rd Party Patches  158

Retina Protection Agents  161
  Overview  162
    How RP Agent Deployments Work  162
  Downloading Retina Protection Agents  163
  Configuring a Default Policy  163
  Preparing Target Assets  164
    Using the 3rd Party Deployment Tool  165
  Updating RPA Licenses  166
  Deploying the Protection Policies  166
  Storing Retina Protection Agent Serial Numbers  167
  Reviewing Details about Protection Agents  168
  Removing Protection Agents  169
  Configuring Protection Policies  170
    Working with Rules and Rule Groups  170
    Creating a Rule Group and Setting Rules  171
    Creating a Protection Policy  172
    Creating a Dynamic Policy  172
    Organizing Your Policies  176
  Rules Reference  177
    System Wide Firewall Rules  177
    Application Firewall Rules  179
    IPS Signature Rules  181
    Trusted and Banned IPs  184
    Registry Protection Rules  185
    Execution Protection Rules  186
    File Integrity Rules  188
    Windows Events Rules  193
    Source Names  193
    Trusted List Options  195
    Miscellaneous Options  195

PowerBroker Servers for Unix & Linux  197
  Overview  197
    Retina CS and PowerBroker Servers Architecture  197
  Managing PowerBroker Servers Events  199
    Creating a Smart Group  199
    Using pbreplay to Play the Logged Events  199
    Searching the I/O Logs  200
    Search Parameters  201

PasswordSafe  207
  Overview  207
  Configuring PasswordSafe  207
    Creating a Connection to Your Appliance  208
    Creating User Groups  208
    Adding a Managed System  210
  Managing Passwords  212
    Requesting a Password  212
    Approving a Password  214
    Retrieving a Password  215

Regulatory Reports Pack  216
  Compliance Scans  217
    Healthcare Pack Compliance Scans  217
    Finance Pack Compliance Scans  217
    Government Pack Compliance Scans  217
  Running a Compliance Scan  218
  Reviewing Compliance Scan Results  219

Configuration Compliance Pack  220
  Setting Permissions for Configuration Compliance  220
  Managing Benchmarks  221
    Importing Benchmarks  221
    Setting OVAL Tests Option  222

Appendix A: Preparing Your Database Application for Scans  223
  Preparing Your MySQL Database  223

Appendix B: BMC Remedy  224
  Creating a Connector to your BMC Remedy Server  224
  Creating a Smart Group  226
  Exporting the Data  226


I. Retina CS Management Console

• Retina CS Overview
• Retina CS Tools
• Reports and Scan Templates
• Asset Management
• Mobility Scanning
• Cloud Scanning
• Multi Tenant
• Managing Users
• Setting Retina CS Options
• Maintenance


Retina CS Overview

In this section:

• Retina CS Architectural Overview
• Retina CS Components
• How a Scan Works
• How Job Scheduling Works
• Accessing Retina CS


Retina CS Architectural Overview

Retina CS architecture follows a top-down, tiered approach to compliance and security management throughout your organization.

Retina Network Security Scanners run vulnerability assessments, and Retina Protection Agents can perform endpoint host security. All communication between agents and Retina CS is encrypted, and the results are stored in a SQL Server database.

Multiple Retina CS Servers can replicate data to produce a tiered architecture, and all management control and results are available through an Internet-enabled application.

Retina CS Architecture


Retina CS Components

This section provides information on each of the components that Retina CS relies on in running scans, protecting assets, etc.

Retina Network Security Scanner (RNSS agent)

The Retina Network Security Scanner is the scan engine responsible for scanning the assets in your environment. The RNSS agent receives instructions from the Central Policy service.

A security certificate is required by the Events Client to communicate with the agent. This certificate can be created during the Retina CS installation.

Retina Protection Agent (RP agent)

The Retina Protection agent is the agent designed to protect your assets. It provides layers of protection, including: virus and spyware, firewall, intrusion prevention, system protection, and vulnerability assessment.

A security certificate is required by the Events Client to communicate with the agent. This certificate can be created during the Retina CS installation.

eEye Manager Service

This component is the Retina CS web interface.

The eEye Manager Service also acts as a background service that gathers information from the Events Client (which retrieves information from the agents). The events are then encrypted and sent to the database.

AppBus (Application Bus)

Provides communications between BeyondTrust components and receives events to insert in the Retina CS database. This function can also be done by a dedicated Event Server for scalability.

Events Client

The Events Client is responsible for forwarding information gathered by the RNSS agent and RP agent.

The Events Client sends the information to the eEye Manager Service. The Events Client is installed when an RNSS agent or RP agent is installed.

Events Client Certificate

Generate security certificates to ensure secure transmission of data between clients and Retina CS. Use the Retina CS Configuration Tool to generate certificates. For more information, refer to the Retina CS Installation Guide.


Central Policy Server

Central Policy is a service that sends RNSS agents and RP agents their settings. Central Policy is the component responsible for sending the agents their job information.

For example, the RNSS agent needs to know the targets and the audits to run against those targets. This information is selected in the Retina CS management console. When the scan starts, Central Policy sends the job information to the agent.

The same applies to RP agent policies. Central Policy needs to know which protection policy to push out to the selected protected assets. Policies are defined in the Retina CS management console, and when a policy is deployed, Central Policy sends the job information to the RP agent to apply to the target asset.

Enterprise Update Server

Using the Enterprise Update Server, you can centrally manage updates for your BeyondTrust applications, receive updates automatically or manually, and distribute updates to client systems on your network.

You can schedule automatic updates to ensure that your assets are protected by the latest vulnerability audits.

Third Party Patch Service

Gathers third party patches and makes them available for distribution using WSUS.

Scheduling Service

Responsible for contacting the Update server and downloading the latest product updates and audit updates.

Shared Services Engine

Receives Retina Protection agent deployment details from the AppBus and sends those details to the assets where the RP agent is being deployed.


How a Scan Works

This section provides the communication workflow between Retina CS and the agents.

For a list of ports that Retina CS uses, see Ports Used by Retina CS.

1. Create the scan job in the Retina CS Management Console. The scan job includes details such as the IP addresses to be targeted, scan template, and scheduling information.
2. The Central Policy service notifies the RNSS agent with the instructions for the scan job.
3. The RNSS agent goes out to the assets as provided in the scan job details and gathers the data based on the selected scan template.
4. Gathered information from the RNSS agent is passed through the Events Client to the Retina CS Event Server. The data sent is in .mmf format.
5. The Retina CS Event Server passes the information to the SQL Server. The gathered info is normalized.


Ports Used by Retina CS

Function                   Components                                   Port
Database connectivity      CS to SQL Server, Retina Insight to SQL      1433
                           Server
Event Client               RNSS and RPA to Retina CS                    21690
RPA Central Policy         Endpoint to Retina CS                        Version 1 – 2000
                                                                        Version 2 – 443
RNSS Central Policy        RNSS to Retina CS                            Version 1 – 10001
                                                                        Version 2 – 443
Update Servers             SyncIt or EUS to BeyondTrust                 443 or 80
Client Browser             User to Retina CS or Retina Insight          443 or 80
PowerBroker Mobile         Connector to PBM                             443
Android Mobile Connector   Android agents to Retina CS                  21691
Retina CS replication      CS to CS for Enterprise tiering              21692

How Job Scheduling Works

The following job scheduling overview assumes multiple scanners are used.

1. Create a Smart Rule, which includes setting:
   • the list of scanners
   • the asset distribution algorithm
   • the targets
2. Targets are determined by:
   • Assets that are in the database (assets that are already discovered).
   Assets will be discovered if the following are included in the Smart Rule:
   • Address groups
   • Cloud assets
   • LDAP queries
3. The asset distribution algorithm assigns scanners to assets. For round robin assignments, targets whose IP address is known are assigned first. Targets are then assigned to scanners by the name of the target, if it is known. After this assignment occurs, scanners are always associated with their assigned assets.
4. Two .xml files are sent to the Retina scanner agent:
   • a file that contains job scheduling information
   • a file that lists the targets assigned to the scanner

Round robin assignment
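The round robin assignment described in step 3, as an added Python illustration (not Retina CS code): scanner names, the target records, the handling of targets that have neither IP nor name, and the XML layout of the per-scanner target list are constructed for this example, since the guide names the two .xml files but does not show their schema.

```python
"""Round-robin distribution of scan targets across Retina scanner agents.

Added illustration of the scheduling steps above; not Retina CS code.
Scanner names, target records, the handling of targets with neither IP
nor name, and the XML layout are constructed for this example.
"""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Target:
    key: str                    # stable identifier of the asset in the database
    ip: Optional[str] = None    # known IP address, if any
    name: Optional[str] = None  # known host name, if any


def distribute_round_robin(scanners: List[str], targets: List[Target],
                           sticky: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return a mapping target.key -> scanner name.

    Following the guide: targets whose IP address is known are assigned
    first, then targets known only by name, each in round-robin order over
    the scanner list. A target assigned on an earlier run keeps its scanner
    (`sticky`), because scanners stay associated with their assigned assets.
    Two assumptions not stated in the guide: targets with neither IP nor
    name are left unassigned, and a sticky entry that points at a scanner
    no longer in the pool is dropped so that target is redistributed.
    """
    if not scanners:
        raise ValueError("at least one scanner is required")
    assignment = {k: s for k, s in (sticky or {}).items() if s in scanners}

    by_ip = [t for t in targets if t.ip and t.key not in assignment]
    by_name = [t for t in targets if not t.ip and t.name and t.key not in assignment]

    rr = cycle(scanners)  # one continuous round robin across both passes
    for target in by_ip + by_name:
        assignment[target.key] = next(rr)
    return assignment


def targets_for_scanner(assignment: Dict[str, str], targets: List[Target],
                        scanner: str) -> List[Target]:
    """Targets that the given scanner receives in its target-list file."""
    return [t for t in targets if assignment.get(t.key) == scanner]


def target_list_xml(scanner: str, targets: List[Target]) -> str:
    """Render one scanner's target list as XML (illustrative layout only)."""
    root = ET.Element("TargetList", scanner=scanner)
    for t in targets:
        el = ET.SubElement(root, "Target")
        if t.ip:
            el.set("ip", t.ip)
        if t.name:
            el.set("name", t.name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    scanners = ["scanner-a", "scanner-b"]  # constructed scanner pool
    targets = [Target("t1", ip="10.0.0.1"), Target("t2", name="web01"),
               Target("t3", ip="10.0.0.3"), Target("t4")]
    first = distribute_round_robin(scanners, targets)
    print(first)  # {'t1': 'scanner-a', 't3': 'scanner-b', 't2': 'scanner-a'}
    # Second run: t1 is already assigned, so it stays put and only the rest rotate.
    second = distribute_round_robin(scanners, targets, sticky={"t1": "scanner-b"})
    for scanner in scanners:
        print(target_list_xml(scanner, targets_for_scanner(second, targets, scanner)))
```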


Access Retina CS

When working in Retina CS, note that the times displayed match the web browser on the local computer (unless stated otherwise).

To log on to Retina CS:

1. Select Start > All Programs > eEye Digital Security > Retina CS > Retina CS.
   You can also log on to Retina CS using the URL provided to you by your Security Administrator.
2. Enter your username and password.
   The default username is Administrator and the password is the Administrator Password you set in the Retina CS Configuration wizard.
3. Click Login.

If you forget your password, click Forgot your Password? Enter your username to have a new password sent to your registered email address.


Access the Client Portal

You can access product downloads, license keys, product documentation, and technical support, including knowledge base articles, using the client portal. You will need the username and password provided in your product confirmation email.

To access the client portal:

1. Using your web browser, log on to www.eEye.com/clients. The Client Portal is displayed.
2. Type your username and password from your product confirmation email, then click Sign In.
3. Select from one of the following options:
   – Product Downloads. You can access and download the most current versions of your licensed software.
   – Product Licensing. You can access and manage your product licenses.
   – Documentation. You can access documentation for each product as well as additional guides, technical bulletins and knowledge base articles, as needed. Typically the documentation set consists of Installation Guides, User’s Guides and online help systems.
   – Technical Support. You can access knowledge base articles, support request forms and release notes. In addition, you can view and update your support tickets.


Retina CS Tools

In this section:

• Overview
• Working with Smart Rules
• Understanding Smart Rule Filters
• Predefined Smart Groups
• Creating an Asset Smart Rule
• Creating a Vulnerability Smart Rule
• Cloning a Smart Rule
• Marking a Smart Group as Inactive
• Creating an Address Group
• Creating an Always Address Group
• Creating a Smart Group Based on an Address Group
• Creating an Active Directory Query
• Working with Attributes
• Working with Tickets
• Creating a Ticket
• Managing Ticket Details
• Marking a Ticket as Inactive
• Tracking Open Tickets Using a Smart Rule


Overview

Retina CS provides a set of tools to help you organize assets for scanning. Depending on the number of assets that you want to scan, or the critical nature of some of your assets, consider organizing the assets using address groups or Active Directory queries, which can be part of a Smart Rule.

The following list provides examples of ways you can use these tools:

• Create an IP address group that organizes assets by a range of IP addresses, including CIDR notation and named hosts.
• Use an Active Directory query that will organize assets by organizational unit. Create a Smart Rule and use the query as your asset selection criteria.
• Change the properties for assets (after a scan runs), then use the attributes as the selection criteria in the Smart Rule. For more information, see Changing Asset Properties.

Scans can return a lot of information. To help you review scan results, you can create filters and set preferences on the Assets page. For more information, see Changing the Display.

Working with Smart Rules

A Smart Rule is a filter that you can use to organize assets. You can organize the assets using one of the following Smart Rule types:

• Asset Smart Groups – Organizes the assets based on the filters selected.
• Vulnerability Smart Groups – Organizes the vulnerabilities based on the vulnerabilities filter selected.

The user must be a member of the Administrators group, or be granted the Asset Management permission, to work with Smart Rules.

Note: When a non-administrator user creates a Smart Group, that Smart Group will automatically be associated with:
– Read permissions for all user groups that the user is a member of.
– Write permissions for all user groups that the user is a member of and that also have the Asset Management permission. The Asset Management permission allows the user to create a Smart Rule.

Use a Smart Rule to register assets as Smart Groups to:

• Run vulnerability scans against
• Apply protection policies to
• Register for Patch updates
• Monitor and view


A Smart Rule updates results automatically, ensuring that the assets that match the criteria in the rule are current.

For example, a simple filter on assets might be finding all assets in the domain EMEA, as shown:

If an asset can no longer be contacted or no longer meets the criteria in the rule, the rule dynamically updates. At any time when you select the Smart Rule for a scan (for example), you can be sure the list of assets is current.

Understanding Smart Rule Filters

There are many filters available to you to create Smart Rules. For example, you can filter on such properties as Asset fields, Installed Software, Assigned Attributes, or Operating System.

You can create address groups or an Active Directory query to use as filters. You can create these filters in the Smart Rule Manager or from the Configure tab. For more information, see Creating an Address Group and Creating an Active Directory Query.

You can use more than one filter to refine or extend the scope of assets in the Smart Rule. Filters can be joined with 'and' (Match All Criteria) or 'or' (Match Any Criteria) conditions.

• If you select Match All Criteria, then every indented filter under it must be true for an asset to be included.
• If you select Match Any Criteria, then only one of the indented filter items under it must be true for an asset to be included.

The following filter example will include all assets in the EMEA domain that are either servers or workstations.
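The Match All / Match Any semantics and the dynamic re-evaluation described in this section, as an added Python illustration (not Retina CS code); it also models the "email only when the matching list changed" behaviour that Creating an Asset Smart Rule describes for the email action. The `Field`/`Group` classes, the asset field names, the `reachable` flag standing in for "can no longer be contacted", and the sample inventory are all constructed for this example.

```python
"""Smart Rule style filter evaluation over an asset inventory.

Added illustration; not Retina CS code. Field names, operators, the
`reachable` flag and the sample inventory are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple, Union

Asset = Dict[str, object]


@dataclass(frozen=True)
class Field:
    """Leaf filter: compare one asset field against a value."""
    name: str
    op: str        # "eq" (equals), "in" (one of), "contains" (list member)
    value: object

    def matches(self, asset: Asset) -> bool:
        actual = asset.get(self.name)
        if self.op == "eq":
            return actual == self.value
        if self.op == "in":
            return actual in self.value  # type: ignore[operator]
        if self.op == "contains":
            return isinstance(actual, (list, tuple, set)) and self.value in actual
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Group:
    """Match All Criteria (match_all=True): every child must hold.
    Match Any Criteria (match_all=False): at least one child must hold.
    Children may be groups themselves, mirroring the indented filters."""
    match_all: bool
    children: Sequence[Union[Field, "Group"]]

    def matches(self, asset: Asset) -> bool:
        if not self.children:
            return False  # assumption: an empty group selects nothing
        results = (child.matches(asset) for child in self.children)
        return all(results) if self.match_all else any(results)


def smart_group_members(rule: Group, assets: Sequence[Asset]) -> Set[str]:
    """Assets that currently satisfy the rule. An asset that can no longer
    be contacted (reachable=False) drops out, as does one whose fields no
    longer meet the criteria, so the list is current whenever it is used."""
    return {str(a["name"]) for a in assets
            if a.get("reachable", True) and rule.matches(a)}


def process_rule(rule: Group, assets: Sequence[Asset],
                 previous: Set[str]) -> Tuple[Set[str], bool]:
    """One processing pass of the rule. The second value says whether the
    "Send an email with a list of assets" action should fire: only when the
    matching list changed since the rule was last processed."""
    current = smart_group_members(rule, assets)
    return current, current != previous


# "All assets in the EMEA domain that are either servers or workstations":
# Match All at the top level, with a nested Match Any for the asset kind.
EMEA_SERVERS_OR_WORKSTATIONS = Group(match_all=True, children=[
    Field("domain", "eq", "EMEA"),
    Group(match_all=False, children=[
        Field("kind", "eq", "server"),
        Field("kind", "eq", "workstation"),
    ]),
])

# Constructed sample inventory.
SAMPLE_ASSETS: List[Asset] = [
    {"name": "fs01", "domain": "EMEA", "kind": "server"},
    {"name": "ws17", "domain": "EMEA", "kind": "workstation"},
    {"name": "rtr1", "domain": "EMEA", "kind": "router"},
    {"name": "db02", "domain": "APAC", "kind": "server"},
]

if __name__ == "__main__":
    members, notify = process_rule(EMEA_SERVERS_OR_WORKSTATIONS, SAMPLE_ASSETS, set())
    print(sorted(members), "email:", notify)  # ['fs01', 'ws17'] email: True
    # ws17 stops responding: the Smart Group shrinks and the change fires an email.
    later = [dict(a, reachable=(a["name"] != "ws17")) for a in SAMPLE_ASSETS]
    members2, notify2 = process_rule(EMEA_SERVERS_OR_WORKSTATIONS, later, members)
    print(sorted(members2), "email:", notify2)  # ['fs01'] email: True
    # Nothing changed on the following pass, so no email is sent.
    print(process_rule(EMEA_SERVERS_OR_WORKSTATIONS, later, members2)[1])  # False
```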


Smart Rule Filters

Review the following tables for more information about available Smart Rule filters.

Table 1. Asset Smart Rule Filters

Active Directory Query
  Create an LDAP query to include or exclude assets in the selected domain. For more information, see Creating an Active Directory Query.

Address Group
  Create a group of IP addresses. For more information, see Creating an Address Group.

Asset Fields
  Group the Smart Group by asset fields, such as asset name, device ID, domain or DNS, risk, and kind. You can include more than one asset field filter in the Smart Rule to refine the results.

Assets with Open Tickets
  For ticket tracking, create a Smart Rule that filters on open tickets. The Smart Rule filter can be set to include overdue tickets.

Assigned Attributes
  Create a filter based on an attribute. If the attribute is unassigned on a particular asset, you can choose to include or exclude the asset from the rule.

Attacks
  Filter assets based on attack. Select attacks from a list, or filter on attack name or ID.

Child Smart Rule
  You can reuse a Smart Rule to save time when creating new Smart Rules. This is especially useful if the Smart Rule is a complicated set of filters. Reusing a Smart Rule further refines the assets that will be a part of the Smart Group.

Cloud Assets
  Filter assets on the cloud connector.

Installed Software
  Filter on any combination of installed software.

MAC Address
  Filter by MAC address of assets.

Malware
  Filter assets based on malware. Select malware from a list, or filter on malware name or ID.

Operating System
  Filter on any combination of OS. Operating systems included in the list are those detected in your network. Assets with no OS detected can be included or excluded from the rule.

Ports
  Filter by port group. Assets with open ports in the port group can be included or excluded from the rule.

Processes
  Filter on any combination of processes.

Protection Agents
  Filter by protection agents.

Services
  Filter by any combination of service.

Vulnerabilities
  Filter by vulnerability, CVSS score or vector, PCI severity,

Vulnerability Scanners
  Filter by Retina scan agent. Can filter for responsive or unresponsive scan agents.

Windows Events
  Filter by Windows events that are available in the Windows Event Viewer (for example, Application, Security, or System).

Workgroup
  Filter by workgroup.

Table 2. Vulnerabilities Smart Rule Filters

Child Smart Rule
  Filter the vulnerabilities by child Smart Rules.

Vulnerability fields
  Filter by the name of the vulnerability.

Vulnerability has mitigation patch
  Filter by patch updates that are available to remediate the vulnerability.

Vulnerability in audit group
  Filter by audit group. For example, All Audits, Zero Day, or any of the compliance audit groups available.

Vulnerability severity
  Filter by severity level: low, information, medium, high.

Zero day vulnerabilities
  Filter on zero day vulnerabilities. Include or exclude the vulnerabilities from the Smart Group.

Predefined Smart Groups

By default there are Smart Groups already defined and created. Predefined Smart Groups cannot be changed or deleted. However, predefined Smart Groups can be marked as inactive (except for the All Assets Smart Group) to improve performance on large databases. For more information, see Marking a Smart Group as Inactive.

The predefined Smart Groups are displayed in the Smart Groups browser pane and are organized in the following categories.

Table 3. Predefined Smart Groups for Assets

Agents and Scanners
  Detects assets where protection agents and Retina scanners are deployed.

Assets and Devices
  Includes default Smart Groups for all assets and all assets labeled as workstations.

Intelligent Alerts
  Includes Smart Groups that detect assets added since yesterday, and mobile assets with critical vulnerabilities. Intelligent Alerts are inactive by default.

Servers
  Includes Smart Groups that detect assets that are mail servers, web servers, database servers, domain controllers, and SCADA. Only the Web Servers Smart Group is marked as active.

Virtualized Devices
  Includes Smart Groups for virtual environments, including Microsoft Hyper-V and Parallels. Assets detected as virtual environments are part of these Smart Groups.
  This default category also includes two Smart Groups, Virtual Servers and Virtual Workstations. Assets that are servers or workstations might not be detected, and therefore not included in the Smart Group. For example, the asset might be a router or unknown and will not be part of the Smart Group.

Table 4. Predefined Smart Groups for Vulnerabilities

All Vulnerabilities
  Includes all assets where there are vulnerabilities detected.

Zero Day Vulnerabilities
  Includes all assets where zero day vulnerabilities are detected.


Creating an Asset Smart Rule

You can configure an asset Smart Rule to:

• Create Smart Groups
• Send email alerts with a list of assets
• Set attributes on assets
• Create a ticket with a list of assets
• Enable for Patch management
• Set environmental metrics for CVSS scoring
• Set scanner pooling

To create a Smart Rule:

1. Select the Assets tab.
2. Click Manage Smart Rules. The Smart Rules Manager displays existing Smart Rules.
3. Select Asset based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always available for processing when Active is selected. Clear the check box so the rule is not processed.
7. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the Smart Groups browser pane.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
   – Show asset as Smart Group – When selected, the rule is displayed in the Smart Groups pane as a Smart Group. You can select the Smart Group to filter the list of assets in the Smart Groups pane. You can also select the default view to display on the Assets page when the Smart Group is selected. Smart Groups are also used for running scans, applying protection policies, and registering for patch updates.
   – Send an email with a list of assets – Select and enter the email addresses for notification when the rule criteria are matched. Emails are only sent if the list of assets that match the rule has changed since the last time the rule was processed.
   – Set attributes on each asset – Select the attribute type from the list and then select the attribute.
   – Create Ticket – Select ticket parameters, including ticket assignment, severity, and email alert. For more information, see Creating a Ticket.
   – Enable for Patch Management – Select to create a Smart Group for managing patch updates to assets. For more information, see Registering Smart Rules.
   – Set Environmental CVSS Metrics – Select environmental metrics for CVSS. For more information, see Setting CVSS Metrics.
   – Set Scanner Properties – Select one or more Retina scanner agents to lock to the Smart Group. See Scanner Pooling.
   – Export Data – Select to manage a Smart Group for the BMC Remedy connector.
   – Mark each asset inactive – Assets detected as inactive will no longer be displayed on the Assets page or in reports.
   – Deploy PBW Policy – Select to deploy PowerBroker for Windows policies to the assets that match the criteria selected in the Smart Rule.
10. Click Save.

Creating a Vulnerabilities Smart Rule

You can configure a vulnerabilities Smart Rule to:

• Manage vulnerabilities
• Use as filters in grids and reports

To create a vulnerabilities Smart Rule:

1. Select the Assets tab.
2. Click Manage Smart Rules.
   The Smart Rules Manager displays existing Smart Rules.
3. Select Vulnerability based smart rules from the Smart Rule type list.
4. Click New Rule.
5. Enter a name and description.
6. The Active check box is selected by default. The Smart Rule is always available for processing when Active is selected. Clear the check box so the rule is not processed.
7. Enter a category name or select a category from the list. Use categories to organize your Smart Rules in the Smart Rules Manager.
8. Select the filters in the Asset Selection Criteria section of the manager.
9. From the Perform Actions section of the manager, select one of the following:
   – Show vulnerability as Smart Group - When selected, the rule is displayed on the Vulnerabilities page as a filter for the list of assets selected in the Smart Groups browser pane.
   – Create vulnerability audit group - Creates a read-only audit group.
10. Click Save.


Cloning a Smart Rule

You can clone your custom Smart Rules or the predefined Smart Rules.

An example scenario: you created a Smart Rule where the 'discover assets' option is selected and you run the rule once a month. You can clone the Smart Rule, turn off 'discover assets', and configure the new Smart Rule to run more frequently. This saves you the time of recreating the filters from the initial Smart Rule.

To clone a Smart Rule:

1. Select the Assets tab.
2. Click Manage Smart Rules. Select the Smart Rule, and then click the clone icon.
   If you are using the Multi Tenant feature, select the organization from the list, and then click OK.
3. On the Smart Rules Manager page, edit the Smart Rule filters as needed.
4. Click Save.
   The Smart Rule is active only after you click Save.


Marking a Smart Group as Inactive

You cannot delete predefined Smart Groups. However, if you have a lot of Smart Groups, you can save on processing time by marking unused Smart Groups as inactive.

An inactive Smart Group is no longer displayed in the Smart Group browser pane (until marked active again).

Creating an Address Group

Not supported in Retina CS Community.

Create an address group, then use the address group as an IP address filter when creating a Smart Rule.

An address group can contain included or excluded IP addresses. IP addresses are entered as an IP range, a named host, or a CIDR block.

To work with address groups, the Retina CS user must be a member of the Administrators group or be assigned the Asset Management permission. See Creating User Groups.

Creating an Always Address Group

You can create an address group and name it Always. The Retina scanner agent is designed to recognize this address group name and includes the group in every scan (regardless of whether the group is selected in the scan job). The address group can include and exclude IP addresses.

The next time a scan runs, the address group is synchronized with the Retina scanner agent. The IP addresses, whether included or omitted, are considered part of the scan that is running.

For example, the Always address group is configured with the following: 10.10.10.60 and buffett-laptop (omitted). A scan tries to scan 10.10.10.50 and buffett-laptop. The results:

• 10.10.10.60 is included in the scan since that IP address is added to the Always address group
• buffett-laptop is excluded from the scan since that asset is explicitly omitted in the Always address group
• 10.10.10.50 is scanned as usual

Note that if an asset was scanned and then later added to the Always address group as Omit, the asset is not scanned but might still be displayed in the report. This only occurs with some reports.

To create an address group:

1. Click the Configure tab, and then click Address Groups.
2. Click + in the Address Group pane.
3. Enter a name for the address group.
4. Select the address group and then click + in the Type/Entry pane.
5. To create an Address Group filter:
   – Click New to open the New Address Group dialog box. Enter IP addresses to include or exclude, and then click Save.
     To exclude IP addresses, enter the IP addresses, and then select the Omit this entry check box.
   – Click Import to import a .txt file with a list of IP addresses to include and exclude. The list depends on your particular needs. The list can include all IP addresses to exclude if that is how you want to create your filter.
     To exclude IP addresses, use the format: 192.x.x.x (1)
     The following shows an example of how a CIDR block, an excluded IP address, and excluded named hosts are displayed after importing:
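The Always address group behaviour described above (included entries join every scan, omitted entries are dropped from it) and the import-file convention where a trailing "(1)" marks an omitted entry can be modelled in a few lines. This is an added example, not Retina CS code; how the "(1)" suffix is tokenized and the case-insensitive hostname matching without DNS are assumptions.

```python
"""Resolve a scan job's effective targets against an Always address group.

Added illustration, not Retina CS code. Per the guide, the address group named
Always is folded into every scan: its included entries are always scanned and
its omitted entries always excluded. Entries are a single IP, an IP range, a
named host or a CIDR block; an import-file line ending in "(1)" marks the entry
as omitted. Tokenizing that suffix and matching hostnames case-insensitively
without DNS are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _kind(text: str) -> str:
    """Classify an entry as 'cidr', 'range', 'ip' or 'host'."""
    if "/" in text:
        return "cidr"
    parts = [p.strip() for p in text.split("-", 1)]
    if len(parts) == 2 and all(_is_ip(p) for p in parts):
        return "range"  # e.g. "10.10.10.1-10.10.10.20"
    return "ip" if _is_ip(text) else "host"  # "buffett-laptop" is a host

def _range_bounds(text: str):
    return tuple(ipaddress.ip_address(p.strip()) for p in text.split("-", 1))


@dataclass(frozen=True)
class Entry:
    """One address group entry and whether it is marked Omit."""
    text: str
    omit: bool = False

    def matches(self, target: str) -> bool:
        """True if a scan target (IP or hostname) falls under this entry."""
        kind = _kind(self.text)
        target = target.strip()
        if kind == "host":
            return target.lower() == self.text.lower()
        if not _is_ip(target):
            return False  # a hostname never matches an IP-based entry (no DNS)
        ip = ipaddress.ip_address(target)
        if kind == "cidr":
            return ip in ipaddress.ip_network(self.text, strict=False)
        if kind == "range":
            lo, hi = _range_bounds(self.text)
            return lo.version == ip.version and lo <= ip <= hi
        return ip == ipaddress.ip_address(self.text)

    def addresses(self) -> List[str]:
        """Concrete targets an included entry contributes to a scan."""
        kind = _kind(self.text)
        if kind == "cidr":
            net = ipaddress.ip_network(self.text, strict=False)
            return [str(a) for a in net.hosts()]  # network/broadcast excluded
        if kind == "range":
            lo, hi = _range_bounds(self.text)
            return [str(ipaddress.ip_address(int(lo) + i))
                    for i in range(int(hi) - int(lo) + 1)]
        return [self.text]


def parse_import_line(line: str) -> Optional[Entry]:
    """Parse one import-file line; a trailing "(1)" marks the entry as Omit."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    omit = text.endswith("(1)")
    if omit:
        text = text[: -len("(1)")].strip()
    return Entry(text, omit)


def parse_import_file(content: str) -> List[Entry]:
    entries = (parse_import_line(line) for line in content.splitlines())
    return [e for e in entries if e is not None]


def effective_targets(scan_targets: List[str], always: List[Entry]) -> List[str]:
    """Job targets plus the Always group's includes, minus its omitted entries."""
    targets = [t.strip() for t in scan_targets]
    for entry in always:
        if not entry.omit:
            for addr in entry.addresses():
                if addr not in targets:
                    targets.append(addr)
    omits = [e for e in always if e.omit]
    return [t for t in targets if not any(e.matches(t) for e in omits)]


# The scenario from the guide: Always holds 10.10.10.60 and buffett-laptop
# (omitted); the scan job asks for 10.10.10.50 and buffett-laptop.
GUIDE_ALWAYS = [Entry("10.10.10.60"), Entry("buffett-laptop", omit=True)]
GUIDE_SCAN = ["10.10.10.50", "buffett-laptop"]
# Constructed import file: a CIDR include, an omitted IP, an omitted named host.
SAMPLE_IMPORT = "10.10.10.0/28\n192.168.1.77 (1)\nbuffett-laptop (1)\n"
```

Running `effective_targets(GUIDE_SCAN, GUIDE_ALWAYS)` reproduces the guide's outcome: 10.10.10.50 and 10.10.10.60 are scanned and buffett-laptop is not.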


Creating a Smart Rule based on an Address Group

When you are configuring an address group, you can choose to create a Smart Group based on the address group.

Create the address group and add IP addresses as described earlier. Click the arrow as shown:

The address group Smart Group is displayed in the Smart Groups browser pane:

Creating an Active Directory Query

Not supported in Retina CS Community.

Create an Active Directory query to retrieve information from Active Directory to populate a Smart Rule. For example, create a query that uses computer names for a selected domain.

To work with Active Directory queries, the Retina CS user must be a member of the Administrators group or be assigned the Asset Management permission. See Creating User Groups.

To create an Active Directory query:

1. Click the Configure tab, and then click Active Directory Queries.
2. Click New.
3. Enter a name for the query.
4. Enter a path name or click Browse to search for a path.
   On the Select Active Directory Path dialog box, the forest is automatically detected. The Domain list is populated with the domains in the forest. Select a container and click OK to close the dialog box.
5. Select a scope to apply to the container: This Object and All Child Objects, or Immediate Children Only.
6. Enter a name and description for the filter.
7. Click Advanced and enter the LDAP query details.
8. Click Credentials and provide credentials (optional).
   The minimum permission assigned to the credentials must be Read on the computer assets that you are enumerating.
9. Click Test to ensure the query returns the expected results.
10. Click Save.

Working with Attributes

Not supported in Retina CS Community.

You can use attributes to label assets. Set an attribute on each asset in a group using a Smart Rule.

You can then select the attribute as a filter when you create a Smart Rule. Select an attribute from the Assigned Attributes list in the Asset Selection Criteria section. For more information, see Creating a Smart Rule.

Retina CS ships with attributes already created. You can also add attribute types and attributes that meet your particular requirements.

You can use the Criticality attribute to weight the importance of an asset in your environment. Assign the criticality attribute using a Smart Rule or on the Asset Details page for an asset (see Changing Asset Properties).

To add an attribute type and attribute:

1. Click the Configure tab, and then click Attributes.
2. Click + and then select Attribute Type.
3. Type an attribute name.
4. To add an attribute, select an attribute type.
5. Click + and then select Attribute.
6. Type an attribute name.


Working with Tickets

Not supported in Retina CS Community.

In this section,

Creating a Ticket
Managing Ticket Details
Tracking Open Tickets Using a Smart Rule

Use the ticket system to assign tickets to members of your security team. The team can review, remediate, and resolve vulnerabilities and attacks on protected assets.

You can create tickets to manage the remediation of vulnerabilities, attacks, and malware.

Ensure your user groups have the correct ticket permissions assigned. For more information, see User Group Permissions.

Note: You can create an Active Directory user group and assign the group ticket permissions. The users that are members of the Active Directory group must log on to Retina CS at least once before the user name is displayed in the Assigned to list. Logging on also activates the email notification for the user.

Creating a Ticket

Using the ticket system, you can create tickets for managing the life cycle of vulnerabilities, attacks, and malware.

You can create a ticket from the following pages:

• Assets
• Attacks
• Vulnerabilities
• Malware

To create a ticket:

1. Select the arrow for a vulnerability, and then select Create Ticket.
2. Enter the details for the ticket.
   A ticket ID is automatically generated after you save the details for the ticket.
3. Click Save.
   A Smart Rule is autogenerated when a ticket is saved. This Smart Rule is intended to help you keep track of assets affected by the vulnerability, attack or malware. No intervention is required by you.
   The next time the Smart Rule is processed, affected assets where solutions are applied will no longer be part of the Smart Rule. When all assets have the solution applied, the autogenerated Smart Rule for the ticket is removed from the Smart Rules Manager.
   The autogenerated Smart Rules are not displayed in the Smart Rules browser pane.

Managing Ticket Details

To change the details for a ticket:

1. Select the Assets tab, and then select Tickets.
2. Select i.
3. On the Ticket Details dialog box, change the ticket properties as needed.
   If you select the Close status, the ticket is no longer displayed on the Tickets pane.
4. If available, click the x revisions link to view details about activity on the ticket.
5. Click Back to Ticket Details.
6. Click Save.

Marking a Ticket as Inactive

If a ticket is accidentally created or no longer needed, your security team member can mark the ticket as inactive. An inactive ticket is essentially a deleted ticket.

An inactive ticket is no longer displayed on the Tickets page. However, the Retina CS administrator can always see the tickets (active or inactive).

You can mark a ticket as inactive on the Ticket Details page or from the Smart Rules Manager.

To mark a ticket as inactive:

1. Select the Assets tab, and then select the Tickets tab.
2. Select the ticket and then click i.
3. Clear the Active check box.
4. Click Save.
   The ticket is no longer displayed on the Tickets page. The inactive ticket cannot be selected.

Tracking Open Tickets Using a Smart Rule

Use Smart Rules to track open tickets and tickets that are overdue.

To create a Smart Rule:

1. Select the Assets tab, and then click the Manage Smart Rules button.
2. Click New Rule.
3. Enter a rule name and description.
4. Select the criteria and actions as shown.
5. Select the Auto-close Ticket check box to close the ticket and remove the Smart Group from the Smart Rules Manager. The ticket is only closed after all assets are remediated.
6. Click Save.
   Later, you can run the Tickets report to view a current list of open tickets. Select the ticket Smart Group and any other relevant parameters.


Reports and Scan Templates

In this section,

Running a Report on Existing Scan Data
Reviewing Report Results
Creating a Report
Creating a Report Category
Viewing Reports
Managing Report Templates
Setting Report Output Options
Configuring Scan Settings
Working with Audit Groups
Working with Port Groups
Creating a Custom Audit

Reports and Scan Templates

There are two report template types available:

• Scanning only. For more information, see Managing Scan Report Templates.
• Scanning and running reports on existing data. For more information, see Running a Report on Existing Scan Data.


Running a Report on Existing Scan Data

Not supported in Retina CS Community.

You can run reports on scan information that is stored in the Retina CS database.

You cannot run reports on existing data using the Protection reports.

Checkpoint
– Create a Smart Group to scope the assets to include in the report. For more information, see Creating a Smart Rule.

Reports will open in a new window. Ensure pop-up blockers are disabled for the Retina CS web site.

To run a report on existing data:

1. Select the Assets tab.
2. Select the assets, and then click Scan.
3. Select the report, and then click Report.
4. Select the report parameters:
   Note that the NONE export type provides a snapshot of the data and produces results faster than selecting PDF output.
   By default, the All check box is selected. Be sure to clear the All check box if you want to use specific parameters for your report. Selecting All uses all criteria available for that parameter.
5. Click Run Report.


Creating Scheduled Reports

To schedule a report:

1. Set the report parameters as described in the preceding procedure (To run a report on existing data).
2. Click Subscription, and then set the following:
   – Notify when complete - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. Email notification is sent when the scan and report are complete.
   – Email report to - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. The reports will be emailed to the users entered.
   – Schedule Type - Select One Time or Recurring. If you select Recurring, select the frequency of the scheduled run times.
3. Click Save after you enter the scheduling information.

Viewing Scheduled Reports in the Calendar View

You can review the scheduled reports in a calendar that shows a summary of the reports scheduled for the month.

To view the scheduled reports for the month:

1. Click the Jobs tab, and then click Scheduled in the Reports section.
2. Click Toggle Calendar.
3. Click the Report icon to open the report for a completed report.


Reviewing Report Results

Expand the document map to view the list of vulnerabilities.

Click the link for the vulnerability in the document map list or in the main report. You can review more information about the vulnerability, such as: description, fix information, references, and CVSS score.

If you export the report to PDF output, the list of vulnerabilities in the document map is displayed as bookmarks in the PDF.


Creating a Report

You can create a report template based on an existing report template.

A report template consists of:

• Report output settings - Select options to determine how information is presented in the report output. Includes report sections that present the information collected from the scan.
• Scan settings - Select options to determine the data to collect from assets. Includes audits, ports, and additional scan options that make up the scan.

Report templates are organized using report categories.

To create a report:

1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report.
3. Select a template and click Create.
4. Select a section and then drag section parts into the section pane.
   You can enter the name of the section part in the text box to select it. Section parts vary based on the report template selected.
5. Select the Shared check box if this report template can be used by other Retina CS users.
6. Click Save.
7. Enter the name of the report and the report category.
8. Click Save.

Creating a Report Category

A report category is a container that helps to organize similar reports. Every report that you create must be assigned to a category.

To create a report category:

1. Click the Reports tab, and then click Manage Report Templates.
2. Click New Report Category.
3. Enter a name for the report category and click Create.
4. Drag an existing report from another category to populate the new category.


Viewing and Downloading Reports

On the Reports tab, you can:

• View reports
• Download a report to PDF format
• Access the Manage Report Templates page. For more information, see Managing Report Templates.

To view and download a report:

1. Click the Reports tab.
2. Select one of the following:
   – Double-click a report to view it. Or, select a report, and then click i.
   – Click the download button and then click Save File to save the report in PDF format. Enter the report name, or use the default, and then click Save.
   – Click the delete button to delete the report.


Managing Report Templates

You can customize template settings, including sections in the report output and scan settings.

To access a report template:

Click the Reports tab, and then click Manage Report Templates. Select the report template and click the arrow to select a menu item.

– Edit Report. See Setting Report Output Options.
– Duplicate Report. Create a copy of the selected report. Select Edit or Rename from the menu to continue.
– Rename Report. Enter the new name when prompted.
– Delete Report. Confirm the deletion when prompted.
– Edit Scan Settings. See Configuring Scan Settings.

Setting Report Output Options

You can select the sections to include in the report, such as cover page and report content.

To change the report output:

1. Click the Reports tab.
2. Select a report and click the arrow to display the menu.
3. Select Edit Report.
4. Select a report section.
   For some reports, you can edit parameters on the Header section. Click the pencil icon to display and select the parameters.
5. The Section Parts pane displays the sections that you can use. Drag a section part into the middle pane. You can also enter the name of the section part in the Search box.
6. To remove a section from the report, select the section and select the garbage can.
7. Click Save.
8. Enter a name for the report and the report category.
9. Click Save.


Configuring Scan Settings

The following scan settings can be set when you are configuring an audit scan:

• Audits. An audit contains the vulnerabilities and risks that you want to search for on your selected assets. The audit information is organized in audit groups.
  The audit groups provided are industry standard and include: SANS20 (All), SANS20 (Windows), and Zero-day. For a complete list, see Audit Groups.
• Ports. Select the port or port group ranges that you want to include in the scan.
• Options. Select scan policy options, advanced options, and remote agent settings.

To configure an audit scan:

1. Click the Reports tab, and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits, and then drag an audit group to the scan settings pane.
   To search for an audit group, type the audit group name in the Search box. For more information, see Audit Groups.
5. Select Ports, and then drag port groups to the scan settings pane.
   To search for a port group, type the port group name in the Search box. For more information, see Port Groups.
6. Select Options.
7. Expand Scan Policy Options and select the scan options:
   – Perform OS Detection - Determines the operating system for the target.
   – Get Reverse DNS - Performs a reverse Domain Name System (rDNS) lookup and retrieves the domain name for the target IP address.
   – Get NetBIOS Name - Retrieves the Network Basic Input/Output System (NetBIOS) name of the target.
   – Get MAC Address - Retrieves the Media Access Control address, or unique hardware number, of the target.
   – Perform Traceroute - Determines packet routes across an IP network.
   – Enumerate [parameter] Via NetBIOS - Uses the NetBIOS protocol to determine and list audits specified in the Audit Group.
     The parameters include registry, users, shares, files, hotfixes, named pipes, machine information, audit policy, per-user registry settings, groups, processes, user and group privileges, and software.
   – Maximum Number of Users to Enumerate - Sets a maximum number of users for providing detailed descriptions. All users are enumerated if you set the value to 0.
   – Hardware - Determines the hardware for the target.
   – Perform Web Scanning - Scans remote web servers and audits installed applications.
   – Web Scan Depth - Sets the number of links to follow from the home page.
   – Perform Database Scanning - Scans remote database instances.
8. Expand the Advanced Options and select the scan options:
   Note: Performance issues may be experienced when running a Connect Scan, Force Scan, and UDP Scan simultaneously. These instruct Retina to negotiate a full connection to each port on each device. On a Class B network, you could be waiting for 65,535 devices to time out on a minimum of 65,535 connections each. In addition, stack changes in Windows XP SP2 cause connect scans to slow greatly due to the 10 incomplete connection limit.
   – Enable Connect Scan Mode - Run if other methods, such as a slow dial-up, are unreliable. The operating system negotiates a full connection to each device. Because multiple port scanning methods are not used, Retina cannot determine a number of items, such as the operating system.
   – Enable Force Scan - Run if the targeted devices are not going to answer SYN or ICMP scanning. Forces Retina to run protocol discovery on each port of each device to determine the protocol. Only use in a highly locked down network where the standard port scanning methods will be filtered or blocked. Force Scan should not be used on IP ranges.
   – Extended UDP Scan - Runs a complete scan on all User Datagram Protocol (UDP) frames without timing out. Forces Retina to expect an answer. The IP will eventually time out.
   – Disable Tarpit Detection - Stops tarpit detection. A TCP tarpit program intentionally reduces the size of data packets to slow communication transmissions. This can cause incorrect scan results. To scan systems running tarpits, set the tarpit to allow unimpeded connections from the Retina scanner.
   – Detailed Audit Status - Retrieves data on the port, operating system and protocol scanned and details the vulnerabilities open, fixed and not verified.
   – Randomized Target List - Uses a random list of target assets to scan rather than a sequential list of IP addresses. This load balances the target IP list across the network by distributing the target list across subnets rather than running all the targets in a subnet at the same time sequentially.
9. Expand Retina Local Scan Service Options to set the following:
   – Perform Local Scanning - Deploys a remote Retina scanner agent to target assets during a scan. Deploy a remote Retina agent to run WMI and remote registry scans. After the scan runs, the deployed remote agent is removed from the asset.
   – Enumerate Ports via Local Scan Service - Enumerates local ports using netstat, including active connections and the program or service using the port. OFF by default.
   – Enable WMI Service - Starts (and then stops) the WMI service. The service is only active during the scan. OFF by default.
   – Enable Remote Registry Service - Starts (and then stops) the remote registry on a target. The service is only active during the scan. OFF by default.
10. Click Update.
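The Randomized Target List option in step 8 spreads scan load by distributing targets across subnets instead of walking one subnet from end to end. The following added example (not Retina's scheduler; the round-robin-over-shuffled-subnets strategy is an assumption about how that effect can be produced) contrasts a sequential target order with an interleaved one and measures the longest run of back-to-back targets inside a single /24:

```python
"""Illustrate the effect of a randomized, subnet-interleaved target list.

Added example, not Retina's own scheduling logic. Grouping targets by /24,
shuffling each group and then taking one host from each subnet in turn is one
way to get the "distribute the target list across subnets" behaviour the guide
describes; the concrete strategy here is an assumption.
"""
import ipaddress
import random
from collections import defaultdict
from typing import Dict, List


def _subnet(target: str, prefix: int) -> str:
    return str(ipaddress.ip_network(f"{target}/{prefix}", strict=False))


def group_by_subnet(targets: List[str], prefix: int = 24) -> Dict[str, List[str]]:
    """Bucket IP targets by their enclosing /prefix network, preserving input order."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for t in targets:
        groups[_subnet(t, prefix)].append(t)
    return dict(groups)


def randomized_target_list(targets: List[str], prefix: int = 24, seed=None) -> List[str]:
    """Shuffle each subnet's hosts, then emit one host per subnet in rotation."""
    rng = random.Random(seed)  # seed only so the illustration is reproducible
    queues = [list(hosts) for hosts in group_by_subnet(targets, prefix).values()]
    for q in queues:
        rng.shuffle(q)
    rng.shuffle(queues)  # randomize the subnet rotation order as well
    ordered: List[str] = []
    while queues:
        for q in list(queues):  # iterate a copy; exhausted queues are dropped below
            ordered.append(q.pop())
            if not q:
                queues.remove(q)
    return ordered


def longest_same_subnet_run(order: List[str], prefix: int = 24) -> int:
    """Longest run of consecutive targets in one subnet (1 = fully interleaved)."""
    best = run = 0
    prev = None
    for t in order:
        net = _subnet(t, prefix)
        run = run + 1 if net == prev else 1
        best = max(best, run)
        prev = net
    return best


# Constructed target list: three /24 subnets with four hosts each, sequential order.
SEQUENTIAL = [f"10.0.{s}.{h}" for s in (1, 2, 3) for h in (1, 2, 3, 4)]

if __name__ == "__main__":
    print("sequential longest run:", longest_same_subnet_run(SEQUENTIAL))  # 4
    interleaved = randomized_target_list(SEQUENTIAL, seed=1)
    print("randomized longest run:", longest_same_subnet_run(interleaved))  # 1
```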


Working with Audit Groups

Retina CS ships with audit groups that are populated with audits. Each audit group has a preconfigured set of audits.

On the Scan settings page for an audit group, you can:

• Change the audits in the audit group
• Create an audit group
• Copy an audit group
• Create an audit. For more information, see Creating a Custom Audit.
• Revert the settings to the default values

Note that you cannot delete an audit group that ships with Retina CS.

To manage audit groups:

1. Click the Reports tab, and then click Manage Report Templates.
2. Select a report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Audits in the Settings pane.
   To search for an audit group, type the name in the Search box.
5. Click Manage in the Audit Groups pane to:
   – Edit an audit - Select the audit and click the pencil icon. You cannot change all audits. Select All Editable Audits from the Show list to display all audits that you can change.
   – Create an audit group - Click + at the bottom of the Audit Groups pane. Enter the name of the new audit group.
   – Copy an audit group - Click the copy icon. Enter a name and click Copy.
   – Edit an audit group - Select the audit group from the Audit Groups pane. You can also type the name of the audit group in the box to search for the audit group.
6. Select the Automatically enable new audits in this group check box to enable new audits in the group automatically when they are created.
7. Click Revert to revert to either the last saved version of the selected audit group or the default value.
8. Click Update.

Working with Port Groups

Port groups contain the list of ports to scan. You can change the ports assigned in a port group, add port groups that will be available to all audit scans, and delete port groups.

Retina CS ships with port groups already configured with a range of ports (for example, HTTP Ports and Discovery Ports). Note that you cannot delete a port group that ships with Retina CS.

To change port groups:

1. Click the Reports tab and then click Manage Report Templates.
2. Select the report and click the arrow to display the menu.
3. Select Edit Scan Settings.
4. Select Ports in the Settings pane.
5. Click Manage in the Port Groups pane to:
   Use the Grid Size slider to adjust the view.
   – Add a port group - Click + on the Port Groups pane. Enter the name of the port group and click Create.
   – Edit a port group - Select the port group from the Port Groups pane. You can also type the name of the port group in the box to search for and display the port group.
   – Remove a port from a group - Select the port, and then select Clear from the Protocol menu.
   – Add a port or group of ports - Select the ports, and then select the protocol from the list: Both, TCP, UDP. The grid is updated with the corresponding color of the protocol.
     To select multiple ports, click and drag over the range. Alternatively, enter the port number or port number range in the Select Ports box and click the arrow.
6. Click Revert to cancel your changes.
7. Click Update.


Creating a Custom Audit

You can create an audit that addresses particular risks or vulnerabilities that you want to protect your assets from.

You can select the rule category, the risk level associated with the rule, the audit type and the audit details. For example, you can create an audit that ensures the latest service pack and a particular hotfix have been installed for Windows 2003 OS 32-bit/64-bit.

To create customized audit scan settings:

1. Click the Reports tab, and then click Manage Report Templates.

2. Select the report and click the arrow to display the menu.

3. Select Edit Scan Settings.

4. Select Audits in the Settings pane.

5. Click Manage in the Audit Groups pane.

6. Click +New Audit to start the Audit wizard.

7. Click Next.

8. On the Audit Description page:

a. Type the audit name.

b. Select the audit category, such as Database, Mail Servers, Miscellaneous, or Windows.

c. From the Risk Level list, select the severity level that corresponds to the severity of the vulnerability:

– High - Risks that allow a non-trusted user to take control of a susceptible host, and vulnerabilities that severely impact the overall safety and usability of the network.

– Medium - Risks that are serious security threats and would allow a trusted but non-privileged user to gain complete control of a host, or would permit a non-trusted user to disrupt service or gain access to sensitive information.

– Low - Risks associated with specific or unlikely circumstances. These vulnerabilities can provide an attacker with information that could be combined with higher-risk vulnerabilities to compromise the host or users.

– Information - Host information that does not necessarily represent a security threat, but can be useful to the administrator when assessing security. These alerts are displayed with the list of vulnerabilities.

d. Describe the vulnerability.

e. Describe how to remediate, investigate or mitigate the vulnerability.


9. On the Audit Type page, select the type of audit:

– Banner - Determines vulnerabilities in the banner information, such as firewall name, IP addresses and server name.

– CGI Script - Determines vulnerabilities in the common gateway interface, which passes a Web user's request to an application program and returns the application's data to the user.

– Registry - Detects vulnerabilities by scanning registry entries and values.

– Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.

– File Version - Determines whether a file exists. The audit can check either that the file exists or that it does not exist.

– File Checksum - Determines vulnerabilities based on file checksum comparisons. Supported values include: MD5, SHA1, SHA256. Network performance issues might occur if you use this feature. Use this feature with caution.

– Remote Check - Verifies whether a specific Unix program or patch is installed on an operating system.

– Mobile Software - Determines whether software exists on mobile devices.

– BlackBerry Device - Determines vulnerabilities based on BlackBerry device specifications.

– Share - Determines whether a share is accessed by unauthorized users.

The Audit Details page displays parameters based on the audit type that you select in step 9.

10. Enter the information for the audit type, and then click Next.

– Banner audit details - Select the banner protocol, and then type the banner name.

– CGI Script audit details - Type the URL path to the script name.

– Registry - Select Path, Key, or Value from the menu. Select the operating systems that the vulnerability affects. Note that the registry path cannot contain the selected Hive value.

– Service Pack – Hotfix - Determines vulnerabilities by scanning service packs, hotfixes and patches.

– File Version - Verifies the software version.


Enter the file name, set the file version information (optional), and select the operating systems to check.

– File Checksum - Select the file checksum from the list. Enter a file name, checksum value, and file version. Use an asterisk (*) to compare all file versions.

– Remote Check - Verifies whether a specific Unix program or patch is installed on an operating system.

– Mobile Software - Enter the name of the software, and set whether the software exists. You can also audit on the version number.

– BlackBerry Device - Enter model, serial number, device ID, platform version, and OS version.

– Share - Select the user account access on the share, the type of access on the share, and the OS version. Optionally, list the accounts by SID.

11. On the Vulnerability Details page, enter the BugTraq and CVE details, as needed.

– BugTraq - A security portal dedicated to issues about computer security, such as vulnerabilities, methods of exploitation and remediation.

– CVE - Common Vulnerabilities and Exposures is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.

12. On the Audit Wizard Summary page, click the pencil to change the audit information.

13. Click Finish.
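The following is an added example, not BeyondTrust code, showing how the File Checksum audit parameters from steps 8 through 10 (name, risk level, file name, MD5/SHA1/SHA256 algorithm, expected checksum, and a file version where "*" means all versions) can be evaluated against a target's files. The file inventory, the file names and the "expected checksum is the known-good value" semantics are assumptions made for the example.

```python
"""Added example (not BeyondTrust code): evaluate a File Checksum custom audit.

It models the audit parameters the wizard asks for: file name, checksum
algorithm (MD5, SHA1 or SHA256), the expected checksum value, and a file
version, where "*" compares all versions of the file. The target's file
inventory is constructed inline so the example runs offline.
"""
import hashlib
from dataclasses import dataclass

# Algorithm names as listed in the guide, mapped to hashlib names.
SUPPORTED_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
RISK_LEVELS = ("High", "Medium", "Low", "Information")


@dataclass(frozen=True)
class FileChecksumAudit:
    name: str
    risk_level: str
    file_name: str
    algorithm: str          # one of SUPPORTED_ALGORITHMS
    expected_checksum: str  # hex digest of the known-good file (assumption)
    file_version: str       # exact version string, or "*" for all versions

    def __post_init__(self):
        if self.risk_level not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {self.risk_level}")
        if self.algorithm not in SUPPORTED_ALGORITHMS:
            raise ValueError(f"unsupported checksum algorithm: {self.algorithm}")


@dataclass(frozen=True)
class InventoryFile:
    """One file as the scanner would read it from a target (constructed)."""
    name: str
    version: str
    content: bytes


def checksum(data: bytes, algorithm: str) -> str:
    """Hex digest of data using one of the guide's supported algorithms."""
    digest = hashlib.new(SUPPORTED_ALGORITHMS[algorithm])
    digest.update(data)
    return digest.hexdigest()


def evaluate(audit: FileChecksumAudit, inventory) -> dict:
    """Evaluate the audit against one target's file inventory.

    Assumed semantics: the expected checksum is the known-good value, so a
    file whose digest differs is reported as a finding. "Not Applicable"
    means no file matched the name (and the version, unless it is "*").
    """
    matches = [
        f for f in inventory
        if f.name.lower() == audit.file_name.lower()
        and (audit.file_version == "*" or f.version == audit.file_version)
    ]
    if not matches:
        return {"audit": audit.name, "status": "Not Applicable", "mismatched": []}
    mismatched = [
        f.version for f in matches
        if checksum(f.content, audit.algorithm) != audit.expected_checksum.lower()
    ]
    return {
        "audit": audit.name,
        "risk_level": audit.risk_level,
        "status": "Fail" if mismatched else "Pass",
        "mismatched": mismatched,
    }


# Constructed sample: two versions of the same file, one of them tampered.
KNOWN_GOOD = b"constructed sample: known-good build of example.dll\n"
SAMPLE_INVENTORY = [
    InventoryFile("example.dll", "6.1.7600", KNOWN_GOOD),
    InventoryFile("example.dll", "6.1.7601", KNOWN_GOOD + b"extra bytes"),
    InventoryFile("other.dll", "1.0", b"unrelated file"),
]
SAMPLE_AUDIT = FileChecksumAudit(
    name="example.dll integrity (constructed)",
    risk_level="High",
    file_name="example.dll",
    algorithm="SHA256",
    expected_checksum=checksum(KNOWN_GOOD, "SHA256"),
    file_version="*",  # compare every version found, as the wizard's asterisk does
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_AUDIT, SAMPLE_INVENTORY))
```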


Report Templates and Audit Groups

Not all report templates or audit groups are supported in Retina CS Community.

The following tables list the report templates and audit groups available with Retina CS.

You can run reports on existing scan information that is stored in the Retina CS database.

You can run all reports from Retina Insight. For more information, refer to the Retina Insight User Guide.

Report Templates

Table 5. Vulnerabilities

Access – Lists targets that are inaccessible and includes a reason. For example, the target does not exist on the network, or administrative rights were not provided.

All Audits Scan – Lists all vulnerabilities found. Drill down by vulnerability to review more information, such as fixes, references, exploits and affected assets.

Discovery Scan – Lists the targets found on the network, including workstations, routers, laptops and printers. Credentials are not required for a discovery scan.

PCI Compliance Report – Details the vulnerability results of PCI security scans. The Payment Card Industry Data Security Standard (PCI DSS) specifies security requirements for merchants and service providers that store, process, or transmit cardholder data. PCI security scans are conducted over the Internet by an Approved Scanning Vendor (ASV). The Retail Report pack is required for this report.


Vulnerabilities by Reference – Lists vulnerabilities by CVE reference ID. Drill down into an ID for more information, such as assets affected and potential fixes.

Vulnerabilities Delta – Provides the vulnerability differences between two scans.

Vulnerabilities – Lists vulnerabilities grouped by assets. The report details the vulnerabilities with criticality, descriptions, fix information and references. The references provide a link to the CVE web site. You can run custom or standard reports to review the system, users and security issues.

Vulnerability Exclusions – Lists vulnerabilities that are set to exclude. Includes the expiry date and reason properties.

Vulnerability Export – Provides a tabular list of all vulnerabilities discovered and their associated details.

The Attacks report uses information gathered by Retina Protection Agents.

Table 6. Attacks

Attack – Displays the total number of attacks, attacks per asset, assets attacked, attacker IP address, a list of the top x attacks, criticality and trends over time. Drill down into each attack for more information, such as action, port, protocol, and attacker.

Malware – Displays the total number of malware attacks, a list of the top x malware attacks, trends over time, and assets affected. Drill down into each malware attack for more information, such as the location of the malware, the asset and the IP address.

Delta reports are useful for comparing changes such as the addition or removal of user accounts, software changes, and OS upgrades.


Table 7. Assets

Asset Export – Displays the assets in a selected scan in .csv format. Information includes the asset name, IP address, DNS, domain and operating system.

Assets – Provides asset and risk information by hardware, MAC address, operating system, port, process, services, share and user account.

OS Delta – Displays the differences in operating systems between two scans.

OS – Lists the top 100 and bottom 100 discovered operating systems. Assets are grouped by OS; IP address, asset name, DNS name and risk are included.

Port Delta – Displays the port differences between two scans.

Port – Lists the top 100 and bottom 100 discovered ports for the assets included in the scan. Assets are grouped by port; IP address, asset, DNS and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Protection Agent Configuration – Displays the policies applied on an asset. Requires the Retina Protection Agent module.

Service Delta – Details the service differences between two scans.

Service – Lists the top 100 and bottom 100 discovered services for the assets included in the scan. Assets are grouped by service; IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Share Delta – Displays the share differences between two scans.


Share – Provides a summary of the top and bottom shares and a breakdown by IP address, asset name, DNS name, operating system and criticality.

Software – Lists the top 100 and bottom 100 discovered software for the assets included in the scan. Assets are grouped by software; IP address, asset name, DNS name, and risk level are included. Click an asset to drill down to more information: vulnerabilities, MAC address, ports, processes, and more.

Software Delta – Displays the software differences between two scans.

User Delta – Lists the number of new, unchanged and removed users. Drill down by asset to review a summary of the user updates.

User – Lists the top 100 and bottom 100 discovered users for the assets included in the scan. Assets are grouped by user; IP address, asset name, DNS name, and risk level are included.

Windows Event Report – Lists Windows event types based on your selection: Application, System, Security. Requires the Retina Protection Agent module.

Table 8. Executive Overview

Executive Summary – Provides an overview summary of assets and trends, such as audits by machine and audits by severity.

Table 9. Patches

Patches – Lists the assets included in the scan and the number of patches that need to be applied to each asset.


Lists each available patch and includes a link to more information for the patch. Each patch also provides the name of the violated audit.

Table 10. Hardware

Hardware Delta – Lists a summary of the hardware differences between two scans. Drill down by asset to review the differences.

Hardware – Lists the hardware discovered on each asset included in the scan.

Table 11. Regulatory Compliance

COBiT Compliance – Provides a report that ensures your environment satisfies the COBiT framework. Additional components: Any report pack.

FERC-NERC – Maps monitored controls to NERC requirements. Additional components: Government report pack.

GLBA Compliance – Provides security risk assessments that satisfy the requirements in the GLBA. Additional components: Financial report pack.

HIPAA Compliance – Maps configuration, patch and zero-day vulnerabilities to HIPAA security rules. Running a scan using the default scan settings ensures compliance with Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation. Additional components: Healthcare report pack.


HITRUST Compliance – Displays vulnerabilities mapped to HITRUST regulatory compliance standards. Supported sections from the standard and vulnerability counts are displayed.

ISO-27002 Compliance – Maps configuration, patch and zero-day vulnerabilities to satisfy ISO-27002. Additional components: Any report pack.

ITIL Compliance – Maps compliance violations and vulnerabilities back to ITIL best categories. Additional components: Any report pack.

MASS 201 – Maps configuration, patch and zero-day vulnerabilities to MASS 201. Additional components: Government report pack.

NIST 800-53 – Maps configuration, patch and zero-day vulnerabilities to the NIST 800-53 standard used to support FISMA compliance. Additional components: Government report pack.

SOX Compliance – Maps configuration, patch and zero-day vulnerabilities to defined SOX requirements. Additional components: Retail or Healthcare report pack.

Table 12. Protection

Protection Policy Differences Report – Provides a summary of differences in a protection policy. You cannot run reports on existing data for the Protection reports. This report is intended to provide configuration information for your Retina Protection agent policies.

Table 13. Configuration Compliance

Benchmark Compliance – Runs a benchmark scan based on a selected benchmark template and policy.


Benchmark Export – Provides a summary of differences in a benchmark policy.

Additional components: Configuration Compliance module.

Table 14. Patch Management

Approved Patches – Lists assets where patches are approved.

Installed Patches – Lists installed patches.

Required Patches – Lists required patches.

Additional components: Patch Management module.

Table 15. Tickets

Ticket – Displays details such as Status (Open, New, Closed), Severity, Assigned user, due date, ID, and ticket title.

Table 16. Mobility

Mobile Assets – Lists the mobile assets discovered.

Mobile Vulnerabilities – Lists vulnerabilities associated with mobile assets.

Table 17. PowerBroker Windows

Application ActiveX Details – Displays information about installation events for ActiveX controls in Internet Explorer.

Applications by Computer – Displays information about application usage on a client.

Applications By Hash – Displays information about all applications under management, tracked by hash code. Details include the hash code of the binary file, application name, file version, product name, and certificate publisher.


Applications By Path – Displays information about all applications under management, tracked by launch path.

Dashboard Report – Displays charts about the applications most frequently launched, requiring elevation, triggering User Account Control (UAC), and launched by Shell rule. Also displays charts about ActiveX controls, rules applied, local administrators, and the ratio of administrator users to standard users.

File Integrity by Asset – Displays the assets managed using PowerBroker for Windows File Integrity rules.

File Integrity by Rule – Displays the assets organized by the PowerBroker for Windows rules.

Shell Rule Executions – Displays information about all applications that run based on a shell rule.


Audit Groups

• Access Scan
• All Audits
• Android
• ActiveSync
• BlackBerry
• Databases
• Database Servers
• Domain Controllers
• FDCC-Windows XP
• FDCC-Windows Vista
• Mail Servers
• SANS20 (All)
• Secure Audits Configuration
• SANS20 (Unix)
• SCADA
• SANS20 (Windows)
• Third Party Patch Assessment
• Virtualization
• Web Applications
• Zero-Day

Regulatory Reporting Pack Audit Groups

• COBiT Compliance
• GLBA Compliance
• HIPAA Compliance
• HITRUST
• ITIL Compliance
• ISO-27002 Compliance
• NERC/FERC Compliance
• Mass 201 CMR 17 Compliance
• PCI Compliance
• NIST 800-53 Compliance
• SOX Compliance


Asset Management

In this section:

Interpreting Scan Results on the Dashboard
Reviewing Asset Details
Risk Scores
Changing Asset Properties
Changing the Display
Setting Display Preferences
Filtering Records
Managing Jobs
Reviewing Job Details
Reviewing Scheduled Job Details
Viewing Scan Event Details
Aborting or Pausing a Job
Changing Job Page Settings


Interpreting Scan Results on the Dashboard

To review scan results:

1. Log on to Retina CS.

2. Select a date tab to update the view with metrics for the selected date range.

3. Select the Custom dates tab and click the arrow to select a date range.

The middle pane displays the following information:

– Overall Threat Level – Plots attacks and vulnerabilities over time by severity. Change the Counts to display the results by type. Click on the graph to expand the display.

– Anomalies – Displays higher-frequency malware/virus/spyware/attack/vulnerability occurrences, assets with higher risk, ports/software with lower frequency, expired reports, expired scans, and long scans.

– Asset Risk – Displays the risk for all assets in the environment. Hover over the pie chart to display the percent call out. The values on the chart are calculated every 4 hours. For more information on risk scores, see Risk Scores.

The lower pane displays the following information:

– Critical Alerts – The event date and description.

– Operational Status – Information about scheduled scans.

– Completed Reports – The reports that ran.


1. Click Show Status to display status detail, including the names of scans. Hover over the job icon to see more details.

2. Click the refresh button to update the information on the dashboard.

Reviewing Asset Details

On the Assets tab you can review your protected assets and determine whether there are vulnerabilities, attacks, or malware compromising your assets.

To review asset information:

1. Select the Assets tab, and then select a Smart Group. Click the expand icons to expand the assets pane.

2. Select an asset, and then click i.

You can change the properties for an asset by clicking Edit. For more information, see Changing Asset Properties.

On the Asset Details pane, select an item to review more information.

Risk Scores

The risk score indicates the potential for an asset to be attacked. You can use the risk score to determine which assets need the most urgent attention.

The asset risk score is calculated using factors such as vulnerabilities, the number of attacks, exposure (for example, open ports, number of users, and shares), and the overall threat level.

Risk scores range from 0 to 9.99:

• 0 indicates a low risk, or that there is no data available to determine a potential risk.

• 9.99 indicates the highest risk; the asset is most vulnerable to an attack.


An asset risk score is displayed in the following areas:

• Pie chart on the Dashboard page
• On the Assets tab
• Details page for each asset

Changing Asset Properties

You can use the Asset wizard to change the following asset properties: owner, active, and asset attributes such as business unit.

Assign or change attributes to help organize and identify assets. For more information about attributes, see Working with Attributes.

Run a discovery scan to populate the Assets pane.

To change the details for an asset:

1. Select the Assets tab.

2. Select an asset, and then click the i. Alternatively, double-click the asset to open the asset details pane.

3. On the Asset Details pane, click Edit.

4. Click Next on the Welcome page of the Asset wizard.

5. On the Edit Asset Details page, select the asset properties.

6. On the Edit Asset Attributes page, select the attribute values and then click Next. The default attributes that you can apply are: Geography, Business Unit, Criticality, and Manufacturer.

7. Review the settings, and then click Finish.

Changing the Display

You can change the information displayed on Retina CS pages, including:

• Columns
• Number of records displayed at one time


• Filters to display only the records that meet the filter criteria

Setting Display Preferences

You can set display preferences on the following pages:

• Assets page
• Vulnerabilities page
• Agents page
• Jobs page
• User Audits page

Note that you can display a Domain column and filter by Domain. If the domain name is not known or the asset is not part of a domain, the field is blank. The Domain filter is not displayed by default.

To set display preferences:

1. Select the Assets tab.

2. Click the preferences button.

3. On the Preferences dialog box, set the following:

– Columns to Show - Select the check boxes for the columns that you want to display.

– Show Filter - Select to always display the filtering text boxes and lists. For more information, see Filtering Records.

– Records Per Page - Select the number of records to display at one time.

4. Click OK to close the Preferences dialog box.

5. Click the icon to open the Save Preferences dialog box.

6. Select the display settings, and then click Save Preferences.


Filtering Records

Create a filter to match the records that you want to view on the page.

To set filtering on assets:

1. Select the Assets tab.

2. Click the show filter button to display the filter options.

3. Enter the filter criteria and click the icon.


Managing Jobs

On the Jobs page, you can review:

• Active, scheduled, and completed scan jobs
• Active and completed Retina Protection agent deployments
• Active, scheduled, and completed reports
• Scheduled scans and scheduled reports in a calendar view
• SCCM package deployment status
• Windows event details

Reviewing Job Details

You can review job details for a scan (running or complete).

On the Job Details page, you can review the number of assets scanned, the number of processes successfully scanned, the credentials used for the scan, and a drill-down to the assets scanned.

A target is defined in a scan as any combination of: a single IP address, a computer name, a list of IP addresses, a list of computer names, an IP range, and cloud devices.

An asset is a device that is discovered from the range of targets defined in the scan. For example, the scan properties include these IP addresses in a range: 10.100.10.20 and 10.100.10.21. During the scan, there might not be a device attached to 10.100.10.20. That is reflected in the numbers shown for Targets and Assets on the Job Details page.
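The target-versus-asset distinction above, as an added example that is not part of the guide or the product: a small target expander that accepts the target kinds the guide lists (single IP, computer name, lists, IP range) and reports how many targets were defined versus how many answered as assets. The target syntax and the CIDR form are assumptions made for the example; cloud devices are not modelled.

```python
"""Added example (not BeyondTrust code): expand scan targets and count assets.

Targets are defined as in the guide (single IP, computer name, lists of
either, IP range); an asset is a target where a device actually responded,
so the Assets count on the Job Details page can be lower than Targets.
The target syntax here is an assumption modelled on that list.
"""
import ipaddress
import re

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_RANGE = re.compile(rf"^({_IPV4})\s*-\s*({_IPV4})$")


def expand_targets(spec: str) -> list:
    """Expand a comma-separated target spec into individual targets.

    "10.100.10.20"               single IP address
    "10.100.10.20-10.100.10.21"  inclusive IP range
    "10.100.10.0/30"             CIDR block, host addresses only (assumed form)
    "fileserver01"               computer name, normalised to lower case
    Duplicates are removed; the first occurrence wins.
    """
    targets = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        match = _RANGE.match(item)
        if match:
            first = ipaddress.IPv4Address(match.group(1))
            last = ipaddress.IPv4Address(match.group(2))
            if last < first:
                raise ValueError(f"range end precedes start: {item}")
            targets.extend(str(ipaddress.IPv4Address(n))
                           for n in range(int(first), int(last) + 1))
        elif "/" in item:
            network = ipaddress.ip_network(item, strict=False)
            targets.extend(str(host) for host in network.hosts())
        else:
            try:
                targets.append(str(ipaddress.ip_address(item)))
            except ValueError:
                targets.append(item.lower())  # not an address: computer name
    return list(dict.fromkeys(targets))


def job_counts(spec: str, responded) -> dict:
    """Targets versus assets, as the Job Details page reports them (assumed model).

    responded: identifiers of the targets at which a device answered during
    the scan; everything else is a target with no device behind it.
    """
    targets = expand_targets(spec)
    answered = {r.lower() for r in responded}
    assets = [t for t in targets if t in answered]
    return {
        "targets": len(targets),
        "assets": len(assets),
        "no_device": [t for t in targets if t not in answered],
    }


# The guide's example: a two-address range where 10.100.10.20 has no device.
SAMPLE_SPEC = "10.100.10.20-10.100.10.21"
SAMPLE_RESPONDED = ["10.100.10.21"]  # constructed scan outcome

if __name__ == "__main__":
    print(job_counts(SAMPLE_SPEC, SAMPLE_RESPONDED))
```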

The agent name indicates whether the scanner is in a scanner pool. For more information, see Scanner Pooling.

To review job details:

1. Select the Jobs tab.

2. Select the Active tab in the Scans section.

3. Double-click a job to open the Job Details pane.

In the following example, you can review the job details while the job is in progress.


Reviewing Scheduled Job Details

You can change the following settings for a scheduled job:

• Job name
• Smart Rule
• Credentials
• Schedule

The Last Refresh Date indicates the date when the Smart Rule was processed. Assets added or removed after the Last Refresh Date are not reflected in the Smart Rule.

The Smart Rules are processed every 6 hours. Depending on the schedule and how frequently assets change in your environment, you might want to change the refresh rate. Otherwise, assets might not be included in the scan as you expect. For more information, see Refresh Settings.


Viewing Scheduled Scans in the Calendar View

You can review the scheduled scans in a calendar that shows a summary of the scans scheduled for the month.

To view the scheduled scans for the month:

1. Click the Jobs tab, and then click Scheduled in the Scans section.

2. Click Toggle Calendar.

3. Click the Report icon to open the report for a completed scan.


Viewing Scan Event Details

You can review a summary of the gathered scan events.

Aborting or Pausing a Job


Changing Job Page Settings

Click the Job Page settings icon to change the display settings.

On the Job Grid Settings dialog box, you can configure the default job type, the refresh intervals, and the maximum number of assets displayed on the page.


Mobility Scanning

In this section:

Overview
Configuring a BlackBerry Connector
Configuring an Android Connector
Deploying the Application to Android Devices
Configuring Settings on Android Devices
Configuring an ActiveSync Connector
Configuring a PowerBroker Mobile Connector
Reviewing Mobility Scan Results
Creating Custom Audits for Mobile Devices

Overview

A mobility scan scans mobile devices against scan templates to determine whether there are any vulnerabilities.

You can use the predefined scan templates that ship with Retina CS or create a custom scan template. Create a custom template to scan for particular device software and hardware versions, for example.

Running a mobility scan also retrieves information such as device ID, model, and serial number from BlackBerry and Android devices and from mobile devices on an ActiveSync server.

After you create a mobility connector, a Smart Group is created. The Smart Group name is the same as the connector name. The Smart Group is populated with the devices that are detected when a scan runs.

Configuring a BlackBerry Connector

The BES connector, which uses RIM API technology, establishes a connection to the BlackBerry Admin service to retrieve the device information.

Mobility scans run on the Retina CS server, and do not use a scanning agent.

To configure a BlackBerry connector:

1. Click the Configure tab.

2. Click the Mobile tab.

3. Click + in the Mobility Connectors pane, and select BlackBerry.


– General - Enter a name and description for the connector.

– Connection Details - Enter the information for the BES host. Use the port number where BES is configured to listen. Confirm the port number in your BlackBerry Admin service configuration.

– Scan Options - Select an audit group.

– Synchronization - Select a synchronization schedule. During a synchronization, all BlackBerry devices connected to the BES host are detected, including software versions and any vulnerabilities found based on the audit group selected.

4. Click Update.

5. To run the scan now, click Scan Now. Scan Now is only available after you click Update.

A Smart Group is populated with the devices that are detected when the connector is created. Go to the Assets page to see the new Smart Group.


Configuring an Android Connector

To configure a connection to an Android mobile device:

• Create connection details on the Configure tab.
• Create a configuration file that you can email to your mobile device users.

When a valid connection is established, the audits are downloaded to the mobile device. Scan results are then uploaded to the Retina CS server.

To configure an Android connector:

1. Click the Configure tab.

2. Click the Mobile tab.

3. Click + in the Mobility Connectors pane, and select Android.

– General - Enter a name and description for the connector.

– Connection Details - Enter the authentication key for the Android connector. Note that this connector opens port 21691 to communicate with Android devices. Ensure this port is available.

– Scan Options - Select an audit group.

– Synchronization - Select a synchronization schedule.

– Distribution - Click Prepare Configuration File to generate a file that contains the server information for the connector. The device user needs the password to run the configuration file. Select the check box to allow Android devices that are using the configuration file to communicate with the server using an untrusted SSL certificate. Although this option is available, it is recommended to use a trusted SSL certificate.

4. Click Update.


After you create a connector, an Android connector Smart Group is displayed in the Assets pane.

If you are using a configuration file, you can distribute the file now using email. Be sure to provide the configuration file password using another method so that the Retina CS Server information in the configuration file remains secure.

Deploying the Application to Android Devices

BeyondTrust Scanner for Android is available on Google Play.

If you do not want to install the BeyondTrustScanner using Google Play, you can download the Android Package (APK) file from the Android Connector page. To install the BeyondTrustScanner APK on an Android device, you must enable the Unknown Sources setting.

You can manually deploy the app in the following ways:

• Email

– Ensure your Android devices are configured to receive email.

– Email the APK file to the user's email address.

– Select the attachment to start the installation. The Android application installation dialog box is displayed.

• USB

– Connect the Android device to your workstation. If prompted, enable USB File Sharing and Mass Storage modes.

– After your workstation recognizes the device, copy the APK file.

– Using a file management app from the Android Market (such as EStrongs File Manager or Linda), open the APK file to start the installation. The Android app installation dialog is displayed.

– After the application has been manually installed on the device, disable the Unknown Sources setting.

Configuring Settings on Android Devices

After the BeyondTrustScanner is installed on the device, the device user can run the configuration file. The user must enter the configuration file password before the BeyondTrustScanner is automatically configured with the server information in the file.

If you chose not to distribute the configuration file to your users, you can manually configure each mobile device using the BeyondTrustScanner application's Settings.


Note that after the mobile device is configured to communicate with a Retina CS Server, the Scan Time is dictated by the Android Connector. Any Scan Time values that have been previously configured in the BeyondTrustScanner application will be ignored.

To manually configure the Android application:

1. Tap the BeyondTrustScanner application.

2. Set the following on each device:

– Notifications - Tap to turn on notifications. Updates on the status of scans are displayed to the user.
– Asset Name - Tap to enter the name for the asset. This is the name that will be displayed on the Asset Details pane in Retina CS. By default, this is the user's Google account name.
– Allow Untrusted SSL - Tap to allow untrusted SSL.
– Authentication Code - Enter the authentication code that you entered when configuring the connection in Retina CS.
– Server - Enter the IP address and port for the Retina CS server. Enter the default port (21691) that is opened when a connector is created.

3. Click Synchronize. If your server settings are correct and your server is accessible, a list of Android Connectors that match the Authentication Code is displayed.

4. To register the device with the Retina CS Server, select an Android Connector from the list.

Configuring an ActiveSync Connector

Create a connector to an ActiveSync server to scan all mobile devices associated with the server.

Note that currently, Retina CS supports Windows Phone 7, iPhones, and Android mobile devices. While other mobile device types will be detected and scanned, some information might not be displayed (such as device type, model, OS).

To configure an ActiveSync connector:

1. Click the Configure tab.

2. Click the Mobile tab.

3. Click + in the Mobility Connectors pane, and select ActiveSync.

– General - Enter a name and description for the connector.


– Connection Details - Click the Browse button to select the forest and domain where the Exchange Server resides.
– Credentials - Enter the credentials that can access the Exchange Server.
– Scan Options - Select an audit group.
– Synchronization - Select a synchronization schedule.

4. Click Update.

After you create a connector, an ActiveSync Smart Group is displayed in the Assets pane. The Smart Group will be populated with assets after a scan runs.

Reviewing Mobility Scan Results

You can review scan results on the Mobile tab. Double-click a device to open the details page.

Creating Custom Audits for Mobile Devices

You can create a custom audit for your mobile devices.


The procedure to create a custom audit is the same as in Creating a Custom Audit.

You can review the following table for details on audit types and audit details that are specific to mobile devices.

Audit Type - Audit Details

• Mobile Software - Provide information, including: software, if the software exists, operating systems and versions.
• BlackBerry Device - Provide attributes for BlackBerry devices: model, serial number, device ID, version, and operating systems.
• ActiveSync Device - Provide a list of device types and operating systems.
• Android Device - Choose from a list of Android attributes, including: model, manufacturer, release


Cloud Scanning

In this section:

Requirements
Amazon EC2 Requirements
VMWare VCenter Requirements
Configuring a Cloud Connector
Scanning Paused or Offline VMWare Images

You can run scans on the following cloud types: Amazon EC2, VMWare vCenter, GoGrid, Rackspace, and IBM SmartCloud.

Requirements

Before you create a cloud connector, ensure the following requirements are in place.

Amazon EC2 Requirements

To use the Amazon EC2 connector, you must adhere to the following recommendations from Amazon:

• User accounts must have minimal permissions assigned (for example, describe instances).
• Small or Micro instances cannot be scanned.

The following minimum permissions are required to successfully enumerate a list of targets and run a scan:

• ec2:DescribeInstances
• ec2:DescribeInstanceStatus
• ec2:StartInstances
• ec2:StopInstances
• ec2:DescribeImages
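The five actions above, turned into a least-privilege check, as an added example written for this guide (not BeyondTrust's or Amazon's code): it builds a policy document that grants exactly the listed actions and audits an existing policy for missing actions or grants broader than the minimum, such as ec2:*. The two sample policies are constructed.

```python
"""Least-privilege check for the Amazon EC2 connector's IAM policy.

Added example, not BeyondTrust or Amazon code. REQUIRED_ACTIONS is the minimum
the guide lists; the policy shape and the sample policies are constructed.
"""
import fnmatch
import json

# The minimum EC2 actions the guide lists for enumerating targets and running a scan.
REQUIRED_ACTIONS = frozenset({
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceStatus",
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:DescribeImages",
})


def minimal_policy() -> dict:
    """Return an IAM policy document that grants exactly REQUIRED_ACTIONS.

    Resource is "*" because the ec2:Describe* actions accept no narrower resource;
    Start/StopInstances could be narrowed further to specific instance ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",
        }],
    }


def _allowed_actions(policy: dict) -> list:
    """Flatten every Action granted by Allow statements (Action may be a string or a list)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    granted = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        granted.extend([action] if isinstance(action, str) else action)
    return granted


def _covers(grant: str, action: str) -> bool:
    """IAM action names match case-insensitively and allow * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), grant.lower())


def audit_policy(policy: dict) -> dict:
    """Compare a policy against REQUIRED_ACTIONS.

    missing   - required actions that no Allow grant covers
    wildcards - grants containing * (they match more than the minimum)
    extra     - literal actions outside the required set
    """
    granted = _allowed_actions(policy)
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(a for a in REQUIRED_ACTIONS
                     if not any(_covers(g, a) for g in granted))
    wildcards = sorted(g for g in granted if "*" in g)
    extra = sorted(g for g in granted
                   if "*" not in g and g.lower() not in required_lower)
    return {"missing": missing, "wildcards": wildcards, "extra": extra}


# Constructed sample: the kind of policy a quick setup produces.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"}],
}

# Constructed sample: a hand-written policy that forgot one action.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus",
                             "ec2:StartInstances", "ec2:DescribeImages"],
                  "Resource": "*"},
}

if __name__ == "__main__":
    print(json.dumps(minimal_policy(), indent=2))
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(name, audit_policy(pol))
```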

VMWare VCenter Requirements

You can scan VMWare virtual machines.

Ensure the following requirements are in place before you configure the VMWare connector in Retina CS.

• Retina 5.17 or later


• Retina CS 3.5 or later
• VMWare Tools must be installed on the targets that you want to scan.
– Log on to the VMWare web site and download the Virtual Disk Development Kit (VDDK): http://www.vmware.com/support/developer/vddk/
– Retina only supports version 5.1 of the VDDK. Ensure you copy the following file: VMware-vix-disklib-5.1.0-774844.i386.exe
– Run the VDDK installer on the Retina computer using local Administrator credentials.
• Retina CS needs access to https://<VMWare server>/sdk through port 443.

Configuring a Cloud Connector

You can configure a cloud connector in one of the following ways:

• On the Configure tab.
• On-the-fly when you are creating a cloud connector Smart Group.

To configure a cloud connector and Smart Group:

1. Select the Assets tab, and then click Manage Smart Rules.

2. Click New Rule, and then enter the name, description, and category.

3. Select Cloud Assets from the Asset Selection Criteria section.

4. Click the browse button to open the Manage Cloud Connections dialog box.

5. Click New.

6. Enter a title, and then select the provider: Amazon EC2, VMWare VCenter, GoGrid, Rackspace, or IBM SmartCloud.

7. On the New Connection dialog box, enter the connector information:

– Amazon - For Amazon cloud connections, you must enter the region, access key ID, and secret access key. Instances associated with the region are displayed in the Connection Test Results section.
– VMWare vCenter - For VMWare cloud connections, enter the VMWare server name and credentials. Click Advanced to set a network for a VM if that VM needs to be turned on. If you scan snapshots, the results are displayed as attributes on the details pane for the VM.
– GoGrid - Select the account type, enter the user name and API key.


– Rackspace - Select the account type, enter the user name and API key.
– IBM SmartCloud - Select the region, enter the user name and password.

After you configure the connector, click Test to ensure the connector works.

8. Click Save.

9. In the Perform Actions area of the Smart Rules Manager, select Show asset as Smart Group, and then click Save.

After you create a cloud connector, you can run a scan and review the results to determine if any cloud assets are vulnerable.

Scanning Paused or Offline VMWare Images

By default, paused or offline VMs are turned on during a scan. After the scan runs, the VMs are reverted to the paused or offline state. To scan offline VMs without turning them on, see Scanning VMDK Files.

If you consider a VM suspicious, you can turn on the VM in another secure network where other VMs will not be under potential threat. The scan runs as usual, then the VM is reverted to the paused or offline state.

When creating the connector, click the Advanced button. You can configure each host that is a member of the vCenter instance. The option that you select applies to all VMs on the host.

Note: The advanced options dialog box varies depending on your vCenter configuration. The list of available options includes all other networks configured for your vCenter instance or on your ESX server.


Scanning VMDK Files

You can scan a VMDK file rather than turning on a VM. Ensure the check box is selected as shown.

Scan times are faster when VMs remain powered off. However, scan results might differ from scan results for VMs powered on (for example, open ports and running processes might not be detected for VMs powered off).


Multi Tenant

Not supported in Retina CS Community.

Overview
Smart Rules Manager
Working with Credentials
Quick Rules
Organization Filters
Patch Management Module
Mobility Connectors
Retina Protection Agents
Setting Up Organizations
Step 1 Creating a Workgroup
Step 2 Adding an Organization
Step 3 Creating a User Group for a Tenant

Overview

The Multi Tenant feature in Retina CS allows you to define multiple organizations (or tenants) where each organization's asset data is kept isolated from all other organizations. Only Smart Rules marked as Global can combine asset data across multiple organizations.

Most Retina CS features are available with Multi Tenant, including:

• Smart Rules
• Patch management module
• Mobility connectors

Features not available include exclusions, tickets, and report templates.


Smart Rules Manager and Browser Pane

All of the pre-packaged Smart Rules are part of the Global rules. When a pre-packaged Smart Rule is turned on, it applies to all assets in every organization. You can select the Global rules from the Smart Groups browser pane.

When you initially create an organization:

• The Default Organization is provisioned with an All Assets Smart Rule.
• The new organization is provisioned with an All Assets Smart Rule.

Create Smart Rules in the usual way. For more information, see Creating a Smart Rule.

You can easily switch between tenants on the Smart Groups browser pane and on the Smart Rules Manager page.

Working with Scan Credentials

You can create credentials when running a scan. However, when using the multi-tenant feature, you can create global credentials or credentials for an organization.

All users can see global credentials. Correct permissions are needed to see tenant-specific credentials.

It is recommended to create credentials specific to each tenant.

In the following scenario, while XYZ Financial is the organization selected, you can choose to create credentials only for XYZ or select the Set as Global check box.


For more information about credentials, see Adding Credentials.

Quick Rules

When you create a quick rule from the Vulnerabilities page or the Attack page, the rule applies to whichever organization is selected in the Smart Groups browser pane.

When you create a quick rule from the Address Group, you can select the organization.

Organization Filters

When working with more than one customer, use the Organization filters to see only assets, Retina scan agents, or Retina protection agents associated with a particular customer.

The Organization filter is only displayed if more than one active organization is available to the currently logged-on user.

Additionally, when managing your user groups, you can filter Smart Rules by organization.

Patch Management Module

If you are using Multi Tenant, note the following when using the Patch Management Module:

• For each WSUS server connection, you must select an organization.
• When creating a Smart Rule, the credentials displayed are only for the selected organization.
• Credentials created when you create the Smart Rule are only associated with that organization.
• The list of available WSUS servers includes all global connections plus any specific to the organization.


For more information, see Patch Management Module.

Mobility Connectors

You can associate an organization with any of the mobility connectors. Select the organization when creating the connector.

For more information, see Mobility Scanning.

Retina Protection Agents

A workgroup is required when deploying Retina protection agents in a Multi Tenant environment.

For more detailed information about deployment, see Deploying the Protection Policies.

Selecting a Workgroup

For unknown assets (assets not scanned by Retina CS), you must select a workgroup associated with the organization. Assets might be unknown when using the settings:

• Single IP address
• IP range
• CIDR notation
• Named Hosts

For known assets (assets detected and in the Retina CS database), a workgroup does not need to be selected. The assets are already associated with a workgroup. Assets are known when using the settings:

• Currently selected Smart Group
• Currently selected Assets

Creating a Workgroup

When an organization is selected in the Smart Groups browser pane, you can enter a workgroup name if one is not already created for the organization.

The workgroup name must be unique across all organizations. If you enter a name that exists, an error message is displayed.

Note that you cannot enter a workgroup name when Global is selected in the Smart Groups browser pane.


Viewing the Workgroups Available

The workgroups displayed depend on the item selected in the Smart Groups browser pane.

• Global - All workgroups are displayed. The organization is in parentheses.
• Organization - Only workgroups associated with the organization are displayed.

Setting Up Organizations

Key steps in setting up an organization:

• Create a workgroup
• Create an organization
• Create a User Group

Step 1 Creating a Workgroup

Permissions: The User Accounts Management permission is needed to assign workgroups to an organization.

Every Retina scanner agent or Retina protection agent must be assigned a workgroup. A workgroup is typically created when the agent is initially deployed.


You can add and delete workgroups. However, you cannot rename workgroups.

You can only delete a workgroup if it is not associated with an organization, mobility connector, Retina scanner, or protection agents.

Use the REM Client Configuration tool to create a workgroup.

To create the workgroup:

1. Log on to the asset where the agent resides.

2. Start the REM Client Configuration Tool.

3. Select the Enabled Application tab, and select the check box for the agent.

4. Select the Workgroup tab and enter a name and description.

5. Click OK.

Step 2 Adding an Organization

An organization is automatically populated with an All Assets Smart Group.

To create an organization and associate it with a workgroup:

1. Click the Configure tab, and then click the Organizations tab.

2. Click the Create New Organization button.

3. Enter the name of the organization.


The Active check box is selected by default and must be selected to successfully run scans on the tenant's assets.

4. Click the Create button.

5. Scroll to the Workgroups tab.

6. Click the edit icon for the organization, and then select the organization.

7. Click the check mark to save the changes.

Step 3 Creating a User Group for a Tenant

You can create a user group for a tenant. The users in the group can then log on to Retina Insight and run reports. When creating the user group, ensure that you assign the Retina Insight permission. Additionally, assign Read permissions to the tenant's Smart Rules. The users can then run reports based on the Smart Rules.

Creating a user group for a tenant is optional and only required if your client wants to run reports from Retina Insight. For more information, see Managing Users.

As a security measure, a tenant cannot log on to Retina CS.


Managing Users

Not supported in Retina CS Community.

In this section:

Creating User Groups
User Group Permissions
Access Levels
Creating User Accounts
Reset Retina CS Account Password
Auditing Retina CS Users

Create user groups and user accounts so that your Retina CS administrators can log on to Retina CS.

You can delegate Retina CS administrator responsibilities by explicitly assigning certain Read and Write permissions to a user group. After a user group is created, create and add user accounts to the group.

Creating User Groups

You can create a user group based on the delegation model you designed for your Retina CS administrators.

Alternatively, you can add an Active Directory group. Members in that group can log on to Retina CS and perform tasks based on the permissions assigned to the group.

An Administrators user group is created by default. The permissions assigned to the group cannot be changed. The user account you created when you configured Retina CS is a member of the group.

For a complete list of the Read and Write permissions available, see User Group Permissions.

When a user is added to a group, the user is assigned the permissions that are assigned to the group.

To create a user group:

1. Select the Configure tab, and then select the Accounts tab. Select the button to change the view between all users and all groups.


2. To create a user group, click + in the User Groups pane.

3. Select Group or Active Directory Group from the list.

4. Enter a name and description for the user group, or Forest and Domain for an Active Directory group. These fields are required.

If you select Active Directory Group, then the Select Active Directory dialog box is displayed. If the Retina CS server is a member of a domain, the Forest name is automatically populated. Note, however, that you might need to click Credentials if the Retina CS application pool identity does not have sufficient rights to query Active Directory.

If the Retina CS server is not a member of a domain, you need to set proper credentials first (click Credentials) and then enter a valid Forest name and click Go. Next, select a domain from the drop-down menu. A list of Security Groups in the selected domain is displayed.

For performance reasons, a maximum of 250 groups from Active Directory is retrieved. If the selected domain contains more than 250 security groups, you can use the Group Filter field to shorten the displayed list. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Some examples of other filters are:

a* (returns all group names that start with a)
*d (returns all group names that end with d)
*sql* (returns all groups that contain 'sql' in the name)

5. Select the Active check box to activate the user group. Otherwise, clear the check box and activate later.

6. Select the permissions and access levels.

7. Select the Smart Rules and access levels to the rules.

8. Click Create.

9. Create and add user accounts.


User Group Permissions

Permissions in Retina CS must be assigned cumulatively. For example, if you want a Retina CS administrator to manage only Configuration Compliance scans, then you must assign Read and Write for the following permissions: Asset Management, Benchmark Compliance, Reports Management, Scan - Job Management, Scan Management.

The following table provides information on the permissions that you can assign to your user groups.


Permission Name - Apply Read and Write to…

• Asset Management - Create Smart Rules; edit or delete on the Asset Details window; create Active Directory queries; create address groups.
• Attribute Management - Add, rename, delete attributes when managing user groups.
• Benchmark Compliance - Configure and run benchmark compliance scans.
• Credential Management - Add and change credentials when running scans and deploying policies.
• Deployment - Activate the Deploy button.
• File Integrity Monitoring - Work with File Integrity rules.
• Manual Range Entry - Allows the user to manually enter ranges for Scans and Deployment rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.
• Option Management - Change the application options settings (such as account lockout and account password settings).
• Patch Management - Use Patch Management module.
• PowerBroker for Unix & Linux - Use the PowerBroker Servers module.
• PowerBroker for Windows - Activates access to the PowerBroker for Windows features, including PBW asset details and the exclusions page on the Configure tab.
• Protection Policy Management - Activate the protection policy feature. User groups can deploy policies, and manage protection policies on the Configure tab.
• Reports Management - Run scans, create reports, create report category.
• Retina CS Login - Access the Retina CS management console.


• Retina Insight - Sign in to Retina Insight, generate reports, and subscribe to reports. After you create a user group for Retina Insight, go to the Configure tab in Insight and run the process daily cube job. Data between Retina CS and the Insight cube must be synchronized.
• Scan - Audit Groups - Create, delete, update and revert Audit Group settings.
• Scan - Job Management - Activate Scan and Start Scan buttons. Activates Abort, Resume, Pause and Delete on the Job Details page.
• Scan - Policy Manager - Activate the settings on the Edit Scan Settings view.
• Scan - Port Groups - Create, delete, update and revert Port Group settings.
• Scan Management - Delete, edit, duplicate, and rename reports on the Manage Report Templates. Activate New Report and New Report Category. Activate Update button on the Edit Scan Settings view.
• Session Monitoring - Use the Session Monitoring features.
• Ticket System - View and use the ticket system.
• Ticket System Management - Mark a ticket as Inactive. The ticket no longer exists when Inactive is selected.
• User Accounts Management - Add, delete, or change user groups and user accounts.
• User Audits - View audit details for Retina CS users (Configure tab, User Audits window).


Access Levels

• No Access - Neither Read nor Write check boxes are selected. Users can only view the dashboard and corresponding views.
• Read - Users can view selected areas, but cannot change information.
• Read and Write - Users can view and change information for the selected area.
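The cumulative rule from User Group Permissions and the three access levels above, as an added example (not BeyondTrust code): it encodes the guide's requirement for managing only Configuration Compliance scans and, for a constructed sample group, reports which grants are still missing and which Read and Write grants that task does not call for.

```python
"""Cumulative permission check for a Retina CS user group.

Added example, not BeyondTrust code. TASKS encodes the requirement the guide
states for managing Configuration Compliance scans only; the sample group is
constructed.
"""

# The three access levels from the guide, ordered so they can be compared.
NO_ACCESS, READ, READ_WRITE = 0, 1, 2
LEVEL_NAMES = {NO_ACCESS: "No Access", READ: "Read", READ_WRITE: "Read and Write"}

# Permissions that must be granted together for a task (the guide's example task).
TASKS = {
    "Configuration Compliance scans": {
        "Asset Management": READ_WRITE,
        "Benchmark Compliance": READ_WRITE,
        "Reports Management": READ_WRITE,
        "Scan - Job Management": READ_WRITE,
        "Scan Management": READ_WRITE,
    },
}


def level_from_checkboxes(read: bool, write: bool) -> int:
    """Map the Read/Write check boxes on the group page to an access level."""
    if write:
        return READ_WRITE
    return READ if read else NO_ACCESS


def missing_for_task(grants: dict, task: str) -> dict:
    """Permissions the group still needs for `task`, with the level required."""
    return {perm: LEVEL_NAMES[lvl]
            for perm, lvl in TASKS[task].items()
            if grants.get(perm, NO_ACCESS) < lvl}


def excess_write_grants(grants: dict, task: str, baseline=frozenset({"Retina CS Login"})) -> list:
    """Read and Write grants the task does not call for (least-privilege review).

    Permissions in `baseline` (console logon by default) are never reported.
    """
    needed = TASKS[task]
    return sorted(perm for perm, lvl in grants.items()
                  if lvl == READ_WRITE
                  and perm not in baseline
                  and needed.get(perm, NO_ACCESS) < READ_WRITE)


def review_group(grants: dict, task: str) -> dict:
    """One-shot report: what to add and what to take away for a single-task group."""
    add = missing_for_task(grants, task)
    return {"add": add,
            "remove_write": excess_write_grants(grants, task),
            "complete": not add}


# Constructed sample: a group meant only for Configuration Compliance scans.
COMPLIANCE_ADMINS = {
    "Retina CS Login": level_from_checkboxes(True, True),
    "Asset Management": level_from_checkboxes(True, True),
    "Benchmark Compliance": level_from_checkboxes(True, True),
    "Reports Management": level_from_checkboxes(True, True),
    "Scan - Job Management": level_from_checkboxes(True, False),   # Read only: too low
    "Scan Management": level_from_checkboxes(True, True),
    "Patch Management": level_from_checkboxes(True, True),         # not needed for the task
}

if __name__ == "__main__":
    print(review_group(COMPLIANCE_ADMINS, "Configuration Compliance scans"))
```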

Permissions Required for Configuration Options

Configure tab option - Permission

• Accounts - Everyone can access. Users without User Accounts Management permission can only edit their own user record.
• Active Directory Queries - Asset Management
• Address Groups - Asset Management
• Attributes - Asset Management
• Benchmark Management - Benchmark Compliance
• Cloud Connections - Asset Management
• Mobile - Asset Management
• Organization - User Accounts Management
• Patch Management - Patch Management
• SCCM - Patch Management
• Protection Policies - Everyone can access
• Scan Options - Scan Management
• Services - Member of the built-in RCS Administrators group
• User Audits - User Audits
• Workgroups - User Accounts Management


Creating User Accounts

User accounts create the user identity that Retina CS uses to authenticate and authorize access to specific system resources.

When you delete a user account or group that is assigned tickets, a dialog box is displayed where you can reassign the ticket to another user or group.

A user account must be a member of a user group.

Checkpoint: You must create a user group before you can create a user account. For more information, see Creating User Groups.

To create a user account:

1. Select the Configure tab, and then select the Accounts tab.

2. From the Groups/Users button, select the Groups view.

3. Select a user group.

4. Click + in the Users pane. To edit a user, select the user account. The User Details pane is displayed.

5. Complete the First Name, Email Address, User Name, Password, and Confirm Password fields. These fields are required.

Note: If you are changing the password, see Reset Retina CS Account Password.

6. Enter the user's phone numbers (optional).

7. Select an Activation Date and an Expiration Date for the user account.

8. Select the User Active check box to activate the user account.

9. Select the Account Locked check box to lock the account.

10. Select one or more user groups from the list and click Add.

11. Click Create.


Later, after you create a user, you can change the group membership. Change the view to the Users view, select a user account, and change the group membership.

Reset Retina CS Account Password

You can change the password for a Retina CS user account.

To reset a user password:

1. Select the Configure tab, and then select the Accounts tab.

2. Select the user name from the Users pane.

3. Click Reset Password.

4. Enter the new password.

5. Click Update.

Auditing Retina CS Users

You can track the activities of your Retina CS administrators.

You can review:

• Logon and log off times
• IP address where the admin logged on from
• Any actions taken (for example, configuring user settings)

If there are a lot of audit activities, you can use the search feature to display only those that are relevant. You can also configure display preferences and filters to refine the information displayed. For more information, see Changing the Display.


The following example shows that the Administrator added and then removed an address group.

Adding Credentials

You can create the following credential types:

• SSH. See Creating an SSH Credential.
• Windows
• MySQL
• Microsoft SQL Server
• Oracle. See Creating Oracle Credentials.

Retina scanner agent version 5.14 (or later) is required to support this feature.

To add a credential:

1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.

2. Click Add.

3. Select a credential type from the list: Any, Windows, MySQL, MS SQL Server.

4. Enter the user account information: domain, user name, password, and key.

5. If you are creating Microsoft SQL Server credentials, select the authentication type.

6. If you are creating more than one credential, you can use the same confirmation key for all credentials. Select the Use the same key for all check box, and then enter the key.

7. Click Save.

Creating an SSH Credential

You can create Public Key Encryption credentials to connect to SSH-configured targets. You can select a credential that contains a public/private key pair used for SSH connections.

DSA and RSA key formats are supported.


Optionally, when configuring SSH, you can select to elevate the credential:

• Use sudo. Using sudo, you can access scan targets that are not configured to allow root accounts to log on remotely. You can log on as a normal user and sudo to a more privileged account. Additionally, you can use sudo to elevate the same account to get more permissions.
• Use pbrun. Using pbrun, you can elevate the credential when working with PowerBroker Servers for Unix & Linux target assets.

To create an SSH credential:

1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.

2. Click Add.

3. From the Type list, select SSH.

4. Enter a description and user name.

5. Select an authentication type from the list:

– Password - Enter a password.
– Public Key - Enter the private key file name and passphrase. Click Browse to navigate to the file. A public key is generated based on the contents of the private key.

6. Enter a description and key.

7. To elevate credentials, select one of the following from the Elevation list. Elevating credentials is optional.

– sudo – Enter a sudo user name and password. You can use the user name provided in the Username box and leave the sudo username blank.
– pbrun – Enter the pbrun user name.

8. Click Save.

Creating Oracle Credentials

If you are scanning Oracle databases, you can create Oracle credentials.

The tnsnames.ora file is updated automatically after you create an Oracle credential.

To create Oracle credentials:

1. On the Set Scan Options page, expand Credentials Management and click the pencil icon.

2. Click Add.

3. From the Type list, select Oracle.

4. Provide a user name, description, and password.


5. Select an access level from the list: Standard, SYSDBA, or SYSOPER.

6. Select additional connection options:

– Connect To - Select from: Database SID, Named Service.
– Database SID - Enter the database SID.
– Protocol - Select a protocol: TCP, TCPS, NMP.
– Host - Enter the host name where the Oracle database resides.
– Port Number - Enter a port number.

7. Enter a key.

8. Click Save.

Adding Credentials for Active Directory Access

You can add credentials to access a particular Active Directory domain. Add credentials for each forest/domain combination.

To add Active Directory credentials:

1. Click the Configure tab, and then select the Accounts tab.

2. Click + and select Active Directory Group.

3. Click Credentials.

4. Click Add.

5. Enter the forest name, domain name, user name, and password. Enter the user name using the format <domain name>\user name. Otherwise, the domain you enter in the Domain box is used.

6. Click Test. Success is displayed when the credentials provided can successfully contact the domain.

7. Click OK.


Setting Retina CS Options

In this section:

Account Lockout Options
Account Password Options
Auto Update Options
Display Options
Email Notification Options
Maintenance Options
Proxy Settings
Refresh Settings

Account Lockout Options

Not supported in Retina CS Community.

You can set lockout options, such as lockout threshold and duration.

To set account lockout parameters:

1. Select Options.

2. On the Application Options dialog box, expand Account Lockout Options.

3. Set the following account lockout options:

– Account Lockout Duration - Sets the number of minutes the user is locked out.
– Account Lockout Threshold - Sets the number of times a user can try their password before the account is locked out.
– Account Lockout Reset Interval - Sets the number of unsuccessful password entry attempts before generating a reset notification.
– Unlock Account upon Password Reset Notification - Select the Yes check box to email a new password and unlock the account when Forgot Your Password is selected. If not selected, an email is sent with a new password but the account is not unlocked.

4. Click Update.
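The four lockout options above, played out against a burst of wrong passwords, as an added example (not BeyondTrust code): the clock is a simulated minute counter, the attempt log is constructed, and the Reset Interval is modelled as the guide describes it, a reset notification after that many failed attempts.

```python
"""Account lockout policy simulation.

Added example, not BeyondTrust code. The four options mirror the guide's Account
Lockout Options; the simulated clock counts minutes and the attempt log is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    duration_minutes: int = 30      # Account Lockout Duration
    threshold: int = 5              # Account Lockout Threshold (bad attempts before lockout)
    reset_interval: int = 3         # Account Lockout Reset Interval (bad attempts before a reset notification)
    unlock_on_reset: bool = False   # Unlock Account upon Password Reset Notification


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[int] = None          # minute the lockout ends; None = never locked
    events: List[Tuple[int, str]] = field(default_factory=list)


def is_locked(state: AccountState, now: int) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_failure(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """One wrong password at minute `now`; returns True if the account is locked afterwards."""
    if is_locked(state, now):
        state.events.append((now, "rejected: account locked"))
        return True
    state.failures += 1
    if state.failures == policy.reset_interval:
        state.events.append((now, "reset notification generated"))
    if state.failures >= policy.threshold:
        state.locked_until = now + policy.duration_minutes
        state.events.append((now, f"locked for {policy.duration_minutes} min"))
        return True
    return False


def record_success(state: AccountState, now: int) -> bool:
    """A correct password is still rejected while locked; otherwise it clears the counter."""
    if is_locked(state, now):
        state.events.append((now, "rejected: account locked"))
        return False
    state.failures = 0
    state.events.append((now, "logon ok"))
    return True


def password_reset_notification(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """Forgot Your Password: a new password is emailed; the account is unlocked only if the option is Yes.

    Returns True if the account can log on after the reset.
    """
    state.events.append((now, "new password emailed"))
    if policy.unlock_on_reset:
        state.locked_until = None
        state.failures = 0
        state.events.append((now, "account unlocked by reset"))
    return not is_locked(state, now)


def simulate(policy: LockoutPolicy, attempts) -> AccountState:
    """Replay (minute, password_ok) pairs against a fresh account and return its state."""
    state = AccountState()
    for now, ok in attempts:
        if ok:
            record_success(state, now)
        else:
            record_failure(policy, state, now)
    return state


# Constructed attempt log: five wrong passwords in five minutes, then the real
# user tries the right one while locked, and again after the lockout expires.
BURST = [(0, False), (1, False), (2, False), (3, False), (4, False), (10, True), (35, True)]

if __name__ == "__main__":
    for t, what in simulate(LockoutPolicy(), BURST).events:
        print(f"t={t:>3} min  {what}")
```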


Account Password Options

Not supported in Retina CS Community.

You can set account password parameters, such as a complexity requirement and password length.

To set account password parameters:

1. Select Options.

2. On the Application Options dialog box, expand Account Password Options.

3. Set the following password options:

– Password Must Meet Complexity Req. - Requires users to adhere to complex password rules when creating a password.

– Enforce Password History - Enter the number of passwords a user must create before an old password can be reused. Enter 0 to not enforce a password history. There are no restrictions on using past passwords when 0 is entered.

– Minimum Password Length - Enter the minimum number of characters for the password.

– Maximum Password Age - Enter the maximum number of days before a password must be changed.

– Minimum Password Age - Enter the minimum number of days that a password must be used before it can be changed.

4. Click Update.
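The five password options as enforcement logic, added here as an example (illustrative Python, not BeyondTrust code). The complexity rule is not defined on this page, so the example assumes the common "three of four character classes" rule; the user record, the sample passwords and the dates are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass
class PasswordOptions:
    """Mirrors the Account Password Options dialog (defaults are assumed)."""
    must_meet_complexity: bool = True    # Password Must Meet Complexity Req.
    enforce_password_history: int = 5    # Enforce Password History (0 = not enforced)
    minimum_password_length: int = 8     # Minimum Password Length
    maximum_password_age_days: int = 90  # Maximum Password Age
    minimum_password_age_days: int = 1   # Minimum Password Age


@dataclass
class UserPasswordRecord:
    history: List[str] = field(default_factory=list)   # digests, oldest first
    last_changed: datetime = datetime(2013, 1, 1)


# Assumed complexity rule (the page does not define one): at least three of
# these four character classes, as in the common Windows policy.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def digest(password: str) -> str:
    # Demo only: a production store uses a salted, slow hash such as bcrypt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(opts: PasswordOptions, rec: UserPasswordRecord,
                       candidate: str, now: datetime) -> List[str]:
    """Returns the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < opts.minimum_password_length:
        problems.append(f"shorter than {opts.minimum_password_length} characters")
    if opts.must_meet_complexity:
        classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, candidate))
        if classes < 3:
            problems.append("does not meet complexity requirement")
    if opts.enforce_password_history > 0:
        # Only the most recent N passwords are off limits; 0 disables the check.
        recent = rec.history[-opts.enforce_password_history:]
        if digest(candidate) in recent:
            problems.append(f"reuses one of the last {opts.enforce_password_history} passwords")
    if rec.history and now - rec.last_changed < timedelta(days=opts.minimum_password_age_days):
        problems.append(f"changed less than {opts.minimum_password_age_days} day(s) ago")
    return problems


def password_expired(opts: PasswordOptions, rec: UserPasswordRecord, now: datetime) -> bool:
    """Maximum Password Age: True once the password is older than the limit."""
    return now - rec.last_changed > timedelta(days=opts.maximum_password_age_days)


def change_password(opts: PasswordOptions, rec: UserPasswordRecord,
                    candidate: str, now: datetime) -> List[str]:
    """Applies the change only when every check passes; returns the problems."""
    problems = check_new_password(opts, rec, candidate, now)
    if not problems:
        rec.history.append(digest(candidate))
        rec.last_changed = now
    return problems


def demo_user() -> UserPasswordRecord:
    """Constructed user who has used two passwords, last changed 1 June 2013."""
    return UserPasswordRecord(history=[digest("Winter2012!"), digest("Spring2013!")],
                              last_changed=datetime(2013, 6, 1))


if __name__ == "__main__":
    opts = PasswordOptions(enforce_password_history=2)
    rec = demo_user()
    print(check_new_password(opts, rec, "Spring2013!", datetime(2013, 6, 10)))
```

Note the history window: with Enforce Password History set to 1, only the most recent password is blocked, so the older "Winter2012!" becomes reusable; with 0 nothing is blocked, which matches the description above.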

Auto Update Options

Retina CS contacts the Update Server to retrieve the latest product and audit updates. Downloading updates ensures your assets are secure against the latest vulnerabilities.

By default, Auto Update is turned on.

To activate Auto Update:

1. Select Options.

2. On the Application Options dialog box, expand Auto-Update Options.

3. Select the Yes check box.

4. Click Update.


Display Options

You can turn on auto-expansion and set the number of items to display per page.

To set display options:

1. Select Options.

2. On the Application Options dialog box, expand Display Options.

3. Select the Yes check box to open the report in a new window. This feature is available only with reporting on existing data.

4. Enter the number of items to display per page.

5. Select the Yes check box to turn on auto-expansion.

6. Click Update.

Email Notifications

The email notification sends an email when an error occurs while running reports. The email address is stored in the Retina CS database.

Note: Email settings are initially set in the Retina CS configuration tool. Ensure that you use the same information here.

To add an email address for notification:

1. Select Options.

2. On the Application Options dialog box, expand Email Notification Options.

3. Enter an email address in the From Email Address box.

4. Verify the SMTP server name and port.

5. Enter the username and password.

6. Click Update.

Maintenance Options

You can remove collected data from the Retina CS database. Configure the number of days to retain data.

Not all maintenance options are supported in Retina CS Community.

To specify the maintenance options:

1. Select Options.

2. On the Application Options dialog box, expand Maintenance Options.

3. Enter the number of days that pass before data is purged.


– Purge General Events Older Than - Purges the raw information sent by the protection agents and Retina agents. The default number of days is 7.

– Purge Vulnerabilities Older Than - The vulnerabilities are displayed in the Vulnerabilities module until fixed or purged. Recommended: 90 days. However, this can vary for different environments. Once the data is purged, the vulnerabilities are removed from the database.

– Purge Attacks Older Than - Attacks are discovered by the protection agent. Recommended: 90 days.

– Purge Assets Older Than - This covers assets that were discovered once, but are never discovered again (the asset might be inactive or removed). Recommended: 30 days.

– Purge Audit Data Older Than - Purges audit data.

– Purge Retina Agent Jobs every N days - Purges jobs. The default value is every 30 days. Enter 0 if you do not want to purge the jobs.

– Purge Chart Data Older Than - Purges chart data. The default value is 90 days.

– Purge Application Events Older Than - Purges the application events sent by the protection agent and Retina agents. The default value is 7.

– Purge Application Log Files Older Than - Purges the raw information sent by the protection agents. The default value is 30.

– Purge Asset Attributes Older Than - Purges the raw information sent by the protection agents and Retina agents. Recommended: 7 days.

– Purge Scans Older Than - Purges the raw information sent by the protection agents and Retina agents. Recommended: 7 days.

– Purge Scans Events Older Than - Purges the raw information sent by the protection agents and Retina agents. Recommended: 7 days.

– Purge Attack Events Older Than - Purges the raw information sent by the protection agents. Recommended: 7 days.

– Purge Windows Events Older Than - Purges the information sent by the protection agents. The default value is 90 days.


– Purge Closed Tickets Older Than - Enter the number of days before closed or inactive tickets are deleted. The calculation for purging ensures the ticket is closed and uses the date the ticket was last updated, not the due date. For example, a ticket has a due date 60 days in the future but the ticket was closed and not edited for over a week. If the purge setting is set to 7, then the ticket is purged even though the due date is in the future.

– Server Localization - en-US. Reserved for future use.

– Purge PBW Events Older Than - Purges the PowerBroker for Windows events.

– Purge PBUL Events Older Than - Purges the events sent by PowerBroker Servers.

– Purge FIM Events Older Than - Purges the File Integrity events captured by PowerBroker for Windows.

4. Click Update.

Proxy Settings

You can configure a proxy server if the Retina CS server does not have direct Internet access.

To set up a proxy server:

1. Select Options.

2. On the Application Options dialog box, expand Proxy Settings.

3. Select the Yes check box.

4. In the Address box, enter the IP address or domain name of the proxy server.

5. Enter the user name and password for the proxy server.

6. To override any local proxies, select the Yes check box.

7. Click Update.

Refresh Settings

You can set refresh intervals for scan jobs and Smart Rules. Scans can run more efficiently when Smart Rules are set to refresh at longer intervals.

To set refresh settings:

1. Select Options.

2. On the Application Options dialog box, expand Refresh Settings.


– Maximum job refresh frequency (minutes) - Retina CS jobs are refreshed at the interval entered here. When the refresh occurs, updates to schedules, scanners, and Smart Rules are applied to the job. The default value is 360 minutes (6 hours).

– Maximum Smart Rule Refresh Frequency for asset updates (minutes) - Set the number of minutes for the refresh interval for Smart Rules. Asset changes (assets added or removed from the Smart Rule) that occur between the refresh interval are reflected in the rule. The default value is 60 minutes.


Maintenance

Viewing Status for Scanners and Agents
Determining if a Retina Agent is Available
Removing Retina Agent Files
Configuring a Failover Agent
Diagnostics
Monitoring Services
Creating a Support Package

Viewing Status for Scanners and Agents

You can review details about your deployed Retina scanners and protection agents. Use the Agent Details page to determine if scanners or agents are out of date.

To view asset details:

1. Select the Assets tab.

2. Select Agents.

3. Click the i button to review additional information. The Agent Details page displays the following: IP address, computer name, OS, workgroup, domain, and agent name and versions.

Note that you can change viewing preferences for the Agents page. You can select preferences and create filters to determine the list of agents and scanners that are displayed. For more information, see Changing the Display.

Determining if a Retina Agent is Available

A Retina scanner agent might lose connectivity to Central Policy. You can determine connectivity in the following places:

• When you are setting up a scan, there is a warning icon next to an agent name.


• On the Agents page for Vulnerability Scanners, there is a warning icon in the Retina Last Updated column.

The agent might not be able to accept the job request. Ensure the computer hosting the Retina agent is online.

Removing Retina Agent Files

Clean Retina CS records for scheduled, queued, and completed jobs.

Ensure your Retina CS administrators are assigned the Scan Management permission. For more information, see Creating User Groups.

To clean Retina agent files:

1. Select the Assets tab, and then select the Agents tab.

2. Select the agent in the list, and then click i.

3. Click Agent Maintenance.

– Clean Retina Files - Deletes files from the following directory: C:\Program Files (x86)\eEye Digital Security\Retina 5\Scans

– Clean RCS Files - Removes all jobs for the selected agent, including scheduled, queued, and completed jobs.

– Reschedule existing scheduled jobs - When the Clean RCS Files check box is selected, you can select this check box to reschedule jobs automatically.

4. Click OK to save the settings.

5. Click Reset Engine to restart the Retina CS services.


Configuring a Failover Agent

Not supported in Retina CS Community.

You can configure a backup agent to provide redundancy in case an agent fails.

To configure a failover agent:

1. Click the Assets tab.

2. Expand Agents and Scanners, and then click Vulnerability Scanners.

3. Click the Agents tab.

4. Select an agent, and then click i.

5. On the Agent Details pane, click Configure Failover Agent.

6. Select an agent. The Failover Agent field displays the name of the agent that you select.

7. Click OK.

You can configure a failover agent timeout on the Configure tab. The default timeout is 15 minutes.

Creating a Support Package

Create a support package that can be used by BeyondTrust Technical Support. The package includes:

• All logs in the Retina CS Logs folder.

• Storage size statistics on the Retina CS database.


• Certain database tables that contain information on Retina Protection agents and Retina scanner agents and their jobs.

To generate the package:

1. Select Help > Generate Support Package.

2. Click Generate Support Package.

3. Click Save File.

4. Save the .zip file and email it to your Technical Support representative.


Diagnostics

Not supported in Retina CS Community.

In this section,

Monitoring Services

Monitoring Services

On the Services page, you can:

• Turn on debug logging

• View the log files

• See the status of the service (Running, Stopped, Paused)

• Change credentials for the service

To review Retina CS services:

1. Select the Configure tab.

2. Select the Services tab.

3. Click View to open and review details in the log.

4. Click Email to send the log to selected email addresses.

To turn on debug logging:

1. Select the Configure tab.

2. Select the Services tab.

3. To turn on debug logging, click Enable Debug Logging. All Retina CS services are restarted if you turn on debug logging.


Turn off debug logging after you finish troubleshooting Retina CS to improve performance.

To change the credentials for the service:

1. Select the Configure tab.

2. Select the Services tab.

3. Click the button as shown:

4. Enter the credentials, and then click OK.


II. BeyondTrust Modules

Retina Scanner Agents
PowerBroker for Windows
Patch Management Module
System Center Configuration Manager
Retina Protection Agents
PowerBroker Servers for Unix & Linux
PasswordSafe
Regulatory Reports Pack
Configuration Compliance Pack


Retina Scanner Agents

Discovery Scanning
Running a Discovery Scan
Discovering Assets Using a Smart Group
Discovering Assets Manually
Running a Vulnerability Scan
Reviewing Vulnerability Scan Results
Creating a Quick Rule
Excluding Vulnerabilities
Remediating Vulnerabilities
Setting CVSS Metrics
Setting CVSS Environmental Metrics
Setting Base and Temporal Metrics
Configuring Retina Agent Scan Options
Performance Settings
Timeout Values
Event Routing
Setting Restrictions on Scan Times
Configuring General Scan Options
Scanner Pooling


Discovery Scanning

Run a discovery scan to locate network assets, such as workstations, routers, laptops, and printers. A discovery scan also determines if an IP address is active.

You can periodically repeat the discovery scans to verify the status of devices and programs and the delta between the current and previous scan.

Note that discovered assets do not count toward your license.

Running a Discovery Scan

You run a discovery scan in the same way as a vulnerability scan. See Running a Vulnerability Scan for a step-by-step procedure.

Review the following recommended Discovery scan settings:

• On the Set Scan Options page, setting credentials is not required. Typically, setting credentials for other types of scan templates is recommended. However, for a discovery scan, you want to ensure that all types of systems are detected, and credentials are not necessary for that. After assets are detected, you can run audit scans using credentials to ensure more thorough scan results.

• On the Scan Policy Options page, here are some recommended settings:

– Perform OS Detection - Select this check box.

– Perform Traceroute - Select this check box.

– Enumerate * - Clear all enumerate check boxes.

– Randomize Target List - Select this check box.

Change the settings on the Edit Scan Settings page. See Configuring Scan Settings.

• Discovery ports. The default TCP discovery port list: 21,22,23,25,80,110,139,443,445,554,1433,3389

Use more than one scanner to distribute the coverage across the network.


Discovering Assets Using a Smart Group

You can discover assets when the Smart Group filter is an address group, Active Directory query, or Cloud connector.

Any assets online since the Smart Group was last processed are detected when the Use to discover new check box is selected.

The scan results on the Assets page reflect the number of assets found.

If you create an address group that includes a /19 CIDR block, that range includes 8190 potential assets (the discovery scan will always try to discover that many assets). Keep this in mind when you are reviewing scan results.

Key steps:

• Create an address group or Active Directory query that includes the IP address range or domain. See the step-by-step procedures: Creating an Active Directory Query or Creating an Address Group. Alternatively, you can create the address group or query on-the-fly when you are creating the Smart Group.

• Create a Smart Group that includes the address group or query as the filter. Ensure the discover assets check box is selected.

Note that you can use the Discover New assets check box on any scan. However, the scan is slower when this option is selected.

It is recommended that you run a discovery scan at a regular interval (for example, a monthly or weekly schedule). Full vulnerability scans can then run only on known targets.

Discovering Assets Manually

You can discover assets manually by entering a host name, IP address, or address range when running a discovery scan.


Running a Vulnerability Scan

Before setting up your scan settings, ensure the following is in place:

• When you run a scan in Retina CS, you must select a report template to determine the scope of the scanning. For a complete list of report templates, see Reports Templates and Audit Groups.

• Determine the assets to include in the scan. For example, you can create Smart Groups, enter IP address ranges, or list named hosts. Note that on the Assets page, you can individually select the assets to scan.

Tip: Ad hoc Scanning

You can enter any combination of IP address, IP address range, and CIDR notation in the Named Hosts box. Separate the entries using a comma. For example: 10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24

Note, however, that if an IP address is invalid, no error message indicates this; the invalid address is simply not scanned.
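Because an invalid entry is dropped without any message, it is worth validating a Named Hosts string before submitting it. The following is an added example (Python, not Retina CS code) that splits such a string, classifies each entry as a single IP, a dotted range, a CIDR block or a host name, reports the entries that would be ignored, and counts the addresses the scanner would try; it also reproduces the 8190-host figure for a /19 block quoted in Discovering Assets Using a Smart Group above. The host-name syntax check and the sample strings are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Syntactic host-name check (RFC 1123 labels); assumed, since the page only says
# that host names are accepted.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


@dataclass
class ParsedTargets:
    targets: List[Tuple[str, str, int]] = field(default_factory=list)  # (entry, kind, host count)
    invalid: List[str] = field(default_factory=list)

    @property
    def total(self) -> int:
        return sum(count for _, _, count in self.targets)


def _dotted_numeric(s: str) -> bool:
    return bool(s) and all(c in "0123456789." for c in s)


def classify_target(entry: str) -> Tuple[str, int]:
    """Returns (kind, number of addresses the scanner would try) or raises ValueError."""
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        # Network and broadcast addresses are not hosts, which is why the page
        # counts a /19 as 8190 potential assets rather than 8192.
        hosts = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
        return "cidr", hosts
    parts = entry.split("-")
    if len(parts) == 2 and all(_dotted_numeric(p) for p in parts):
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return "range", int(end) - int(start) + 1
    if _dotted_numeric(entry):
        ipaddress.IPv4Address(entry)      # raises ValueError on e.g. 10.10.10.256
        return "ip", 1
    if HOSTNAME_RE.match(entry):
        return "host", 1
    raise ValueError(f"unrecognised target: {entry}")


def parse_named_hosts(text: str) -> ParsedTargets:
    """Splits a comma-separated Named Hosts string and classifies every entry,
    keeping the invalid ones so they can be reported instead of silently dropped."""
    result = ParsedTargets()
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            kind, count = classify_target(entry)
            result.targets.append((entry, kind, count))
        except ValueError:
            result.invalid.append(entry)
    return result


if __name__ == "__main__":
    # Constructed input: the page's example plus two entries that would be ignored.
    parsed = parse_named_hosts("10.10.10.20, 10.10.10.4-10.10.10.8, 192.168.1.0/24, 10.10.10.256")
    print(parsed.targets, parsed.invalid, parsed.total)
```

Run the check on a candidate string before pasting it into the Named Hosts box; anything listed under `invalid` would otherwise vanish from the scan without notice.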

To run a scan:

1. Select the Dashboard tab and click Assess; or select the Assets tab and click Scan.

2. Select a report and click Scan.

3. Expand Scan and select one of the following: Currently selected Smart Group, Currently selected Assets, a Single IP, an IP Range, a CIDR Notation, or Named Hosts for the assets selected. You can enter more than one named host. Separate the entries using a comma.

If you select Currently selected assets and select a schedule other than Immediate, then Retina CS automatically updates the scheduled job on the agent with the list of assets in the selected Smart Group as they change.


4. Benchmark scans only. Expand Benchmark Compliance Profile and select a scan profile.

5. Expand Credentials Management and enter the credentials. Click Test Credential to ensure the correct credentials are entered. You can use Active Directory credentials or Retina CS web server credentials. The test only applies to Windows credentials. Note that the test does not verify access to target assets.

You can store credentials to reuse later. For more information, see Adding Credentials.

a. To add credentials, click the pencil.

b. Click Add.

c. Enter the password, description, and key.

d. If you are creating more than one credential, you can use the same confirmation key for all credentials. Select the Use the same key for all check box, and then enter the key.

e. Click Save.

f. Select the new credential and click OK.

6. Expand Report Delivery to select the report delivery options.

– Export type - Select a report format: PDF, DOC, XLS, NONE. The export types available depend on the report selected.

– Do not create a report for this vulnerability scan - Select this option if you want to only scan and collect the results. No report will be generated.

– Notify when complete - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. Email notification is sent when the scan and report are complete.

– Email report to - Select the check box and enter email addresses. Separate entries using a comma. Alternatively, click + and select users or user groups. The report will be emailed to the users entered.

7. Expand Advanced to select the agent to run the scan.

– Job Name - Type a job name. Otherwise, the default job name is used.

– Agent - Select the computer where the scan engine resides.


– Use job-specific Scan Restrictions - Select the check box to display a scheduling grid. Click the squares to set the restricted time frame. Scans will not run during those times. If scans are scheduled to run during a scan restriction, the scan can be aborted when the restriction window starts. Select the check box to apply this setting. For more information, see Setting Restrictions on Scan Times.

– Benchmark Scans only. Store OVAL Test in database - Select the check box to store OVAL test results to the Retina CS database.

8. Expand Schedule to select a schedule:

Note: If the server and client computers are located in different time zones, the scan runs according to the server's time zone. This applies to one-time scans and recurring schedules.

– Immediate - Select to run the job now.

– One Time - Select to schedule jobs to run one time. Select the start time and date.

– Recurring - Select one of the following:

– Daily – schedules jobs for weekdays, or every x number of days. Enter the number of days.

– Weekly – schedules jobs every week selected (1-52), starting on the day of the week selected.

– Monthly – schedules jobs for the day of the month selected for every month selected. Options include the first/second/third/fourth and last day of the month selected.

You can delete or change the recurring scan job later on the Jobs page. See Managing Jobs.

9. Select Abort the scan if it takes longer than and enter the time in minutes to restrict the length of time the scan runs.

10. Click Start Scan.

11. Click Show Status to view the progress of the scan. You can also view the progress on the dashboard or through the Jobs page.


Reviewing Vulnerability Scan Results

After you run vulnerability scans, you can review the results to determine the assets that are vulnerable and require remediation.

You can view vulnerabilities that can be exploited. For any vulnerability with a CVE-ID, exploit information associated with the CVE-ID is also displayed. In some cases, exploits are displayed that are not associated with a CVE-ID.

The Microsoft Exploitability Index is also included in the Exploits information. The index values correspond to the values that are provided in security bulletins issued by Microsoft. For more information on interpreting the index values, refer to Microsoft documentation.

You can set display preferences and create filters to change the information displayed on the Vulnerabilities page. For more information, see Changing the Display.

To review the results:

1. Select the Assets tab.

2. Select Vulnerabilities. Click the expand buttons to expand the vulnerabilities pane.

You can create Smart Rules based on vulnerabilities. Using this tool can provide additional filtering of selected assets.

3. Click i to view more information about a vulnerability.

4. On the Vulnerabilities Details pane, select the following to review more information:

– Exploit Count - The number indicates the exploits on the vulnerability. Click the button to review the database, module, and module URL.

– Assets - The number indicates the assets affected by the vulnerability.


Click the button to expand the details pane and review the asset information.

– References - The number indicates the available resources for remediation of the vulnerability. Click the button to expand the details pane. Select a web site to find out more information on the vulnerability.

– Patches - The number indicates the patches that can fix the vulnerability. Click the button to review more information about the patches. For more information, see Managing Patch Updates.

– STIGs - The number indicates the STIGs associated with the vulnerability. Click i to open the STIG Details window. You can review the following information: MACs, IA Controls, References, Systems Affected.

– More Information - Click to open the Vulnerability Details window to view a description of the vulnerability, solution, PCI severity, references, and CVSS score. You can also set or remove an exclusion property on the vulnerability. For more information, see Excluding Vulnerabilities.

Creating a Quick Rule

After you run a scan, you can organize assets linked to a specific vulnerability, attack, or malware by creating a Quick Rule.

In the Attacks, Vulnerabilities, or Malware view, you can click the arrow to create a Quick Rule that instantly creates a grouping of assets in the Smart Groups pane.


Excluding Vulnerabilities

You can exclude vulnerabilities from the display and only view those that require remediation to satisfy regulatory compliance.

Depending on your environment, accepted vulnerabilities (a false positive) might be reported in the scan. For example, if Anonymous FTP is configured on your network, vulnerabilities will be reported in your scan results. Since this type of vulnerability does not require remediation (patch or compliance updates), you can ignore these scan results.

Records for exclusions reside in the database. During an audit, you can remove the exclusion on the record.

You can run the Vulnerability Exclusions report to keep track of the exclusions. The report includes the reason for the exclusion and the expiry date.

Note: Vulnerability exclusions do not apply to the parent Smart Group when the exclusion is set at a child Smart Group.

To set or remove the exclusion property on a vulnerability:

1. Select the Assets tab.

2. Select the Vulnerabilities tab.


3. Click the Exclusions check box for a vulnerability.

4. On the Manage Vulnerability Exclusion dialog box, select the options:

– Action - Select to set or remove the exclusion.

– Exclude Vulnerability - Select the Smart Group where you want to apply the exclusion. You can also select Globally. The exclusion applies to all assets.

– Reason/Note - Provide a detailed description on why the vulnerability is excluded. For example, you might want to note that the vulnerability is an accepted false positive. The reason is required and is displayed in the Vulnerability Exclusions report to help you keep track of the exclusions.

– Expiration Date - Select the expiration date on the exclusion.

5. Click Save.

Malware Toolkit Vulnerabilities

A malware toolkit can be detected if there is one associated with a vulnerability.

To see if a vulnerability belongs to a malware toolkit:

1. Select the Assets tab.

2. Select the Vulnerabilities tab.

3. Select a vulnerability and click the i.


A red T indicates that the vulnerability is associated with a malware toolkit.

4. Click View Toolkits. Review more information about the malware toolkit and the recommended mitigation action.

Remediating Vulnerabilities

You can remediate vulnerabilities by viewing solutions on the Vulnerability Details page.

You can use the ticket system to assign a vulnerability or attack to a member of your security team. See Working with Tickets.

1. Select the Assets tab, and then click Vulnerabilities.

2. Click i for a vulnerability. A description and solution are displayed.

The Mitigation column provides information on action to take to remediate the vulnerability.

Setting CVSS Metrics

Depending on your security plan, you might want to change CVSS scores. Changing the score indicates to your security team the urgency to remediate a vulnerability.


You can change the base and temporal values to change the CVSS score (depending on the weight of the vulnerability and the urgency of remediating it).

You can configure:

• Environmental scores using the Smart Rules Manager.

• Base and temporal scores using the Vulnerability Details page.

You must be familiar with CVSS scoring definitions and concepts. Refer to the CVSS Scoring Guide.

Setting CVSS Environmental Metrics

The environmental metrics are based on your security plans. Determine the level of impact a vulnerability has on your assets and assign environmental metrics accordingly.

You can create a Smart Group that includes the assets where you want to assign the environmental metrics.

To set the environmental metrics on assets:

1. Select the Assets tab.

2. Click Manage Smart Rules.

3. Click New Rule.

4. Enter a name and description, and set the Smart Rule criteria that determine the scope of the assets.

5. In the Perform Actions area, select Set Environmental CVSS Metrics.

6. Select the metrics from the corresponding lists.

7. Click Save.

Later, when you edit the Smart Group, the Show asset as Smart Group list is also displayed, as shown:

Setting Base and Temporal Metrics

After you create a Smart Group that contains the assets with the preferred environmental metrics, you can update CVSS scores on the Vulnerabilities page.


To change the CVSS metrics for a vulnerability:

1. Select the Assets tab.

2. Select the Smart Group with the environmental metrics configured.

3. Click Vulnerabilities.

4. Select a vulnerability, and then click i.

5. Click the pencil.

6. Change the base and temporal values. The CVSS score and CVSS vector change as you change the base and temporal metrics. Click the vector link to go to the National Vulnerability Database CVSS v.2 Calculator web site.

7. Click Save.


Reviewing Asset Risks on the Network Map

On the network map you can review the assets at risk in your environment. The network map requires Sun Java 5.0 SE Update (or later) to display correctly.

To review assets using the network map:

1. Select the Assets tab.

2. Click Map. The network map might disappear when you select other menu items or options on the window. Click Home to display the network map again.

3. Click the nodes on the map.

4. Hover on the items to display vulnerability information.

5. To filter the information displayed in the network map, select a Smart Group and view only those vulnerabilities you are interested in.


Configuring Retina Agent Scan Options

Not supported in Retina CS Community.

You can configure Retina scan options to improve performance and reliability.

Performance Settings

The number of scan targets can affect server performance and scan quality. The result is an unresponsive or slow server or poor scan quality, such as known services not being found or known open ports not being identified.

To improve performance, you can:

• Reduce the number of targets

• Adjust the scan speed downward

• Override the TCP connection limit to increase the scan speed

If you override the TCP connection limit, the TCP incomplete connections limits are removed for all applications during the scan.

Timeout Values

Configure ping and data timeout values to compensate for network latency. If pings are not returning in time for Retina to detect them, increase the ping timeout value.

To configure scan options:

1. Click the Configure tab.

2. Click the Scan Options tab.

3. Click the Scanner tab.

4. In the Performance area, configure the following settings:

– Number of Simultaneous scan targets - Set the number of targets to scan simultaneously. The maximum is 128 targets.

– Adaptive Scan Speed - Set the delay between bursts of packets sent during a SYN scan. 1 = longest delay; 5 = almost no delay.

– Enable TCP connection limit override - Select the check box to override the TCP connection limit.


Note: The TCP Connection Limit Override is available on Windows XP SP2 and later and Windows 2003 SP1 only. This is not available for Windows NT or Windows 2000.

5. In the Reliability area, configure the following settings:

– Ping Timeout - Enter the number of seconds.

– Data Timeout - If the Retina agent is not receiving complete data from assets or hosts when services are under heavy load, increase the timeout value.

6. Click Save.

Event Routing

Turn on event logging to send scan data to Retina CS, including:

• Port information

• Services

• General scan information

To turn on event routing:

1. Click the Configure tab.

2. Click the Scan Options tab.

3. Click the Event Routing tab.

4. Select the Enable Event Logging check box.

5. Select the risk level of the audits to include in routing to Retina CS. Audits include a risk level that corresponds to the severity of the vulnerability detected.

– Information - Details host information that does not necessarily represent a security threat, but can be useful to the administrator to assess the security.

– Low - Defines risks associated with specific or unlikely circumstances.

– Medium - Describes serious security threats that would allow a trusted but non-privileged user to gain access to sensitive information.

– High - Indicates vulnerabilities that severely impact the overall safety and usability of the network.

6. Click Save.


Setting Restrictions on Scan Times

You can set a scan restriction so that scans do not run during the restricted time frame.

Apply scan restrictions on:

• One scan only. Configure the restricted scan time when you are configuring the scan.
• Global. Configure the restricted scan time on the Configure tab.

To set a scan restriction on all scans:

1. Select the Configure tab.
2. Select the Scan Options tab.
3. From the Agent list, select an agent or select Global. If you select an agent, you might want to override scan restrictions already set for that agent. Select the Use Global Scan Restrictions check box to apply the global settings.
4. Click the squares to set the restricted time frame.
5. Select the Abort in progress scans check box to stop all scans that are running when the scan restriction window starts. Otherwise, running scans are paused and then resume when the scan restriction ends.

Configuring General Scan Options

To configure general scan options:

1. Click the Configure tab.
2. Click the Scan Options tab.
3. Click the General tab.
4. To turn on logging, select the logging check box.
5. To automatically check for updates, configure the following settings:
   – Check for updates to a schedule - Select a start time and frequency.


   – Check for updates when launching Retina - Select the check box to check for updates when you start Retina.
   – Number of seconds to prompt before launching - Enter the number of seconds to wait before starting the updater.
6. Set a timeout value for a failover agent. To configure a failover agent, see Configuring a Failover Agent.
7. Set maintenance options to purge Retina information.
8. Set the number of minutes that pass before Retina checks for updates from the Central Policy server. The default value is 15 minutes.
9. Click Save.


Scanner Pooling

You can use scanner pooling to select more than one scanner agent when scanning a large number of assets. When more than one scanner is selected for a scan job, the list of target assets is divided among the selected scanners in a round-robin style, evenly distributing the target scan range.

To use scanner pooling, select more than one scan agent when running a scan, or use the "Set Scanner" action in a Smart Rule to lock a set of scanners to that Smart Group.

Note that when using scanner pooling, you cannot automatically generate a report when a scan finishes.

To lock a scanner agent to a Smart Group:

1. Select the Assets tab, and then click Manage Smart Rules.
2. Click New Rule.
3. Enter a name and description.
4. From the Perform Actions area, select Show asset as Smart Group.
5. Click the +, and then select Set Scanner.
6. Click the browse button to select the scanners to associate with the Smart Group.
7. Select the distribution algorithm.
   – Round Robin Asset Distribution - Targets are assigned to scanners one-by-one. This method balances the distribution of scan targets.


   – Rule Locked Asset Distribution - The Rule Locked distribution algorithm is designed and recommended for multiple scanner jobs where child Smart Rules are defined in a parent Smart Rule. Each child Smart Rule will always use the scanner assigned in the child Smart Rule when this distribution algorithm is used. This ensures that scanners assigned in child Smart Rules will not scan across other child targets.
8. Click Save.

Note that on the Job Details page, the agent name indicates if the scanner is part of a pool.


PowerBroker for Windows

Using Retina CS and PowerBroker for Windows together, you can:

• Collect privilege-related event log data from assets. This data includes information about the applications being used, the privileges they require, and how they are launched, and information about which users have administrator privileges.
• Deploy PowerBroker for Windows policies to your assets. Create your PowerBroker for Windows rules and policies as usual using PowerBroker for Windows. Upload the policies to Retina CS and, using the Central Policy technology, deploy the rules to your managed assets.
• Create File Integrity rules in PowerBroker for Windows and manage the results in Retina CS.
• Sort and filter data into useful reports and generate PowerBroker rules for applications based on user needs for privilege elevation. This is a best-practice approach for discovering applications and constructing quick and concise rules for any user or computer.
• Configure Session Monitoring in PowerBroker for Windows and review the events in the Retina CS console.

Note: Before you can use the Application Discovery functions of PowerBroker to create rules, install Retina CS on a compatible host with the proper prerequisites or install an appliance with the solution from BeyondTrust.

For more information about the PowerBroker reports available in Retina CS, see PowerBroker for Windows Reports.

Overview

1. PowerBroker for Windows (PBW) is designed to integrate directly into your corporate Active Directory (AD) structure without modifying your existing schema. An administrator loads a Group Policy Object (GPO) snap-in onto an asset that uses the Microsoft Management Console (MMC).
2. An administrator can then create policies and rules that are stored in the AD domain.


3. An administrator can also access the Retina CS management console through a web interface to run reports or create additional rules based on collected events from the environment.
4. As domain assets log on (servers, workstations, or remote clients labeled “4”), they receive policy from the domain controller that is processed by the PBW agent. The PBW agent is installed on each device and can be distributed through a software delivery solution or even through GPO. The agent enforces privilege identity management rules on the endpoint and sends status events back to Retina CS for additional reporting, trending, and rule creation.

Creating a Smart Group

You can create a Smart Group to organize your PowerBroker assets. You can set filters based on the PowerBroker client, Windows events, and PowerBroker Windows events.


For detailed instructions on Smart Groups, see Working with Smart Rules.

Creating PowerBroker Rules

You can create rules after event data is collected from PowerBroker for Windows. For more detailed information about rules, refer to the PowerBroker for Windows product documentation.

The rule types that you can create from Retina CS include Active X, Hash, Path, Publisher, and MSI. Exclusion rules can also be created.

To create a PowerBroker for Windows rule:

1. On the Retina CS console, select the Assets tab, and then click the PowerBroker tab.
2. Click the arrow for the events and select the rule type.

   Note: There are two ways that you can view events: Rollup and All. The Rollup view displays all events grouped by Message, Application/ActiveX, Path, Publisher, EventType, RuleType, then Hash. In the Rollup view you can select more than one event. In the All view, select one event at a time.

   The PowerBroker Rule XML dialog box is displayed.
3. Copy the XML code to the collection in the PowerBroker for Windows GPMC snap-in.


Including Arguments in a Rule

When you are creating a rule you can include arguments. Select the Yes check box on the Application Options dialog box.

Arguments can be included when creating the following rule types: Path, Hash, MSI.

Creating rules for a denied application (28698) will include arguments when the check box is selected.

Marking Events to Exclude

You can exclude events from rules. For example, you might want to exclude certain applications that are flagged as requiring administrative privileges.

To exclude events:

1. On the Retina CS management console, click the Configure tab, and then click Exclusions.
2. Select an existing exclusion or click + to create an exclusion.
3. Select the exclusion type:
   – Admin rights – Exclude all events that match the ‘path’ for the exclusion you chose. Retina CS provides a predefined list of these exclusions. This list contains applications that are commonly incorrectly detected as requiring administrative privileges. Any exclusion path with a “*” will recurse directories. For example, c:\windows\system32\* will exclude any executables in system32 and any executables in a subdirectory of system32.


   You must provide the full path. For example, C:\Windows\HelpPane.exe
   – Application Exclusion – Excludes all events that match the application you are excluding. You must provide the application name only. For example, HelpPane.exe
   – Publisher Exclusion – Excludes all events that have the same ‘publisher’ value. You must follow the format: "O=Microsoft Corporation, L=Redmond,S=Washington,C=US"
4. Click Save.
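The three exclusion types above match events in different ways, and a publisher exclusion in particular suppresses far more than a single path. The following PowerShell script is an added example, not BeyondTrust code and not how Retina CS implements exclusions internally; it models the matching semantics described in this section (a trailing "\*" on an Admin rights path recursing into subdirectories, an exact full-path match otherwise, an application-name-only match, and an exact publisher-string match) so that you can see which collected events a proposed exclusion would suppress before saving it. The Test-PbwExclusion function name and the event records are constructed for this example.

```powershell
# Added example, not part of Retina CS or PowerBroker for Windows.
# Models the exclusion matching described above so an administrator can
# check which events a proposed exclusion would suppress before saving it.

function Test-PbwExclusion {
    param(
        [Parameter(Mandatory)] [ValidateSet('AdminRights','Application','Publisher')] [string]$Type,
        [Parameter(Mandatory)] [string]$Value,        # path, application name, or publisher string
        [Parameter(Mandatory)] $EventRecord           # constructed object with Path and Publisher
    )
    $ci = [System.StringComparison]::OrdinalIgnoreCase   # Windows paths are case-insensitive
    switch ($Type) {
        'AdminRights' {
            if ($Value.EndsWith('\*')) {
                # Trailing "\*" recurses: any executable under the directory matches.
                $prefix = $Value.Substring(0, $Value.Length - 1)   # keep the trailing backslash
                return $EventRecord.Path.StartsWith($prefix, $ci)
            }
            # Otherwise the full path must match exactly.
            return [string]::Equals($EventRecord.Path, $Value, $ci)
        }
        'Application' {
            # Application exclusions compare the file name only, regardless of directory.
            return [string]::Equals([System.IO.Path]::GetFileName($EventRecord.Path), $Value, $ci)
        }
        'Publisher' {
            # Publisher exclusions require the same publisher string, in the documented format.
            return [string]::Equals($EventRecord.Publisher, $Value, [System.StringComparison]::Ordinal)
        }
    }
}

# Constructed sample events; not collected from a real environment.
$msPublisher = 'O=Microsoft Corporation, L=Redmond,S=Washington,C=US'
$events = @(
    [pscustomobject]@{ Path = 'C:\Windows\System32\cmd.exe';         Publisher = $msPublisher }
    [pscustomobject]@{ Path = 'C:\Windows\System32\drivers\foo.exe'; Publisher = $msPublisher }
    [pscustomobject]@{ Path = 'C:\Windows\HelpPane.exe';             Publisher = $msPublisher }
    [pscustomobject]@{ Path = 'C:\Tools\HelpPane.exe';               Publisher = 'O=Example Vendor, L=Anytown,S=State,C=US' }
)

# Proposed exclusions, written in the formats the guide requires.
$exclusions = @(
    @{ Type = 'AdminRights'; Value = 'c:\windows\system32\*' }
    @{ Type = 'AdminRights'; Value = 'C:\Windows\HelpPane.exe' }
    @{ Type = 'Application'; Value = 'HelpPane.exe' }
    @{ Type = 'Publisher';   Value = $msPublisher }
)

foreach ($ex in $exclusions) {
    $hits = @($events | Where-Object { Test-PbwExclusion -Type $ex.Type -Value $ex.Value -EventRecord $_ })
    $paths = ($hits | ForEach-Object { $_.Path }) -join '; '
    '{0,-12} {1,-52} suppresses {2} event(s): {3}' -f $ex.Type, $ex.Value, $hits.Count, $paths
}
```

Running it shows the breadth of each type: the recursive system32 path catches both system32 executables, the full-path and application-name exclusions differ in that the latter also catches C:\Tools\HelpPane.exe, and the publisher exclusion suppresses every Microsoft-signed event, including cmd.exe. Reviewing a proposed exclusion this way keeps privilege-related events you still want to see from being silently dropped.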

Deploying and Managing Policies Using Retina CS

You can configure PowerBroker for Windows to use Central Policy to deploy policies through Retina CS rather than using GPMC.

During the installation of PowerBroker for Windows, you can choose to deploy policies using Central Policy. Ensure the following Central Policy setting is selected:


For more information about deploying PowerBroker for Windows, refer to the PowerBroker for Windows Installation Guide.

Deploying Policies

Create your rules and policies in PowerBroker for Windows as usual. Create Smart Rules to determine the assets where the policies need to be deployed.

To use Retina CS to deploy PowerBroker for Windows policies:

1. Log on to Retina CS, and then go to the Smart Rules Manager.
2. Select the PowerBroker for Windows assets and the policy that you want to deploy.
3. Click Save.

Reviewing Policies

You can review the list of policies available from PowerBroker for Windows on the Configure tab.

Session Monitoring

You can track the following events:

• Keystroke logging
• Mouse events
• Process events
• Screen captures

The events are configured in PowerBroker for Windows. For more information on configuring session monitoring, refer to the PowerBroker for Windows product documentation.


Note: To use this feature you must have the Session Monitoring license key activated. Contact your BeyondTrust representative for more information.

Viewing Events on the Session Viewer

To view events:

1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session Monitoring.
3. Click i for a particular asset. On the Session Viewer page, you can view more details about the events.
4. Double-click an event (or click i) to view more details about the event in the right pane.

Filtering Events

You can filter the events that are displayed in the Session Viewer.


Viewing Screen Capture Events

When viewing screen captures, you can zoom in and zoom out, and scroll through all of the screen captures saved during the session.

If there is more than one monitor for an asset, the Session Viewer displays the following titles: Display1, Display2...


Saving Session Data

You can save the session monitoring data to a zip file to view the information offline at a later time. It might take a few minutes to save the file depending on the number of events captured.

To save session data to a file:

1. On the Assets page, select the Smart Group where the assets reside.
2. Select PowerBroker for Windows from the list, and then click Session Monitoring.
3. Click the arrow for an asset, and then select Download Session Data.
4. Save the file to the preferred location.


Patch Management Module

The Patch Management module requires a license to activate the feature set. Contact your BeyondTrust representative.

In this section:

Overview
   How Patching with WSUS Works
   How a Patch Deployment Works
   Third-party Patch Deployment
Connecting to a WSUS Server
   Requirements
   Adding a Connection
   Connecting to a Downstream Server
   Installing the WSUS Administration Console
Registering Smart Groups
Redeploying Configuration
Approving Patch Updates
Reviewing Patch Details
Deleting Patches
Third-Party Patching
   Generating a Certificate
   Subscribing to Vendor Patch Updates
   List of Supported Vendors


Overview

Use the Patch Management Module to deploy important patches to selected assets.

Note: Using the Patch Management Module does not override any automation policies you might have in place with your existing Windows Server Update Services (WSUS) configuration. Those policies are retained and applied as usual.

How Patching with WSUS Works

Retina CS integrates with WSUS to facilitate Microsoft and third-party patching. Retina CS uses WSUS as the patching engine and effectively becomes a management console to WSUS.

You must be familiar with WSUS features to understand the Retina CS integration with WSUS. The WSUS client is built into the Microsoft OS; however, it needs to be enabled and configured. In typical WSUS-only environments this is accomplished through GPOs. When using Retina CS, clients are enabled and configured through Retina CS.

The Retina CS configuration and patch deployment process is outlined here.

1. Configure a Retina CS connection to an existing WSUS Server; Retina CS becomes a management console for WSUS.
2. Configure Smart Groups for patch management. This configures members of the Smart Group, i.e., the clients, for WSUS by making changes to the registry.
3. Identify and approve patches.
4. Clients periodically check WSUS for approved patches, which are then downloaded and installed.


How a Patch Deployment Works

1. Patches are approved in Retina CS; consequently, they are marked as approved in WSUS.
2. The client polls WSUS for any relevant, approved patches.
3. Patches are downloaded to the client. Optionally, per the Smart Group settings, the client may be notified that approved patches are available and then prompted to download and install them.
4. Patches are automatically installed per default settings. Optionally, per the Smart Group settings, the client may be notified that patches have been downloaded and then prompted to install them.
5. The new patch status is sent to WSUS.
6. Retina CS retrieves the current patch status from WSUS.


Third-party Patch Deployment

Third-party patching is the same as Windows patching with the following differences at these steps.

• Third-party patches are sent to the client with the third-party certificate that was generated when the connection to WSUS was created. The certificate from WSUS is verified against the existing certificate on the client that it received when its associated Smart Group was enabled for patch management. Trust is now established for third-party patch deployment per Microsoft requirements.


Connecting to a WSUS Server

To deploy patch updates, you must connect to a Windows Server Update Services (WSUS) server.

If you are working in a larger environment and use downstream servers to apply patch updates, you can create connections to the downstream servers in the Patch Management configuration. This helps distribute the workload of applying patches to many assets.

Requirements

Installing on Windows Server 2003 SP1

• Microsoft IIS 6.0. Ensure the user installing and configuring WSUS is a member of the IIS_WPG group.
• Update for BITS 2.0 and WinHTTP 5.1 (http://go.microsoft.com/fwlink/?LinkID=47251)
• Microsoft .NET Framework Version 2.0 Redistributable Package (x86)
   32-bit (http://go.microsoft.com/fwlink/?LinkID=68935)
   64-bit (http://go.microsoft.com/fwlink/?LinkID=70637)
• Microsoft Report Viewer Redistributable 2005 (http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft Management Console 3.0 for Windows Server 2003 (KB907265)
   32-bit (http://go.microsoft.com/fwlink/?LinkID=70412)
   64-bit (http://go.microsoft.com/fwlink/?LinkID=70638)

Installing on Windows Server 2008

• Microsoft IIS 7.0. Ensure the following components are turned on:
   – Windows Authentication
   – ASP.NET
   – 6.0 Management Compatibility
   – IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005 (http://go.microsoft.com/fwlink/?LinkID=70410)
• Microsoft SQL Server 2005 SP1

Note that .NET Framework 2.0 and the BITS 2.0 update are part of the Windows Server 2008 OS.


Adding a Connection

You can create a connection to an upstream and downstream server. The downstream server synchronizes with the upstream server to manage patch updates. Note that downstream servers are configured in WSUS.

To connect to a WSUS server:

1. On the Retina CS console, select Configure, and then click the Patch Management tab. Alternatively, on the Dashboard, click Mitigate.
2. Click +, and then enter the server name, port number, and credentials for the server. Ports available: 80, 8530, 443 (SSL), or 8531 (SSL).
3. Click Test Connection to ensure the information is correct.

   Note: The WSUS Administration Console must be installed if WSUS and Retina CS are not on the same server. For more information, see Installing the WSUS Administration Console.
4. Click Save.
5. After you connect to a WSUS server, set the following options.
   – Synchronization - Select the time that you want to synchronize the patches with the WSUS server. The schedule determines the frequency that WSUS checks with Microsoft Update Servers for new patches. If this is a new installation, the initial synchronization can take several hours depending on the number of items selected in the Products and Classification section. If you are using downstream servers, increase the frequency of the synchronizations per day. All updates and approvals occur on the upstream server. Increasing the frequency ensures that all assets receiving updates from the downstream server are updated when the approvals are applied on the upstream server.
   – Products and Classifications - Select the updates to subscribe to.
   – Downstream Servers - Displays the downstream servers for the selected server.
   – Third Party Certificate - Generate or import a certificate to subscribe to vendor patch updates. For more information, see Third-Party Patching.

   Note that the Groups feature is not supported in Retina CS Community.


   – Groups - Select the check boxes for the groups that already exist in WSUS. Additionally, select the synchronization frequency, credentials, and how you want patches applied. After you click Save, a patch-enabled Smart Group for each WSUS group that you selected is displayed in the Smart Groups browser pane.

Connecting to a Downstream Server

When you configure assets for patch updates in the Smart Rule, you can choose the downstream server that will apply the updates and patches to the assets.

In the Patch Management Configure area, you can view information on upstream servers and whether there are any downstream servers configured on that upstream. A downstream server is displayed with a green arrow.

Installing the WSUS Administration Console

You must install the WSUS Administration Console if you want to connect to an installation of WSUS on a different server.

Download the WSUS 3.0 Administration Console installer file: http://go.microsoft.com/fwlink/?LinkId=88321

After you install the administration console, start the console and verify that you can connect to the WSUS server that will be configured as the active software update point.


Registering Smart Rules

Registering the group adds the group to the WSUS server database. The assets in the group are then available for the updates. If an asset is a member of two groups, the patch update applied will be the most recent one.

You can review the status of a patch group on the Asset Details pane (select the Assets tab, click i). If the status is registered, patches can be approved and installed on the patch group.

Checkpoint

– Create a Smart Rule to associate with the patch update schedule. A Smart Rule is required. For more information, see Creating a Smart Rule.

To register patch updates for a Smart Group:

1. Select the Assets tab.
2. Click Manage Smart Rules and then click New Rule.
3. Enter a name and description for the patch group.
4. Select an existing category or create a new category.
5. Select the asset matching criteria. Select Asset fields from the list, then select matching criteria: Last Updated Date, Status, Current Policy, Pending Policy, Wsus Status, or Patch Install Schedule.
6. From the Perform Actions area, select Enable for Patch Management, then select values for the following:
   – Credentials - Click the browse button to open the Manage Patch Credentials page. Create or select the preferred patch credentials. Ensure the credentials provided can access the registry and install the certificate on the target asset. The credentials apply only to the Patch module. The credentials are not related to vulnerability scans or the WSUS server connection.
   – WSUS Servers - Select the WSUS servers from the list.
   – Important Updates - Select if you want to:
      Download and install updates automatically – Client computers poll WSUS at the selected day and time and download and install approved updates.
      Download updates but let me choose if the updates are installed – Client computers poll WSUS at regular intervals (1 hour by default) and download approved and relevant updates. After download, notifications are sent to the system log and notification area of Retina CS.
      Check for updates but do not download.


   – Every / At - Select a day and time the client computers will poll the WSUS server.
   – Retry registration of errored Patch Management assets - Select the check box to try registration again if the initial registration attempt fails.
7. Click Save.

After clicking Save, the following occurs:

• The client is contacted by one of three methods, listed in priority:
   – If the client has the Retina Protection Agent (v. 4.7 or greater), registry changes occur through the Central Policy connection.
   – If the client does not have the RPA, registry changes occur through the Remote Registry API. The Remote Registry service must be enabled on the client. The supplied credentials must have permissions for Remote Registry.
   – If the first two fail, then registry changes are facilitated through WMI, a service running on the endpoint.
• Retina CS uses the supplied credentials to access and edit the client’s registry. The client is configured for WSUS and then pointed to the WSUS Server. All other relevant registry parameters are set; see:
   HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
   HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• Optionally, Retina CS downloads the third-party certificate to the client.

The client is now configured to poll WSUS for any approved updates; this is standard WSUS client behavior. Note that polling may not occur immediately and it may take up to 6 hours for WSUS clients to display as patch-enabled assets in Retina CS.

The patch group is displayed in the Smart Groups browser pane.

After the group is registered, you must approve the patches that you want to apply to the assets.

Updates are installed during the time that you selected in step 6.
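Because registration works by writing the two WindowsUpdate policy keys named above, the quickest way to confirm that a client really was registered (or to diagnose one that never appears as patch-enabled) is to read those keys back on the client. The following PowerShell script is an added example and is not part of Retina CS; it reads the standard WSUS client values under those keys (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency), reports whether the client is pointed at a WSUS server, and checks the Remote Registry service that the second registration method depends on. The Get-WsusClientConfig and Test-WsusManaged function names are constructed for this example, and the mapping of the Smart Rule's Important Updates choices onto AUOptions values in the comments is my reading of the standard client meanings, not something the guide states. Running it against a remote computer assumes PowerShell remoting (WinRM) is enabled.

```powershell
# Added example, not part of Retina CS. Reads the WindowsUpdate policy keys
# that Smart Rule registration writes and reports whether the client is
# configured for WSUS. Run locally on the client, or pass -ComputerName to
# run it over PowerShell remoting (assumes WinRM is enabled on the target).

function Get-WsusClientConfig {
    param([string]$ComputerName)

    $probe = {
        $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        $au = "$wu\AU"
        $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
        $a  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            WUServer             = $p.WUServer             # WSUS URL, e.g. http://wsus:8530 (constructed example value)
            WUStatusServer       = $p.WUStatusServer       # where the client reports status, normally the same URL
            UseWUServer          = $a.UseWUServer          # 1 = use the WSUS server above instead of Microsoft Update
            AUOptions            = $a.AUOptions            # 2 notify before download ("check but do not download"),
                                                           # 3 auto download, notify to install ("let me choose"),
                                                           # 4 auto download and schedule install ("install automatically")
            ScheduledInstallDay  = $a.ScheduledInstallDay  # 0 = every day, 1..7 = Sunday..Saturday (the "Every" value)
            ScheduledInstallTime = $a.ScheduledInstallTime # hour of day, 0..23 (the "At" value)
            DetectionFrequency   = $a.DetectionFrequency   # hours between polls, when set
            RemoteRegistry       = (Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue).Status
        }
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
    else               { & $probe }
}

# A client counts as WSUS-managed only when it has a server URL and is told to use it.
function Test-WsusManaged {
    param([Parameter(Mandatory)] $Config)
    return (-not [string]::IsNullOrEmpty($Config.WUServer)) -and ($Config.UseWUServer -eq 1)
}

$cfg = Get-WsusClientConfig
$cfg | Format-List

if (Test-WsusManaged $cfg) {
    "Client is pointed at WSUS: $($cfg.WUServer) (AUOptions=$($cfg.AUOptions))"
} else {
    'Client is NOT configured for WSUS; check credentials and consider Redeploy Configuration on the Smart Rule.'
}
if ($cfg.RemoteRegistry -ne 'Running') {
    'Remote Registry is not running; registration without the RPA will fall back to WMI.'
}
```

If the keys are present but the client still does not show as patch-enabled, remember the note above that it may take up to 6 hours for the first poll; if the keys are absent, Redeploying Configuration is the documented remedy.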


Redeploying Configuration

You might need to redeploy the Smart Rule configuration settings in the following scenarios:

• Registry settings are not properly set on the client
• Certificate for third-party patching not properly set

Select Redeploy Configuration to apply the settings in the patch-enabled Smart Rule.

Approving Patch Updates

After you register a Smart Group for patch updates, you can approve the patches for installation.

Track the status of patch updates on the Patch pane. Select the Assets tab, then Patch.

On the Approvals page, you can filter the patch status to determine the patches that are installed, not installed, failed, and more.

Note that on the Approvals page, the most recent patches available are always displayed. Any older patches superseded by new patches are no longer displayed. You can, however, select the Show Superseded Patches check box to review older patches not applied.

To display the Superseded column, click the Preferences button and then select Superseded.

To approve patch updates for registered Smart Groups:


1. Select the Assets tab, and then select Patch. After a patch group is registered, you can access the last accessed group through the Mitigate button on the Dashboard.
2. Select a registered Smart Group from the browser pane. To view the number of patch updates installed and not installed, hover over the icon.
3. Select an asset, and then click i. By default, only critical updates are displayed. You might need to change the filters to display the relevant patches. Click the Filters button and select the filters. To view superseded patches, select the Show Superseded Patches check box. Patches are superseded when a new patch is available. Microsoft patches are superseded automatically when a synchronization occurs with WSUS.
4. Select a patch, and then select Approve.


5. Select the All Groups check box to apply the patch to all registered patch Smart Groups, or select the check box for a particular Smart Group. The assets are set to check in with the WSUS server every hour.

If you select All Groups, and a group already has approved patches, the menu changes to Keep existing approvals. This ensures that all previously approved patches will still be deployed at the scheduled time.

Select Decline to remove the patch from the Not Installed list.

Selecting Not Approved does not apply the patch to the selected Smart Group. However, the patch is still displayed in the Not Installed list.

Reviewing Patch Details

Click i to review more information about the update.

Click Apply Patch Now to install the update on the designated assets. When selected, the clients are forced to check in with WSUS. The patch is applied immediately regardless of the installation settings in the Smart Group associated with the clients. The credentials in the Smart Group are used to apply the patch.

Note that the client evaluates and downloads the patch before the installation occurs.


Deleting Patches

You can delete patches either on the Asset Details page or on the Approvals page where patches are listed.

Third-Party Patching

You can download and deploy patches for third-party products such as Adobe, WinZip, and Apple. For a complete list, see List of Supported Vendors.

You can subscribe to vendor patches through the Retina CS Configure tab.


Generating a Certificate

After setting up a connection to WSUS, a Third Party section is available.

A message indicates that a certificate is required when you initially log on

and go to the Third Party section. The certificate establishes trust between

the WSUS server and the client.

If the WSUS connection is configured to use SSL, you can use the Import

button on the Third Party Certificate tab to import an external certificate or

use the Generate button to create a self-signed certificate.

Note that if the upstream server has a third-party certificate, then the

downstream server automatically receives the certificate. The certificate

feature is not available for only downstream servers.

Click Generate.

Self-signed Certificates

If you are using a self-signed certificate for 3rd Party Patching, Windows sometimes deletes it automatically.

The Automatic Root Certificates Update feature compares the root certificates installed on the server with Microsoft's list of approved root certificates. If a certificate does not match an entry in that list, Windows can remove it and log the following in the Application event log:

Event ID: 4108
Successful auto delete of third-party root certificate

To disable this feature and keep your root certificate installed:

1. Click Start > Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration > Administrative Templates > System > Internet Communication Management.
3. Select Internet Communication settings.
4. Double-click Turn off Automatic Root Certificates Update.
5. Select Enabled, and then click OK.

Note that this setting also stops the server from receiving new Microsoft-distributed root certificates through the automatic update mechanism, so apply it only to the servers that need it.
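The following PowerShell is an added example and is not part of the guide. Run it in an elevated session on the WSUS server to confirm that the policy above is in effect, that the self-signed certificate is still present, and whether Event ID 4108 has already recorded a deletion. The registry location is the one this group policy setting writes to; the certificate subject name is an assumption based on the WSUS default and should be replaced with the subject of the certificate you generated or imported.

```powershell
# Added example: verify "Turn off Automatic Root Certificates Update" and look
# for past auto-deletions of third-party root certificates.
# Run in an elevated PowerShell session on the WSUS server.

# gpedit/GPO stores this policy setting here (1 = automatic root update turned off).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    Write-Host 'Automatic Root Certificates Update is turned off (policy in effect).'
} else {
    Write-Warning 'Automatic Root Certificates Update is still enabled; a self-signed root may be auto-deleted.'
}

# Subject of the self-signed publishing certificate. Assumption: the WSUS default name;
# replace it with the subject of the certificate you generated or imported.
$subject = 'CN=WSUS Publishers Self-signed'

# Is the certificate still present in the local machine's Trusted Root store?
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $subject }
if ($root) {
    Write-Host "Root certificate present, thumbprint $($root.Thumbprint), expires $($root.NotAfter)"
} else {
    Write-Warning "Root certificate '$subject' is not in Cert:\LocalMachine\Root"
}

# Application log entries for automatic deletion of third-party root certificates
# (Event ID 4108, "Successful auto delete of third-party root certificate").
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4108 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # The event message names the subject of the certificate that was removed.
    '{0:u}  {1}' -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}
if (-not $events) { Write-Host 'No Event ID 4108 entries found in the Application log.' }
```

If the certificate is missing and a 4108 event names its subject, regenerate or re-import it on the Third Party Certificate tab after the policy is in place; the GPO procedure later in this chapter then distributes the new certificate to the clients.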

Subscribing to Vendor Patch Updates

To subscribe to vendor patch updates:


1. Select the Configure tab, and then select Patch Management.
2. In the Products and Classifications section, select the vendor patches that you want to subscribe to. Note that the patch classifications apply to Microsoft updates only.
3. Select the check boxes for the vendor products, and then click Save.


List of Supported Vendors

Vendor                      Product
Adobe Systems Incorporated  Adobe Flash Player
Adobe Systems Incorporated  Adobe Acrobat
Adobe Systems Incorporated  Adobe Reader
Adobe Systems Incorporated  Adobe Shockwave - Firefox/IE
Apple Incorporated          Safari
Foxit Corporation           Foxit Reader
Google Incorporated         Chrome
Igor Pavlov (LGPL)          7-Zip
Mozilla Foundation          Mozilla Firefox
Opera Software ASA          Opera Browser
Oracle Corporation          Sun Java
Skype Limited               Skype
win.rar GmbH                WinRAR
WinZip International LLC    WinZip


System Center Configuration Manager

Not supported in Retina CS Community.

In Retina CS, you can create a connection to your Microsoft System Center Configuration Manager (SCCM) site server and manage the software updates to the collections.

Overview

The SCCM feature in Retina CS offers you a way to create a connection to your SCCM server and manage deploying software packages to selected collections.

An important difference between traditional Smart Groups in Retina CS and the SCCM Smart Groups is that asset data is gathered from the collections in SCCM and stored in the Retina CS database; the assets have not been scanned by Retina CS. Use the synchronize feature on the SCCM configure page to ensure the most current data resides in the Retina CS database.

The package deployment feature in Retina CS is similar to SCCM and offers most of the options that you are already familiar with.

Requirements

• The SCCM client must be installed on the target machines, or patches cannot be deployed and applied.
• The SCCM Smart Groups are not patch-enabled like the WSUS Smart Groups.
• The SCCM instance must have an Active Software Update Point component configured prior to making a connection from Retina CS.

Creating a Connection to a SCCM Site Server

To connect to a SCCM Site Server:

1. On the Retina CS console, select Configure, and then click the SCCM tab.
2. Click +, and then enter the server name, domain, user name and credentials for the server.
3. Click Test Connection to ensure the information is correct.
4. Click Save.


5. After you create the connection to a SCCM Site Server, additional tabs are available. You must select the collections to include in the Smart Group.
6. Click the Collections tab.
7. Select the collections, and then click Save.

A collection includes the assets that you want to apply patches to. Collections are displayed here only if at least one asset is detected in the collection.

Note: You cannot change the autogenerated Smart Group.

Status information is provided for the following:

– Site Status - Displays the site status only, including the current status, site code, server availability (online or offline), event information, and version.
– Site Details - Displays information about the MS System Center Configuration Manager.

A unique identifier (the site code) is added to every SCCM Smart Group. This helps to identify the SCCM Site Server where the collection is from.

Deploying a Package to a Collection

Patches are immediately applied to the assets in the collection.

To deploy a package:

1. Select the collection in the Smart Groups browser pane.
2. Click the SCCM tab. Review the client list to ensure that all targets have the SCCM client installed.
3. Click Updates.
4. Review and select updates, and then click Deploy.


The page identifies the software available to deploy and the status of the software on the assets in the collection: Installed, Required, N/A, and Unknown.

5. On the Deployment Package Details page, enter the following information:
   – Package name, description and deployment package location.
   Note: The package source location must be entered as a UNC path (\\servername\share\package name) and must be unique for every package that you deploy. The share must already be created on the server. This is SCCM behaviour. Because the content staged in this share is what ends up running on every client in the collection, restrict write access on the share to the accounts that stage packages.
6. Select the optional additional settings:
   – Enforce an installation deadline for this deployment
   – Enable Wake On Lan when the deadline for this deployment has been reached
   – Enable user notifications
   – Enable reboot of client machines outside of maintenance window
   – Suppress system restart on Workstations
   – Suppress system restart on Servers
7. Click Deploy.

You can keep track of the successfully deployed packages on the Job page.
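The following PowerShell is an added example, not from the guide, of creating the package source share described in step 5 with an access control list that prevents anyone but packaging staff from altering the content. The share location, the group CORP\PKG-Admins, and the site server computer account CORP\SCCM01$ (assumed here to be the account that reads the source when SCCM distributes content) are assumptions; adjust them to your environment. New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example: create the package source share that SCCM deployments read from,
# with an ACL that keeps the content from being modified by anyone but packagers.
# Assumptions (not from the guide): the share lives on the site server, packaging
# staff are members of CORP\PKG-Admins, and the site server computer account
# CORP\SCCM01$ is what reads the source to distribute it.

$sharePath = 'D:\PackageSource'
$shareName = 'PackageSource$'        # hidden share; any name works

New-Item -ItemType Directory -Path $sharePath -Force | Out-Null

# NTFS: stop inheriting from the parent, then grant only what is needed.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)      # block inheritance, drop inherited rules
$grants = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('CORP\PKG-Admins',        'Modify'),           # stage and update packages
    @('CORP\SCCM01$',           'ReadAndExecute')    # site server reads the content
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Share permissions mirror the NTFS ones; the effective right is the more restrictive of the two.
New-SmbShare -Name $shareName -Path $sharePath `
    -FullAccess 'BUILTIN\Administrators' `
    -ChangeAccess 'CORP\PKG-Admins' `
    -ReadAccess 'CORP\SCCM01$' | Out-Null

# Every deployment needs its own folder; the guide notes that SCCM requires a
# unique source path per package.
$packagePath = "\\$env:COMPUTERNAME\$shareName\ExamplePackage-001"
if (Test-Path -Path $packagePath) { throw "Package source $packagePath already exists; choose a unique folder" }
New-Item -ItemType Directory -Path $packagePath -Force | Out-Null
"Package source ready for the Deployment Package Details page: $packagePath"
```

The UNC path printed at the end is the value to enter as the deployment package location. Keeping Modify rights off everything except the packaging group matters more than the share being hidden: a hidden share is not a security boundary, the ACL is.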

SCCM and 3rd Party Patching

If you are using SCCM, you can publish 3rd party patches to an Active Software Update Point (SUP) by configuring the Update Point (WSUS server) on the Configure > Patch Management tab in Retina CS.

Any SUP that has an active WSUS connection in Retina CS should not be used to create patch-enabled Smart Rules. For more information, see Connecting to a WSUS Server.

Using Group Policy to Configure SCCM Assets for 3rd Party Patches

Configuring SCCM assets to accept 3rd Party Patches involves two steps:

• Exporting the WSUS Certificate
• Configuring the Group Policy Object

Exporting the WSUS Certificate

Go through the steps in this section on the WSUS server that is the Active Software Update Point for SCCM.

For detailed information on exporting a certificate, refer to the Help file available with the Certificates snap-in.

To export a WSUS certificate:

1. Run mmc.exe, and then add the Certificates snap-in. Be sure to select Computer account, and Local computer.
2. Expand the WSUS node.
3. Right-click WSUS Publishers Self-signed and select All Tasks > Export.
4. In the Certificate Export Wizard, select the following:
   – No, do not export the private key
   – DER encoded binary X.509 (.CER)
   – Enter a file name for the certificate and go through the remaining pages of the wizard.

Exporting only the public certificate is deliberate: the private key stays on the WSUS server, where it signs the published updates, and the clients need only the public half to verify those signatures.
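The same export, as an added PowerShell example that is not part of the guide. It reads the certificate from the WSUS store on the Active Software Update Point and writes a DER-encoded .cer without the private key, then re-reads the file to confirm what was exported. The destination path and the default subject name "WSUS Publishers Self-signed" are assumptions. Export-Certificate comes with the PKI module on Windows Server 2012 / Windows 8 and later.

```powershell
# Added example: export the WSUS publishing certificate (public part only, DER .cer)
# from the WSUS store, equivalent to the MMC wizard steps above.
# Run in an elevated PowerShell session on the WSUS server.

$outFile = 'C:\Temp\WSUSPublishersSelfSigned.cer'   # assumption: destination path

# Assumption: the certificate carries the default WSUS subject name. If several
# exist (after a regeneration), take the one that expires last.
$cert = Get-ChildItem Cert:\LocalMachine\WSUS |
        Where-Object { $_.Subject -like '*WSUS Publishers Self-signed*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No WSUS publishing certificate found in Cert:\LocalMachine\WSUS' }

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

# -Type CERT writes DER-encoded X.509. Export-Certificate never writes private keys;
# that would need Export-PfxCertificate, which is exactly what we do not want here.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Checks worth doing before the file goes into a GPO.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)
"Subject    : $($reloaded.Subject)"
"Thumbprint : $($reloaded.Thumbprint)"
"Valid      : $($reloaded.NotBefore) - $($reloaded.NotAfter)"
"Private key in export: $($reloaded.HasPrivateKey)"    # must be False
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw 'Exported file does not match the certificate in the store' }
```

Record the thumbprint: it is the value to check for on the clients after the GPO in the next section has applied.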


Configuring the GPO

Use the following procedure to configure the Group Policy Object (GPO) that deploys the configuration to SCCM-enabled assets. The GPO saves the WSUS certificate to the appropriate certificate stores and configures the assets to accept third-party patches from non-Microsoft sources.

After the GPO is created, it must be linked to an OU that contains the SCCM assets that you want to receive 3rd party patches.

To configure assets using Group Policy on Windows Server domains:

1. Open Group Policy Management Console (GPMC) on a domain controller.
2. Create a GPO for the certificate at the domain level:
   a. Select the domain you want to use, and then click Action > Create a GPO in this domain, and Link it here.
   b. Enter a name for the GPO, and then click OK. For example, enter Patch Management Client Configuration Policy.
3. Select the new object, and then click Action > Edit.
4. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
5. Import the WSUS publishing certificate into both the Trusted Root Certification Authorities and the Trusted Publishers stores. Both are needed: Trusted Root lets the client build a chain to the self-signed certificate, and Trusted Publishers lets it accept code signed by that certificate without prompting.
6. Turn on signed updates in the Windows Update administrative template:
   a. Expand Computer Configuration > Policies > Administrative Templates > Windows Components, and then select Windows Update.
   b. Double-click Allow signed updates from an intranet Microsoft update service location.
   c. Select Enabled, and then click OK.
7. Select an OU or domain and create a link to this new GPO.
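To confirm that the GPO has actually reached an SCCM client, the following added PowerShell example (not part of the guide) checks the three things the procedure above configures: the certificate in both stores, the "Allow signed updates from an intranet Microsoft update service location" setting (stored under the WindowsUpdate policy key as AcceptTrustedPublisherCerts), and that the client is pointed at an intranet update server at all. The thumbprint is a placeholder; replace it with the thumbprint of the exported certificate.

```powershell
# Added example: verify on an SCCM client that the GPO above has taken effect.
# Assumption: $thumbprint is the thumbprint of the exported WSUS publishing
# certificate (placeholder value below; read the real one from the .cer file).
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

$results = [ordered]@{}

# 1. Certificate present in both stores the GPO populates.
foreach ($store in 'Root', 'TrustedPublisher') {
    $found = Get-ChildItem "Cert:\LocalMachine\$store" |
             Where-Object { $_.Thumbprint -eq $thumbprint }
    $results["Cert in LocalMachine\$store"] = [bool]$found
}

# 2. "Allow signed updates from an intranet Microsoft update service location"
#    is stored as AcceptTrustedPublisherCerts = 1 under the WindowsUpdate policy key.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$accept = (Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts
$results['AcceptTrustedPublisherCerts = 1'] = ($accept -eq 1)

# 3. The client is configured to use an intranet update service (the SUP) rather
#    than Microsoft Update; the SCCM client writes WUServer into local policy.
$wuServer = (Get-ItemProperty -Path $wuKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
$results['WUServer set'] = -not [string]::IsNullOrEmpty($wuServer)

# Report; any MISSING line means this asset will refuse the third-party updates.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if (@($results.Values) -contains $false) {
    Write-Warning 'Run "gpupdate /force" and re-check; confirm the GPO is linked to the OU containing this asset.'
}
```

A client that reports OK for the stores but MISSING for AcceptTrustedPublisherCerts will download the third-party update and then fail to install it, which is the symptom most often mistaken for a publishing problem on the WSUS side.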


Retina Protection Agents

Not supported in Retina CS Community.

In this section,

Overview

Downloading Retina Protection Agents

Configuring a Default Policy

Preparing Target Assets

Using the 3rd Party Deployment Tool

Updating RPA Licenses

Deploying the Protection Policies

Storing Retina Protection Agent Serial Numbers

Reviewing Details About Protection Agents

Removing Protection Agents

Configuring Protection Policies

Working with Rules and Rule Groups

Creating a Rule Group and Setting Rules

Creating a Protection Policy

Organizing Your Policies

Rules Reference


Overview

This section provides information on how the Retina Protection Agent deployment works.

How RP Agent Deployments Work

1. The Application Bus service receives a message from Retina CS to start a deployment. A deployment package is created that includes these files:
   • BlinkSetup.exe
   • #deploy.xml
   • deployc.pfx
   • msxml3.dll
   • msxml3r.dll
   • startdeplservice.exe
   To ensure secure deployment, the deployc.pfx file includes a security certificate, eEyeEmsClientCert.pfx. A .pfx container normally holds the private key together with the certificate, so the package is sensitive for as long as it is staged on the target.
2. The package is queued and then copied to a share on the target asset. This starts the deployment service (startdeplservice.exe), which sends job status messages to Retina CS. When the deployment is complete, startdeplservice.exe is removed from the asset.
3. The service runs BlinkSetup.exe, which installs the VS2008 runtime environment if required, and then the RPA.
4. The service reports to Retina CS that the installation was successful.


Downloading Retina Protection Agents

The Retina Protection Agent must be downloaded before you can deploy policies to selected assets.

You can obtain the Retina Protection Agent installer in one of the following ways:

• Download it through the Retina CS console.
• Copy the Retina Protection Agent installer to the following directory: $Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink\4.0.0. Change the name of the installer file to BlinkSetup.exe.
• Use the 3rd Party Deployment tool. See Using the 3rd Party Deployment Tool.

To deploy the protection agent:

1. Select the Assets tab.
2. Click Protect.
3. If the protection agent deployment package is not found, click Download Protection Agent. Progress messages are displayed during the download. A file size indicator updates every 10 seconds to show the status of the download.

After the Retina Protection Agent is downloaded, you must configure the Default policy.

Air Gapped Connectivity to Retina CS

If the server where Retina CS resides does not have an Internet connection, you can download Blink Professional and Blink Server from the client portal.

• Rename the Blink Professional installer to BlinkSetup.exe and copy it to the following directory: C:\Program Files (x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink\4.0.0\
• Rename the Blink Server installer to BlinkSetup.exe and copy it to the following directory: C:\Program Files (x86)\Common Files\eEye Digital Security\Shared Services Host\data\Setups\Blink Server\4.0.0\

Configuring a Default Policy

You must configure the Default policy so that agents use the Retina CS server as their central policy server.

To configure the Default policy:

1. Select the Configure tab.
2. Click Protection Policies.
3. Select Default policy, and then select Edit Policy.


4. Click the pencil icon next to Master Rules.

5. Expand Misc Options then select General.

6. Expand Central Policy.

7. Select the Yes check box to use central policy.

8. Use the default protocol, https.

9. Enter the Retina CS server name and password.

10. Click Update.

Preparing Target Assets

Assets must have appropriate permissions in place so that the protection

policies can be copied to the asset.


Using the 3rd Party Deployment Tool

Use the 3rd Party Deployment wizard to create Retina Protection Agent deployment packages. You can create a directory, executable, or .msi.

To create a deployment package:

1. Select Start > All Programs > eEye Digital Security > Tools > 3rd Party Deployment Wizard.
2. Select the directory where you want to create the package files and where the package will be deployed.
3. Select the check boxes for the type of deployment package: Create Directory, Create Executable, Create MSI.

4. Select Retina Protection Agent Setup information:
   – Setup filename - Displays the name for the .exe. The default value is BlinkSetup.exe.
   – Serial number - Enter the serial number for the Retina Protection Agent.
   – Mode - Select a mode: Interactive, Alert Only, Silent, Hidden.
   – Administrator password/confirm password - Enter a password.
   – Enable Firewall - Select to turn on firewall protection.
   – Enable Virus and Spyware Protection - Select to turn on virus and spyware protection.
   – Enable Intrusion Prevention - Select to turn on intrusion prevention.
   – Enable System Protection - Select to turn on system protection.
   – 3rd party AV uninstall password - Enter the password to uninstall existing anti-virus and intrusion prevention applications if detected during deployment.
   The package produced by the wizard carries the values entered here, including the passwords, so store and distribute it as you would any other credential-bearing artifact.
5. Click Next.
6. To activate central policy, select the Use Central Policy check box.
   a. Select the protocol: https, rem.
   b. Select the server name where Retina CS resides.
   c. Select the default policy.
   d. Enter the password for central policy.
   e. Enter the time interval to check for updates.
7. Click Next.
8. Select the Send REM events check box to activate REM events.
9. Click Next.
10. Enter your registration information and click Next.
11. Enter the URL to download updates. Click Next.


12. Click Finish.

Updating RPA Licenses

When your Retina Protection Agent (RPA) serial numbers are close to expiry, you can deploy a new serial number to all assets where RPAs are deployed.

To update the serial number:

1. Select the Assets tab.
2. Select Agents, and then click Relicense.
3. Select the assets from the Smart Groups browser pane.
4. In the Deploy section, select: currently selected assets, single IP address, IP range, CIDR notation or named host.
5. Select the check box to skip the assets that do not have an RPA deployed.
6. Enter credentials.
7. Enter the serial number.
8. Click Run.

Deploying the Protection Policies

Use the following procedure to deploy protection policies to selected assets and agents.

Checkpoint

– Policies are only available after you deploy Retina Protection Agents. For more information, see Downloading Retina Protection Agents.
– Before proceeding, you might want to customize your policies. For more information, see Configuring Protection Policies.

Note: Turn off the Require SSL setting in IIS Manager for the Retina CS default web site. Otherwise, the status displayed does not indicate when the deployment has successfully completed. Require SSL is a site-wide setting, so turning it off also permits unencrypted connections to everything else served from that site; weigh that against the need for deployment status reporting.


To deploy protection policies:

1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Select a policy and click Deploy.
3. Expand Status to determine the assets that already have Retina Protection Agents deployed. Select Don't perform deployment on these (n) assets to skip them, n being the number of assets in that list.
4. Expand Deploy to select the assets you want to apply the protection policies to: Smart Groups, Single IP, IP Range, CIDR Notation, or Named Host.
5. Expand Credentials Management to enter the domain, username, and password credentials for the assets to deploy on. Credentials are required. For IP Range and CIDR Notation, the policies are deployed to the assets that accept the credentials entered.
6. Expand Software Removal Tool, and select the Enabled check box. Enter a password, if required. This step is optional. Third-party anti-virus and intrusion prevention applications are uninstalled if detected during deployment.
7. Expand Advanced and enter the serial number and installation directory for the Retina Protection Agent.
8. Select the Enable Event Forwarding check box to view malware and vulnerability events on the Retina CS console.
9. Select the Force installation of Protection Agent check box to deploy the protection agent to the selected targets.
10. Click Request Protection Agent Update to automatically download updates for the protection agent.
11. Click Start Deploy.

Click Show Status to view the progress of the deployment; or click the Jobs tab.

Storing Retina Protection Agent Serial Numbers

You can set a serial number as the default so that you do not need to enter the serial number every time you deploy an agent.

The serial number is displayed differently depending on the permissions that you are assigned. If you are assigned the Protection Policy Management permission, all digits of a saved serial number are displayed and the Save as Default button is available.


If you are only assigned the Deployment permission, only the last section of the serial number is displayed and the Save as Default button is not displayed.

You can clear the Use Default Serial check box at any time and then enter another serial number.

For more information about permissions, see User Group Permissions.

Reviewing Details about Protection Agents

You can review the following information for a protection agent on the Agents tab:

• Policy name
• Protection agent version
• Computer name where the agent is deployed
• Operating system

To review protection agent details:

1. Select the Agents tab.
2. To review only protection agent information, click the Preferences button and clear any Retina scanner check boxes (for example, Retina Version and Agent Name). This is optional.
3. Click the Filters button to set sorting information on the protection agents. This is optional, and helpful if there are a lot of protection agents deployed in your environment. Note that you cannot sort by Protection Agent Policy name.


Removing Protection Agents

You can remove a deployed protection agent from an asset.

To remove a protection agent:

1. Click the Assets tab.

2. Click the Agents tab.

3. Click Uninstall.

4. Enter the IP addresses for the assets.

5. Enter the credentials, and then click Run.


Configuring Protection Policies

In this section,

Working with Rules and Rule Groups
Creating a Rule Group and Setting Rules
Creating a Protection Policy
Organizing Your Policies
Rules Reference

When setting up a protection solution using Retina CS, you need to determine the rules that you want to use to protect your assets. Retina CS ships with a set of default rules and rule groups.

After you determine the rule set and configure rules, you can attach the rule groups to a policy. The policy is then deployed to your assets.

Working with Rules and Rule Groups

When creating rules and rule groups, review the following sections to understand how they work.

Rule Group Ordering

When there is more than one rule group attached to a policy, the rules for all attached groups are automatically merged into an effective set of rules for the policy.

Where a specific rule is set in more than one attached group, the group that is located higher in the list of attached groups takes priority. You can click and drag attached Rule Groups to change their order and thus their relative priority.

Retina CS ships with a set of default rules. Each new policy automatically inherits these default settings; some rules are "on" while others are "off." Changing a default value is considered an override even if that setting is later changed back to its default state. This matters because, when multiple Rule Groups are merged in a policy, only overrides are considered; rules still in their "factory default" state are not.

To remove all rule setting overrides from a rule category in a Rule Group, select that category and click the arrow next to the category title. In the context menu that appears, select "Revert to factory."


For example, consider three cases where two Rule Groups are attached to a policy, Group A (highest priority) and Group B, and the factory default setting for a particular rule is "off".

o Case 1: In Group B, the rule is set to "on". The rule in Group A has never been changed and is still at its "default". The effective merged setting is "on".
o Case 2: The rule in Group B is set to "on", but in Group A the rule was previously set to "on" and later set back to "off". Because that "off" is now an override of the default, the effective merged setting is "off".
o Case 3: The rule category containing the rule is reverted to factory default in Group A, and the effective merged setting is once again "on"; this case is now identical to the first.

Master Rules

Every policy has a set of Master Rules, which can be considered a non-shared Rule Group (it is specific to one policy only) that always has the highest priority when rules are merged. Any rule set in the Master Rules section overrides the same rule setting in any attached group.
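The merge semantics of Rule Group Ordering and Master Rules, modelled in PowerShell as an added example (this is illustrative code, not the product's implementation). A rule group is represented as a hashtable of rule name to setting in which a rule that has never been changed from its factory default is simply absent, which is what "Revert to factory" produces; any entry that is present counts as an override even when its value equals the factory default. The rule names and the function names are this example's own.

```powershell
# Added example: merge attached Rule Groups and Master Rules into the effective
# rule set, following the priority rules described above. Not product code.

# Factory defaults for a few illustrative rules (names are constructed).
$FactoryDefaults = @{
    'Block inbound SMB'   = 'off'
    'Log dropped packets' = 'off'
    'Allow outbound HTTP' = 'on'
}

function Merge-RuleGroups {
    param(
        [hashtable]   $Master,                     # the policy's Master Rules: always highest priority
        [hashtable[]] $AttachedGroups,             # in list order: index 0 is the highest-priority attached group
        [hashtable]   $Defaults = $FactoryDefaults
    )
    $effective = @{}
    foreach ($rule in $Defaults.Keys) {
        # Walk from highest to lowest priority; the first group holding an override wins.
        $value = $null
        foreach ($group in (@($Master) + $AttachedGroups)) {
            if ($null -ne $group -and $group.ContainsKey($rule)) { $value = $group[$rule]; break }
        }
        if ($null -eq $value) { $value = $Defaults[$rule] }   # nobody overrode it: factory default applies
        $effective[$rule] = $value
    }
    return $effective
}

# Case 1: Group B turns the rule on; Group A (higher priority) never touched it.
$groupA = @{}
$groupB = @{ 'Block inbound SMB' = 'on' }
'Case 1: {0}' -f (Merge-RuleGroups -Master @{} -AttachedGroups @($groupA, $groupB))['Block inbound SMB']

# Case 2: Group A set the rule on and later back to off. The entry is still present,
# so the "off" is an override and takes priority over Group B.
$groupA = @{ 'Block inbound SMB' = 'off' }
'Case 2: {0}' -f (Merge-RuleGroups -Master @{} -AttachedGroups @($groupA, $groupB))['Block inbound SMB']

# Case 3: Group A's category is reverted to factory, which removes the override;
# the situation is identical to case 1 again.
$groupA.Remove('Block inbound SMB')
'Case 3: {0}' -f (Merge-RuleGroups -Master @{} -AttachedGroups @($groupA, $groupB))['Block inbound SMB']

# Master Rules beat every attached group regardless of ordering.
$master = @{ 'Block inbound SMB' = 'off' }
'Master: {0}' -f (Merge-RuleGroups -Master $master -AttachedGroups @($groupA, $groupB))['Block inbound SMB']

# Dragging a group up or down the attached list is the same as changing its index here.
'Swapped: {0}' -f (Merge-RuleGroups -Master @{} -AttachedGroups @($groupB, $groupA))['Block inbound SMB']
```

The practical consequence for policy review is that the effective rule set cannot be read off any single group: a rule that looks "off" in a high-priority group may be an override that silently disables a protection another team turned on in a lower group. Reverting the category, rather than setting the value back by hand, is the only way to make the group stop participating in the merge for that rule.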

Creating a Rule Group and Setting Rules

A Rule Group is a container for the rules that you want to apply to protect your assets. In Retina CS, a rule group can contain any combination of rule categories, including system firewall, application firewall, IPS signatures, and Trusted and Banned IPs. In each rule category, there are particular rules that you can activate if you want to provide that specific protection to your asset.

Rule groups provide proactive and reactive protection against intruders, internal attack and machine misuse. When assigned to a policy, rule groups are applied to assets, such as networks, servers, workstations and laptops.

To create a rule group:

1. Select the Dashboard tab and click Protect; or select the Assets tab, and then click Protect.
2. Click Manage Rule Groups.
3. On the Manage Rule Groups page, you can:
   – Click + to add a rule group. Enter a name for the rule group.
   – Select the rule group from the Rule Groups pane to change the rule group properties. You can type the name of the rule group in the box to search for the rule group.
   – Select the rule group and click - to delete the rule group.


4. Select a rule group, then select a rule category to display the associated rules. Rule categories with arrows contain subcategories. Click the arrow to display the subcategories; select the subcategory to display the rules.
5. Select a rule name check box to activate the rule. To create a rule, go to Rules.
6. Click Revert to revert to either the last saved or the default value for the rule category.
7. Click Update.

Creating a Protection Policy

Create a policy that defines the rules you want to apply to your assets.

You can create a dynamic protection policy. A dynamic policy includes conditions that determine the assets where the protection policy will be applied. For more information, see Creating a Dynamic Policy.

Checkpoint

– At least one policy category must be created to create a policy. See Organizing Your Policies.

To create a protection policy:

1. Select the Assets tab.
2. Click Protect. You can also create a policy from the Configure tab.
3. Click New Policy. Drag rule groups to the rules pane. For more information, see Rule Groups.
4. Click Create.
5. Enter the name of the policy and the policy group to which it is a member. Click Update when editing an existing policy.

Creating a Dynamic Policy

You can attach a location to a policy. When a policy is processed, rule groups and locations in the policy are also processed.

Locations and conditions define when a policy will be deployed to particular assets.

• Location - One or more conditions.
• Condition - A set of criteria that determines the assets.


Assets in an environment can change or be removed. The policy is dynamic since only those assets that meet the criteria in the condition are included.

You manage locations from an existing policy or while creating a new policy.

The following procedure shows you how to create a condition and add the condition to a location.

To create a dynamic policy:

1. Select the Dashboard tab, and then click Protect; or select the Assets tab and click Protect.
2. Click New Policy. You can also add locations to existing policies.
3. Click Add Location.
4. From the Location menu, select Manage Locations.
5. Click the + sign. Enter a name and click Create.
   To edit an existing location, select the location from the Location pane. To delete a location, select the location from the Location pane and click the - sign.
6. Click Manage. On the Manage Conditions window, you can create and delete conditions.
   a. Click + to create a condition. Enter a name and click Create.
   b. Select Command or Script from the Command Type list.

   Command options:

   CheckReachable - In the Command Parameters box, type the IP address or domain name. Pings the IP address or domain name to verify access in the network. For example, if the IP address or domain is reachable, then the policy can be applied.


   CompareVersion - Verifies which version of the protection agent is installed on the assets. This feature will be available at a later date.

   VerifyDNS - In the Command Parameters box, type the IP address. Confirms the Domain Name System server.

   VerifyDHCP - In the Command Parameters box, type the IP address. Confirms the Dynamic Host Configuration Protocol server.

   Script options:

   Script Name - Java or Visual Basic script file. Click Upload Script to upload a script.

   Script Parameters - Script file location.

   c. Select the Network Status Change Events check box if you want to log network status changes.
   d. Click Update.
7. Drag the condition from the Conditions pane.
8. More than one condition can apply to a location. The following operators are available:

   And = &
   Or = |
   Not = !
   Parentheses group conditions


9. Click Update.
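As an added example (not code from the guide or the product), the following PowerShell evaluates location expressions built from named conditions and the operators listed in step 8, with ! binding tightest, then &, then |, and parentheses grouping. The condition names and their results are constructed for the demonstration; in a real location each would be the outcome of a CheckReachable, VerifyDNS, VerifyDHCP or script condition.

```powershell
# Added example: evaluator for location expressions using the operators
# & (and), | (or), ! (not) and parentheses over named conditions.

function Get-ExpressionTokens {
    param([string] $Expression)
    # Tokens are condition names (letters, digits, _) and the single characters & | ! ( ).
    $tokens = New-Object System.Collections.Generic.List[string]
    $i = 0
    while ($i -lt $Expression.Length) {
        $c = $Expression[$i]
        if ([char]::IsWhiteSpace($c)) { $i++; continue }
        if ('&|!()'.IndexOf($c) -ge 0) { $tokens.Add([string]$c); $i++; continue }
        if ([char]::IsLetterOrDigit($c) -or $c -eq '_') {
            $start = $i
            while ($i -lt $Expression.Length -and
                   ([char]::IsLetterOrDigit($Expression[$i]) -or $Expression[$i] -eq '_')) { $i++ }
            $tokens.Add($Expression.Substring($start, $i - $start))
            continue
        }
        throw "Unexpected character '$c' at position $i"
    }
    return ,$tokens.ToArray()     # the comma keeps a one-token result as an array
}

# Recursive descent: or := and ('|' and)* ; and := primary ('&' primary)* ;
# primary := '!' primary | '(' or ')' | NAME.  $State is a hashtable {Tokens; Pos}
# so the position advances across the helper calls.
function Invoke-ParsePrimary {
    param($State, [hashtable] $Conditions)
    $tok = $State.Tokens[$State.Pos]
    if ($null -eq $tok) { throw 'Unexpected end of expression' }
    if ($tok -eq '!') {
        $State.Pos++
        return (-not (Invoke-ParsePrimary $State $Conditions))
    }
    if ($tok -eq '(') {
        $State.Pos++
        $value = Invoke-ParseOr $State $Conditions
        if ($State.Tokens[$State.Pos] -ne ')') { throw "Expected ')' at token $($State.Pos)" }
        $State.Pos++
        return $value
    }
    if ($tok -in '&', '|', ')') { throw "Unexpected '$tok' at token $($State.Pos)" }
    if (-not $Conditions.ContainsKey($tok)) { throw "Unknown condition '$tok'" }
    $State.Pos++
    return [bool]$Conditions[$tok]
}

function Invoke-ParseAnd {
    param($State, [hashtable] $Conditions)
    $value = Invoke-ParsePrimary $State $Conditions
    while ($State.Tokens[$State.Pos] -eq '&') {
        $State.Pos++
        $right = Invoke-ParsePrimary $State $Conditions   # parsed even if $value is already false
        $value = $value -and $right
    }
    return $value
}

function Invoke-ParseOr {
    param($State, [hashtable] $Conditions)
    $value = Invoke-ParseAnd $State $Conditions
    while ($State.Tokens[$State.Pos] -eq '|') {
        $State.Pos++
        $right = Invoke-ParseAnd $State $Conditions
        $value = $value -or $right
    }
    return $value
}

function Test-LocationExpression {
    param([string] $Expression, [hashtable] $Conditions)
    $state = @{ Tokens = Get-ExpressionTokens $Expression; Pos = 0 }
    $result = Invoke-ParseOr $state $Conditions
    if ($state.Pos -ne $state.Tokens.Count) { throw "Trailing input at token $($state.Pos)" }
    return $result
}

# Constructed condition results (assumed names; in practice these come from
# CheckReachable, VerifyDNS, VerifyDHCP or script conditions).
$conditions = @{
    OnCorpDns    = $true    # VerifyDNS against the internal DNS server succeeded
    OnCorpDhcp   = $true    # VerifyDHCP against the internal DHCP server succeeded
    VpnGatewayUp = $false   # CheckReachable against the VPN concentrator failed
}

# "On the corporate LAN, or connected through the VPN":
'LAN or VPN      : {0}' -f (Test-LocationExpression '(OnCorpDns & OnCorpDhcp) | VpnGatewayUp' $conditions)
# "Neither on the LAN nor on the VPN", the case for a stricter travelling policy:
'Untrusted network: {0}' -f (Test-LocationExpression '!(OnCorpDns & OnCorpDhcp) & !VpnGatewayUp' $conditions)
```

Keep in mind what these conditions prove: a ping answer, a DNS server at a given address or a DHCP lease are all things a hostile network can supply, so a location expression selects which policy to apply but does not authenticate where the asset really is. The more permissive policy should therefore be the one that requires the most conditions, and the restrictive policy the fallback when the expression is false.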


Organizing Your Policies

A policy category is a set of similar policies. A policy must be assigned to a category when the policy is created.

To organize policies:

1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect. You can also create a category from the Configure tab.
2. Click New Policy Category.
3. Enter the policy category name and click Create.
4. Drag policies from other policy categories to populate the new policy category.


Rules Reference

As mentioned earlier, a protection policy contains the security rules that are deployed to your assets. This section details the rules available to you.

You can create, copy, edit, and delete rules. You cannot create rules for the following rule categories: Identity Theft and Analyzers.

To copy, edit, or delete a rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups. You can also manage rule groups from the Configure tab (Protection Policies).
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.
4. Select the rule category.
5. Select a rule name check box to activate the rule.
6. Select the rule, click the arrow and select one of the following menu items:
   – Edit Rule - to edit the selected rule. Click the pencil icon to change the settings.
   – Duplicate Rule - to create a copy of the rule. Edit the new rule as needed.
   – Delete Rule - to delete the selected rule.
   Note that menu items are not available on all rules.

System Wide Firewall Rules

System Wide Firewall rules control the flow of data by examining each packet and determining whether to forward the packet toward a specific destination.

To create system-wide firewall rules:

1. Select the Dashboard tab and click Protect; or select the Assets tab and click Protect.
2. Click Manage Rule Groups.
3. Select a rule group from the Rule Groups pane. You can also type the name of the rule group in the box to search for a rule group.


4. Select the System Firewall rule category.
5. Click Create New Rule to start the wizard.
6. Complete the following pages.
   a. Action
      – Allow - traffic that matches the rule can pass through the firewall.
      – Deny - traffic that matches the rule cannot pass through the firewall.
      – Ask - a message is displayed requesting permission to pass through the firewall.
      – Log event - select to create an event log entry when the rule is matched.
      – Alert user - receive and log alerts from Blink when the rule is matched. This can create a flood of alerts and increase the size of the log file.
   b. Protocol
      – Select a protocol - TCP, UDP, TCP or UDP, ICMP, IP
   c. Traffic Direction
      – Traffic from Other Computers - filters only inbound traffic received by your computer.
      – Traffic from This Computer - filters only outbound traffic sent from your computer.
      – Any Direction - filters both inbound and outbound traffic.
   d. Local IPs & Ports
      – Rule applies to all IP addresses - Create a rule for all local IP addresses.
      – Specific local IP addresses - Click +, and then select: Determine IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.
      – Rule applies to all ports - Create a rule for all ports.
      – Specific ports - Click +, and then enter a port number, port list, or port range.


Use a comma to separate values. Ports in a range are separated

with a hyphen.

e. Remote IPs & Ports

Options on this page are the same as Local IPs & Ports page.

f. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.


Application Firewall Rules

Application Firewall rules tailor the protection closer to the applications and

the specific network environment being protected.

To create an Application Firewall rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can also type the

name of the rule group in the text box to search for the rule group.

4. Select the Application Firewall rules category. 

5. Click Create New Rule to start the rule wizard.

a. Application

– Full Path – Retina CS compares the path stored in the firewall

rule to the path of the application requesting network access.

The rule triggers when there is a match. Select this option for

applications that are typically updated during normal use, because

the path survives an update while a checksum does not. Note that a

path match does not verify the file's contents: whatever is written

to that path inherits the rule.

– Process Name - Retina CS compares the process name stored in the

rule to the name of the process that is requesting network access.

The rule triggers when there is a match. This is the least secure

option, because any executable can be renamed to match.


– MD5 - Retina CS stores an MD5 checksum of the specified

application. At run-time, Retina CS compares this stored checksum

to the checksum of the application that is requesting network

access. The rule triggers when there is a match. This is the default

value and the most secure of the three options, because it identifies

the file by its contents rather than by a name or location that any

executable can take; however, if the application changes during an

auto-update, the checksum no longer matches and the rule silently

stops applying until the stored value is updated. If selected, enter

the MD5 value. Note that MD5 is a checksum, not a digital signature:

it detects changes to the file, but it is no longer collision

resistant and is not proof that a file came from a particular

publisher.

– System Process – filters the system process requests from the

Operating System or Kernel Drivers running under a system

context. Typical system processes include printing and file

sharing. 

b. Action

– Allow – traffic that matches the rule can pass through the

firewall.

– Deny – traffic that matches the rule cannot pass through the

firewall.

– Ask – a message is displayed requesting permission to pass

through the firewall.

– Log event check box – select to create an event log when the

rule is matched.

– Alert user check box - receive and log alerts from Blink when

the rule is matched. This can create a lot of alerts and increase

the size of the log file.

c. Protocol

– Select a protocol – TCP, UDP, or TCP or UDP

d. Traffic Direction

– Traffic from Other Computers - filters only inbound traffic

received by your computer.

– Traffic from This Computer - filters only outbound traffic

sent from your computer.

– Any Direction - filters both inbound and outbound traffic.

e. Local IPs & Ports

– Rule applies to all IP addresses – Create a rule for all local IP

addresses.

– Rule applies to all ports – Create a rule for all ports.


– Specific ports – Click +, and then enter a port number, port list,

or port range.

Use a comma to separate values. Ports in a range are separated

with a hyphen.

f. Remote IPs and Ports

Options on this page are the same as Local IPs & Ports page.

g. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.
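The two procedures above build an ordered rule list in which the first matching rule decides what happens to a packet, which is why "Place at the top of the rule list" matters. The following simulator is an added example, not Retina CS or BeyondTrust code: its field names mirror the wizard pages (action, protocol, traffic direction, local and remote IPs and ports, and the application path of an Application Firewall rule), but first-match evaluation, the implicit "deny" default, the Packet record and the rule set are assumptions constructed here for illustration.

```python
"""Simulator of the ordered rule list built by the System Wide and
Application Firewall wizards.  Added example, not Retina CS code; the
first-match semantics, 'deny' default and sample data are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def parse_ports(spec: str) -> Optional[set]:
    """Wizard syntax: comma-separated ports, ranges with a hyphen
    ('80, 443, 8000-8010').  Empty means 'rule applies to all ports'."""
    if not spec.strip():
        return None
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 < lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return ports


def parse_ips(spec: str) -> Optional[list]:
    """Single IP, 'first-last' range or CIDR subnet, comma-separated.
    Empty means 'rule applies to all IP addresses'."""
    if not spec.strip():
        return None
    nets = []
    for item in (s.strip() for s in spec.split(",")):
        if "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def ip_in(spec: str, ip: str) -> bool:
    nets = parse_ips(spec)
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


# Protocol choices offered by the wizard; 'ip' covers every IP protocol.
PROTOCOLS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcp_or_udp": {"tcp", "udp"},
             "icmp": {"icmp"}, "ip": {"tcp", "udp", "icmp", "other"}}


@dataclass
class Rule:
    name: str
    action: str                 # allow | deny | ask
    protocol: str = "ip"
    direction: str = "any"      # inbound | outbound | any
    local_ips: str = ""         # "" = all local IP addresses
    local_ports: str = ""       # "" = all ports
    remote_ips: str = ""
    remote_ports: str = ""
    app: Optional[str] = None   # Application Firewall rule: full path; None = system-wide

    def __post_init__(self):
        self.local_port_set = parse_ports(self.local_ports)
        self.remote_port_set = parse_ports(self.remote_ports)


@dataclass
class Packet:
    protocol: str
    direction: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    app: str = ""               # path of the process owning the socket


def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.protocol not in PROTOCOLS[rule.protocol]:
        return False
    if rule.direction not in ("any", pkt.direction):
        return False
    if rule.app is not None and rule.app.lower() != pkt.app.lower():
        return False
    if not ip_in(rule.local_ips, pkt.local_ip) or not ip_in(rule.remote_ips, pkt.remote_ip):
        return False
    if rule.local_port_set is not None and pkt.local_port not in rule.local_port_set:
        return False
    return rule.remote_port_set is None or pkt.remote_port in rule.remote_port_set


def evaluate(rules, pkt: Packet, default: str = "deny"):
    """First matching rule decides; a rule placed at the top overrides
    an earlier, broader rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None


def place_at_top(rules, rule: Rule):
    return [rule] + list(rules)


# Constructed rule set and endpoints for the demonstration.
BROWSER = r"C:\Program Files\Browser\browser.exe"
NETCAT = r"C:\Tools\nc.exe"
RULES = [
    Rule("Allow HTTPS out", "allow", "tcp", "outbound", remote_ports="443"),
    Rule("Deny telnet/ftp out", "deny", "tcp", "outbound", remote_ports="21, 23"),
    Rule("Allow LAN DNS", "allow", "udp", "outbound", remote_ips="10.0.0.0/24", remote_ports="53"),
]


def demo():
    """nc.exe talking to port 443 is allowed by the broad HTTPS rule until
    an application rule denying it is placed at the top of the list."""
    nc = Packet("tcp", "outbound", "10.0.0.5", 51001, "203.0.113.10", 443, NETCAT)
    before = evaluate(RULES, nc)
    after = evaluate(place_at_top(RULES, Rule("Block netcat", "deny", app=NETCAT)), nc)
    return before, after
```

The `demo()` call shows the ordering problem in practice: a system-wide "allow outbound 443" rule also lets an unwanted tool tunnel out over 443, and only a more specific rule placed above it changes the verdict.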

IPS Signature Rules

You can create IPS network signatures that filter a specific protocol, such as

FTP, ICMP, and SMTP. For example, you can create an application layer IPS

signature that filters traffic from the subject line of all incoming or outgoing

email messages associated with the EMAIL protocol. 

When you create an IPS signature rule, you can choose the Network Layer

or Application Layer protocol. The wizard pages change depending on the

protocol that you select.

For the following procedure, the wizard pages described assume CGI Scripts

and Network Layer options are selected.

To create an IPS signature rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the box to search for the rule group.

4. Expand IPS Signatures and select a subcategory to display the

associated rules.

5. Click Create New Rule to start the wizard.

Protocol

Select a protocol.

IP Protocol

– Fragment Flags – Select the check box, then select the flag to test:

More Fragments, Don't Fragment Bit, or Reserved Bit, and how to test it:

– Don't Care – The flag is ignored.

– Set – The rule matches only when the flag bit is 1.

– Not Set – The rule matches only when the flag bit is 0.

– IP ID – Select Less Than, Equal To, or Greater Than and set the ID

number.

– IP Protocol – Select Less Than, Equal To, or Greater Than and set

the protocol.

– Time to Live – Select Less Than, Equal To, or Greater Than and set

the time.

– IP Options – Select Record Route, End of Option List, No

Operation, Internet Timestamp, Security, Loose Source Routing, or

Strict Source Routing.

– Type of Service – Select the service: Minimize Delay, Maximize

Throughput, Maximum Reliability, or Minimize Monetary Cost.

Traffic Direction

– Inbound – Filters only inbound traffic received by your computer.

– Outbound – Filters only outbound traffic sent from your computer.

– Both – Filters both inbound and outbound traffic.

Local IPs & Ports

– Rule applies to all IP addresses – Create a rule for all local IP

addresses.

– Specific local IP addresses – Click +, and then select: Determine

IP(s) at run-time, Single IP, IP Range, or Subnet. Click Set.

– Rule applies to all ports – Create a rule for all ports.

– Specific ports – Click +, and then enter a port number, port list, or

port range.

Use a comma to separate values. Ports in a range are separated with a

hyphen.

Remote IPs & Ports

Options on this page are the same as Local IPs & Ports page.

Search Pattern

– Click +, and then type the pattern to search on.

You can create patterns using hex characters or a combination of

ASCII and hex characters. A hex sequence must be enclosed in < >.


– Start – (Optional) Enter the number of bytes to skip from the

beginning of the packet’s payload.

– Depth – Enter the total number of bytes to search in the packet’s

payload.

– Trigger rule if pattern not found – (Optional) Invert the match: the

rule triggers when the pattern is absent from the searched bytes, and

does not trigger when it is present.

– Use regular expressions – (Optional) Interpret the pattern as a

regular expression rather than a literal byte sequence, for example to

find a specific word followed by any alphanumeric character.

– Match case on pattern – (Optional) Find a pattern that matches

the case in the Pattern field.

– Match only on patterns of same size – (Optional) Find a pattern

that matches the size in the Pattern field.

Action

– Stop attack – Stop the attack by terminating the session or dropping

packets.

– Capture Packets – Hold the packet for review by the user.

– Block IP for – Add the source address to the banned list for the

specified number of minutes. Available only for TCP-based IPS signatures.

This is not recommended for spoofable protocols, such as IP, UDP

and ICMP: an attacker can forge packets that carry the source address

of a critical system so that the address is added to the banned list,

turning the protection into a denial of service against that system.

(A TCP session requires the handshake to complete, so its source

address is much harder to forge.) Specify the frequency of the action.

– Log event – Create an event log when the rule is matched.

– Alert user – Receive and log alerts from RPA when the rule is

matched. This can create a flood of alerts and increase the size of the

log file.

Specify Threshold

– Take action for every occurrence of the event – When the

pattern is found, the action defined on the Action page occurs.

– Take action when the threshold is exceeded – When the number of

matches exceeds the threshold within the specified interval, the action

defined on the Action page occurs.

The default is one event every one second.

Specify References

– (Optional) Enter more information about the vulnerabilities and

exploits.


The information helps to define what the IPS signature protects

against.

Set More Details

– Enter more information about the rule.

– Rule severity – Select a severity between 0 and 9 (highest severity).

The severity level is included in the event log.

Rule Summary

Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.
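The Search Pattern page is the part of an IPS signature that does the real work, and its options interact (Start and Depth narrow the window, case and regex change how the pattern is read, "not found" inverts the verdict). The matcher below is an added example, not Retina CS code: it implements the documented pattern syntax (ASCII with hex runs enclosed in < >) and the Start, Depth, Trigger-if-not-found, Use regular expressions and Match case options over constructed FTP and HTTP payloads. The Signature and scan names are this example's own, and "Match only on patterns of same size" is not modelled.

```python
"""Matcher for the IPS signature 'Search Pattern' page.  Added example,
not Retina CS code; signatures and payloads below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


def compile_pattern(text: str) -> bytes:
    """'USER <0d0a>' -> b'USER \\r\\n'.  Hex digits inside < > are decoded;
    everything else is taken as literal ASCII."""
    out, pos = bytearray(), 0
    while pos < len(text):
        if text[pos] == "<":
            end = text.find(">", pos)
            if end < 0:
                raise ValueError("unterminated hex sequence in pattern")
            out += bytes.fromhex(text[pos + 1:end].replace(" ", ""))
            pos = end + 1
        else:
            out += text[pos].encode("ascii")
            pos += 1
    return bytes(out)


@dataclass
class Signature:
    name: str
    pattern: str
    start: int = 0                  # bytes skipped from the start of the payload
    depth: Optional[int] = None     # bytes searched after Start; None = to the end
    trigger_if_not_found: bool = False
    regex: bool = False
    match_case: bool = True

    def matches(self, payload: bytes) -> bool:
        end = None if self.depth is None else self.start + self.depth
        window = payload[self.start:end]
        pat = compile_pattern(self.pattern)
        if self.regex:
            flags = 0 if self.match_case else re.IGNORECASE
            found = re.search(pat, window, flags) is not None
        elif self.match_case:
            found = pat in window
        else:
            found = pat.lower() in window.lower()
        # 'Trigger rule if pattern not found' inverts the verdict.
        return found != self.trigger_if_not_found


def scan(signatures, payload: bytes):
    """Names of the signatures that fire on one packet payload."""
    return [s.name for s in signatures if s.matches(payload)]


# Constructed signatures: an FTP USER command with an overlong argument
# (regex, with the hex CRLF inside a character class), a case-insensitive
# CGI path check limited to the first 64 bytes, and a check that fires
# when no line ending appears in the first 64 bytes.
SIGNATURES = [
    Signature("FTP USER overflow", "USER [^<0d0a>]{200,}", regex=True),
    Signature("CGI request", "/cgi-bin/", depth=64, match_case=False),
    Signature("No CRLF in first 64 bytes", "<0d0a>", depth=64, trigger_if_not_found=True),
]

# Constructed payloads.
FTP_ATTACK = b"USER " + b"A" * 300 + b"\r\n"
FTP_NORMAL = b"USER anonymous\r\n"
HTTP_CGI = b"GET /CGI-BIN/test.cgi HTTP/1.0\r\nHost: x\r\n\r\n"
```

Running `scan(SIGNATURES, FTP_ATTACK)` fires both the overflow signature and the missing-CRLF check, because the first 64 bytes of an overlong command line never reach a line ending; `scan(SIGNATURES, HTTP_CGI)` fires only the CGI check, and it does so only because Match case was cleared. Limiting Depth keeps the byte-for-byte search to the part of the payload where the protocol element can legitimately appear, which both reduces false positives and bounds the per-packet cost.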

Trusted and Banned IPs

You can set trusted and banned IP addresses to manage lists of hosts

processed by the Firewall and IPS protection engines. You must activate

Intrusion Prevention or System Firewall to use the Trusted and Banned IPs

feature.

l Trusted IPs – Add the IP address or range of IP addresses of trusted

critical machines. All data from the trusted systems is then allowed

without Firewall or IPS inspection. Note that if a trusted system attacks

your Retina CS-protected server or workstation, the attack will not be

detected, so keep this list short and limited to hosts you control.

l Banned IPs – Provides time-based traffic blocking from an IP address.

You can ban an IP for a period of time or indefinitely. Data flowing from

known problematic hosts can be discarded without further processing.

If an IP address is added to the Trusted list and Banned list, that IP address

is banned.

All IPS Analyzer rules and signatures can be configured to ban the

attacker's IP address for a certain amount of time. For example, you can

slow down someone trying to guess an FTP account password by blocking

their address from the server for 10 minutes after every 10 failed

attempts that occur in less than three minutes.

To create a Trusted IP or Banned IP rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can also type the

name of the rule group in the box to search for a rule group.


4. Select the Trusted IPs or Banned IPs rule category.

5. Click Create New Rule to start the wizard.

6. Enter the IP address, IP address range, or subnet.

7. Specify the time the IP remains on the list as either Permanent or Keep

for [n] Minutes. You can also include a date and time. The IP address is

automatically deleted from the IP list after the time period elapses.

8. Enter a description for the IP address.

9. Click Set. The IP address displays in either Trusted IPs or Banned IPs

list.

10. Click Update.
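The Trusted and Banned lists, the time-limited ban, and the IPS threshold described above combine into the password-guessing defence used as the example in this section. The following code is an added example, not Retina CS or Retina Protection Agent code: it models a trusted list, a banned list with permanent and expiring entries (banned wins when an address is on both, as stated above), a sliding-window threshold counter, and a handler that bans a source for 10 minutes after 10 failed attempts within three minutes. Class and method names are this example's own, time is passed in explicitly so the scenario is deterministic, and the addresses are constructed.

```python
"""Trusted/Banned IP lists plus the IPS threshold, combined as in the
guide's FTP example.  Added example, not Retina CS code; names,
time handling and the scenario are this example's assumptions."""
import ipaddress
from collections import defaultdict, deque


class IpLists:
    """Trusted and banned address lists.  An address on both lists is
    banned; bans are permanent or expire after a number of minutes."""

    def __init__(self):
        self.trusted = []      # networks
        self.banned = {}       # network -> expiry time (None = permanent)

    def trust(self, spec):
        self.trusted.append(ipaddress.ip_network(spec, strict=False))

    def ban(self, spec, now, minutes=None):
        expiry = None if minutes is None else now + minutes * 60
        self.banned[ipaddress.ip_network(spec, strict=False)] = expiry

    def disposition(self, ip, now):
        """'banned' (drop without further processing), 'trusted' (bypass
        Firewall and IPS inspection) or 'inspect'."""
        addr = ipaddress.ip_address(ip)
        self.banned = {n: e for n, e in self.banned.items() if e is None or e > now}
        if any(addr in n for n in self.banned):
            return "banned"
        if any(addr in n for n in self.trusted):
            return "trusted"
        return "inspect"


class Threshold:
    """'Take action when the threshold is exceeded': fire once `count`
    events from one source fall within `seconds` (default 1 per 1 s)."""

    def __init__(self, count=1, seconds=1.0):
        self.count, self.seconds = count, seconds
        self.events = defaultdict(deque)

    def record(self, ip, now):
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] >= self.seconds:
            q.popleft()                 # drop events outside the window
        if len(q) >= self.count:
            q.clear()                   # start a fresh window after firing
            return True
        return False


def handle_failed_login(lists, threshold, ip, now, ban_minutes=10):
    state = lists.disposition(ip, now)
    if state == "banned":
        return "dropped"
    if state == "trusted":
        return "allowed-untracked"      # attacks from trusted hosts go undetected
    if threshold.record(ip, now):
        lists.ban(ip, now, minutes=ban_minutes)
        return "banned"
    return "inspected"


def simulate():
    """Constructed scenario: an attacker guessing FTP passwords, a trusted
    LAN host, and an address that ends up on both lists."""
    lists, threshold = IpLists(), Threshold(count=10, seconds=180)
    lists.trust("10.0.0.0/24")
    attacker = [handle_failed_login(lists, threshold, "198.51.100.7", t)
                for t in [0, 6, 12, 18, 24, 30, 36, 42, 48, 54, 60, 700]]
    trusted_host = handle_failed_login(lists, threshold, "10.0.0.9", 0)
    lists.ban("10.0.0.9", now=0)        # permanent; the trusted entry does not override it
    both = lists.disposition("10.0.0.9", 1000)
    return {"attacker": attacker, "trusted_host": trusted_host, "both_lists": both}
```

In `simulate()` the tenth failure at 54 seconds triggers the ban, the next attempt is dropped without inspection, and the attempt at 700 seconds is inspected again because the 10-minute ban has expired. The trusted host's failures are never counted, which is the blind spot the note above warns about.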

Registry Protection Rules

Registry rules protect registry resources against unauthorized modifications.

To create a Registry rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the text box to search for the rule group.

4. Select the Registry rule category. 

5. Click Create New Rule to start the wizard.

a. Select Resource Type

Registry is selected.

b. Resource Path

– Registry Key Path – Enter the registry path.

– Match Type – Select a matching type. See Caller Path page

details for descriptions.

c. Caller Path

– Caller Path – Enter the path.

– Match Type – Select a matching type.

Exact – Matches only the exact path. This is the fastest matching.

Partial – Matches if the pattern is found anywhere in the path.

This is the second fastest matching.


Wildcard – Creates more complex rules that use * for any

sequence of characters, # for any single numerical character and ?

for any single alpha character.

Regex – Creates the most complex matching rules. This can be

the slowest and should be used with care.

– MD5 Validation

Do not use caller MD5.

Auto-calculate caller MD5 – Calculates the MD5 of the caller when the

file is accessible on disk.

User specified caller MD5 – Enter a hex MD5 caller.

The MD5 algorithm produces a checksum of a file's contents. At

run-time, Retina CS compares the stored MD5 checksum to the

checksum of the process that is requesting access to the registry

key. There is an implicit OR between the two types of matching,

location and MD5 checksum: if either matches, the rule is triggered.

Because of this OR, adding an MD5 does not tighten a path-based

rule; it widens the rule so that the same binary also matches when

run from another location.

d. Specify an Action

Select a Read or Write action to be matched by this rule.

– Allow – The selected registry operation by the matched caller is

permitted. This is the default.

– Deny – The selected registry operation by the matched caller is

blocked.

– Log – Select to create an event log when the rule is matched.

– Alert – Receive and log alerts from Blink when the rule is

matched. This can create a lot of alerts and increase the size of

the log file.

e. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.

Execution Protection Rules

Execution rules prevent the system from executing unauthorized processes.

To create an Execution rule:


1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can also type the

name of the rule group in the text box to search for, display, and select

that Rule Group.

4. Select the Execution rule category. 

5. Click Create New Rule to start the wizard.

a. Select Resource Type

Execution is selected.

b. Resource Path

– Path – Enter the path of the executable that the rule applies to.

– Match Type – Select a matching type. See Caller Path page

details for descriptions.

c. Caller Path

– Caller Path – Enter the path.

– Match Type – Select a matching type.

Exact – Matches only the exact path. This is the fastest matching.

Partial – Matches if the pattern is found anywhere in the path.

This is the second fastest matching.

Wildcard – Creates more complex rules that use * for any

sequence of characters, # for any single numerical character and ?

for any single alpha character.

Regex – Creates the most complex matching rules. This can be

the slowest and should be used with care.

– MD5 Validation

Do not use caller MD5

Auto-calculate caller MD5 – Calculates the MD5 of the caller when the

file is accessible on disk.

User specified caller MD5 – Enter a hex MD5 caller.


The MD5 algorithm produces a checksum of a file's contents. At

run-time, Retina CS compares the stored MD5 checksum to the

checksum of the process that is requesting execution. There is an

implicit OR between the two types of matching, location and MD5

checksum: if either matches, the rule is triggered. Because of this

OR, adding an MD5 does not tighten a path-based rule; it widens the

rule so that the same binary also matches when run from another

location.

d. Specify an Action

The Execute check box is selected and cannot be changed.

– Allow – The matched process is permitted to execute. This is the

default.

– Deny – Execution of the matched process is blocked.

– Log – Select to create an event log when the rule is matched.

e. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.
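The Resource Path and Caller Path pages of the Registry and Execution rule wizards share one matching model: four match types (Exact, Partial, Wildcard with * # ?, Regex) and an implicit OR between caller location and caller MD5. The code below is an added example, not Retina CS code, that implements that model and evaluates an ordered rule list over constructed registry operations. The rule dictionaries, case-insensitive comparison of paths and keys, and the "allow" default are assumptions of this example, and the MD5 values are placeholders.

```python
"""Match engine for the Resource Path and Caller Path pages of Registry
and Execution rules.  Added example, not Retina CS code; the rule format,
case folding and the 'allow' default are this example's assumptions."""
import re


def wildcard_to_regex(pattern: str) -> str:
    """Guide's wildcard syntax: * any sequence, # any single digit,
    ? any single alphabetic character; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append("[0-9]")
        elif ch == "?":
            parts.append("[A-Za-z]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def path_matches(match_type: str, pattern: str, subject: str) -> bool:
    """Windows paths and registry keys are compared case-insensitively."""
    p, s = pattern.lower(), subject.lower()
    if match_type == "exact":
        return p == s
    if match_type == "partial":
        return p in s
    if match_type == "wildcard":
        return re.fullmatch(wildcard_to_regex(p), s) is not None
    if match_type == "regex":
        return re.search(pattern, subject, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def caller_matches(rule, caller_path, caller_md5=None) -> bool:
    """Implicit OR: the caller's location OR its MD5 is enough."""
    by_path = path_matches(rule["caller_match"], rule["caller"], caller_path)
    by_hash = (rule.get("caller_md5") is not None and caller_md5 is not None
               and rule["caller_md5"].lower() == caller_md5.lower())
    return by_path or by_hash


def evaluate(rules, resource, operation, caller_path, caller_md5=None, default="allow"):
    """Ordered list, first match wins; a rule placed at the top runs first."""
    for rule in rules:
        if (operation in rule["ops"]
                and path_matches(rule["resource_match"], rule["resource"], resource)
                and caller_matches(rule, caller_path, caller_md5)):
            return rule["action"], rule["name"]
    return default, None


# Constructed rules protecting the Run key: the vendor installer may
# write it, every other caller is denied.
SETUP = r"C:\Program Files\Vendor\setup.exe"
SETUP_MD5 = "0123456789abcdef0123456789abcdef"        # placeholder digest
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RULES = [
    {"name": "Allow installer", "action": "allow", "ops": {"write"},
     "resource": RUN_KEY, "resource_match": "exact",
     "caller": SETUP, "caller_match": "exact", "caller_md5": SETUP_MD5},
    {"name": "Deny Run key writes", "action": "deny", "ops": {"write"},
     "resource": r"\CurrentVersion\Run", "resource_match": "partial",
     "caller": "*", "caller_match": "wildcard"},
]


def demo():
    return (
        evaluate(RULES, RUN_KEY, "write", SETUP, "ffffffffffffffffffffffffffffffff"),   # path matches, hash does not
        evaluate(RULES, RUN_KEY, "write", r"C:\Users\Public\setup.exe", SETUP_MD5),   # hash matches from elsewhere
        evaluate(RULES, RUN_KEY, "write", r"C:\Users\Public\evil.exe"),
        evaluate(RULES, RUN_KEY, "read", r"C:\Users\Public\evil.exe"),               # no rule covers Read
        evaluate(RULES, RUN_KEY + "Once", "write", r"C:\Users\Public\evil.exe"),     # Partial also catches RunOnce
    )
```

Two results from `demo()` are worth noticing. The first two calls are both allowed even though only one of the two caller attributes matched, which is the OR semantics described above; if you want a caller to match only when both the path and the checksum agree, the OR makes that impossible with a single rule. The last call shows that a Partial match on `\CurrentVersion\Run` also covers `RunOnce`, which is usually what you want for this key but is easy to overlook when the pattern is a short fragment.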

File Integrity Rules

There are three types of integrity rules:

• Protected files – Folders and files that you want to monitor for changes.

• Authorized applications – Applications that are allowed to modify

protected files.

• Custom rules – Exceptions to any other rules. Custom rules are

processed first.

A file protection rule activates when the protected file is changed, renamed,

or deleted.

Add a Protected File Rule

A protected file rule applies PowerBroker EPP protection on the file.

To create a protected file rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the text box to search for the rule group.


4. Select the File Integrity rule category and select the Protected Files

subcategory to display the associated rules.

5. Select Create New Rule.

6. Complete the following pages.

a. Specify File/Folder Path

– Protect a file

Enter the file that you want to protect.

– Protect files inside a directory

Enter the folder that you want to protect.

Enter a list of file extensions that you want to protect.

Select the Also Protect Subfolders check box to protect all

folders in the directory.

b. Specify an action

Select the Log check box to track the rule activities.

Set the rule severity. The severity level is included in the event log.

The default value is 1.

You can also create a category to organize rules.

c. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.

Add an Authorized Application Rule

An authorized application rule allows an application to access protected files.

To create an authorized application rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the text box to search for the rule group.

4. Select the File Integrity rule category and select the Authorized

Applications subcategory to display the associated rules.

5. Select Create New Rule.

6. Complete the following pages.


a. Specify Authorized Application Path

Enter the caller attributes:

– File Path – Browse to the executable location for the caller, and

then select the matching type:

– Exact – Matches only the exact path. This is the fastest

matching.

– Contains – Matches if the pattern is found anywhere in the path.

This is the second fastest matching.

– Not Contains – Matches when the pattern is not found.

– Wildcard – Creates more complex rules that use * for any

sequence of characters, # for any single numerical character and ?

for any single alpha character.

– Regex – Creates the most complex matching rules. This can be

the slowest matching.

– Process Arguments – Add process arguments to filter the

scope of the rule.

For example, if the file path is

c:\Windows\System32\svchost.exe, then an argument might be

-k tapisrv. The rule then only applies to the TapiSrv (Telephony) service

hosted by that svchost instance.

– MD5 or SHA1 – Enter the hex MD5 or SHA1 checksum of the caller. A

checksum identifies the file by its contents, so it verifies that the

content has not changed.

SHA1 is the stronger of the two and is recommended over MD5, which

is no longer collision resistant.

PBEPP detects which type of hash was entered (MD5 or SHA1). Use

MD5 or SHA1 when you can access the file and you are certain

the file does not normally change (for example, due to user

changes or software updates); any change to the file alters the

checksum and silently stops the rule from matching.

– File Size – Enter the file size.

– Executable is packed – Select True to match only executables that have been compressed or obfuscated with a run-time packer (a common trait of malware); select False to match only unpacked executables.

– File Location – Select from: Hard drive, USB, CD ROM and

Network.

– Product Name, Product Description, Company – Enter the

product information.


– Digital Signature Name, Digital Signature Validity – Select

the signature parameters. Of all the caller attributes, a valid digital

signature from the expected signer is the hardest for an attacker to

forge; the path, name, size, and product fields are all under the

control of whoever writes the file.

– Process Owner – Enter the name of the user account running

the executable.

Alternatively, enter the SID for the process owner.

– User Group – Enter one or more user groups. If the user

running the executable belongs to one of the listed groups, the

property will match.

Alternatively, enter the SID for the user group.

b. Specify an action

Select the Log check box to track the rule activities.

Set the rule severity. The severity level is included in the event log.

The default value is 1.

You can also create a category to organize rules.

c. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.

Add a Custom Rule

A custom rule applies protection on a folder (all files in the folder are

protected regardless of the file type). Files and folders included in the rule

are not included in the scheduled scan.

To create a custom rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the text box to search for the rule group.

4. Select the File Integrity rule category and select the Custom

subcategory to display the associated rules.

5. Select Create New Rule.

6. Complete the following pages.

a. Specify File/Folder Path

– Protect a file – Enter the file that you want to protect.


– Protect files inside a directory – Enter the folder that you want to

protect. Enter a list of file extensions that you want to protect.

Select the Also Protect Subfolders check box to protect all

folders in the directory.

b. Specify Authorized Application Path

Enter the caller attributes:

– File Path – Browse to the executable location for the caller, and

then select the matching type:

– Exact – Matches only the exact path. This is the fastest

matching.

– Contains – Matches if the pattern is found anywhere in the path.

This is the second fastest matching.

– Not Contains – Matches when the pattern is not found.

– Wildcard – Creates more complex rules that use * for any

sequence of characters, # for any single numerical character and ?

for any single alpha character.

– Regex – Creates the most complex matching rules. This can be

the slowest matching.

– Process Arguments – Add process arguments to filter the

scope of the rule.

For example, if the file path is

c:\Windows\System32\svchost.exe, then an argument might be

-k tapisrv. The rule then only applies to the TapiSrv (Telephony) service.

– MD5 or SHA1 – Enter the hex MD5 or SHA1 checksum of the caller. A

checksum identifies the file by its contents, so it verifies that the

content has not changed.

SHA1 is the stronger of the two and is recommended over MD5.

PBEPP detects which type of hash was entered (MD5 or SHA1). Use

MD5 or SHA1 when you can access the file and you are certain

the file does not normally change (for example, due to user

changes or software updates).

– File Size – Enter the file size.

– Executable is packed – Select True to match only executables that have been compressed or obfuscated with a run-time packer; select False to match only unpacked executables.

– File Location – Select from: Hard drive, USB, CD ROM and

Network.


– Product Name, Product Description, Company – Enter the

product information.

– Digital Signature Name, Digital Signature Validity – Select

the signature parameters.

– Process Owner – Enter the name of the user account running

the executable.

Alternatively, enter the SID for the process owner.

– User Group – Enter one or more user groups. If the user

running the executable belongs to one of the listed groups, the

property will match.

Alternatively, enter the SID for the user group.

c. Specify an action

Select the action to take when the rule is matched: Allow or Deny.

Select the Log check box to track the rule activities.

Set the rule severity. The severity level is included in the event log.

The default value is 1.

You can also create a category to organize rules.

d. Rule Summary

– Click Finish.

Enter a name and description for the rule.

Place at the top of the rule list – select to run the rule first.
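Several rule types above identify a caller or application by checksum: the MD5 option of Application Firewall rules, "Auto-calculate caller MD5" and "User specified caller MD5" in Registry and Execution rules, and the MD5 or SHA1 attribute of Authorized Application and Custom file integrity rules. The code below is an added example, not PBEPP or Retina CS code: it computes a file's digest, infers MD5 versus SHA1 from the length of the stored hex value (this example's assumption about how the agent "can detect the type of hash used"), compares in constant time, and then overwrites the file the way an auto-update would to show the stored checksums stop matching. The "executable" is a throw-away temporary file constructed here.

```python
"""Checksum-based caller identification as used by the Application
Firewall, Registry/Execution and File Integrity rules.  Added example,
not PBEPP code; length-based type detection is this example's assumption."""
import hashlib
import hmac
import os
import tempfile

# 32 hex characters = 128-bit MD5, 40 hex characters = 160-bit SHA-1.
DIGEST_TYPES = {32: "md5", 40: "sha1"}


def detect_hash_type(hexdigest: str) -> str:
    d = hexdigest.strip().lower()
    if len(d) not in DIGEST_TYPES or any(c not in "0123456789abcdef" for c in d):
        raise ValueError("expected 32 (MD5) or 40 (SHA1) hex characters")
    return DIGEST_TYPES[len(d)]


def is_valid_digest(hexdigest: str) -> bool:
    try:
        detect_hash_type(hexdigest)
        return True
    except ValueError:
        return False


def file_digest(path: str, algo: str, chunk: int = 1 << 16) -> str:
    """'Auto-calculate': hash the file on disk in chunks, since executables
    can be large."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def caller_hash_matches(path: str, expected: str) -> bool:
    """'User specified caller MD5' / 'MD5 or SHA1': recompute with the
    algorithm implied by the stored digest and compare in constant time.
    MD5 is no longer collision resistant, so a match proves the bytes are
    the ones you hashed, not that only the vendor could have produced them."""
    algo = detect_hash_type(expected)
    return hmac.compare_digest(file_digest(path, algo), expected.strip().lower())


def demo():
    """Record a file's MD5 and SHA1, then overwrite it the way an
    auto-update would: both stored digests stop matching, which is the
    failure mode the guide warns about for checksum-based rules."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "app.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64 + b"version 1.0")      # constructed stand-in for a PE file
        stored = [file_digest(exe, "md5"), file_digest(exe, "sha1")]
        before = [caller_hash_matches(exe, h) for h in stored]
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64 + b"version 1.1")      # the "auto-update"
        after = [caller_hash_matches(exe, h) for h in stored]
    return before, after
```

`demo()` returns `([True, True], [False, False])`: one byte of change in a version string is enough to invalidate both checksums, so rules keyed on a hash need to be refreshed as part of every software deployment, or they fail open (the rule simply stops matching) rather than alerting.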

Windows Events Rules

You can create rules that track (forward) events from the Windows event

logs: Application, System, and Security.

Source Names

The source name identifies the application or component that wrote the

event (the event provider, shown in the Source column of Event Viewer).

The source name that you enter depends on the operating system that is

forwarding the events.

Windows XP, Windows 2003: Use the name in the Windows Event Viewer

Source column.

Vista, Windows 7, Windows 2008: Use the System > Provider

[EventSourceName] value on the Details tab of the event, if available.

Otherwise, use the Provider [Name] value.

To create a Windows event rule:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can also type the

name of the rule group in the text box to search for, display, and select

that Rule Group.

4. Expand Windows Events, and then select: Application, System, or

Security.

– Enabled - Select the check box to activate the rule.

One or more Windows event sources must be provided to activate

the rule. Events are only forwarded when a source is provided.

– Severity - Select the severity level from the list: Only Errors, Errors

and Warnings, All.

Note that All includes Information events.

– Add - Click to provide the following information about the event log

you want to track:

– Source name – The name of the application that issued the

event. See Source Names.


You can enter the source name without providing Event IDs. All

events from the source will be forwarded.

– Include – Enter the Event IDs to forward to Retina CS.

– Exclude – Enter the Event IDs to exclude.

Note that the excluded list overrides the included list.

The following example shows a range of event IDs to include and two IDs

in that range to exclude.

5. Click Save.
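The Windows Events rule page combines several conditions whose interaction is easy to get wrong: a disabled rule or a rule without a source forwards nothing, the severity setting controls which levels qualify, and an Exclude list overrides the Include list. The filter below is an added example, not Retina CS code, that implements those conditions and runs them over constructed events, including the case from the screen shot above (a range of IDs included with two IDs in that range excluded). The Event record, the assumption that a source with no Include list forwards all of its IDs, and the modelling of Security audit records as Information-level events are this example's own.

```python
"""Filter implementing the Windows Events rule page.  Added example, not
Retina CS code; event records and rule contents are constructed here."""
from dataclasses import dataclass, field

SEVERITY = {
    "Only Errors": {"Error"},
    "Errors and Warnings": {"Error", "Warning"},
    "All": {"Error", "Warning", "Information"},    # 'All' includes Information
}


def parse_ids(spec: str) -> set:
    """'4624, 4720-4740' -> set of event IDs; empty string -> empty set."""
    ids = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


@dataclass
class Source:
    name: str
    include: str = ""   # IDs to forward; "" = all events from this source
    exclude: str = ""   # IDs never forwarded, even if included


@dataclass
class EventRule:
    log: str            # Application | System | Security
    severity: str = "Errors and Warnings"
    enabled: bool = True
    sources: list = field(default_factory=list)


@dataclass
class Event:
    log: str
    source: str
    event_id: int
    level: str          # Error | Warning | Information


def forwards(rule: EventRule, ev: Event) -> bool:
    # Events are only forwarded when the rule is enabled and has a source.
    if not rule.enabled or not rule.sources or ev.log != rule.log:
        return False
    if ev.level not in SEVERITY[rule.severity]:
        return False
    for src in rule.sources:
        if src.name.lower() != ev.source.lower():
            continue
        if ev.event_id in parse_ids(src.exclude):
            return False                        # Exclude overrides Include
        included = parse_ids(src.include)
        if not included or ev.event_id in included:
            return True
    return False


def forwarded_ids(rule: EventRule, events) -> list:
    return [ev.event_id for ev in events if forwards(rule, ev)]


# Constructed rule mirroring the guide's example: a range of IDs included
# and two IDs inside that range excluded.
SECURITY_RULE = EventRule("Security", "All", sources=[
    Source("Microsoft-Windows-Security-Auditing",
           include="4624, 4625, 4720-4740", exclude="4733, 4734"),
])

# Constructed events; Security audit records are modelled as Information.
SAMPLE_EVENTS = [
    Event("Security", "Microsoft-Windows-Security-Auditing", 4624, "Information"),  # in Include
    Event("Security", "Microsoft-Windows-Security-Auditing", 4625, "Information"),  # in Include
    Event("Security", "Microsoft-Windows-Security-Auditing", 4720, "Information"),  # in the 4720-4740 range
    Event("Security", "Microsoft-Windows-Security-Auditing", 4733, "Information"),  # in range but excluded
    Event("Security", "Microsoft-Windows-Security-Auditing", 4799, "Information"),  # outside the Include list
    Event("System", "Service Control Manager", 7034, "Error"),                       # different log
]
```

`forwarded_ids(SECURITY_RULE, SAMPLE_EVENTS)` yields `[4624, 4625, 4720]`: the two excluded IDs and the ID outside the range never leave the endpoint, and the System log event needs its own rule. Because Security events are forwarded at the "All" level in this example, the severity setting does not filter them; a rule with "Only Errors" would forward none of them, which is a common reason Security-log rules appear to do nothing.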

Trusted List Options

The Trusted List shows, by name and category, the malware detections that

you have chosen to trust (that is, to exclude from blocking), for example

known false positives.

To access Trusted List rules:

1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can also type the

name of the rule group in the box to search for a rule group.

4. Select the Trusted List rule category.

5. Click Create New Rule to start the wizard.

6. Select the check box for each malware name that you want to trust.

7. Click Save.

8. Click Update.

Miscellaneous Options

Miscellaneous options allow you to set rules for Retina CS operations.

To access miscellaneous options:


1. Select the Dashboard tab and click Protect; or select the Assets tab

and click Protect.

2. Click Manage Rule Groups.

3. Select a rule group from the Rule Groups pane. You can type the name

of the rule group in the text box to search for the rule group.

4. Expand Misc. Options and select a subcategory: 

– Virus and Spyware

– General

– System Protection

– Scheduler

– Auto-Updater

– Vulnerability Assessment

– Intrusion Prevention

– IIS Protection

– Firewall

– Events

For more information, refer to the Retina Protection Agent User Guide.

5. After you change the properties for a subcategory, click Update.


PowerBroker Servers for Unix & Linux

Overview

Managing PowerBroker Servers Events

Creating a Smart Group for PowerBroker Servers Assets

Using pbreplay to Play the Logged Events

Searching the I/O Logs

Search Parameters

For detailed information about PowerBroker Servers for Unix and Linux

features, refer to the PowerBroker Servers product documentation.

Overview

Use Retina CS to manage PowerBroker Servers event log records. Configure

Retina CS and PowerBroker Servers to work together so that PowerBroker

Servers sends its event logs to the Retina CS management console.

After the event log records are stored in the Retina CS database, you can run

reports to analyze your Unix and Linux assets. You can create Smart Groups

based on the argument types to track the event types in the I/O logs.

The event information also serves as the heartbeat of your assets: a host

that is still sending events is known to be up and running.

Event Types

The event types forwarded to Retina CS are Accept and Reject.

A steady flow of Accept and Reject events shows that an asset is up and

sending events successfully.

Retina CS and PowerBroker Servers Architecture

The following diagram shows how Retina CS and PowerBroker Servers send

information between their respective components.

Retina CS certificates are deployed to the PowerBroker Servers assets to

secure the connection. Apache Solr is used to index the PowerBroker Servers

for Unix & Linux (PBUL) I/O logs. The indexed results are forwarded to

Retina CS, where they can be sorted and viewed.


Managing PowerBroker Servers Events

On the Assets page, you can review the run arguments and I/O logs

captured for an asset.

PowerBroker Servers events are tied to runhost events. Create your Smart

Groups using runhost as a filter.

You can run reports on PowerBroker Servers assets using Retina Insight.

Creating a Smart Group

You can create a Smart Group to organize your PowerBroker Servers assets.

You can set filters based on the PowerBroker Servers assets and the event

types, including user name, command, exit status, and run arguments.

For detailed instructions on Smart Groups, see Working with Smart Rules.

Purge Events

By default, PowerBroker Servers events are purged after 30 days. You can

configure the number of days events remain in the database before purging.

See Maintenance Options.

Using pbreplay to Play the Logged Events

Use pbreplay, a tool available in PowerBroker Servers for Unix & Linux, to

replay the events logged up to that point in time.

You can access pbreplay in two ways from Retina CS:

• From the Search results page on the Assets page

• From the Event Details page


To run pbreplay:

1. On the PowerBroker Servers page, click the information (i) icon for an

asset to review the collected arguments and I/O logs.

2. Click the arrow next to an I/O log to start pbreplay.

Searching the I/O Logs

You can search the index of the PowerBroker Servers I/O logs.

For information about search commands, see Search Parameters.

To search the index of the I/O logs:

1. Log on to Retina CS.

2. Select the Assets tab.

3. Select the Smart Group where the PowerBroker Servers assets reside.

4. Select PowerBroker for Unix & Linux, and then select the Search

tab.


5. Select the Solr host your I/O Logs were indexed on from the "Search Hosts" drop-down menu.

Note: To allow the Search window to connect securely to the Solr servers, you must import the SSL certificates and certificate authorities correctly on the Retina CS side. The instructions for importing the certificates are in the PowerBroker Servers Install Guide, in the "Post-Install" section of "Solr Installation".

Search Parameters

A query is broken up into terms and operators. There are two types of terms: single terms and phrases. A single term is a single word such as "test" or "hello". A phrase is a group of words surrounded by double quotes, such as "hello dolly".

Multiple terms can be combined with Boolean operators to form a more complex query (see below).

PowerBroker Servers I/O Log files are indexed on the content of the I/O Log, as well as the following fields: user, runuser, runcommand, runargv. You can search any field by typing the field name followed by a colon ":" and then the term you are looking for.

Examples of searches on the event log variables in the I/O Logs:

Table 18. Basic and Compound Searching

Search Pattern                        Finds...
runuser:root                          all documents where the runuser was 'root'
user:oracle AND runcommand:bash       all documents where the user was 'oracle' and the runcommand was 'bash'

If you have added custom policy variables to the list of indexed variables (using the setting 'solrvariables <var>_pbul' in the PowerBroker Servers pb.settings file), you can also search on those variables using the following syntax in the "Search" field.


For example, if you had a policy variable called 'ticketnum_pbul' and added it to solrvariables to be indexed, you can search on it using the syntax:

Search Pattern                        Finds...
ticketnum_pbul:1523XA5                all documents where the 'ticketnum_pbul' is set to 1523XA5

You can combine the above queries on event log variables with a query that searches the content of the I/O Logs. For example:

Search Pattern                        Finds...
runuser:root AND rm                   all documents where the runuser was root and the word 'rm' was found in the I/O Log file

You can also narrow down your search using the Start and End time fields. These dates are in the local time zone of the browser (where Retina CS is accessed).

Note: These are the date and time when the I/O Log files (sessions) were created and completed. They are not the date and time when a secured task was executed by PowerBroker Servers. To search using the date and time within the I/O Log sessions, refer to Proximity Search below.

Simple Search Example


Compound Search Example

Boolean operators allow terms to be combined through logic operators. The supported Boolean operators are AND, OR, and NOT (Note: Boolean operators must be ALL CAPS).

The OR operator is the default conjunction operator. This means that if there is no Boolean operator between two terms, the OR operator is used. The OR operator links two terms and finds a matching document if either of the terms exists in a document. This is equivalent to a union using sets.

To search for documents that contain either "cat/etc/passwd" or just "passwd", use the query: "cat/etc/passwd" OR passwd

Table 19. Wildcard matching

Search Pattern        Finds...
grep*                 any word that starts with "grep" in the title field.
grep*someFile         any word that starts with "grep" and ends with someFile in the title field.
*:*                   Everything. All indexed documents returned.
rm*                   any word that starts with "rm" in the title field.
rm*someFile           any word that starts with "rm" and ends with someFile in the title field.
P?sswd                any word that starts with P followed by any one letter and ends with 'asswd'

Note: Lucene does not support using * and ? as the first character of a search.


Range Searches

Range Queries allow one to match documents whose field values are between the lower and upper bound specified by the Range Query. Range Queries can be inclusive or exclusive of the upper and lower bounds. Sorting is done lexicographically.

Search Pattern                Finds...
runuser:[Aida TO Carmen]      all documents whose runuser is between Aida and Carmen, including Aida and Carmen
runuser:{Aida TO Carmen}      all documents whose runuser is between Aida and Carmen, but not including Aida and Carmen

Inclusive range queries are denoted by square brackets. Exclusive range queries are denoted by curly brackets.

AND

The AND operator matches documents where both terms exist anywhere in the text of a single document. This is equivalent to an intersection using sets.

To search for documents that contain "cat services" and "rm passwd", use the query: "cat services" AND "rm passwd"

NOT

The NOT operator excludes documents that contain the term after NOT. This is equivalent to a difference using sets.

To search for documents that contain "rm passwd" but not "cat services", use the query: "rm passwd" NOT "cat services"

Note: The NOT operator cannot be used with just one term. For example, the following search will return no results: NOT "cat services"

Grouping

Use parentheses to group clauses to form sub-queries. This can be very useful if you want to control the Boolean logic for a query.

To search for either "rm" or "cat" and "passwd", use the query: (rm OR cat) AND passwd

Field Grouping

Use parentheses to group multiple clauses to a single field.


To search for a runargv that contains both the word "rm" and the phrase "-rf", use the query: runargv:(rm AND "-rf")

Escaping Special Characters

Escaping special characters that are part of the query syntax is supported. The current list of special characters is:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

To escape these characters, use the \ before the character. For example, to search for (1+1):2 use the query: \(1\+1\)\:2

To search for /etc/passwd, use \/etc\/passwd

Proximity Search

The proximity search finds words that are within a specific distance of each other. For proximity searches, use a tilde (~) at the end of the phrase.

Table 20. Proximity matching

Search Pattern                 Finds...
"grep someFile"~4              "grep someFile" within 4 words of each other. For proximity searches, exact matches are proximity 0, and word transpositions (someFile grep) are proximity 1.

By default, PowerBroker Servers indexes a timestamp in the following format: "2013 04 23 22:10". This time-stamp appears in the output every time a CR is in stdin.

"2013 04 26 09:20 rm"~100      "rm" near today at 09:20 (using Solr's proximity syntax).
"2013 04 26 rm"~100            expands the search to today.
"2013 04 rm"~100               expands the search to April.

Proximity Search Example
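The query syntax from the Search Parameters, Boolean, escaping and proximity sections above, composed in an added Python example that is not BeyondTrust's code: it builds query strings for the I/O log index and flags the pitfalls the text calls out (lowercase operators, leading wildcards, NOT with a single term). Escaping "/" follows the page's own \/etc\/passwd example; the function names and the sample queries are this example's own assumptions.

```python
"""Compose and sanity-check Solr/Lucene queries for the PowerBroker Servers
I/O log index, following the search syntax documented above.

Added illustration only (not BeyondTrust code): it builds query strings and
never contacts a Solr host. Function names are this example's own.
"""
import re
from typing import List, Optional

# Specials from the page's list, plus "/" which the page's own example
# ("\/etc\/passwd") shows must be escaped as well.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/')
BOOLEAN_OPERATORS = ("AND", "OR", "NOT")


def escape_term(term: str) -> str:
    """Backslash-escape every special character so the term is matched literally."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in term)


def field_query(field: str, value: str) -> str:
    """field:value with the value escaped, e.g. runuser:root."""
    return f"{field}:{escape_term(value)}"


def phrase(words: str, proximity: Optional[int] = None) -> str:
    """Quote a phrase; append ~N for a proximity search such as "grep someFile"~4."""
    query = '"' + words.replace('"', '\\"') + '"'
    if proximity is not None:
        query += f"~{proximity}"
    return query


def range_query(field: str, low: str, high: str, inclusive: bool = True) -> str:
    """Lexicographic range: [..] includes both bounds, {..} excludes them."""
    open_b, close_b = ("[", "]") if inclusive else ("{", "}")
    return f"{field}:{open_b}{low} TO {high}{close_b}"


def timestamp_phrase(word: str, year: int, month: int, day: Optional[int] = None,
                     hour: Optional[int] = None, minute: Optional[int] = None,
                     proximity: int = 100) -> str:
    """Proximity search against the indexed "YYYY MM DD HH:MM" timestamp.

    Leaving out the time widens the window to the whole day and leaving out
    the day widens it to the whole month, as the three examples in Table 20 do.
    """
    parts = [f"{year:04d}", f"{month:02d}"]
    if day is not None:
        parts.append(f"{day:02d}")
        if hour is not None and minute is not None:
            parts.append(f"{hour:02d}:{minute:02d}")
    parts.append(word)
    return phrase(" ".join(parts), proximity)


# One token: a quoted phrase (with optional ~N) or a run of non-blank characters.
_TOKEN_RE = re.compile(r'"[^"]*"(?:~\d+)?|\S+')


def check_query(query: str) -> List[str]:
    """Return warnings for the three pitfalls the page calls out.

    A lowercase and/or/not is searched as an ordinary word, Lucene rejects
    * or ? as the first character of a term (*:* excepted), and NOT with a
    single term returns no results.
    """
    warnings: List[str] = []
    tokens = _TOKEN_RE.findall(query)
    for tok in tokens:
        if tok.upper() in BOOLEAN_OPERATORS and tok != tok.upper():
            warnings.append(f"operator '{tok}' must be ALL CAPS; it will be searched as a word")
            continue
        if tok.startswith('"') or tok == "*:*":
            continue
        # Drop an unescaped field prefix (runuser:) and opening parentheses.
        term = re.split(r"(?<!\\):", tok, maxsplit=1)[-1].lstrip("(")
        if term[:1] in ("*", "?"):
            warnings.append(f"'{tok}': * and ? are not supported as the first character of a term")
    if len(tokens) == 2 and tokens[0] == "NOT":
        warnings.append("NOT cannot be used with just one term; the search returns no results")
    return warnings


if __name__ == "__main__":
    # Constructed sample queries mirroring the tables above.
    for q in (field_query("runuser", "root") + " AND rm",
              range_query("runuser", "Aida", "Carmen"),
              escape_term("(1+1):2"),
              timestamp_phrase("rm", 2013, 4, 26, 9, 20),
              "runuser:root and rm",
              'NOT "cat services"'):
        print(q, check_query(q) or "ok")
```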


PasswordSafe

In this section,

Overview

Configuring PasswordSafe

Creating a Connection to Your Appliance

Creating User Groups

Adding a Managed System

Managing Passwords

Requesting a Password

Approving a Password

Retrieving a Password

For detailed information about PowerBroker PasswordSafe features, refer to the PowerBroker PasswordSafe product documentation.

Overview

PasswordSafe integrates with BeyondTrust's PowerBroker PasswordSafe. PowerBroker PasswordSafe is a hardened appliance that creates and secures privileged accounts through automated password management, encryption, secure storage of credentials, and a sealed operating system.

Configure PasswordSafe to monitor and manage passwords.

Email notification is configured from the PowerBroker PasswordSafe appliance. Emails are sent during the request and approval process.

Configuring PasswordSafe

To configure PasswordSafe, you must:

• Create a connection to your PowerBroker PasswordSafe appliance.

• Create user groups that are assigned roles to manage password releases.

Always use Retina CS to edit or delete the following PasswordSafe items created in Retina CS: users, user groups, managed systems, collections. Using the PasswordSafe appliance to manage these items can result in unrecoverable configuration or synchronization errors.


Creating a Connection to Your Appliance

You must create a connection between Retina CS and your PowerBroker PasswordSafe appliance.

Note: You can only create one connection.

After you create a connection to an appliance, the PasswordSafe tab is available on the Retina CS page.

To create a connection:

1. In Retina CS, click the Configure tab.

2. Click the PasswordSafe Connections tab, and then click New.

3. Provide the following information for the appliance:

– Title – Enter a name for the appliance.

– Appliance IP – Enter the IP address for the appliance.

– CLI User – The CLI user is generated from the appliance and cannot be changed.

– Key – The key is generated on the appliance.

4. After you enter the information, click Test to ensure the connection is established to the appliance.

5. Click Save.

Creating User Groups

In the PasswordSafe password release process, there must be user groups created to manage the following tasks in the process:

• Requestor – Assign this role to users who can request a password.

• Approver – Assign this role to the users who will approve password releases.

• Requestor/Approver – Assign this role to users who can both approve and request password releases. Note that if you are assigned this role, you cannot approve your own requests.

• Information Security Administrator – This role is responsible for setting up managed systems and accounts.

• Auditor – Assign the Auditor role to run reports in Retina Insight. The Auditor role can be assigned in combination with the other roles available.

• No Roles – Assign this role to remove any roles previously assigned to a user group.

Note that you cannot assign roles to the Retina CS administrator. Roles are only available to PasswordSafe features.


Note: All changes to PasswordSafe user accounts (users with PasswordSafe roles assigned) must be managed by the Retina CS Administrator account.

To create a PasswordSafe user group:

1. Click the Configure tab, and then click the Accounts tab.

2. Click +, and then Group or Active Directory Group.

3. Create the group information as usual. See Creating User Groups.

4. Select a Smart Rule where the PasswordSafe assets will be added.

5. Select the role to assign, and then click Save.

The role changes are synchronized with the PasswordSafe appliance.


Adding a Managed System

Note: Only a user group assigned the Information Security Administrator role can add an asset to PasswordSafe.

You must configure system and connection settings when you add a system to PasswordSafe. These settings are similar to the PowerBroker PasswordSafe appliance settings.

To configure system settings:

1. Right-click the asset on the Asset page, and then click Add to PasswordSafe.

2. Enter the system settings:

– System Name – Enter a name for the managed system.

– Platform – Select the platform of the system that you want to manage.

– Network Address – Enter the IP address of the managed system.

– Default Password Rule – Select a password rule. The rule determines the password requirements (for example, complexity rules). Create a password rule in PowerBroker PasswordSafe. Ensure any password rules that you create are similar to the password rules that are in place for the platform. You want PasswordSafe rules to be compliant with the native password rules.

– Default Maximum Release Duration – Set the length of time before a released password expires.

– Description – (Optional) Enter information about the system.

– Contact E-mail – Enter an email account for email notifications.

– Enable Automatic Password Management – Select the check box to activate password management with PasswordSafe.

To configure the connection settings:

1. After you configure the system settings, click the Connection tab.

2. Enter the connection information for the appliance:


– Platform Name – The platform of the system.

– Network Address – Enter the IP address of the managed system.

– NetBIOS – If the platform is Windows, then enter the NetBIOS domain name.

– Account Type, Account Name, Password – Enter the account credentials used to access the managed system.

– Connection Timeout – Enter the length of time that passes before a connection to a managed system times out. Increase the timeout if connections to the managed systems take longer than usual.

To configure management settings:

1. After you configure the connection settings, click the Management tab.

2. Select the management settings:

– Check Password – Select to check the managed account passwords daily. The stored password is compared to the current password on the managed system.

– Reset Password on Mismatch – Select this check box to reset the password if the comparison detects differences in the passwords. If email is configured and this check box is not selected, then an email notification is sent when a mismatch is detected.

– Change Frequency – Select how frequently you want to reset a password.

– Change Time – Select the time of day to change a password.

– Change password after any release – Select to automatically reset a password after the password is released.

– Default duration of ISA releases of password – Set the length of time that occurs between the ISA retrieval of the password and the automatic reset of the password.

Add managed accounts from the managed systems. Add administrator accounts (such as root or Administrator).

To configure accounts:

1. On the Managed Systems Settings page, click the Accounts tab, and then click Add.

2. Provide the following information for the managed account:

– System Name – Provide the name of the managed system where the account resides.


– Account Name, Current Password – Enter the credentials for the account.

– Password Rule – Select the password rule. Password rules are configured on your appliance.

– Change password for Windows Services started by this account – Select this check box to update Windows services that the account runs. For example, select it if the account you are configuring here is an Administrator account that runs system services and you want the services to continue to run uninterrupted after the password change.

– Use this account's current password to change the password – Select this check box for managed systems using Windows XP or Windows Server 2003 operating systems. Security applied to these operating systems relies on authentication certificates stored for the account.

– Approvals Required – Enter the number of approvals required before the password is released.

– Send Release Notification Email to – Enter the email address for the approvers.

– Maximum Release Duration – Select the maximum length of time that a requestor can choose for the password release duration.

– Enable Automatic Password Changing/Testing – Select the check box to override the system settings. Password changes are then managed at the account level.

3. Click Save.

Managing Passwords

There are three stages in the password release process:

• Requesting a password

• Approving a password

• Retrieving a password

Requesting a Password

You must be assigned the Requestor role in Retina CS to request a password release.


The Ticket System is managed from the appliance. PowerBroker PasswordSafe does not interact with a ticket system. The ticket information is added for reference only, to track password requests related to a ticket. For more information, refer to the PowerBroker PasswordSafe Administration Guide.

To request a password release:

1. Log on to the PasswordSafe website using your Retina CS credentials.

2. Click the Request Password tab.

3. Provide the request information, and then click Request Password.

A message is displayed indicating that your request is in the approval queue. At this point, you can view all of your requests or create a new request. An email notification will be sent to you confirming the password request.

You can review all of your password requests on the Request Password page. Select the tabs to filter the password requests. The All filter displays all password requests, including pending, expired, and active. An Active password is a password that is approved and checked out.


Approving a Password

You must be assigned the Approver role to approve password releases. There might be more than one approver required, depending on how the managed systems are configured.

To approve a password request:

1. Log on to the PasswordSafe website using your Retina CS credentials.

2. Click the Approve Requests tab.

3. Select a request in the list.

The Approval History displays the number of approvals required and whether any approvals are applied.

4. Click Approve.


The Retrieve Password button is now available to the original requestor in the Approval History section of the Approve Request page.

Click Check-in Password at any time to expire the released password. The password is then no longer available to use.

Retrieving a Password

To retrieve a password:

1. Log on to the PasswordSafe website using your Retina CS credentials.

2. Select the Request Password tab, and then select an account.

3. Click Retrieve Password.

4. Click Highlight Password, and then press Ctrl+C to copy the password to the Clipboard.


Regulatory Reports Pack

The Regulatory Reporting packs require a license to activate the feature set. Contact your BeyondTrust representative.

Not supported in Retina CS Community.

In this section,

Compliance Scans

Healthcare Pack

Finance Pack

Government Pack

Running a Compliance Scan

Reviewing Compliance Scan Results

You can run regulatory reports to ensure that your assets are in compliance. Review the following sections to learn more about the compliance scan templates available, compliance coverage, running a scan, and reviewing scan results.


Compliance Scans

By default, the following scan templates are available. Healthcare, Finance, and Government packs need an updated license key.

ISO-27002 Scans
Compliance Area    Section 12.6.1 Control of technical vulnerabilities

COBiT Scans
Compliance Area    Section DS11.6 Security Requirements for Data Management

Healthcare Pack Compliance Scans

The Healthcare Pack includes a HIPAA scan template. Contact BeyondTrust for a license key to activate the compliance pack.

HIPAA Scans
Compliance Area    Section 164.308 Administrative safeguards, (a)(8) Standard: Evaluation.

Finance Pack Compliance Scans

The Finance Pack includes a SOX and GLBA scan template. Contact BeyondTrust for a license key to activate the compliance pack.

GLBA Scans
Compliance Area    Section 6801 Protection of nonpublic personal information.

SOX Scans
Compliance Area    Section 404 Management Assessment of Internal Controls.

Government Pack Compliance Scans

The Government Pack includes the FERC-NERC, NIST 800-53 and MASS 201 scan templates.


Contact BeyondTrust for a license key to activate the compliance pack.

FERC-NERC Scans
Compliance Area    CIP-005-3 R4 Cyber Vulnerability Assessment

NIST-800-53 Scans
Compliance Area    SA System and Services Acquisition; SA-10 Developer Configuration Management

MASS 201 Scans
Compliance Area    Section 17.03(2)(b)(3) Duty to Protect and Standards for Protecting Personal Information - Detect and Prevent Security Systems Failures

Running a Compliance Scan

The following procedure is an overview of running a scan. For detailed information on scan options, see Scanning.

To run a compliance scan:

1. Select the asset group and then select Scan.

2. Select the scan template and click Scan.

Ensure the correct license key is applied to activate the compliance scans.

3. Click Scan.

4. Select the scan options, and then click Start Scan.


Reviewing Compliance Scan Results

The following shows report information from the HIPAA Compliance scan. The summary of the vulnerability details breaks down the vulnerabilities by severity.

Scroll through the list of vulnerabilities provided in the report. You can review remediation fixes, CVSS scores, and additional information for the vulnerability, as shown in the following example from a report.


Configuration Compliance Pack

The Configuration Compliance module requires a license to activate the feature set. Contact your BeyondTrust representative.

Not supported in Retina CS Community.

In this section,

Setting Permissions for Configuration Compliance

Managing Benchmarks

Importing Benchmarks

Setting OVAL Tests Option

The following tools are available to run benchmark scans:

• XCCDF audit groups. The Secure Configuration Audits audit group ships with the Configuration Compliance module. Use this audit group to run your scan.

• Benchmark configuration. Import benchmark templates, synchronize templates, and review versions of benchmark templates that ship with Retina CS.

• Configuration Compliance reports. Includes two reports: Benchmark Compliance and Benchmark Export.

For information about running a scan, see Running a Scan.

Setting Permissions for Configuration Compliance

You must create a user group and set permissions for the user group to run configuration compliance scans.

To create a group and set the permission:

1. Click the Configure tab, and then click Accounts.

2. Click + in the User Groups pane to create a group.

3. Enter a group name and description.

4. Select the Read and Write check boxes for the Benchmark Compliance permission.

5. Add an IP range for the group.


6. Select attributes (optional).

7. Click Update.

Add your configuration compliance users to the group. See User Accounts.

Managing Benchmarks

Retina CS ships with a default set of benchmark templates. You can import additional or updated benchmarks, and synchronize benchmarks.

If you are working with your benchmark profiles outside Retina CS, then you can synchronize the templates using the Retina CS Configuration tool. To download an editor to change your benchmarks, click the Download Editor button.

To manage benchmarks:

1. Click the Configure tab.

2. Click the Benchmark Management tab.

3. Expand a benchmark to review more detail.

Policies included with benchmark templates can be inactivated if they do not apply. Clear policies as needed.

4. To import templates, click Import New Benchmark, navigate to the file, and click Open. To overwrite an existing template, click Yes.

Importing Benchmarks

You can import .cab or .zip files that include the following:

• For Windows 7:

– CIS_Windows_7_Benchmark_v1.1.0_oval.xml

– CIS_Windows_7_Benchmark_v1.1.0.xml

– Windows-7-cpe-oval.xml

– Windows-7-cpe-dictionary.xml

• For Windows Server 2008:

– CIS_Windows_2008_Server_Benchmark_v1.1.0_oval.xml


– CIS_Windows_2008_Server_Benchmark_v1.1.0.xml

– Windows-2008-cpe-oval.xml

– Windows-2008-cpe-dictionary.xml

Setting OVAL Tests Option

You can store OVAL XML data in the Retina CS database. If selected, the OVAL values used to determine whether a rule was compliant are parsed from the OVAL output files and stored in the Retina CS database.

To store OVAL tests in Benchmark reports:

1. Select Options.

2. On the Application Options dialog box, expand Benchmark Compliance.

3. Select the Yes check box to store OVAL tests.

4. Click Update.


Appendix A: Preparing Your Database Application for Scans

Not supported in Retina CS Community.

You can set your database applications as targets for scanning. To ensure that your database can be successfully scanned by Retina, review the following section on MySQL to prepare your database.

Preparing Your MySQL Database

Review your MySQL settings and ensure the following is in place:

• Verify the latest GA release of the MySQL ODBC driver is installed on the scanner system.

– Go to Administrative Tools.

– Run Data Sources (ODBC).

– Select the Drivers tab.

– Search for the MySQL driver.

– If no driver is found, then download and install the latest GA release of the MySQL driver from the MySQL website.

• Ensure a remote connection can be established to the target database using the 'mysql' tool provided with the MySQL database installation.


Appendix B: BMC Remedy

You can export asset and vulnerability data from Retina CS to your BMC Remedy server.

To configure Retina CS, you must:

• Create a connector to Remedy.

• Create a Smart Group. The parameters configured in the Smart Group include the assets (and data) that will be exported to the Remedy system.

Your Remedy system must already have forms created to accept asset and vulnerability information.

Creating a Connector to your BMC Remedy Server

Settings from your Remedy WSDL file are required to create the connector.

Sample data from a WSDL file:

Note: Remedy web service endpoints expect a sortable date format. For example, 2009-06-15T13:45:30. However, you can override the default format in the registry with a valid .NET date format string:

HKEY_LOCAL_MACHINE\SOFTWARE\eEye\RetinaCS\RemedyExportDateFormatString

View examples of standard date format strings here: http://msdn.microsoft.com/en-us/library/az4se3k1.aspx

To create a connector:

1. Click the Configure tab, then click the Export Connectors tab.

2. Click +, then click BMC Remedy Connector.

3. Enter a connector name, and a Remedy user name and password. The connector name can be any name.


The credentials for the Remedy system must provide access to the web service and be able to create requests.

The Active check box is selected by default. Data is only exported when the check box is selected.

4. Select the check boxes depending on the data that you want to export: Export Assets, Export Vulnerabilities. You can select both.

5. For the export options, enter the following information:

– Web Service URL – Defines the location where data will be exported.

– Target Namespace – Enter the target namespace from the WSDL file.

– SOAP Action – Enter the action as defined in the WSDL file.

– Field Mappings – Enter the fields that you want to include in the export data. The order of the fields must match the order of the fields in the WSDL file. Use the arrows to change the order.

6. After you provide the information, click Test to ensure a connection is established to your Remedy system. Note that the test creates a record in the Remedy system.

7. Click Update.


Creating a Smart Group

The assets and vulnerabilities exported are defined in the Smart Group.

To configure the Remedy Smart Group:

1. Configure the Smart Group as usual. See Creating a Smart Rule.

2. In the Perform Actions area, select Export Data.

3. Select the name of the Remedy connector.

4. Select an audit group from the list.

Only vulnerabilities in the selected audit group will be exported. All vulnerabilities for all assets will be exported if no audit group is selected.

5. Enter the expiration period, in days.

Assets and vulnerabilities (depending on what is defined in the connector details) are only exported once in the defined expiration period. However, an item (asset or vulnerability) might be exported more than once. This might occur if, for any reason, the item is not included in the Smart Group but then is included again later. After the expiration period passes, the item is exported again if it remains in the Smart Group.

6. Click Save.

Exporting the Data

After the Smart Group is created, the data is set to be collected and exported every hour on the hour. You can change the default export time in the RemManagerSvc.exe.config file located in the Retina CS install directory.

View export results in your Remedy system. Export results or alerts on progress are not shown in Retina CS.

To stop exporting data, clear the Active check box on the Remedy Connector Details page.
