Symantec eDiscovery Platform 7.1.4 Security Outline - Veritas€¦ · Qualys and Cenzic Retina – Nessus – Hyperion (Government Standard Tools) GOVT. Common Process o Deploy Solution

This document is provided for informational purposes only. All warranties relating to the information

in this document, either express or implied, are disclaimed to the maximum extent allowed by law.

The information in this document is subject to change without notice. Copyright © 2014 Symantec

Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are

trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other

countries. Other names may be trademarks of their respective owners.

Symantec eDiscovery Platform 7.1.4

Security Outline

This document is to provide an outline of some of the security aspects of Symantec eDiscovery Platform from the view

of a security officer

If you have any feedback or questions about this document please email them to [email protected] stating the

document title.

mailto:[email protected]

Page 1

Symantec eDiscovery Platform 7.1.4 Security Outline

Purpose

The Symantec eDiscovery Platform is the industry leading, single pane of glass application which

answers each phase of the eDiscovery reference model in an intuitive manner with utilities to

consolidate traditional Legal Hold methodology, and agentless and targeted approach Identification and

Collections, a powerful and flexible Processing engine, and a rich and robust Review and Analytics

solution. The Symantec eDiscovery Platform is an appliance based solution with an Oracle MySQL

database backend integrated with web services from Apache Tomcat to provide an easy to deploy and

manage web based solution for both technology and legal team perspectives.

Scanning - tools and validation

Qualys and Cenzic

Retina – Nessus – Hyperion (Government Standard Tools)

GOVT. Common Process

o Deploy Solution

o Schedule Scan

o Review Vulnerabilities and resolve

o Rescan (and repeat as necessary – typically this has been a single scan iteration for

success, leaving Windows Updates to the customer to apply)

Symantec performs vulnerability scanning annually to determine high and medium vulnerabilities and

work to remediate any issues found:

Vulnerability

DB Vulnerabilities

OS Vulnerabilities

Network Related Vulnerabilities

DISA STIG Security Documentation

Government Standard delivered by DISA to provide specialized, required application security settings to

be met for solution to be approved for addition to production networks regardless of network security

classification (unclassified – top secret)

Page 2


OS Level

Web Application Level

Database level

Third Party Application Level

o Method of disabling Lotus Notes client until updated to newest version with product.

Anti-virus

Symantec eDiscovery Platform does not bundle an anti-virus solution with its appliances. Furthermore,

there does not seem to be such a need in certain configurations.

Why does the Symantec eDiscovery Platform not need A/V during processing

Unlike Worms, viruses need to be activated, for example, by launching an executable or invoking a

script. In due processing an email, attachment or loose file, we may well encounter an infected

document, but so long as we don't actually run the attachment, or attempt to evaluate any embedded

javascript during processing we should be safe. Opening an attachment as a file is safe, such as what

Stellant would, but asking the OS or JVM to run it is not.

Symantec eDiscovery Platform does support native file printing, for example printing a spreadsheet by

launching MS Excel. Virus protect is a concern for native file printing. See “CW Virus Scanning

Guidelines” for more information on scanning the directory used for native document viewing.

Note – If the Symantec eDiscovery Platform environment is not licensed for native document

review the native file printing directory will not exist and therefore is not a potential virus

gateway.

Symantec eDiscovery Platform interacting with Virus

o The Symantec eDiscovery Platform is compatible with the anti-virus application of

choice, but there are a number of exceptions that must be kept in mind to ensure that

the appliance is properly protected. One of the basic tenants of eDiscovery is the

collection, processing, and review of case data. This data comes from many sources

such as file shares and email.

Page 3


o Collected email and other file types are sometimes found to have phony links and

malicious spyware which may be needed for a particular case or matter. To use this

data and have it available to be processed and then reviewed by the legal team is

necessary – but there is a risk that reviews could inadvertently click links or open files

containing these types of files within the case data population.

o Configuring the Anti-Virus client is simple with a provided Anti-virus setup guide,

available on request.

o It is possible to configure the path for attachment directory by using the property

"esa.altAttachmentsDir". By default the value would be empty and it defaults to

d:\CW\<current_version>\scratch\temp\esadb\attCacheDir\.

Protecting our users

Although the Symantec eDiscovery Platform application should continue to function normally in the

presence of viruses, the end users/reviewers are at risk. A user can get infected if he/she downloads an

attachment (for example, after a Search) for native viewing such as with MS Word or QuickView Plus.

Users responsibility

The first responsibility remains with our users. We assume our users have scanned all documents and

emails provided to Symantec eDiscovery Platform for indexing. However, sometimes this is not possible.

For example, although many anti-virus software applications will scan zip files, they may not scan PST

files, or WINMAIL.DAT files, or CAB files, or various other container files.

It is recommended that all user desktops have an anti-virus application actively scanning for any user

viewing attachments and loose files natively outside of the Symantec eDiscovery Platform.

No worms

Although this section is not about worms, they do deserve a mention. Worms, unlike viruses, are not

activated: they are programs that are self-activated (for example from a startup folder), or trick the user

and/or the OS into activating them. Once activated they can cause damage to the local machine and/or

propagate themselves outwards through open ports or various tools such as email clients.

Page 4


With the use of the Firewall and other measures worms should not be able to infect the network.

Open Ports / Protocols / Encryption Standards

This is list of ports to manipulate when provisioning an internet-facing or firewalled secured instance of

the Symantec eDiscovery Platform. Be aware that not all ports are required to stay open after a specific

port-related task(s) is complete, for example, Windows activation using port 53

Port Protocol Description Optional Misc.

22 TCP SSH, SCP/SFTP Y

25 TCP SMTP Y

53 TCP/UDP DNS Y

80 TCP HTTP

443 TCP HTTPS

3389 TCP Microsoft RDP Y

21 ftp

626 Ldap-s Y

88 kerberos Y

123 ntp

389 LDAP Y

135-139

Required by NETBIOS that enables various network related communications: Microsoft fi le sharing SMB: User Datagram Protocol (UDP) ports and Transmission Control Protocol (TCP) ports Used for File Share Collection & Desktp Collection. Must be Bi -Directional.

3306 Used by MySQL to enable remote database access. Must be used with a Symantec eDiscovery Platform cluster or if a separate MySQL server is being used

445 For File Share and PC Collections we use the SMB or CIFS protocol, which uses TCP port 445

Required for fi le sharing and needed to allow sharing fi les across a network. Must be Bi-Directional.

2595 Symantec eDiscovery Platform

Page 5


application port for inter-appliance communication

135 Used by various windows critical services including the Firewall Service. Symantec eDiscovery Platform util izes the native Windows Firewall on the appliance to "harden" the Symantec eDiscovery Platform.

Table 1

Auditing & reporting

Symantec eDiscovery Platform provides a number of logs and auditing services within the User Interface

(UI) as well as locally on the appliance. If necessary, these logs are able to be compressed and retained

according to local retention and preservation policies.

The jobs are listed by name (see below) with the corresponding data and time appended in the name for

ease of use and troubleshooting.

The location of the logs on the local appliance is:

D:\CW\Vx.x\Logs (Vx.x denotes the latest installed version of the Symantec eDiscovery Platform

– if the deployed is version 7.1.4 the path would be D:\CW\V714\Logs)

o Access Logs

Provides information on application access times on login.

o Catalina Logs

Provides information on the Apache Tomcat webserver jobs as well as any

errors for ease in troubleshooting

o Server Logs

Provides information on server related tasks and errors for ease in

troubleshooting

o Jobs Logs

o Crawler\Retriever

These log files are related to collections tasks within the collections module and

rendering tasks in the review module. These are listed by specific name such as

PSTCrawler, PSTRetriever, etc.

Page 6


o Processing

These logs provide detail into processing tasks within the Collections module.

NOTE: Logs are managed by the system and are overwritten

Services

This section reviews all of the necessary Symantec eDiscovery Platform specific services providing

descriptions of each. Symantec eDiscovery Platform specific services are denoted in the services console

with the prefix ESA. For accounts related to running these services, please reference the Accounts

section of this document.

EsaApplicationService:Firedaemon

o Controls the Symantec eDiscovery Platform Application Server, which is responsible for

indexing the incoming documents and processing search requests. This service depends

on the MySQL service. No configuration is required, except in the following cases:

To crawl PST files or loose files on a network share that requires a username and

password, this service must run under a login account with those permissions.

To crawl an Active Directory domain other than the domain of the Symantec

eDiscovery Platform, this service must run under a login account in that domain

(used mainly for lab tests).

EsaEvCrawlerService & EsaEvRetrieverService

o Responsible for crawling and retrieving documents on Symantec Enterprise Vaults. The

login user name must match the name used by the Symantec services (generally the

“Vault Service Account”).

EsaExchangeCrawlerService & EsaExchangeRetrieverService

o Responsible for crawling and retrieving documents on Exchange servers. The login user

must have the following permissions:

Read

Execute

Read permissions

List contents

Read properties

List objects

Open mail send queue

Read metabase properties

Administer information store

Create name properties in the information store

Page 7


View information store status

Receive As

EsaPstCrawlerService & EsaPstRetrieverService

o Responsible for crawling and retrieving PST data stores. Note the following:

If the PST files are on a network share that requires a username and password,

these services must run under a login account with read and write access to the

network share. –If the PST files are on a storage device attached to the

Symantec eDiscovery Platform, then only local permissions are required.

The Symantec eDiscovery Platform requires different accounts but similar

privileges for each of the PST crawler, and retriever services. Setting up separate

accounts avoids potential memory contention and management issues with

Microsoft’s MAPI interface which could result in sub-optimal performance.

EsaNsfCrawlerService & EsaNsfRetrieverService

o Responsible for crawling and retrieving NSF data stores. These services must be

configured with the permissions needed to access NSF files over the network. Note the

following:

If the NSF files are on a network share that requires a username and password,

these services must run under a login account with read and write access to the

network share.

If the NSF files are on a storage device attached to the Symantec eDiscovery

Platform appliance, then only local permissions are required.

Make sure that these two services are configured to use the same account.

Notes client must be activated to work with this account.

o EsaRissCrawlerService & EsaRissRetrieverService

Responsible for crawling and retrieving documents on the Hewlett-Packard

IntegratedArchive Platform (IAP), formerly called the Reference Information

Storage System (RISS).

To properly start and run, the account used for this service must be setup with

access the RISS shares.

o MySQL Services

Services operate in a traditional manner, providing for operation stability of the

Symantec eDiscovery Platform MySQL database.

Processes Services

BDLGenServer.exe EsaApplicationService : FireDaemon

BelsService.exe EsaIGCBravaLicenseSrvice

CWJava.exe EsaIGCJobProcessor

Page 8


EVCrawler.exe EsaNsfCrawlerService

EVRetriever.exe EsaNsfRetrieverService

ExchangeCrawler.exe EsaPstCrawlerService

ExchangeRetriever.exe EsaPstRetrieverService

FileFilter.exe

FireDaemon.exe

Java.exe

JPConsole.exe

JPService.exe

MySqld-nt.exe

Mysqldump.exe

NSFCrawler.exe

NSFRetriever.exe

NSFScan.exe

PSTCrawler.exe

PSTRetriever.exe

PSTScan.exe

PSTWriter.exe

RISSCrawler.exe

RISSRetriever.exe

fragmon.exe

cscript.exe

perl.exe

Table 2

There are some specific rights needed to be granted to services within the Symantec eDiscovery

Platform prior to the installation. A comprehensive list of these is available in the installation guide

which can be found here

http://www.symantec.com/business/support/index?page=content&id=DOC6865

http://www.symantec.com/business/support/index?page=content&id=DOC6865

Page 9


Identification and collections

The Symantec eDiscovery Platform was created with an all in one, very intuitive ease of use in mind to

provide a more efficient workflow for eDiscovery needs. The Identification and Collection module was

created with a targeted and agentless approach. There are no agents to be installed and then

repeatedly managed and QC’ed throughout the infrastructure.

Symantec eDiscovery Platform is able to directly collect from a multitude of sources out of the box, with

the only requirement being a managed user account with proper access to the targeted source for

collection purposes.

Accounts typically need a higher level of access to properly collect necessary case data such as:

Read – Read rights are necessary for the designated account to see the data that is to be requested

to be collected.

List – List Rights are needed for the designated account to present the data to the Symantec

eDiscovery Platform.

Write – Write rights are necessary for the destination account so that the data requested to be

collected can be written in a forensically sound manner (very much like ROBOCOPY) to the

designated data store and keep the content and metadata sound an in its original format.

Accounts

Traditionally, software will come shipped with default username and password credentials out of the

box, and the Symantec eDiscovery Platform is no different. These accounts are completely configurable

and the passwords are able to updated, renamed, and changed on the fly as needed.

Local Accounts

Symantec eDiscovery Platform comes configured out the box ready for immediate use with local

accounts (listed below); these credentials are able to be renamed and passwords changed to fit the

needs and policies of our customer environment.

CWAppAdmin

o One of the default accounts that comes as a default configuration of the Symantec

eDiscovery Platform. If using this local account, it MUST be a local administrator as it is

used to run necessary ESA Services (see ESA service description above) and will need

Page 10


admin level access locally on the appliance to access all of the necessary directories to

ensure that each module and function within the Symantec eDiscovery Platform will

operate at optimum levels. The username and password are able to be configured to

necessary security standards and policies as needed, and on the fly.

CWPSTRetriever

o One of the default accounts that comes as a default configuration of the Symantec

eDiscovery Platform. If using this local account, it MUST be a local administrator as it is

used to run necessary ESA Services (see ESA service description above) and will need

admin level access locally on the appliance to access all of the necessary directories to

ensure that each module and function within the Symantec eDiscovery Platform will

operate at optimum levels. The username and password are able to be configured to

necessary security standards and policies as needed, and on the fly. This account is

typically used to run the ESAPSTRetriever service, as a requirement for the Symantec

eDiscovery Platform is to have a separate account running the ESAPST Crawler service to

prevent MAPI profile corruption.

IGCAdmin

o This account is used typically used to allow the BRAVA IGC third party application to run in

conjunction with the Symantec eDiscovery Platform.

o This account is also used to install the Symantec eDiscovery Platform and all necessary

updates and upgrades. This is necessary as during the installation phase, if IGC Services

(BRAVA) are being updated this will allow for a very simple update of the application,

without the need for running a separate installation package to update these credentials.

o If the IGCAdmin credentials are to be used for running the IGC Services – there are very

specific steps that must be followed to update the username and password – as if this

account is assigned to run these services – changes of the credentials must be done in a

specific concentrated effort to ensure that services can be successfully restarted.

Symantec eDiscovery Platform default usernames

o Superuser

This is the out of the box application administrator account that comes with the

Symantec eDiscovery Platform. This should be utilized as the backup administrator

Page 11


account for the Symantec eDiscovery Platform User Interface and cannot be

deleted.

The password is able to be updated to align with security standards and should be

changed once the installation of the appliance is complete and management of the

appliance is transferred to local staff.

It is imperative that the account credentials are maintained to ensure that in case of

loss of LDAP connection, the superuser can be used to login locally. This is

considered to be like a windows local admin account and used in last case

circumstances.

o Default Password

These are available upon request to the support team, account representative, or

system engineer.

Domain Accounts

Symantec eDiscovery Platform has the capacity to use domain accounts within an existing

infrastructure to increase scalability, provide better ease of management, and provide

additional auditing with existing tools and infrastructure.

Default Roles

Symantec eDiscovery Platform comes with a list of default roles which in most cases are suitable for the

majority of uses. Custom roles can be created by the system administrator as required.

Role Description Default Assigned Rights

Case Admin Administrator-level access to one or more cases (includes case admin capabilities plus all case user rights)

General Rights Allow analysis tags dashboard access Allow access to management charts Allow reports access Allow mobile access Document Access Rights Allow viewing Allow tagging Allow move or removing from folders Allow bulk tagging Allow smart tagging Allow viewing of prediction ranks Allow predictive coding actions Allow access to tag event comments Allow access to item notes

Page 12


Allow redacting Prompt for reason code Allow tag history viewing Allow tag history searching Allow exporting Allow printing Allow native download Allow caching for review Allow searching and fi ltering by processing flags Case Administration Rights All case admin rights System Administrative Settings

Case Manager

Manager-level access to one or more cases (includes case admin capabilities (except source setup rights) plus all case user rights)

General Rights Allow integrated analytics access Allow analysis tags dashboard access Allow access to management charts Allow reports access Allow mobile access Collection Rights Legal Holds Rights Allow Legal Hold access Legal Hold management Document Access Rights Allow viewing Allow tagging Allow move or removing from folders Allow bulk tagging Allow smart tagging Allow viewing of prediction ranks Allow predictive coding actions Allow access to tag event comments Allow access to item notes Allow redacting Prompt for reason code Allow tag history viewing Allow tag history searching Allow exporting Allow printing Allow native download Allow caching for review

Page 13


Allow searching and fi ltering by processing flags Case Administration Rights Allow case status access Allow user management Allow activity report access Allow group and topic management Allow tag definition Allow folder setup Allow folder check-out management Allow production folder management Allow custodian management Allow participant management View exceptions Manage exceptions Allow OCR processing Other case management functions (e.g. jobs, batches, etc.) Access to all other case management functions not otherwise specified. This includes: batches, jobs, logs, and schedules. System Administrative Settings

Case User Search, tagging, and print dashboard rights to one or more cases

General Rights Allow analysis tags dashboard access Allow access to management charts Collection Rights Legal Holds Rights Document Access Rights Allow viewing Allow tagging Allow move or removing from folders Allow bulk tagging Allow viewing of prediction ranks Allow predictive coding actions Allow access to tag event comments Allow access to item notes Allow redacting Prompt for reason code Allow tag history viewing Allow tag history searching Allow printing Allow native download Allow caching for review Allow searching and fi ltering by processing flags

Page 14


Case Administration Rights No case admin rights System Administrative Settings

Collection Admin

Administrator-level collection set management

General Rights Allow integrated analytics access Allow reports access

Allow mobile access Collection Rights Allow collections access Data map management Collections management Collection sets management Legal Holds Rights Document Access Rights Case Administration Rights No case admin rights System Administrative Settings Allow Case Home and All Cases Dashboard Access

eDiscovery Admin

Administrator-level access to one or more cases as well as well as collection set management and integrated analytics

General Rights Allow integrated analytics access Allow analysis tags dashboard access Allow access to management charts Allow reports access Allow mobile access Collection Rights Allow collections access Data map management Collections management Collection sets management Legal Holds Rights Allow Legal Hold access Legal Hold management Document Access Rights Allow viewing Allow tagging Allow move or removing from folders Allow bulk tagging

Page 15


Allow smart tagging Allow viewing of prediction ranks Allow predictive coding actions Allow access to tag event comments Allow access to item notes Allow redacting Prompt for reason code Allow tag history viewing Allow tag history searching Allow exporting Allow printing Allow native download Allow caching for review Allow searching and fi ltering by processing flags Case Administration Rights All case admin rights System Administrative Settings Allow Case Home and All Cases Dashboard Access

Legal Hold Admin

Administrator-level legal hold management

General Rights Allow integrated analytics access Allow mobile access Collection Rights Legal Holds Rights Allow Legal Hold access Legal Hold management Document Access Rights Case Administration Rights No case admin rights System Administrative Settings Allow Case Home and All Cases Dashboard Access

System Manager

Unrestricted rights to manage entire Symantec eDiscovery Platform system, including administrator-level access to all cases

General Rights Allow integrated analytics access Allow analysis tags dashboard access Allow access to management charts Allow reports access Allow mobile access Collection Rights Allow collections access Data map management Collections management Collection sets management Legal Holds Rights

Page 16


Allow Legal Hold access Legal Hold management Document Access Rights Allow viewing Allow tagging Allow move or removing from folders Allow bulk tagging Allow smart tagging Allow viewing of prediction ranks Allow predictive coding actions Allow access to tag event comments Allow access to item notes Allow redacting Prompt for reason code Allow tag history viewing Allow tag history searching Allow exporting Allow printing Allow native download Allow caching for review Allow searching and fi ltering by processing flags Case Administration Rights All case admin rights System Administrative Settings Allow Case Home and All Cases Dashboard Access Allow system management Allow support access Allow new case creation, case backup, restore, deletion, template creation Allow collections and data map backup, restore Allow user management Allow admin user and role management

Table 3

About Symantec:

Symantec is a global leader in

providing security, storage, and systems management solutions to help consumers and organizations

secure and manage their information-driven world. Our software and services protect

against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Headquartered in Mountain View,

Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

For specific country offices and

contact numbers, please visit our Web

site: www.symantec.com

Symantec Corporation

World Headquarters

350 Ellis Street

Mountain View, CA 94043 USA

+1 (650) 527 8000

+1 (800) 721 3934

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

http://www.symantec.com/

Documents

Symantec eDiscovery Platform 7.1.4 Security Outline - Veritas€¦ · Qualys and Cenzic Retina – Nessus – Hyperion (Government Standard Tools) GOVT. Common Process o Deploy Solution