This document is provided for informational purposes only. All warranties relating to the information
in this document, either express or implied, are disclaimed to the maximum extent allowed by law.
The information in this document is subject to change without notice. Copyright © 2014 Symantec
Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners.
Symantec eDiscovery Platform 7.1.4
Security Outline
This document provides an outline of some of the security aspects of the Symantec eDiscovery Platform from the viewpoint of a security officer.
If you have any feedback or questions about this document, please email them to [email protected], stating the document title.
Page 1
Symantec eDiscovery Platform 7.1.4 Security Outline
Purpose
The Symantec eDiscovery Platform is the industry-leading, single pane of glass application which answers each phase of the eDiscovery reference model in an intuitive manner, with utilities to consolidate traditional Legal Hold methodology, an agentless and targeted approach to Identification and Collections, a powerful and flexible Processing engine, and a rich and robust Review and Analytics solution. The Symantec eDiscovery Platform is an appliance-based solution with an Oracle MySQL database backend, integrated with web services from Apache Tomcat, to provide an easy to deploy and manage web-based solution for both the technology and the legal team.
Scanning - tools and validation
Qualys and Cenzic
Retina – Nessus – Hyperion (Government Standard Tools)
GOVT. Common Process
o Deploy Solution
o Schedule Scan
o Review Vulnerabilities and resolve
o Rescan (and repeat as necessary – typically this has been a single scan iteration for success, leaving Windows Updates to the customer to apply)
Symantec performs vulnerability scanning annually to identify high and medium vulnerabilities and works to remediate any issues found in the following areas:
o DB Vulnerabilities
o OS Vulnerabilities
o Network Related Vulnerabilities
DISA STIG Security Documentation
Government standard delivered by DISA that specifies the required application security settings which must be met for the solution to be approved for addition to production networks, regardless of network security classification (unclassified – top secret):
OS Level
Web Application Level
Database level
Third Party Application Level
o Method of disabling the Lotus Notes client until it is updated to the newest version shipped with the product.
Anti-virus
Symantec eDiscovery Platform does not bundle an anti-virus solution with its appliances. Furthermore,
there does not seem to be such a need in certain configurations.
Why does the Symantec eDiscovery Platform not need A/V during processing?
Unlike worms, viruses need to be activated, for example by launching an executable or invoking a script. In the course of processing an email, attachment or loose file, we may well encounter an infected document, but so long as we don't actually run the attachment, or attempt to evaluate any embedded JavaScript during processing, we should be safe. Opening an attachment as a file is safe, as Stellent does, but asking the OS or JVM to run it is not.
Symantec eDiscovery Platform does support native file printing, for example printing a spreadsheet by launching MS Excel. Virus protection is a concern for native file printing. See "CW Virus Scanning Guidelines" for more information on scanning the directory used for native document viewing.
Note – If the Symantec eDiscovery Platform environment is not licensed for native document
review the native file printing directory will not exist and therefore is not a potential virus
gateway.
Symantec eDiscovery Platform interacting with viruses
o The Symantec eDiscovery Platform is compatible with the anti-virus application of choice, but there are a number of exceptions that must be kept in mind to ensure that the appliance is properly protected. One of the basic tenets of eDiscovery is the collection, processing, and review of case data. This data comes from many sources such as file shares and email.
o Collected email and other file types are sometimes found to contain phony links and malicious spyware which may be needed for a particular case or matter. Making this data available to be processed and then reviewed by the legal team is necessary, but there is a risk that reviewers could inadvertently click links or open files containing these types of content within the case data population.
o Configuring the Anti-Virus client is simple with a provided Anti-virus setup guide,
available on request.
o It is possible to configure the path of the attachment directory by using the property "esa.altAttachmentsDir". By default the value is empty and the directory defaults to d:\CW\<current_version>\scratch\temp\esadb\attCacheDir\.
Protecting our users
Although the Symantec eDiscovery Platform application should continue to function normally in the
presence of viruses, the end users/reviewers are at risk. A user can get infected if he/she downloads an
attachment (for example, after a Search) for native viewing such as with MS Word or QuickView Plus.
Users' responsibility
The first responsibility remains with our users. We assume our users have scanned all documents and
emails provided to Symantec eDiscovery Platform for indexing. However, sometimes this is not possible.
For example, although many anti-virus software applications will scan zip files, they may not scan PST
files, or WINMAIL.DAT files, or CAB files, or various other container files.
It is recommended that all user desktops have an anti-virus application actively scanning for any user
viewing attachments and loose files natively outside of the Symantec eDiscovery Platform.
No worms
Although this section is not about worms, they do deserve a mention. Worms, unlike viruses, are not
activated: they are programs that are self-activated (for example from a startup folder), or trick the user
and/or the OS into activating them. Once activated they can cause damage to the local machine and/or
propagate themselves outwards through open ports or various tools such as email clients.
With the use of the firewall and other measures, worms should not be able to infect the network.
Open Ports / Protocols / Encryption Standards
This is a list of ports to manipulate when provisioning an internet-facing or firewalled secured instance of the Symantec eDiscovery Platform. Be aware that not all ports are required to stay open after a specific port-related task is complete, for example Windows activation using port 53.

Port      Protocol   Description                                                              Optional
22        TCP        SSH, SCP/SFTP                                                            Y
25        TCP        SMTP                                                                     Y
53        TCP/UDP    DNS                                                                      Y
80        TCP        HTTP
443       TCP        HTTPS
3389      TCP        Microsoft RDP                                                            Y
21                   FTP
626                  LDAPS                                                                    Y
88                   Kerberos                                                                 Y
123                  NTP
389                  LDAP                                                                     Y
135-139   TCP/UDP    NetBIOS (Microsoft file sharing, SMB); see Misc.
3306                 MySQL remote database access; see Misc.
445       TCP        SMB/CIFS for File Share and PC Collections; see Misc.
2595                 Symantec eDiscovery Platform application port for inter-appliance communication
135                  Windows critical services including the Firewall Service; see Misc.

Misc.:
135-139 – Required by NETBIOS, which enables various network related communications (Microsoft file sharing, SMB) over UDP and TCP ports. Used for File Share Collection and Desktop Collection. Must be bi-directional.
3306 – Used by MySQL to enable remote database access. Must be used with a Symantec eDiscovery Platform cluster or if a separate MySQL server is being used.
445 – For File Share and PC Collections the SMB or CIFS protocol is used, which uses TCP port 445. Required for file sharing and needed to allow sharing files across a network. Must be bi-directional.
135 – Used by various Windows critical services including the Firewall Service. Symantec eDiscovery Platform utilizes the native Windows Firewall on the appliance to "harden" the Symantec eDiscovery Platform.
Table 1
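As an added example (not part of the Symantec document), the following PowerShell audits the appliance's listening TCP ports against Table 1 and confirms that the native Windows Firewall profiles are enabled. It assumes Windows Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets) and is run as a local administrator on the appliance.

```powershell
# Added example, not part of the Symantec document: audit the appliance's listening TCP
# ports against Table 1 above and confirm the native Windows Firewall is enabled.
# Assumes Windows Server 2012 or later (Get-NetTCPConnection / Get-NetFirewallProfile)
# and that it is run as a local administrator on the appliance.

# Ports from Table 1: $true = marked optional on the page (close once the related task
# is done, e.g. Windows activation over 53); $false = not marked optional.
$DocumentedPorts = @{
    22   = $true;  25   = $true;  53   = $true;  80   = $false; 443  = $false
    3389 = $true;  21   = $false; 626  = $true;  88   = $true;  123  = $false
    389  = $true;  135  = $false; 136  = $false; 137  = $false; 138  = $false
    139  = $false; 3306 = $false; 445  = $false; 2595 = $false
}

function Get-AppliancePortAudit {
    # One row per (port, owning process) currently listening on any local address
    $listeners = Get-NetTCPConnection -State Listen |
        Select-Object -Property LocalPort, OwningProcess -Unique
    foreach ($l in $listeners) {
        $port = [int]$l.LocalPort
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $status = if (-not $DocumentedPorts.ContainsKey($port)) { 'UNDOCUMENTED' }
                  elseif ($DocumentedPorts[$port]) { 'optional' }
                  else { 'required' }
        [pscustomobject]@{ Port = $port; Process = $proc; Status = $status }
    }
}

function Test-ApplianceFirewallEnabled {
    # The outline states the appliance relies on the native Windows Firewall for hardening,
    # so every profile (Domain, Private, Public) should report Enabled = True.
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    if ($off.Count -gt 0) {
        Write-Warning ("Windows Firewall is disabled for profile(s): " + ($off.Name -join ', '))
    }
    return ($off.Count -eq 0)
}

$audit = Get-AppliancePortAudit | Sort-Object Port
$audit | Format-Table -AutoSize

foreach ($row in $audit) {
    switch ($row.Status) {
        'UNDOCUMENTED' { Write-Warning "Port $($row.Port) ($($row.Process)) is not in Table 1; review it before exposing the appliance" }
        'optional'     { Write-Warning "Optional port $($row.Port) ($($row.Process)) is open; close it once its task is complete" }
    }
}
$null = Test-ApplianceFirewallEnabled
```

Ports such as 53 or 3389 that show as optional should be expected only while their task is in progress; anything reported as UNDOCUMENTED is a change from the documented baseline and worth explaining before the appliance is placed behind a firewall or exposed.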
Auditing & reporting
Symantec eDiscovery Platform provides a number of logs and auditing services within the User Interface
(UI) as well as locally on the appliance. If necessary, these logs are able to be compressed and retained
according to local retention and preservation policies.
The jobs are listed by name (see below) with the corresponding date and time appended in the name for ease of use and troubleshooting.
The location of the logs on the local appliance is:
D:\CW\Vx.x\Logs (Vx.x denotes the latest installed version of the Symantec eDiscovery Platform – if the deployed version is 7.1.4 the path would be D:\CW\V714\Logs)
o Access Logs
Provides information on application access times on login.
o Catalina Logs
Provides information on the Apache Tomcat web server jobs as well as any errors, for ease in troubleshooting.
o Server Logs
Provides information on server related tasks and errors, for ease in troubleshooting.
o Jobs Logs
o Crawler\Retriever
These log files relate to collection tasks within the Collections module and rendering tasks in the Review module. They are listed by specific name, such as PSTCrawler, PSTRetriever, etc.
o Processing
These logs provide detail on processing tasks within the Collections module.
NOTE: Logs are managed by the system and are overwritten.
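Because the system overwrites these logs, a site that must keep them under its own retention policy has to copy them off the appliance before that happens. The following PowerShell is an added example (not part of the Symantec document) that snapshots the 7.1.4 log path named above into a timestamped archive, records a SHA-256 for each archive, and prunes archives past the retention period; the archive location E:\LogRetention and the 365-day retention are assumed values.

```powershell
# Added example, not part of the Symantec document: snapshot the appliance log directory
# before the system overwrites it, record a SHA-256 for each archive, and prune archives
# older than the local retention period. Assumes PowerShell 5.0+ (Compress-Archive,
# Get-FileHash). The log path is the 7.1.4 path given in the outline; the archive root
# and retention period are assumed values to be replaced with the site's own policy.

function Save-EsaLogSnapshot {
    param(
        [string] $LogRoot     = 'D:\CW\V714\Logs',
        [string] $ArchiveRoot = 'E:\LogRetention'
    )
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $staging = Join-Path $env:TEMP "esa-logs-$stamp"
    $zip     = Join-Path $ArchiveRoot "esa-logs-$env:COMPUTERNAME-$stamp.zip"
    New-Item -ItemType Directory -Path $ArchiveRoot, $staging -Force | Out-Null

    # Copy first: a file held open by a running ESA service (e.g. the Tomcat catalina log)
    # may fail to read, and a single locked file must not abort the whole snapshot.
    $copyErrors = @()
    Copy-Item -Path (Join-Path $LogRoot '*') -Destination $staging -Recurse -Force `
              -ErrorAction SilentlyContinue -ErrorVariable copyErrors
    Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $zip -CompressionLevel Optimal
    Remove-Item -Path $staging -Recurse -Force

    # Integrity record: append "<sha256>  <file>" so later tampering or corruption is detectable
    $hash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    "$hash  $(Split-Path -Path $zip -Leaf)" | Add-Content -Path (Join-Path $ArchiveRoot 'SHA256SUMS.txt')

    [pscustomobject]@{
        Archive      = $zip
        Sha256       = $hash
        SkippedFiles = @($copyErrors | ForEach-Object { $_.TargetObject })
    }
}

function Remove-ExpiredEsaLogSnapshots {
    # Delete archives older than the retention period; returns the names removed for the audit trail
    param([string] $ArchiveRoot = 'E:\LogRetention', [int] $RetainDays = 365)
    $cutoff = (Get-Date).AddDays(-$RetainDays)
    Get-ChildItem -Path $ArchiveRoot -Filter 'esa-logs-*.zip' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object { Remove-Item -Path $_.FullName -Force; $_.Name }
}

Save-EsaLogSnapshot | Format-List
Remove-ExpiredEsaLogSnapshots
```

Run it from a scheduled task more often than the appliance rotates its logs, and review SkippedFiles in the output so that a locked log file is not silently missing from the retained set.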
Services
This section reviews all of the necessary Symantec eDiscovery Platform specific services providing
descriptions of each. Symantec eDiscovery Platform specific services are denoted in the services console
with the prefix ESA. For accounts related to running these services, please reference the Accounts
section of this document.
EsaApplicationService:Firedaemon
o Controls the Symantec eDiscovery Platform Application Server, which is responsible for
indexing the incoming documents and processing search requests. This service depends
on the MySQL service. No configuration is required, except in the following cases:
To crawl PST files or loose files on a network share that requires a username and
password, this service must run under a login account with those permissions.
To crawl an Active Directory domain other than the domain of the Symantec
eDiscovery Platform, this service must run under a login account in that domain
(used mainly for lab tests).
EsaEvCrawlerService & EsaEvRetrieverService
o Responsible for crawling and retrieving documents on Symantec Enterprise Vault. The login user name must match the name used by the Symantec services (generally the "Vault Service Account").
EsaExchangeCrawlerService & EsaExchangeRetrieverService
o Responsible for crawling and retrieving documents on Exchange servers. The login user
must have the following permissions:
Read
Execute
Read permissions
List contents
Read properties
List objects
Open mail send queue
Read metabase properties
Administer information store
Create name properties in the information store
View information store status
Receive As
EsaPstCrawlerService & EsaPstRetrieverService
o Responsible for crawling and retrieving PST data stores. Note the following:
If the PST files are on a network share that requires a username and password, these services must run under a login account with read and write access to the network share. If the PST files are on a storage device attached to the Symantec eDiscovery Platform, then only local permissions are required.
The Symantec eDiscovery Platform requires different accounts, but similar privileges, for each of the PST crawler and retriever services. Setting up separate accounts avoids potential memory contention and management issues with Microsoft's MAPI interface which could result in sub-optimal performance.
EsaNsfCrawlerService & EsaNsfRetrieverService
o Responsible for crawling and retrieving NSF data stores. These services must be
configured with the permissions needed to access NSF files over the network. Note the
following:
If the NSF files are on a network share that requires a username and password,
these services must run under a login account with read and write access to the
network share.
If the NSF files are on a storage device attached to the Symantec eDiscovery
Platform appliance, then only local permissions are required.
Make sure that these two services are configured to use the same account.
Notes client must be activated to work with this account.
o EsaRissCrawlerService & EsaRissRetrieverService
Responsible for crawling and retrieving documents on the Hewlett-Packard Integrated Archive Platform (IAP), formerly called the Reference Information Storage System (RISS).
To properly start and run, the account used for this service must be set up with access to the RISS shares.
o MySQL Services
Services operate in a traditional manner, providing for operation stability of the
Symantec eDiscovery Platform MySQL database.
Processes                 Services
BDLGenServer.exe          EsaApplicationService : FireDaemon
BelsService.exe           EsaIGCBravaLicenseSrvice
CWJava.exe                EsaIGCJobProcessor
EVCrawler.exe             EsaNsfCrawlerService
EVRetriever.exe           EsaNsfRetrieverService
ExchangeCrawler.exe       EsaPstCrawlerService
ExchangeRetriever.exe     EsaPstRetrieverService
FileFilter.exe
FireDaemon.exe
Java.exe
JPConsole.exe
JPService.exe
MySqld-nt.exe
Mysqldump.exe
NSFCrawler.exe
NSFRetriever.exe
NSFScan.exe
PSTCrawler.exe
PSTRetriever.exe
PSTScan.exe
PSTWriter.exe
RISSCrawler.exe
RISSRetriever.exe
fragmon.exe
cscript.exe
perl.exe
Table 2
There are some specific rights needed to be granted to services within the Symantec eDiscovery
Platform prior to the installation. A comprehensive list of these is available in the installation guide
which can be found here
http://www.symantec.com/business/support/index?page=content&id=DOC6865
Identification and collections
The Symantec eDiscovery Platform was created with an all-in-one, very intuitive ease of use in mind to provide a more efficient workflow for eDiscovery needs. The Identification and Collection module was created with a targeted and agentless approach: there are no agents to be installed and then repeatedly managed and QC'ed throughout the infrastructure.
Symantec eDiscovery Platform is able to directly collect from a multitude of sources out of the box, with the only requirement being a managed user account with proper access to the targeted source for collection purposes.
Accounts typically need a higher level of access to properly collect necessary case data, such as:
Read – Read rights are necessary for the designated account to see the data that is requested to be collected.
List – List rights are needed for the designated account to present the data to the Symantec eDiscovery Platform.
Write – Write rights are necessary for the destination account so that the data requested to be collected can be written in a forensically sound manner (very much like ROBOCOPY) to the designated data store, keeping the content and metadata sound and in its original format.
Accounts
Traditionally, software comes shipped with default username and password credentials out of the box, and the Symantec eDiscovery Platform is no different. These accounts are completely configurable, and the passwords are able to be updated, renamed, and changed on the fly as needed.
Local Accounts
Symantec eDiscovery Platform comes configured out of the box ready for immediate use with local accounts (listed below); these credentials are able to be renamed and passwords changed to fit the needs and policies of our customer environment.
CWAppAdmin
o One of the default accounts that comes as a default configuration of the Symantec eDiscovery Platform. If using this local account, it MUST be a local administrator, as it is used to run necessary ESA Services (see the ESA service descriptions above) and will need admin level access locally on the appliance to access all of the necessary directories, to ensure that each module and function within the Symantec eDiscovery Platform will operate at optimum levels. The username and password are able to be configured to necessary security standards and policies as needed, and on the fly.
CWPSTRetriever
o One of the default accounts that comes as a default configuration of the Symantec eDiscovery Platform. If using this local account, it MUST be a local administrator, as it is used to run necessary ESA Services (see the ESA service descriptions above) and will need admin level access locally on the appliance to access all of the necessary directories, to ensure that each module and function within the Symantec eDiscovery Platform will operate at optimum levels. The username and password are able to be configured to necessary security standards and policies as needed, and on the fly. This account is typically used to run the ESAPSTRetriever service, as a requirement of the Symantec eDiscovery Platform is to have a separate account running the ESAPSTCrawler service to prevent MAPI profile corruption.
IGCAdmin
o This account is typically used to allow the BRAVA IGC third party application to run in conjunction with the Symantec eDiscovery Platform.
o This account is also used to install the Symantec eDiscovery Platform and all necessary updates and upgrades. This is necessary because, if IGC Services (BRAVA) are being updated during the installation phase, it allows for a very simple update of the application without the need to run a separate installation package to update these credentials.
o If the IGCAdmin credentials are to be used for running the IGC Services, there are very specific steps that must be followed to update the username and password: when this account is assigned to run these services, changes of the credentials must be done in a specific, concentrated effort to ensure that the services can be successfully restarted.
Symantec eDiscovery Platform default usernames
o Superuser
This is the out of the box application administrator account that comes with the Symantec eDiscovery Platform. It should be utilized as the backup administrator account for the Symantec eDiscovery Platform User Interface and cannot be deleted.
The password is able to be updated to align with security standards and should be changed once the installation of the appliance is complete and management of the appliance is transferred to local staff.
It is imperative that the account credentials are maintained to ensure that, in case of loss of the LDAP connection, the superuser can be used to log in locally. This is considered to be like a Windows local admin account and is used as a last resort.
o Default Password
These are available upon request to the support team, account representative, or system engineer.
Domain Accounts
Symantec eDiscovery Platform has the capacity to use domain accounts within an existing
infrastructure to increase scalability, provide better ease of management, and provide
additional auditing with existing tools and infrastructure.
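The Services and Accounts sections above set three checkable rules for the ESA service accounts: the PST crawler and retriever must run under different accounts (MAPI profile corruption), the NSF crawler and retriever must share one account, and a local account that runs an ESA service (CWAppAdmin, CWPSTRetriever) must be a local administrator. The following PowerShell is an added example (not part of the Symantec document) that reads the logon account of every ESA-prefixed service and reports violations of those rules; it assumes it is run as a local administrator on the appliance.

```powershell
# Added example, not part of the Symantec document: check the ESA service accounts
# against the rules in the Services and Accounts sections above. Assumes it runs as a
# local administrator on the appliance (Win32_Service and the WinNT ADSI provider are
# available on any supported Windows Server version).

function Get-EsaServiceAccounts {
    # ESA-prefixed services, with the account each one logs on as (StartName)
    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Esa%'" |
        Select-Object -Property Name, StartName, State, StartMode
}

function Get-LocalAdministratorNames {
    # Member names of the local Administrators group via ADSI (no Get-LocalGroupMember needed)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}

function Test-EsaServiceAccountPolicy {
    param(
        [Parameter(Mandatory)] $Services,                                  # output of Get-EsaServiceAccounts
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $LocalAdmins
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $account  = @{}
    foreach ($s in $Services) { $account[$s.Name] = $s.StartName }

    # Rule 1: the PST crawler and retriever must run under different accounts
    #         (the outline requires this to prevent MAPI profile corruption).
    $pstC = $account['EsaPstCrawlerService']; $pstR = $account['EsaPstRetrieverService']
    if ($pstC -and $pstR -and ($pstC -eq $pstR)) {
        $findings.Add("EsaPstCrawlerService and EsaPstRetrieverService both run as '$pstC'; use separate accounts")
    }
    # Rule 2: the NSF crawler and retriever must use the same account.
    $nsfC = $account['EsaNsfCrawlerService']; $nsfR = $account['EsaNsfRetrieverService']
    if ($nsfC -and $nsfR -and ($nsfC -ne $nsfR)) {
        $findings.Add("EsaNsfCrawlerService ('$nsfC') and EsaNsfRetrieverService ('$nsfR') must share one account")
    }
    # Rule 3: a local account running an ESA service (e.g. CWAppAdmin, CWPSTRetriever)
    #         must be a local administrator. StartName is '.\user' or 'COMPUTER\user'
    #         for local accounts; built-in identities such as LocalSystem are skipped.
    foreach ($s in $Services) {
        $prefix, $user = $s.StartName -split '\\', 2
        $isLocal = ($prefix -eq '.') -or ($prefix -eq $env:COMPUTERNAME)
        if ($isLocal -and $user -and ($LocalAdmins -notcontains $user)) {
            $findings.Add("$($s.Name) runs as local account '$user', which is not in Administrators")
        }
    }
    return $findings
}

$services = Get-EsaServiceAccounts
$services | Format-Table -AutoSize
$findings = Test-EsaServiceAccountPolicy -Services $services -LocalAdmins (Get-LocalAdministratorNames)
if ($findings.Count -eq 0) { 'ESA service accounts comply with the outline.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

The same listing is a convenient place to confirm that the default account names have been renamed per site policy, since StartName shows exactly which identity each service holds.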
Default Roles
Symantec eDiscovery Platform comes with a list of default roles which in most cases are suitable for the
majority of uses. Custom roles can be created by the system administrator as required.
Role / Description / Default Assigned Rights

Case Admin
Description: Administrator-level access to one or more cases (includes case admin capabilities plus all case user rights)
Default assigned rights:
General Rights: Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
Case Administration Rights: All case admin rights
System Administrative Settings: none

Case Manager
Description: Manager-level access to one or more cases (includes case admin capabilities, except source setup rights, plus all case user rights)
Default assigned rights:
General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
Collection Rights: none
Legal Holds Rights: Allow Legal Hold access; Legal Hold management
Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
Case Administration Rights: Allow case status access; Allow user management; Allow activity report access; Allow group and topic management; Allow tag definition; Allow folder setup; Allow folder check-out management; Allow production folder management; Allow custodian management; Allow participant management; View exceptions; Manage exceptions; Allow OCR processing; Other case management functions (e.g. jobs, batches, etc.), i.e. access to all other case management functions not otherwise specified, including batches, jobs, logs, and schedules
System Administrative Settings: none

Case User
Description: Search, tagging, and print dashboard rights to one or more cases
Default assigned rights:
General Rights: Allow analysis tags dashboard access; Allow access to management charts
Collection Rights: none
Legal Holds Rights: none
Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
Case Administration Rights: No case admin rights
System Administrative Settings: none

Collection Admin
Description: Administrator-level collection set management
Default assigned rights:
General Rights: Allow integrated analytics access; Allow reports access; Allow mobile access
Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
Legal Holds Rights: none
Document Access Rights: none
Case Administration Rights: No case admin rights
System Administrative Settings: Allow Case Home and All Cases Dashboard Access

eDiscovery Admin
Description: Administrator-level access to one or more cases as well as collection set management and integrated analytics
Default assigned rights:
General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
Legal Holds Rights: Allow Legal Hold access; Legal Hold management
Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
Case Administration Rights: All case admin rights
System Administrative Settings: Allow Case Home and All Cases Dashboard Access

Legal Hold Admin
Description: Administrator-level legal hold management
Default assigned rights:
General Rights: Allow integrated analytics access; Allow mobile access
Collection Rights: none
Legal Holds Rights: Allow Legal Hold access; Legal Hold management
Document Access Rights: none
Case Administration Rights: No case admin rights
System Administrative Settings: Allow Case Home and All Cases Dashboard Access

System Manager
Description: Unrestricted rights to manage the entire Symantec eDiscovery Platform system, including administrator-level access to all cases
Default assigned rights:
General Rights: Allow integrated analytics access; Allow analysis tags dashboard access; Allow access to management charts; Allow reports access; Allow mobile access
Collection Rights: Allow collections access; Data map management; Collections management; Collection sets management
Legal Holds Rights: Allow Legal Hold access; Legal Hold management
Document Access Rights: Allow viewing; Allow tagging; Allow move or removing from folders; Allow bulk tagging; Allow smart tagging; Allow viewing of prediction ranks; Allow predictive coding actions; Allow access to tag event comments; Allow access to item notes; Allow redacting; Prompt for reason code; Allow tag history viewing; Allow tag history searching; Allow exporting; Allow printing; Allow native download; Allow caching for review; Allow searching and filtering by processing flags
Case Administration Rights: All case admin rights
System Administrative Settings: Allow Case Home and All Cases Dashboard Access; Allow system management; Allow support access; Allow new case creation, case backup, restore, deletion, template creation; Allow collections and data map backup, restore; Allow user management; Allow admin user and role management
Table 3
About Symantec:
Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.
For specific country offices and contact numbers, please visit our Web site: www.symantec.com
Symantec Corporation
World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
+1 (650) 527 8000
+1 (800) 721 3934