4.5 Installing Change Guardian Configuration Scanner

Change Guardian Configuration Scanner is a standalone service that uses Windows Remote Management (WinRM) to monitor servers in the domain it is installed in, collect configuration data, and perform compliance assessments. The collection of data is governed by predefined policy templates that consist of security checks. Each security check in turn represents a specific control mandated by one or more compliance standards.

NOTE: Change Guardian Configuration Scanner does not support FIPS mode.

4.5.1 Setting Up The Environment

NOTE: You can create a new Group Policy Object or edit an existing one, and link it so that it applies to the required member servers. Manually update group policies on the target servers by using the gpupdate /force command, or wait until group policies refresh automatically.

Allowing Remote Server Management through WinRM

  1. Log in to a domain controller with domain administrator privileges.

  2. Open Group Policy Management.

  3. Navigate to the target domain.

  4. Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.

  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM).

  6. Double-click WinRM Service on the right hand pane.

    1. Double-click Allow remote server management through WinRM.

    2. Select Enabled and enter * as a wildcard, or a range of IP addresses, in the IPv4 filter and IPv6 filter fields.

    3. Click OK.

    4. Double-click Disallow Kerberos authentication.

    5. Select Not Configured or Disabled.

    6. Click OK.

  7. Select Windows Remote Shell on the left hand pane.

    1. Double-click Allow Remote Shell Access on the right hand pane.

    2. Select Enabled.

    3. Click OK.

  8. Exit the Group Policy Management Editor.

Enabling WinRM Service

  1. Log in to a domain controller with domain administrator privileges.

  2. Open Group Policy Management.

  3. Navigate to the target domain.

  4. Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.

  5. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services.

  6. Right-click Services and select New > Service.

    1. Select Automatic from the Startup drop-down list.

    2. Enter WinRM as the Service name.

    3. Select Start service from the Service Action drop-down list.

    4. Click Apply and OK.

  7. Exit the Group Policy Management Editor.

Configuring The Firewall to Allow WinRM Service

  1. Log in to a domain controller with domain administrator privileges.

  2. Open Group Policy Management.

  3. Navigate to the target domain.

  4. Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.

  5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP.. > Inbound Rules.

  6. Select Inbound Rules, right-click and select New Rule.

    1. Select the Predefined radio button and then Windows Remote Management from the drop-down list.

    2. Click Next.

    3. Keep default rule selections and click Next.

    4. Select Allow the connection radio button.

    5. Click Finish.

  7. Exit the Group Policy Management Editor.
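The three Group Policy procedures above each write settings that only take effect once the policy has refreshed on the member server. The following script is an added example, not part of the Change Guardian documentation: run it on a target server after gpupdate /force to read back the policy-backed registry values for the WinRM Service and Remote Shell templates, the service start type, the inbound firewall rule group and the local WS-Management listener. The registry value names and paths are assumed from the WindowsRemoteManagement administrative template and should be confirmed against the ADMX version in your domain.

```powershell
# Added example (not from the Change Guardian documentation): verify on a member
# server that the WinRM Group Policy settings described above have been applied.
# Registry locations are assumed from the WinRM administrative template (ADMX).

$servicePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$winrsPolicy   = Join-Path $servicePolicy 'WinRS'

function Get-PolicyValue {
    # Returns $null when the key or value is absent (policy Not Configured).
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$svc        = Get-Service -Name WinRM
$autoConfig = Get-PolicyValue $servicePolicy 'AllowAutoConfig'
$ipv4Filter = Get-PolicyValue $servicePolicy 'IPv4Filter'
$ipv6Filter = Get-PolicyValue $servicePolicy 'IPv6Filter'
# "Disallow Kerberos authentication" must be Not Configured or Disabled, which
# leaves AllowKerberos absent or non-zero.
$kerberos   = Get-PolicyValue $servicePolicy 'AllowKerberos'
$remoteShell = Get-PolicyValue $winrsPolicy 'AllowRemoteShellAccess'
$fwRules    = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
                   -Direction Inbound -Enabled True -ErrorAction SilentlyContinue)
$listener   = Test-WSMan -ErrorAction SilentlyContinue   # local listener only

$checks = [ordered]@{
    'Allow remote server management enabled (AllowAutoConfig = 1)' = ($autoConfig -eq 1)
    'IPv4 filter configured'                   = -not [string]::IsNullOrWhiteSpace($ipv4Filter)
    'IPv6 filter configured'                   = -not [string]::IsNullOrWhiteSpace($ipv6Filter)
    'Kerberos authentication not disallowed'   = ($kerberos -ne 0)
    'Remote Shell access allowed'              = ($remoteShell -eq 1)
    'WinRM service running, Automatic start'   = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
    'Inbound WinRM firewall rules enabled'     = ($fwRules.Count -gt 0)
    'WS-Management listener responds'          = ($null -ne $listener)
}

$failed = 0
foreach ($entry in $checks.GetEnumerator()) {
    if ($entry.Value) { $state = 'PASS' } else { $state = 'FAIL'; $failed++ }
    '{0}  {1}' -f $state, $entry.Key
}
# A "*" filter accepts WinRM connections from any address; the policy equally
# accepts a range, and a range limited to the scanner host is the tighter choice.
if ($ipv4Filter -eq '*' -or $ipv6Filter -eq '*') {
    'WARN  IP filter is "*" (any address); consider restricting it to the scanner address range'
}
exit $failed
```

The script exits with the number of failed checks, so it can be run across servers with Invoke-Command and the exit codes collected; a FAIL on the first five lines points at the Group Policy Object not having applied (check gpresult /r), while a FAIL on the last three points at the service, firewall or listener on that host.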

Creating a WinRM Enabled User Account

Change Guardian Configuration Scanner requires an administrative user account to authenticate with the WinRM service. If an administrative account is not available, you can use a least-privileged user account instead.

To create a least privileged user account, follow the steps below:

  1. Log in to a domain controller with domain administrator privileges.

  2. Create a service account in Active Directory Users and Computers.

  3. Add the created service account manually to the default Remote Management Users group on the domain controller.

  4. Use Group Policy Preferences to add the created account to the Remote Management Users group of all computers across the domain:

    1. Open Group Policy Management.

    2. Navigate to the target Domain.

    3. Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.

    4. Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

    5. Right-click and select New and then Local Group.

    6. Select Update from the Action drop-down list.

    7. In the Group Name field, enter Remote Management Users.

    8. Click Add.

    9. Enter the service account and click Check Names.

    10. Click OK.

    11. Click Apply and OK.

  5. Assign Registry Read permission:

    1. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Registry.

    2. Complete the following steps to provide read permissions to each of the given registry keys one by one:

      • MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters

      • MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

      1. Right-click Registry and select Add Key.

      2. Navigate to the required registry key and click OK.

      3. Click Add.

      4. Enter the service account and click Check Names.

      5. Click OK.

      6. Select the service account and select Read under the Allow column.

      7. Click Advanced.

      8. Select the service account from the Permissions tab.

      9. Click Edit.

      10. Select the following:

        1. Select Allow from the Type list.

        2. Select This key and subkeys from the Applies to list.

        3. Click OK on the Permission Entry dialog box.

        4. Click OK on the Advanced Security Settings dialog box.

        5. Click OK on the Security dialog box.

      11. Select Configure this key then, and then select Propagate inheritable permissions to all subkeys.

      12. Click OK on the Add Object dialog box.

  6. Assign WMI namespace permissions:

    NOTE: Perform these steps on all servers Change Guardian Configuration Scanner must monitor.

    1. Enter wmimgmt.msc in the Run dialog box and click OK.

    2. Right-click WMI Control and select Properties.

    3. Select the Security tab.

    4. Complete the following steps to provide required permissions to each of the given WMI namespaces and subnamespaces:

      • Root > RSOP

      • Root > CIMV2

      • Root > Interop

      • Root > RSOP > Computer

      • Root > RSOP > User

      1. Select the namespace and click the Security button.

      2. Click Add.

      3. Enter the service account and click Check Names.

      4. Click OK.

      5. Select the service account and then select Allow to enable the following permissions:

        • Execute Methods

        • Enable Account

        • Remote Enable

        • Read Security

      6. Click Advanced.

      7. Select the service account from the Permissions tab.

      8. Click Edit.

      9. Select the following:

        1. Select Allow from the Type list.

        2. Select This namespace and subnamespaces from the Applies to list.

        3. Click OK on the Permission Entry dialog box.

        4. Click OK on the Advanced Security Settings dialog box.

        5. Click OK on the Security dialog box.

    5. Click OK on the WMI Control Properties dialog box.

    6. Exit the wmimgmt console.
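A least-privileged account set up by steps 1 to 6 fails in several distinct ways (not in the Remote Management Users group, registry ACL not propagated, a WMI namespace missed), and the scanner reports them all as a failed collection. The following script is an added example, not part of the Change Guardian documentation: run from an administrator's session, it checks the group membership on one monitored server and then opens a WinRM session as the service account itself to read the two registry keys and enumerate the five WMI namespaces, which is the same access path the scanner uses. The account name CONTOSO\svc-cgscan is a placeholder, and the password is prompted for rather than passed on the command line.

```powershell
# Added example (not from the Change Guardian documentation): exercise the
# least-privileged service account against one monitored server the way the
# scanner will, so a missing group membership, registry ACL or WMI namespace
# permission is found before the service is installed.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string]$UserName = 'CONTOSO\svc-cgscan'    # placeholder service account
)

$cred = Get-Credential -UserName $UserName -Message 'Password for the scanner service account'

# Membership that the Group Policy Preference in step 4 should have created.
# This part runs as the caller (an administrator), not as the service account.
$inGroup = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($account)
    $members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.Name -eq $account })
} -ArgumentList $UserName
if ($inGroup) { $state = 'PASS' } else { $state = 'FAIL' }
'{0}  {1} is a member of Remote Management Users on {2}' -f $state, $UserName, $ComputerName

# The registry keys from step 5 and the WMI namespaces from step 6.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
)
$namespaces = @('root/rsop', 'root/cimv2', 'root/interop', 'root/rsop/computer', 'root/rsop/user')

# Everything below runs AS the service account inside a WinRM session.
# Connecting at all already proves the listener, the firewall rule and the
# Remote Management Users membership; the body checks the ACLs from steps 5 and 6.
$results = Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
    param($keys, $namespaces)
    foreach ($k in $keys) {
        try   { $null = Get-ItemProperty -Path $k -ErrorAction Stop; $ok = $true }
        catch { $ok = $false }
        [pscustomobject]@{ Check = "registry read  $k"; Ok = $ok }
    }
    foreach ($ns in $namespaces) {
        # Enumerating __NAMESPACE requires Enable Account on that namespace; an
        # access-denied error here means the step 6 permissions are missing.
        try   { $null = Get-CimInstance -Namespace $ns -ClassName __NAMESPACE -ErrorAction Stop; $ok = $true }
        catch { $ok = $false }
        [pscustomobject]@{ Check = "wmi namespace  $ns"; Ok = $ok }
    }
} -ArgumentList $keys, $namespaces

foreach ($r in $results) {
    if ($r.Ok) { $state = 'PASS' } else { $state = 'FAIL' }
    '{0}  {1}' -f $state, $r.Check
}
```

If the second Invoke-Command itself fails with access denied, the account is not yet in Remote Management Users on that host (or the policy has not refreshed); if it connects but a registry line fails, the Registry policy from step 5 did not propagate to that key; if a WMI line fails, revisit the corresponding namespace in wmimgmt.msc on that server, since step 6 is per server.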

Install ASP.NET Core Runtime 5.0 (Hosting Bundle)

  1. Open the ASP.NET Core download page.

  2. Click Download Hosting Bundle under Run server apps.

4.5.2 Installing Change Guardian Configuration Scanner Service

Use Agent Manager to download and install Change Guardian Configuration Scanner service.

To download and install:

  1. In Agent Manager, click All Assets > Manage Installation > Download.

  2. Select the Change Guardian Configuration Scanner package and click Download.

  3. Copy ChangeGuardianConfigurationScanner.zip to the target server and extract it.

  4. Copy the ChangeGuardianConfigurationScanner folder and contents to the install location, for example, C:\Program Files.

  5. Open a PowerShell or Command Prompt as an Administrator and change the directory to the install location.

  6. Use the WSS.ConfigureService.exe utility to execute the Create command to install Change Guardian Configuration Scanner service.

Using Change Guardian Configuration Scanner Commands

You can use the WSS.ConfigureService.exe utility as an administrator to execute commands to install and configure the Change Guardian Configuration Scanner service. The available commands are:

  • Create: Creates and starts the WinRM configuration scanner service. The available options are:

    -u: The user name to authenticate with the WinRM service. This user must be an administrator or a least-privileged user.

    -p: The password to authenticate.

    -a: The administrator password to log in to Change Guardian Configuration Scanner.

    -n: The port number for Change Guardian Configuration Scanner.

    Example:

    WSS.ConfigureService.exe Create -u ConfigScanUser -p Password -a AdminPassword -n 8077

  • Edit: Edits the WinRM credentials. The available options are:

    -u: The user name to authenticate with the WinRM service. This user must be an administrator or a least-privileged user.

    -p: The password to authenticate.

    -a: The administrator password to log in to Change Guardian Configuration Scanner.

    Example:

    WSS.ConfigureService.exe Edit -u ChangedUser -p ChangedPassword -a ChangedAdminPassword -n 8077

  • Import (Optional): Imports an external certificate. The available options are:

    -f: The path to the external certificate (.pfx) to import.

    -p: The certificate password.

    Example:

    WSS.ConfigureService.exe Import -f PathToPFXCert -p CertPassword

  • Remove: Removes the Change Guardian Configuration Scanner service.

    Example:

    WSS.ConfigureService.exe Remove

Disabling Weak Cipher Suites

The ASP.NET Core Runtime server uses cipher suites of the operating system it is installed on. It is recommended to disable weak cipher suites such as RC4. To disable weak cipher suites, refer to Microsoft documentation.
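Because the ASP.NET Core host negotiates TLS through Schannel, the cipher suites it offers are whatever the operating system has enabled. The following script is an added example, not part of the Change Guardian documentation or of Microsoft's guidance: it uses the built-in TLS module (Windows Server 2016 and later) to list the enabled suites, flag the weak ones, and, only when run with -Apply, disable them and set the legacy Schannel RC4 cipher switch as well. The pattern of algorithms treated as weak is an assumption to adjust to your policy.

```powershell
# Added example (not from the Change Guardian documentation): audit, and
# optionally remove, weak TLS cipher suites on the scanner host.
param([switch]$Apply)

# Algorithms treated as weak here (assumption; extend to match your policy).
$weakPattern = 'RC4|NULL|DES|MD5|EXPORT'

$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
$weak    = @($enabled | Where-Object { $_ -match $weakPattern })

'Enabled cipher suites: {0}; weak: {1}' -f $enabled.Count, $weak.Count
$weak | ForEach-Object { '  weak: {0}' -f $_ }

if (-not $Apply) {
    'Audit only. Re-run with -Apply to disable the suites listed above.'
    return
}

# Keep the pre-change list so the change can be reverted with Enable-TlsCipherSuite.
$backup = Join-Path $env:ProgramData 'tls-cipher-suites-before.txt'
$enabled | Set-Content -Path $backup
'Previous suite list saved to {0}' -f $backup

foreach ($name in $weak) {
    Disable-TlsCipherSuite -Name $name
    '  disabled: {0}' -f $name
}

# Legacy Schannel switch that older components honour independently of the
# suite list.  These key names contain "/", which the PowerShell registry
# provider would rewrite as a path separator, so the .NET API is used instead.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
foreach ($sub in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$ciphersPath\$sub")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    '  Schannel cipher disabled: {0}' -f $sub
}
'Schannel reads these settings at start-up; restart the server for the cipher change to take effect.'
```

Run the audit first on a test host and confirm the suites left enabled still cover every client that connects to the scanner port, since disabling a suite that a client depends on shows up as a TLS handshake failure rather than a clear error.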

4.5.3 Setting Up Custom User Profiles

By default, any user-related security check uses the administrator user profile. To change the user profile, follow the steps below:

  1. Go to the Change Guardian Configuration Scanner service install location.

  2. Open appsettings.json and modify the value corresponding to UserProfileName, from Administrator to the desired username.

  3. Restart the Change Guardian Configuration Scanner service.
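The following script is an added example, not part of the Change Guardian documentation, that performs the three steps above from PowerShell: it reads appsettings.json, refuses to proceed if the UserProfileName key is not where it expects it, keeps a backup copy, writes the new value and restarts the service. It assumes UserProfileName is a top-level key of the file, the install path shown in the installation steps, and a placeholder service name that must be replaced with the one registered by WSS.ConfigureService.exe Create on your host.

```powershell
# Added example (not from the Change Guardian documentation): set UserProfileName
# in appsettings.json and restart the scanner service.
param(
    [Parameter(Mandatory)][string]$NewUserProfileName,
    [string]$InstallDir  = 'C:\Program Files\ChangeGuardianConfigurationScanner',
    [string]$ServiceName = 'CHANGE_ME_SCANNER_SERVICE_NAME'   # placeholder
)

$path = Join-Path $InstallDir 'appsettings.json'
if (-not (Test-Path -Path $path)) { throw "appsettings.json not found at $path" }

$json = Get-Content -Path $path -Raw | ConvertFrom-Json

# Assumption: UserProfileName is a top-level key.  Stop rather than create a
# key in the wrong place if the file layout differs.
if ($null -eq $json.PSObject.Properties['UserProfileName']) {
    throw "UserProfileName not found at the top level of $path; inspect the file before editing"
}
'Current UserProfileName: {0}' -f $json.UserProfileName

Copy-Item -Path $path -Destination "$path.bak" -Force
$json.UserProfileName = $NewUserProfileName
# -Depth avoids ConvertTo-Json truncating nested sections at its default depth.
$json | ConvertTo-Json -Depth 20 | Set-Content -Path $path -Encoding UTF8
'UserProfileName set to {0} (backup at {1}.bak)' -f $NewUserProfileName, $path

Restart-Service -Name $ServiceName
'Service {0} is {1}' -f $ServiceName, (Get-Service -Name $ServiceName).Status
```

ConvertTo-Json re-serializes the whole file, so indentation and key order may change; the .bak copy keeps the original if a side-by-side comparison is needed.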

NOTE: Be sure to perform the preceding steps if you renamed the administrator account.