Change Guardian Configuration Scanner is a standalone service that uses Windows Remote Management (WinRM) to monitor servers in the domain where it is installed, collect configuration data, and perform compliance assessments. The collection of data is governed by predefined policy templates that consist of security checks. Each security check in turn represents a specific control mandated by one or more compliance standards.
NOTE: Change Guardian Configuration Scanner does not support FIPS mode.
NOTE: You can create a new Group Policy Object or edit an existing one and link it so that it applies to the required member servers. Manually update group policies on target servers by using the gpupdate /force command or wait until group policies automatically refresh.
Log in to a domain controller with domain administrator privileges.
Open Group Policy Management.
Navigate to the target domain.
Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.
Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM).
Double-click WinRM Service on the right-hand pane.
Double-click Allow remote server management through WinRM.
Select Enabled and enter * as a wildcard or a range of IP addresses in the IPv4 and IPv6 filter fields.
Click OK.
Double-click Disallow Kerberos authentication.
Select Not Configured or Disabled.
Click OK.
Select Windows Remote Shell on the left-hand pane.
Double-click Allow Remote Shell Access on the right-hand pane.
Select Enabled.
Click OK.
Exit the Group Policy Management Editor.
Log in to a domain controller with domain administrator privileges.
Open Group Policy Management.
Navigate to the target domain.
Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.
Navigate to Computer Configuration > Preferences > Control Panel Settings > Services.
Right-click Services and select New > Service.
Select Automatic from the Startup drop-down list.
Enter WinRM as the Service name.
Select Start service from the Service Action drop-down list.
Click Apply and OK.
Exit the Group Policy Management Editor.
Log in to a domain controller with domain administrator privileges.
Open Group Policy Management.
Navigate to the target domain.
Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - LDAP.. > Inbound Rules.
Select Inbound Rules, right-click and select New Rule.
Select the Predefined radio button and then Windows Remote Management from the drop-down list.
Click Next.
Keep default rule selections and click Next.
Select the Allow the connection radio button.
Click Finish.
Exit the Group Policy Management Editor.
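To confirm on a member server that the three Group Policy procedures above took effect, a check like the following can be run in an elevated PowerShell session after gpupdate /force. It is an added example, not part of the product documentation; Test-WinRMPolicy is a hypothetical name, the registry values are the standard policy-backed values for these WinRM settings, and the firewall display group is assumed to be the English name.

```powershell
# Added example: verify the WinRM settings delivered by Group Policy on this server.
# Test-WinRMPolicy is a hypothetical helper name, not a product cmdlet.
function Test-WinRMPolicy {
    $svcKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $svc     = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $winrs   = Get-ItemProperty -Path "$svcKey\WinRS" -ErrorAction SilentlyContinue
    $service = Get-Service -Name WinRM

    # Rules delivered by Group Policy are not in the default (local) store,
    # so query the effective rule set in ActiveStore.
    $fwRules = @(Get-NetFirewallRule -PolicyStore ActiveStore `
                     -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    $checks = [ordered]@{
        'Allow remote server management through WinRM is Enabled' = ($svc.AllowAutoConfig -eq 1)
        # The Disallow policy writes AllowKerberos = 0 when Enabled; absent or 1 is acceptable.
        'Disallow Kerberos authentication is not Enabled' =
            ($null -eq $svc.AllowKerberos -or $svc.AllowKerberos -ne 0)
        'Allow Remote Shell Access is Enabled'            = ($winrs.AllowRemoteShellAccess -eq 1)
        'WinRM service startup type is Automatic'         = ($service.StartType -eq 'Automatic')
        'WinRM service is running'                        = ($service.Status -eq 'Running')
        'Inbound WinRM firewall rule allows connections'  = ($fwRules.Count -gt 0)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }

    # The filters decide which local addresses WinRM listens on; '*' means every address.
    [pscustomobject]@{
        Check = "Listener filters set: IPv4='$($svc.IPv4Filter)' IPv6='$($svc.IPv6Filter)'"
        Pass  = [bool]($svc.IPv4Filter -or $svc.IPv6Filter)
    }
}

Test-WinRMPolicy | Format-Table -AutoSize
```

A row with Pass = False points at the procedure to revisit; the last row also shows whether the listener filter was left as the * wildcard or narrowed to an address range.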
Change Guardian Configuration Scanner requires an administrative user account to authenticate with the WinRM service. If an administrative account is not available, you can choose to use a least privileged user account.
To create a least privileged user account, follow the steps below:
Log in to a domain controller with domain administrator privileges.
Create a service account in Active Directory Users and Computers.
Add the created service account manually to the default Remote Management Users group on the domain controller.
Use Group Policy Preferences to add the created account to the Remote Management Users group of all computers across the domain:
Open Group Policy Management.
Navigate to the target Domain.
Select a required Group Policy Object, right-click and select Edit to open the Group Policy Management Editor.
Navigate to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.
Right-click and select New and then Local Group.
Select Update from the Action drop-down list.
In the Group Name field, enter Remote Management Users.
Click Add.
Enter the service account and click Check Names.
Click OK.
Click Apply and OK.
Assign Registry Read permission:
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Registry.
Complete the following steps to provide read permissions to each of the given registry keys one by one:
MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
Right-click Registry and select Add Key.
Navigate to the required registry key and click OK.
Click Add.
Enter the service account and click Check Names.
Click OK.
Select the service account and select Read under the Allow column.
Click Advanced.
Select the service account from the Permissions tab.
Click Edit.
Select the following:
Select Allow from the Type list.
Select This key and subkeys from the Applies to list.
Click OK on the Permission Entry dialog box.
Click OK on the Advanced Security Settings dialog box.
Click OK on the Security dialog box.
Select Configure this key and then Propagate inheritable permissions to all subkeys.
Click OK on the Add Object dialog box.
Assign WMI namespace permissions:
NOTE: Perform these steps on all servers that Change Guardian Configuration Scanner must monitor.
Enter wmimgmt.msc in the Run dialog box and click OK.
Right-click WMI Control and select Properties.
Select the Security tab.
Complete the following steps to provide required permissions to each of the given WMI namespaces and subnamespaces:
Root > RSOP
Root > CIMV2
Root > Interop
Root > RSOP > Computer
Root > RSOP > User
Select the namespace and click the Security button.
Click Add.
Enter the service account and click Check Names.
Click OK.
Select the service account and then select Allow to enable the following permissions:
Execute Methods
Enable Account
Remote Enable
Read Security
Click Advanced.
Select the service account from the Permissions tab.
Click Edit.
Select the following:
Select Allow from the Type list.
Select This namespace and subnamespaces from the Applies to list.
Click OK on the Permission Entry dialog box.
Click OK on the Advanced Security Settings dialog box.
Click OK on the Security dialog box.
Click OK on the WMI Control Properties dialog box.
Exit the wmimgmt console.
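Because the WMI permissions are set by hand on every monitored server, it is easy to miss a namespace or grant more than intended. The following added example (not part of the product documentation) audits the group membership, registry permissions and WMI namespace rights described above on one member server from an elevated PowerShell session; Test-ScannerAccountRights is a hypothetical name and CONTOSO\svc-cgscan is a constructed account.

```powershell
# Added example: audit the rights of the least privileged account on one member server.
# Test-ScannerAccountRights is a hypothetical helper; the account name below is constructed.
function Test-ScannerAccountRights {
    param([Parameter(Mandatory)][string]$Account)    # DOMAIN\name

    $member = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue |
        Where-Object Name -eq $Account
    [pscustomobject]@{ Target = 'Remote Management Users'; Pass = [bool]$member; Detail = 'group membership' }

    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $regKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters',
               'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    foreach ($key in $regKeys) {
        # Look for an Allow entry with Read that also applies to subkeys (ContainerInherit).
        $ace = (Get-Acl -Path $key).Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band $readKey) -eq $readKey -and
            $_.InheritanceFlags -match 'ContainerInherit' }
        [pscustomobject]@{ Target = $key; Pass = [bool]$ace; Detail = 'Read, this key and subkeys' }
    }

    # WMI access-mask bits: Enable Account 0x1, Execute Methods 0x2,
    # Remote Enable 0x20, Read Security 0x20000.
    $required = 0x20023
    $short    = $Account.Split('\')[-1]
    foreach ($ns in 'root/RSOP', 'root/CIMV2', 'root/Interop', 'root/RSOP/Computer', 'root/RSOP/User') {
        try {
            $sd = (Invoke-CimMethod -Namespace $ns -ClassName __SystemSecurity `
                       -MethodName GetSecurityDescriptor -ErrorAction Stop).Descriptor
            $mask = 0
            $sd.DACL | Where-Object { $_.Trustee.Name -eq $short -and $_.AceType -eq 0 } |
                ForEach-Object { $mask = $mask -bor $_.AccessMask }
            # Pass needs all four rights; Detail shows the full mask, including anything extra.
            [pscustomobject]@{ Target = $ns; Pass = (($mask -band $required) -eq $required)
                               Detail = 'access mask 0x{0:X}' -f $mask }
        } catch {
            [pscustomobject]@{ Target = $ns; Pass = $false; Detail = $_.Exception.Message }
        }
    }
}

Test-ScannerAccountRights -Account 'CONTOSO\svc-cgscan' | Format-Table -AutoSize
```

An access mask of exactly 0x20023 on a namespace means the account holds the four listed rights and nothing more; any other bits set are rights beyond what the procedure grants.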
Open the ASP.NET Core download page.
Click Download Hosting Bundle under Run server apps.
Use Agent Manager to download and install the Change Guardian Configuration Scanner service.
To download and install:
In Agent Manager, click All Assets > Manage Installation > Download.
Select the Change Guardian Configuration Scanner package and click Download.
Copy ChangeGuardianConfigurationScanner.zip to the target server and extract it.
Copy the ChangeGuardianConfigurationScanner folder and contents to the install location, for example, C:\Program Files.
Open PowerShell or Command Prompt as an administrator and change the directory to the install location.
Use the WSS.ConfigureService.exe utility to execute the Create command to install the Change Guardian Configuration Scanner service.
You can use the WSS.ConfigureService.exe utility as an administrator to execute commands to install and configure the Change Guardian Configuration Scanner service. The available commands are:
Create: Creates and starts the WinRM configuration scanner service. The available options are:
-u: The user name to authenticate with the WinRM service. This user must be an administrator or a least privileged user.
-p: The password to authenticate.
-a: The administrator password to log in to Change Guardian Configuration Scanner.
-n: The port number for Change Guardian Configuration Scanner.
Example:
WSS.ConfigureService.exe Create -u ConfigScanUser -p Password -a AdminPassword -n 8077
Edit: Edits WinRM credentials. The available options are:
-u: The user name to authenticate with the WinRM service. This user must be an administrator or a least privileged user.
-p: The password to authenticate.
-a: The administrator password to log in to Change Guardian Configuration Scanner.
Example:
WSS.ConfigureService.exe Edit -u ChangedUser -p ChangedPassword -a ChangedAdminPassword -n 8077
Import (Optional): Imports an external certificate. The available options are:
-f: Import the external certificate (.pfx).
-p: Enter the certificate password.
Example:
WSS.ConfigureService.exe Import -f PathToPFXCert -p CertPassword
Remove: Removes the Change Guardian Configuration Scanner service.
Example:
WSS.ConfigureService.exe Remove
The ASP.NET Core Runtime server uses the cipher suites of the operating system it is installed on. It is recommended to disable weak cipher suites such as RC4. To disable weak cipher suites, refer to Microsoft documentation.
By default, any user-related security check uses the administrator user profile. To change the user profile, follow the steps below:
Go to the Change Guardian Configuration Scanner service install location.
Open appsettings.json and modify the value corresponding to UserProfileName, from Administrator to the desired username.
Restart the Change Guardian Configuration Scanner service.
NOTE: Ensure that you perform the preceding steps if you renamed the administrator account.