Configuration Guide
Version 9.5.0 and Above
HPS Inspection Engine Plugin
Table of Contents
About the HPS-Inspection Engine Plugin
  Requirements
  Supported Windows Operating Systems
  Accessing Windows Endpoints
    Configuration at the Initial Setup Wizard
    Configuration per Appliance
Configuring the Plugin
  Domain Credentials
  SecureConnector Options
    Actions
    Detection
    Additional Options
  Windows Updates
    Scanning Using Windows Updates Settings
    WSUS Environment Settings
    Windows Update Default Settings
    Minimize Bandwidth during Vulnerability File Download
  Classification
    CounterACT Classification Versions
    Nmap Banner Scan
    Nmap Fingerprint Scan
  Tuning
    Specify Endpoint IP Addresses to Ignore
    Tune HPS-Inspection Engine Processes
    Automatic Tuning for Nmap Processes
    Run Script Method
    Send HTTP Actions on SecureConnector Connect and User Login
    HTTP Notification Action - Attempt to Open Browser at Endpoint
    User Name Resolve Priorities
  Testing and Verifying Connectivity
SecureConnector
  About SecureConnector
  SecureConnector Support – Microsoft Windows
  How SecureConnector Works
  Activating SecureConnector
  SecureConnector Details
  Running the SecureConnector Executable
  SecureConnector ID
  SecureConnector Installation Methods
    Download an Installation File from an Appliance
Configuring Appliances
  Apply the Configuration to All Appliances
  Apply a Configuration to a Single Appliance
  Apply the Configuration to Groups of Appliances
  Editing and Updating Configurations
Troubleshooting the HPS-Inspection Engine Plugin
  Operational Requirements
  Testing the Domain Credentials
    Testing the Credentials on a Desktop Using a Localhost Query
    Testing the Credentials on a Desktop Using Remote Query
    Port Setup Test
    NetBIOS over TCP/IP Setup Test
    Services Test
    Sharing Test
    Disable "Use simple file sharing"
Appendix A: Running Scripts for Remote Inspection
  fsprocsvc.exe Information
  Microsoft Task Scheduler vs. fsprocsvc.exe
  Task Scheduler Limitations
    Activating a Method
Appendix B: Executable Files Used by the Plugin
If you are working with Macintosh or Linux endpoints, use the Macintosh/Linux
Property Scanner Plugin.
Plugin Updates
The plugin is bundled with major CounterACT releases, but new plugin releases may become
available between major version releases. The Plugin Updates icon appears on the status bar
of the Console when an update is available for the plugin.
Requirements
CounterACT version 6.3.4.1 or higher
3. Configure as required. If you are logged into the Enterprise Manager but want to
configure all Appliances or a specific Appliance, make your selection from the
Appliances drop-down list.
The options available in each of the tabs are described in the following sections.
4. Click Apply to save your changes.
Domain Credentials
Domain credentials are domain-level administrator privileges used to connect to network
endpoints. Domain credentials are usually defined when setting up the Console via the
Console Initial Setup Wizard (see Configuration at the Initial Setup Wizard).
Select the Add button to define a new domain, or Edit to modify credentials for an existing
domain.
The following options are available in the Add and Edit dialog boxes:
Domain Administrator: The domain administrator for the endpoints that are to be handled by
the plugin. These must be endpoints within your internal network. You must enter at least
one administrator.
Domain Name: The domain name for the endpoints that are to be handled by the plugin. These
must be endpoints within your internal network. You must enter at least one domain name.
Domain Password: The domain administrator password for the endpoints that are to be
handled by the plugin. These must be endpoints within your internal network.
Select the Authenticate using NTLMv2 checkbox to configure the plugin to use NTLM
version 2 to perform deep inspection in environments that support it. If the checkbox is
cleared, the plugin uses NTLM version 1.
SecureConnector Options
The following SecureConnector configuration and deployment options are available from the
HPS-Inspection Engine Plugin.
Actions
Detection
Permanent SecureConnector Deployment Parameters
Additional Options
Actions
Disable External Device
The Disable External Device action can be used to disable external devices currently
connected to the endpoint. This feature is supported only when SecureConnector is installed
at the endpoint. Select the Automatically run SecureConnector when using the Disable
External Device action checkbox to automatically install SecureConnector when the Disable
External Device action is used.
SecureConnector sends a desktop balloon message when the Disable External Devices, Kill
Process, Kill Instant Messaging and Kill Peer-to-peer actions are performed. The message
indicates which processes were killed.
Detection
Learning MAC Addresses
Select the Use SecureConnector to learn MAC address from local ARP tables checkbox to
instruct CounterACT to learn MAC addresses from the endpoint ARP table when the endpoint
is managed by SecureConnector. This enables detection of endpoints that may otherwise be
unreachable. When cleared, other methods of MAC learning are used, for example from the
Switch Plugin. This option is not available if SecureConnector is located behind a NAT
address.
Additional Options
This section of the SecureConnector tab includes other options for use with SecureConnector.
Windows Updates
Specify parameters to use when scanning for vulnerabilities and installing missing updates.
These parameters are used when working with the Microsoft Vulnerabilities and Microsoft
Vulnerabilities Fine-tuned properties, and the Start Windows Updates action.
If you do not enter any ranges, the hosts will be scanned by CounterACT using the HPS
Vulnerability DB plugin. Select Tools > Options > Plugins > HPS-Vulnerability DB > Help for
more information about this plugin. Vulnerability scanning is activated when you create a
policy that includes either the Windows Security > Microsoft > Vulnerabilities or Microsoft
Vulnerabilities Fine-tuned property.
You can minimize bandwidth usage during Microsoft vulnerability file download processes
by limiting the number of concurrent HTTP downloads to endpoints. The default is 20
endpoints simultaneously. Define a value in the Maximum Concurrent Vulnerability DB
File HTTP uploads field.
Classification
The HPS Inspection Engine Plugin powers CounterACT tools used for classifying assets.
These tools include the Asset Classification template, Mobile Classification template, the
Classification action and Classification/Advanced Classification properties.
Use tools to classify network assets into the following categories:
Windows devices
Mobile devices
Linux desktop/servers
Unix servers/workstations
VoIP devices
Network Address Translation (NAT) devices
Apple MAC/OSX
Printers
CounterACT devices
Servers
Network devices such as switches
Terminal Servers
Unclassified devices
And more
In addition, classification techniques are also used when resolving services, application
versions, operating system details and related information.
The HPS Inspection Engine Plugin uses several methods for retrieving this information, for
example: Nmap tools; domain credentials; passive fingerprinting via the Appliance;
information resolved on devices managed by SecureConnector; or switches configured to
work with CounterACT. Nmap tools are used if other mechanisms could not resolve the
endpoint classification.
Classification Version 1
Classification version 1 uses Nmap engine version 3.48 and database version 4.01.
Nmap Banner Scan: Not available for classification when using version 1.
Nmap Fingerprint Scan: Used to resolve operating system class and network functionality.
Classification Version 2
Classification version 2 methods include:
Nmap 5 – to actively fingerprint the devices in the network and identify their network
functionality
HTTP and SMB banners – to parse protocols
New banner-based classification – based on portal HTTP traffic
Classification version 2 uses Nmap engine version 5.21 and database version 5.35.
Nmap Banner Scan: Classification version 2 uses the Nmap banner scanning utility. This
improves resolution of device services, application versions and other operating system
details. This information is used by CounterACT to classify devices.
Nmap Fingerprint Scan: Used to resolve operating system class and network functionality.
Tuning
Modify the default values used for various global parameters.
Add the addresses to the Define addresses to ignore when using Number of IP
Addresses property table.
4GB< 40
To customize tuning:
1. Deselect the Automatic Tuning for HPS Inspection Engine Processes checkbox.
2. Enter a value in the Concurrent HPS Inspection Engine Processes field. If you set
the value too high, you may overload your network and the Appliance.
To customize tuning:
1. Deselect the Automatic Tuning for Nmap Processes checkbox.
2. Enter a value in the Concurrent Nmap Processes field. If you set the value too
high, you may overload your network and the Appliance.
See Appendix A: Running Scripts for Remote Inspection for more information about these
methods.
verify:
Connectivity to the domain name, administrator and password.
Remote registry connection.
CounterACT identifies a running Windows service.
It is recommended to use an address that grants permissions and access to your entire
network, for example the domain controller or the LDAP server.
Connectivity Test Type: Specifies whether to test connectivity via SNMP or SMB/RPC. If you
are testing via SNMP, you must enter the SNMP access parameters listed below.
OID (SNMP Test Parameters): The OID number to test.
Community (SNMP Test Parameters): The community name to test.
Extra Parameters (SNMP Test Parameters): This option controls the SNMP retry and timeout
requests. You may need to use this to handle SNMP timeout problems. These problems may
occur if the network is extremely busy.
Timeout – The number of seconds to wait for a response. The default timeout is 25 seconds.
Retry – The number of times to retry sending an SNMP message. The default number of
retries is 1. The upper limit is 20.
For example, to indicate a timeout of five seconds and three retries, enter the following:
-t 5 -r 3
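As an added example (not part of the guide or the plugin), the following Python helper validates an Extra Parameters string against the defaults and limits stated above; the `-t`/`-r` switch format is taken from the example, and the worst-case wait bound assumes each retry waits the full timeout.

```python
import shlex

# Defaults and limits as stated in the guide's Extra Parameters description.
DEFAULT_TIMEOUT_SECONDS = 25
DEFAULT_RETRIES = 1
MAX_RETRIES = 20


def parse_snmp_extra_params(value):
    """Parse an Extra Parameters string such as "-t 5 -r 3".

    Returns (timeout_seconds, retries), filling in the guide's defaults for
    any switch that is absent and rejecting values outside the stated limits.
    En/em dashes that word processors substitute for "-" are normalised first,
    because a pasted "–r 3" would otherwise be rejected as an unknown switch.
    """
    normalised = (value or "").replace("\u2013", "-").replace("\u2014", "-")
    timeout, retries = DEFAULT_TIMEOUT_SECONDS, DEFAULT_RETRIES
    tokens = shlex.split(normalised)
    i = 0
    while i < len(tokens):
        switch = tokens[i]
        if switch not in ("-t", "-r"):
            raise ValueError(f"unsupported switch {switch!r}; only -t and -r are allowed")
        if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
            raise ValueError(f"{switch} must be followed by a non-negative integer")
        number = int(tokens[i + 1])
        if switch == "-t":
            # Guard added here; the guide states only the default of 25 seconds.
            if number < 1:
                raise ValueError("timeout must be at least 1 second")
            timeout = number
        else:
            if number > MAX_RETRIES:
                raise ValueError(f"retries may not exceed {MAX_RETRIES}")
            retries = number
        i += 2
    return timeout, retries


def extra_params_error(value):
    """Return None when the string is acceptable, otherwise the reason text."""
    try:
        parse_snmp_extra_params(value)
    except ValueError as exc:
        return str(exc)
    return None


def worst_case_wait_seconds(value):
    """Upper bound on how long one SNMP connectivity test can take.

    Assumption (not stated in the guide): every retry waits the full timeout,
    so the bound is timeout * (retries + 1).
    """
    timeout, retries = parse_snmp_extra_params(value)
    return timeout * (retries + 1)
```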
SecureConnector
This section covers the following SecureConnector topics.
About SecureConnector
SecureConnector Support – Microsoft Windows
How SecureConnector Works
SecureConnector Details
Running the SecureConnector Executable
SecureConnector ID
SecureConnector Installation Methods
About SecureConnector
CounterACT’s SecureConnector is a light footprint executable that runs at the endpoint for
the purpose of making endpoints manageable, and for performing or optimizing certain
actions. SecureConnector is a dissolvable client / agent.
SecureConnector is also available when working with Macintosh/Linux endpoints. Refer to
the Macintosh/Linux Property Scanner Plugin Configuration Guide for details.
Activating SecureConnector
SecureConnector is powered by the HPS-Inspection Engine Plugin, but activated from the
Console, Start SecureConnector action. Installation, visibility and other options can be
configured when defining the action. Navigate to the Working with Actions page in the online
Help for details.
In addition, you can distribute SecureConnector to endpoints by downloading an installation
file from an Appliance, and then distributing the file. See Download an Installation File
from an Appliance for details.
Several SecureConnector configuration options are available in this plugin, See
SecureConnector Options for details.
SecureConnector Details
Size on disk: Approximately 920 KB
Endpoint memory utilization:
  Process mode:
    Main process: 3 MB – 6 MB
    Watchdog process: 400 kB – 600 kB
  Service mode:
    Agent process: 3 MB – 5 MB
    Performer process: 4 MB – 6 MB
    Service: 3 MB – 5 MB
Deployment type: Permanent or dissolvable. Defined in the Start SecureConnector action.
Visibility options: Visible (icon in systray) or non-visible. Defined in the Start
SecureConnector action.
Installation methods:
  Remote inspection
  Browser – using HTTP redirection. Defined in the Start SecureConnector action.
  Browser – direct setup file download. Described in this guide. See Download an
  Installation File from an Appliance.
SecureConnector privilege level: If possible, SecureConnector should be installed with
Administrator (or SYSTEM) privileges on all endpoints. This ensures that it will run
regardless of the privilege level of the logged-in user, and all SecureConnector related
features will be available to any user logged on to the machine. Privilege levels are
determined in part by the mode in which SecureConnector is installed. The mode is
determined when configuring the Start SecureConnector action.
  Service Mode
  Install SecureConnector in the service mode to ensure it runs with Administrator
  privileges when the currently logged-in users are not administrators.
  Application Mode
  In the Application mode, privileges are determined by the status of the user currently
  logged in. The following actions will not work if an unprivileged user logs in to a host
  running SecureConnector that was installed by an Administrator in the application mode:
    Disable External devices
    Kill process (for processes that do not belong to the SecureConnector user)
    Disable Dual Homed
  UAC blocks installation for specific system critical folders such as Program Files.
  However, SecureConnector can be installed to the user home folder and has all user
  privileges.
Installation folder when installed permanently: %ProgramFiles% if setup runs with
Administrator (or SYSTEM) privileges. %USERPROFILE%\Application Data if setup runs with
non-Administrator privileges or setup is affected by UAC.
Folder used when deployed in dissolvable mode: %Temp% if setup runs with Administrator (or
SYSTEM) privileges. %USERPROFILE%\Local Settings\Temp if setup runs with non-Administrator
privileges or setup is affected by UAC.
Information about changes to the executable is announced in the HPS Inspection Engine
Plugin Release Notes when new HPS Inspection Engine Plugin versions are released.
SecureConnector can run as an application or as a service, depending on how it is installed.
Installation options are defined when running the Start SecureConnector action. When
installed as a service, the following SecureConnector.exe processes run and can be seen from
the endpoint Task Manager:
In the example shown above there are three SecureConnector.exe processes and one
fsprocsvc.exe process:
One SecureConnector.exe process manages communication with the
CounterACT Appliance.
One SecureConnector.exe process is responsible for the user interface (such
as Systray icon, View Compliance Center).
One SecureConnector.exe process is the SecureConnector service. (If
SecureConnector is installed as an application then this process does not
appear and SecureConnector only uses two processes.)
The fsprocsvc.exe process is used to install SecureConnector. It runs once
and then dissolves after two hours because it is no longer needed. If
SecureConnector is installed from an HTTP page, this service is used. (See
Appendix A: Running Scripts for Remote Inspection for more information
about fsprocsvc.exe)
When run as a service, the ForeScout SecureConnector service appears at the endpoints’
Computer Management window. The service is started in the automatic mode.
SecureConnector ID
When SecureConnector connects to the CounterACT Appliance, it sends CounterACT a
unique ID. This ID is used as the endpoint’s identity and may cause CounterACT to perform
an identity change if one of the following events occurs:
The current IP address was used by another machine – This occurs if another
SecureConnector ID was learned for this IP address. If another endpoint with
SecureConnector previously used the same IP address, then the system will
conclude this is a new machine, will delete all previous information and will
relearn the properties from the new machine.
The current machine previously used another IP address – This occurs if this
SecureConnector ID was learned on another IP address. If this endpoint
previously used another IP address then all the information learned on the
older IP address will be moved to the new IP address (The old IP address will
be changed to the new one).
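The two identity-change rules above, implemented as an added Python example (not CounterACT code); the registry layout, event labels and sample SecureConnector IDs are assumptions made for illustration.

```python
class EndpointRegistry:
    """Endpoint records keyed by IP address, with the SecureConnector ID as the
    endpoint's identity. learn() applies the guide's two identity-change rules."""

    def __init__(self):
        self.by_ip = {}      # ip -> {"sc_id": str, "props": dict}
        self.ip_of_id = {}   # SecureConnector ID -> ip it was last learned on

    def properties(self, ip):
        """Properties learned for the endpoint at ip, or None if unknown."""
        record = self.by_ip.get(ip)
        return None if record is None else dict(record["props"])

    def learn(self, ip, sc_id, props=None):
        """Record that SecureConnector sc_id connected from ip.

        Returns the list of events applied, in order:
          "unchanged"                  same ID on the same IP; merge properties
          "deleted_previous_endpoint"  rule 1: the IP was used by another ID, so
                                       everything learned for that ID is dropped
          "moved_from_<old ip>"        rule 2: this ID was seen on another IP, so
                                       its information is moved to the new IP
          "new_endpoint"               first time this ID is seen
        Rules 1 and 2 can both apply in one connection (a known machine moves to
        an IP that another SecureConnector machine was using).
        """
        props = dict(props or {})
        events = []
        current = self.by_ip.get(ip)

        if current is not None and current["sc_id"] == sc_id:
            current["props"].update(props)
            return ["unchanged"]

        if current is not None:
            # Rule 1: another SecureConnector ID was learned on this IP. The
            # system concludes this is a new machine: forget the old record.
            self.ip_of_id.pop(current["sc_id"], None)
            del self.by_ip[ip]
            events.append("deleted_previous_endpoint")

        previous_ip = self.ip_of_id.get(sc_id)
        if previous_ip is not None:
            # Rule 2: this ID previously used another IP. Move everything
            # learned under the old IP to the new one; the old entry disappears.
            record = self.by_ip.pop(previous_ip)
            events.append("moved_from_" + previous_ip)
        else:
            record = {"sc_id": sc_id, "props": {}}
            events.append("new_endpoint")

        record["props"].update(props)
        self.by_ip[ip] = record
        self.ip_of_id[sc_id] = ip
        return events
```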
4. Select the Download link to download the SecureConnector installation file, or copy
the link on the bottom of the window. Do not change the file name or the link path.
5. Send the file or link to desired endpoints via login script, email or any other method.
If the file method is used, instruct the user to double-click the file to install.
If the link method is used, instruct the user to click the Run button when prompted so
that the installation file will automatically download and run.
6. Create a policy that checks all target endpoints to see if SecureConnector is installed.
Do this using the condition Windows Manageable (SecureConnector) property.
Configuring Appliances
You can configure the HPS Inspection Engine Plugin and apply the configuration as follows:
Apply the configuration to all Appliances
Apply a configuration to a single Appliance
Apply a configuration to groups of Appliances. Group assignments enable
smooth, streamlined HPS Inspection Engine Plugin configurations.
1. Select the Plus-sign tab. The Select Appliances to configure dialog box opens.
2. Select an Appliance and select OK. The pane appears with a tab for the Appliance
you selected.
1. Select the Plus-sign tab. The Select Appliances to Configure dialog box opens.
2. Select the required Appliances and type a name in the Name (Optional) field.
3. Select OK. The pane appears with a tab for the Appliances you selected and the
configuration assignment name.
Operational Requirements
If the HPS Inspection Engine Plugin is not operating effectively, you should verify that the
following requirements are met:
1. Endpoints are running Windows 2000, Windows XP, Windows Vista, Windows
Server 2003, Windows Server 2008 or Windows 7.
2. The following services are enabled: Remote Procedure Call, Server Service, and
Remote Registry Service.
3. File and Print Sharing for Microsoft Networks (connection properties) is installed.
CounterACT can access C$ on the endpoint.
4. You have domain-level administrator privileges on each computer being scanned or it
is a member of the Domain Admins group. This group allows writing to the file
system but not to the registry.
5. If your network includes endpoints that run under Windows XP SP2, you changed
the Windows Firewall Settings so that CounterACT can perform remote inspection
on these machines. This means that you should have access to port 139 or 445 TCP.
Allowing access means CounterACT can retrieve Windows-related information. By
default, these ports are open on Windows 2000 machines.
6. CounterACT has access to the endpoint’s remote registry and file system. Refer to
the CounterACT User Manual for more information about verifying this information.
7. (For XP systems only) You have deselected the Use Simple File Sharing for the
endpoint.
2. Verify that the NetBIOS domain name is identical to the one configured in the Host
Properties Scanner Plugin configuration screen. This is done by running nbtstat -n;
see the following output.
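An added Python example (not from the guide) that parses `nbtstat -n` output, reads the NetBIOS domain from the registered `<00>` GROUP entry, and compares it with the domain name configured in the plugin; the sample output below is constructed, not captured from a real host.

```python
import re

# Constructed sample of `nbtstat -n` output for a domain-joined workstation.
SAMPLE_NBTSTAT_OUTPUT = """
Local Area Connection:
Node IpAddress: [10.0.0.15] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    WS-FINANCE-07  <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WS-FINANCE-07  <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
"""

# One name-table row: name, two-hex-digit suffix, UNIQUE/GROUP, status.
_ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\S+)\s*$"
)


def parse_nbtstat(output):
    """Return the NetBIOS local name table rows as a list of dicts."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({"name": m["name"], "suffix": m["suffix"].upper(),
                         "type": m["type"], "status": m["status"]})
    return rows


def netbios_domain(output):
    """The workgroup/domain name is the registered <00> GROUP entry;
    the <00> UNIQUE entry with the same suffix is the host name, not the domain."""
    for row in parse_nbtstat(output):
        if row["suffix"] == "00" and row["type"] == "GROUP" and row["status"] == "Registered":
            return row["name"]
    return None


def domain_matches_plugin_config(output, configured_domain):
    """True when the endpoint's NetBIOS domain equals the name configured in the
    plugin. NetBIOS names are case-insensitive, so compare upper-cased."""
    found = netbios_domain(output)
    return found is not None and found.upper() == configured_domain.strip().upper()
```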
Services Test
Verify the following services (circled in red) are running.
To verify:
1. Open the services view by selecting Start > Control Panel > Administrative Tools >
Services. Verify that the following services (in red) are running:
− Remote Procedure Call (RPC)
− Remote Registry Service
− Server
Sharing Test
Verify the default C$ share exists.
To verify:
1. From My computer, right-click drive C and select Properties.
2. In the Sharing tab, the following should be configured:
fsprocsvc.exe Information
Footprint:
  Size on disk: Approximately 250 KB
  Memory acquired during runtime: 2 MB
  Runs under: System
  Start type: Automatic
  After 2 hours the service removes itself
Properties requiring the service (with remote inspection, i.e. not via SecureConnector):
  Expected Script Result
  Device Interfaces
  Number of IP Addresses
  External Devices
  File MD5 Signature
  Is Behind NAT
  Microsoft Vulnerabilities
Actions requiring the service (with remote inspection, i.e. not via SecureConnector):
  Run Script On Windows
  HTTP Redirection to URL (if Attempt to open a browser at the detected endpoint is
  selected)
  Start SecureConnector
  Set Registry Key
  Start Antivirus
  Update Antivirus
  Start Windows Updates
  Kill Process on Windows, Kill Instant Messaging, Kill Peer-to-peer
Controlling the location where the service executable and scripts are copied to:
  fsprocsvc.exe runs from the system temp folder.
  The scripts are run as follows: the following configuration property sets the directory
  to use: config.script_run_folder.value
  For example: config.script_run_folder.value = "C:\Program Files\Forescout\"
  If the property is not defined (it is not defined by default), then the directory to
  use is determined as follows:
  If a user is logged into the endpoint, then the logged-in user temp folder is used.
Activating a Method
To run scripts in remote inspection using Task Scheduler:
1. Open the following file on the Appliance
/usr/local/forescout/plugin/va/local.properties
2. Add the line: config.run_script_fsnet.value=false
3. This should be done for each Appliance.
Legal Notice
Copyright © ForeScout Technologies, 2000-2012. All rights reserved.
The copyright and proprietary rights in the guide belong to ForeScout Technologies. It is strictly forbidden
to copy, duplicate, sell, lend or otherwise use this guide in any way, shape or form without the prior consent
of ForeScout Technologies.
This product is based on software developed by ForeScout Technologies. The products described in this
document are protected by U.S. patent # 6,363,489 issued March 2002 and may be protected by other U.S.
Patents and foreign patents.
Redistribution and use in source and binary forms are permitted, provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials and
other materials related to such distribution and use, acknowledge that the software was developed by
ForeScout Technologies.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
All other trademarks used in this document are the property of their respective owners.
Send comments and questions regarding documentation to: documentation@forescout.com
11/5/12