Requirements

Installation Requirements

1. It is recommended to use a server with Windows Server 2016 64 Bit or Windows Server 2019 64 Bit operating system with English Language Pack (en-US) for installation.

2. The following system requirements should be determined according to the total object count (Users, Groups and Computers) in the Active Directory inventory. You can find total object count with the script below. You need to run this script for all domains in the Active Directory.

# You need to install ActiveDirectory Powershell module or run this script on Domain Controller
Import-Module ActiveDirectory;

$domain = Get-ADDomain;
$users = Get-ADUser -Filter * | Measure-Object;
$computers = Get-ADComputer -Filter * | Measure-Object;
$groups = Get-ADGroup -Filter * | Measure-Object;

Write-Host "Users: $($users.count), Computers: $($computers.count), Groups: $($groups.count)" -ForegroundColor Green;
Write-Host "$($domain.DistinguishedName) - Total Object Count: $($users.count + $computers.count + $groups.count)" -ForegroundColor Green;

1. To perform all security assessments during the scans, the server which FSProtect has been deployed, needs to be able to access all computers over the network (outbound) in the Active Directory environment. With this reason, necessary configurations should be made on the firewall according to the following table.

1. In order to access FSProtect Web Application in your environment, inbound connections over the network must be allowed in the server which FSProtect has been deployed. With this reason necessary configurations should be made on the firewall according to the following table.

1. For the installation and security scans to be performed properly, the security software on the server should be removed or the necessary exclusions should be applied.

2. In order to access the web interface during installation, one of the Google Chrome, Mozilla Firefox, or Microsoft Edge browsers must be installed.

3. FSProtect should be deployed on a domain-joined server. A user with local Administrator privileges (Built-in local Administrator or Domain User with Local Admin privilege can be used) on the FSProtect deployed server is required to perform the product installation.

4. In order to perform scans, a user with read permission must be created for each Active Directory Forest. By default, unprivileged user who is member of Domain Users group is enough for this task. But if this permission is not allowed or blocked in your AD environment, such user with this right must be created. This user can be created using the following Powershell script.

Import-Module ActiveDirectory;

$username="FSProtectUser";
New-ADUser -Name $username -AccountPassword(Read-Host -AsSecureString "$username Password:") -PasswordNeverExpires $true -Enabled $true;

1. With an update released by Microsoft, non-privileged users are prevented from making SAM calls on servers and clients. If it is desired to obtain local user and local group information (This is required to perform full check and it is recommended), a Group Policy object should be created by the following steps below for the domain user which will be used during the scans.

   1. Open the Group Policy Management.

   2. Choose the Forest and the Domain which FSProtect will be used.

   3. Right click to Group Policy Objects and select New.

   4. Write down any name to the Name section and click to the OK button.

   5. Right click to the newly created Group Policy object and click to the Edit button.

   6. In popped up page, click to these items in order.

      1. Computer Configuration

      2. Policies

      3. Windows Settings

      4. Security Settings

      5. Local Policies

      6. Security Options

      7. Network Access: Restrict clients allowed to make remote calls to SAM

   7. In popped up page, enable the Define this policy setting option.

   8. By clicking on the Edit Security button, the user created for the FSProtect application is selected and the Remote Access option is marked as Allow. Finally, the Group Policy object is saved by clicking the OK button and clicking the Apply button.

   9. The created Group Policy object needs to be linked to the Organizational Units where the computers’ local inventory information required to be collected by FSProtect. (By default, linking this GPO to the Organizational Units except Domain Controllers is recommended to find all attack paths.)

1. This Group Policy object also can be created automatically with the Powershell script below.

Import-Module ActiveDirectory;

$username="FSProtectUser";
$GPOName="FSProtectGPO";
$domain = Get-ADDomain;
$path = $domain.DistinguishedName;

New-GPO -Name $GPOName | New-GPLink -Target $path;

$FSProtectGPO = Get-GPO -Name $GPOName;
$FSProtectUser = Get-ADUser -Identity $username -Properties ObjectSid;

$domain = Get-ADDomain;
$domainAddress = $domain.DNSRoot;

$folderPath = "C:\Windows\SYSVOL\sysvol\$($domainAddress)\Policies\{$($FSProtectGPO.Id)}\Machine\Microsoft\Windows NT\SecEdit";

# Create all subdirectories
New-Item -Path $folderPath -ItemType Directory -Force;
$filePath = Join-Path $folderPath "GptTmpl.inf";

# FileContent
$fileContent = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO$`"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$($FSProtectUser.ObjectSid))"
"@

# Create the file and add content
$fileContent | Set-Content -Path $filePath;

1. To allow FSProtect to access the necessary registry paths, you need to modify the Network Access: Remotely accessible registry paths policy setting using a Group Policy Object (GPO). This involves adding two registry paths to this GPO, either manually through the Group Policy Management Console interface.

   1. Open the Group Policy Management Console (GPMC).

   2. In the left pane, expand the Forest: <your domain name> node and find your domain under the Domains section.

   3. Right-click on the Domain Controllers container and select Create a GPO in this domain, and Link it here

   4. Name the new GPO, for example, FSProtect Remote Registry Access and click OK.
   5. Right-click on the newly created GPO and select Edit.

   6. When the Group Policy Management Editor opens, navigate to:

      1. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

   7. Find and double-click on Network access: Remotely accessible registry paths.

   8. In the dialog that opens, check the Define this policy setting in the template box.

   9. Click on the Local Policy Setting tab.

   10. Add the following registry paths to allow remote access:

       • SYSTEM\CurrentControlSet\Services\Kdc

       • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel

   11. Click Apply and then OK to save the changes.

2. The installation directory must be excluded from antivirus scans to ensure proper functionality. Otherwise, antivirus programs may block essential application operations.

• C:\Forestall\FSProtect\

Verifying the Requirements

You can use the Powershell script below to verify Firewall rules and port statuses.

function Test-FSProtectPorts {
    param
    (
        [parameter(Mandatory=$true)][String]$IPAddress
    )

    $ports = @(
        @{port=389;description="LDAP"},
        @{port=445;description="SMB"},
        @{port=88;description="KERBEROS"},
        @{port=53;description="DNS"},
        @{port=135;description="DCERPC"},
        @{port=3389;description="RDP"},
        @{port=123;description="NTP"},
        @{port=137;description="NETBIOS"},
        @{port=49667;description="DCERPC/LSARPC"},
        @{port=49670;description="DCERPC/NETLOGON"}
    );

    Write-Host -ForegroundColor Cyan "Scanning $IPAddress"

    foreach ($port in $ports){
        $response = Test-NetConnection -ComputerName $IPAddress -Port $port.port -WarningAction SilentlyContinue
        if ($response.TcpTestSucceeded){
            Write-Host -ForegroundColor Green "✔️ Port $($port.port) TCP/$($port.description) is reachable"
        }else {
            Write-Host -ForegroundColor Red "❌ Port $($port.port) TCP/$($port.description) is not reachable"
        }
    }

    Write-Host -ForegroundColor Yellow "⚠️ You need to check Spool Service ports"
}

Test-FSProtectPorts -IPAddress 127.0.0.1

You can use the Powershell script below to verify DNS configuration, Active Directory connection and user status.

$Forest = "fslab.local"
$UserName = "fsprotectuser"
$Password = Read-Host -Prompt "Password: " -AsSecureString

function Test-ADConnection {
    param
    (
        [parameter(Mandatory=$true)][String]$Forest,
        [parameter(Mandatory=$true)][String]$UserName,
        [parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )

    $PdcOutput = nltest /dsgetdc:$Forest /PDC
    if ($PdcOutput -eq $null){
        Write-Host "!!!!!!!! --> PDC not accessible. Forest: $Forest"
        return
    }

    $PdcOutput
    Write-Host "# PDC is accessible"

    $ServerIp = ([regex]::Match($PdcOutput,'(?<=\\\\)(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}')).value
    $Password_Plaintext = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

    $ContextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ADContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext $ContextType, $ServerIp, "$Forest\$UserName", $Password_Plaintext
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ADContext)

    if ($Domain -eq $null){
        Write-Host "!!!!!!!! --> AD is not enumarable. Forest: $Forest - Username: $UserName"
        return
    }

    $DomainObj = $Domain.GetDirectoryEntry()
    $DomainObj

    Write-Host "----------------------------"
    Write-Host "# Enumeration Success"
    Write-Host "IP: $ServerIp"
    Write-Host "Path: $($DomainObj.Path)"
    Write-Host "----------------------------"
}

Test-ADConnection -Forest $Forest -UserName $UserName -Password $Password

Installation Requirements Checklist