Requirements
Installation Requirements
It is recommended to use a server with a Windows Server 2016 64 Bit or Windows Server 2019 64 Bit operating system with the English Language Pack (en-US) for installation. The following system requirements should be determined according to the total object count (Users, Groups and Computers) in the Active Directory inventory. You can find the total object count with the script below. You need to run this script for all domains in the Active Directory.
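The object-count script referenced above is not present on this page. The following is an added example (not FSProtect's own script) that counts users, groups and computers in every domain of the current forest so the total can be matched against the sizing table; it assumes the RSAT ActiveDirectory module is installed and must be run once per forest if there are several.

```powershell
# Added example, not FSProtect's own script.
# Counts Users, Groups and Computers per domain and sums them across the forest.
# Assumes: RSAT ActiveDirectory module installed, current account can read each domain.
Import-Module ActiveDirectory

function Get-AdObjectCounts {
    param([Parameter(Mandatory)][string]$Domain)

    # Locate a DC for this domain so each query is answered by the right domain.
    $server = (Get-ADDomainController -Discover -DomainName $Domain).HostName |
        Select-Object -First 1

    # @( ) forces an array so .Count is correct even for 0 or 1 results.
    $users     = @(Get-ADUser     -Filter * -Server $server).Count
    $groups    = @(Get-ADGroup    -Filter * -Server $server).Count
    $computers = @(Get-ADComputer -Filter * -Server $server).Count

    [pscustomobject]@{
        Domain    = $Domain
        Users     = $users
        Groups    = $groups
        Computers = $computers
        Total     = $users + $groups + $computers
    }
}

# Enumerate every domain in the forest the server is joined to.
$forest  = Get-ADForest
$results = foreach ($d in $forest.Domains) { Get-AdObjectCounts -Domain $d }

$results | Format-Table -AutoSize
$grand = ($results | Measure-Object -Property Total -Sum).Sum
Write-Host "Total object count across forest '$($forest.Name)': $grand"
Write-Host "Use this total to pick the RAM / disk / CPU row in the sizing table."
```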
Total Object Count | Minimum RAM | Minimum Free Disk Space | CPU Core Count |
---|---|---|---|
0-5.000 | 24 GB | 100 GB | 4 |
5.000-25.000 | 32 GB | 300 GB | 8 |
25.000-50.000 | 64 GB | 500 GB | 12 |
50.000-250.000 | 128 GB | 2 TB | 16 |
To perform all security assessments during the scans, the server on which FSProtect has been deployed needs to be able to reach all computers in the Active Directory environment over the network (outbound). For this reason, the necessary configurations should be made on the firewall according to the following table.
Target Computers | Transport | Protocol | Port | Purpose |
---|---|---|---|---|
DC Servers | TCP/UDP | LDAP | 389 | To collect the data with the help of LDAP queries. |
All Computers in Domain | TCP/UDP | SMB | 445 | To perform SMB related vulnerability checks. |
DC Servers | TCP/UDP | KERBEROS | 88 | To authenticate in the domain with Kerberos. |
DC or DNS Servers | TCP/UDP | DNS | 53 | To resolve names in the AD environment with the help of DNS. |
All Computers in Domain | TCP/UDP | DCERPC | 135 | To collect local assets (Local Users, Local Groups, etc.). |
All Computers in Domain | TCP/UDP | RDP | 3389 | To perform RDP related vulnerability checks. |
DC or NTP Server | TCP/UDP | NTP | 123 | To synchronize time in the environment. |
All Computers in Domain | TCP/UDP | NETBIOS | 137 | To perform NETBIOS queries. |
DC Servers | TCP/UDP | DCERPC | 49667 | To perform LSARPC queries. |
DC Servers | TCP/UDP | DCERPC | 49670 | To perform NETLOGON queries. |
DC Servers | TCP/UDP | DCERPC | All ports between 49152 – 65535 | To perform Spool Service related vulnerability checks. |
In order to access the FSProtect Web Application in your environment, inbound connections over the network must be allowed on the server on which FSProtect has been deployed. For this reason, the necessary configurations should be made on the firewall according to the following table.
Target Computers | Transport | Protocol | Port | Purpose |
---|---|---|---|---|
FSProtect Deployed Server | TCP | HTTPS | 443 (Can be changed during installation) | Web App. UI |
FSProtect Deployed Server | TCP | HTTPS | 8443 (Can be changed during installation) | REST API Access |
For the installation and security scans to be performed properly, the security software on the server should be removed or the necessary exclusions should be applied.
In order to access the web interface during installation, one of the Google Chrome, Mozilla Firefox or Microsoft Edge browsers must be installed.
FSProtect should be deployed on a domain-joined server. A user with local Administrator privileges on the server where FSProtect is deployed (either the built-in local Administrator or a domain user with local Administrator privilege) is required to perform the product installation.
In order to perform scans, a user with read permission must be created for each Active Directory Forest. By default, an unprivileged user who is a member of the Domain Users group is sufficient for this task. If this permission is not granted or is blocked in your AD environment, a user with this right must be created. This user can be created using the following PowerShell script.
With an update released by Microsoft, non-privileged users are prevented from making remote SAM calls to servers and clients. If local user and local group information is to be collected (this is required for a full check and is recommended), a Group Policy object should be created with the following steps for the domain user that will be used during the scans.
1. Open Group Policy Management.
2. Choose the Forest and the Domain in which FSProtect will be used.
3. Right-click Group Policy Objects and select New. Enter any name in the Name field and click the OK button.
4. Right-click the newly created Group Policy object and click the Edit button.
5. In the window that opens, navigate to these items in order: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network Access: Restrict clients allowed to make remote calls to SAM.
6. In the window that opens, enable the Define this policy setting option.
7. Click the Edit Security button, select the user created for the FSProtect application and mark the Remote Access permission as Allow.
8. Finally, save the Group Policy object by clicking the OK button and then the Apply button.
9. Link the created Group Policy object to the Organizational Unit or Domain object that contains the computers whose local inventory information FSProtect should collect. (By default, linking this GPO to the Domain is recommended to find all attack paths.)
This Group Policy object can also be created automatically with the PowerShell script below.
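The PowerShell script referenced above is not present on this page. The following is an added example (not FSProtect's own script) that creates the GPO and links it to the domain root; it sets the same RestrictRemoteSAM registry value that the "Network access: Restrict clients allowed to make remote calls to SAM" security option writes, but through Set-GPRegistryValue (a registry policy) rather than the Security Settings editor used in the manual steps. The account name and GPO name are placeholders, and the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example, not FSProtect's own script.
# Creates a GPO granting the scan account remote SAM access and links it to the domain.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules; placeholders below are adapted.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ScanAccount = 'svc-fsprotect-scan'             # placeholder: sAMAccountName of scan user
$GpoName     = 'FSProtect - Allow Remote SAM'   # placeholder: any GPO name

# The policy stores an SDDL string, so the account must be expressed as a SID.
$sid = (Get-ADUser -Identity $ScanAccount).SID.Value

# Default value of the policy is "O:BAG:BAD:(A;;RC;;;BA)" (Administrators only).
# Appending (A;;RC;;;<SID>) grants the same "Remote Access: Allow" to the scan account.
$sddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$sid)"

# Create the GPO only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Registry value behind the "Restrict clients allowed to make remote calls to SAM" option.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'RestrictRemoteSAM' -Type String -Value $sddl | Out-Null

# Link to the domain root (recommended in the text) unless a link already exists.
$domainDn = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

Write-Host "GPO '$GpoName' linked to $domainDn"
Write-Host "RestrictRemoteSAM = $sddl"
```

Clients pick the setting up at the next Group Policy refresh; `gpresult /h report.html` on a target computer shows whether the value was applied.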
Verifying the Requirements
You can use the PowerShell script below to verify firewall rules and port statuses.
You can use the PowerShell script below to verify the DNS configuration, the Active Directory connection and the user status.
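The two verification scripts referenced above are not present on this page. The following is a single added example (not FSProtect's own script) covering both: it probes the TCP ports from the firewall table against a domain controller, checks for inbound allow rules on the web ports, resolves the domain's DNS records, tests the server's secure channel to the domain and reports the state of the scan account. It assumes the RSAT ActiveDirectory module is installed and that the scan account name is a placeholder to adapt.

```powershell
# Added example, not FSProtect's own script. Run on the server where FSProtect will be installed.
# Assumptions: RSAT ActiveDirectory module installed; $ScanAccount is a placeholder.
Import-Module ActiveDirectory

$ScanAccount = 'svc-fsprotect-scan'   # placeholder: the read-only scan user
$WebPorts    = @(443, 8443)            # change if altered during installation

$domain = Get-ADDomain
$dc = (Get-ADDomainController -Discover -DomainName $domain.DNSRoot).HostName |
    Select-Object -First 1

# Outbound TCP checks against a DC. UDP-only services (NTP 123, NetBIOS 137) and the
# dynamic RPC range are not probed because Test-NetConnection only tests TCP.
$dcPorts = [ordered]@{ KERBEROS = 88; DNS = 53; DCERPC = 135; LDAP = 389; SMB = 445; RDP = 3389 }
$ports = foreach ($svc in $dcPorts.Keys) {
    $t = Test-NetConnection -ComputerName $dc -Port $dcPorts[$svc] -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "Outbound $svc/$($dcPorts[$svc]) to $dc"; Ok = $t.TcpTestSucceeded }
}

# Inbound: at least one enabled Allow rule must cover each web port on TCP.
$allowed = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' }
$inbound = foreach ($p in $WebPorts) {
    $hit = $allowed | Where-Object { (@($_.LocalPort) -contains "$p") -or ($_.LocalPort -eq 'Any') }
    [pscustomobject]@{ Check = "Inbound TCP/$p allow rule present"; Ok = [bool]$hit }
}

# DNS: the domain A record and the DC locator SRV record must both resolve.
$queries = @(
    @{ Name = $domain.DNSRoot;                                Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)";      Type = 'SRV' }
)
$dns = foreach ($q in $queries) {
    $ok = [bool](Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = "DNS $($q.Type) $($q.Name)"; Ok = $ok }
}

# Secure channel of this server to the domain, and state of the scan account.
$trust = [pscustomobject]@{ Check = 'Secure channel to domain'; Ok = (Test-ComputerSecureChannel) }
$u = Get-ADUser -Identity $ScanAccount -Properties Enabled, LockedOut, PasswordExpired `
    -ErrorAction SilentlyContinue
$user = [pscustomobject]@{
    Check = "Scan account '$ScanAccount' exists, enabled, not locked or expired"
    Ok    = [bool]($u -and $u.Enabled -and -not $u.LockedOut -and -not $u.PasswordExpired)
}

@($ports; $inbound; $dns; $trust; $user) | Format-Table -AutoSize
```

Any row with Ok = False maps directly to a "No" in the checklist below; the dynamic RPC ports (49667, 49670 and the 49152–65535 range) still need to be confirmed separately.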
Installation Requirements Checklist
No | Checklist Item | Status (Yes/No) |
---|---|---|
1 | Has the server been set up according to the requirements specified for the installation of the FSProtect? (Requirement 1 and Requirement 2) | |
2 | Have the specified firewall rules been created for the network access? (Requirement 3 and Requirement 4) | |
3 | Can the server resolve all FQDNs and server IP addresses in Active Directory domains to be scanned? | |
4 | Are the security software on the server disabled or are necessary exclusions implemented? (Requirement 5) | |
5 | Is one of the Google Chrome, Mozilla Firefox or Microsoft Edge browsers installed on the server to access the FSProtect web interface? (Requirement 6) | |
6 | Have domain users with the specified requirements been created in all Forests to perform Active Directory scans? (Requirement 8) | |
7 | Has the required Group Policy object been created to perform local inventory enumeration? (Requirement 9) | |