Requirements

Installation Requirements

  1. It is recommended to use a server with Windows Server 2016 64 Bit or Windows Server 2019 64 Bit operating system with English Language Pack (en-US) for installation.

  2. The following system requirements should be determined according to the total object count (Users, Groups and Computers) in the Active Directory inventory. You can find the total object count with the script below. The script must be run for every domain in the Active Directory forest, and the per-domain counts added up.

# You need to install the ActiveDirectory PowerShell module (RSAT) or run this script on a Domain Controller.
# Run it once per domain (or pass -Server <domain FQDN> to each Get-AD* call) and add the totals up.
Import-Module ActiveDirectory;

$domain = Get-ADDomain;
$users = Get-ADUser -Filter * | Measure-Object;
$computers = Get-ADComputer -Filter * | Measure-Object;
$groups = Get-ADGroup -Filter * | Measure-Object;

Write-Host "Users: $($users.count), Computers: $($computers.count), Groups: $($groups.count)" -ForegroundColor Green;
Write-Host "$($domain.DistinguishedName) - Total Object Count: $($users.count + $computers.count + $groups.count)" -ForegroundColor Green;
Total Object Count | Minimum RAM | Minimum Free Disk Space | CPU Core Count
--- | --- | --- | ---
0-5.000 | 24 GB | 100 GB | 4
5.000-25.000 | 32 GB | 300 GB | 8
25.000-50.000 | 64 GB | 500 GB | 12
50.000-250.000 | 128 GB | 2 TB | 16
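The documentation's counting script has to be repeated per domain and the results added by hand. The following added example (not part of the FSProtect documentation) does that for the whole forest in one run and maps the forest-wide total to the sizing tier of the table above. It assumes the ActiveDirectory module is available and that the current credentials can read every domain; the tier bounds are taken from the table (5.000 read as five thousand).

```powershell
# Added example (not from the FSProtect documentation): count Users, Computers
# and Groups in every domain of the forest, sum them, and map the forest-wide
# total to the sizing tier of the table above. Needs the ActiveDirectory module
# (RSAT or a Domain Controller) and read access to each domain.
Import-Module ActiveDirectory

# Sizing tiers as published in the table (upper bound inclusive)
$SizingTiers = @(
    @{ MaxObjects = 5000;   Ram = '24 GB';  Disk = '100 GB'; Cores = 4  },
    @{ MaxObjects = 25000;  Ram = '32 GB';  Disk = '300 GB'; Cores = 8  },
    @{ MaxObjects = 50000;  Ram = '64 GB';  Disk = '500 GB'; Cores = 12 },
    @{ MaxObjects = 250000; Ram = '128 GB'; Disk = '2 TB';   Cores = 16 }
)

function Get-ForestObjectCount {
    # One row per domain; -Server pins each query to that domain's DCs
    $rows = foreach ($domainName in (Get-ADForest).Domains) {
        $users     = (Get-ADUser     -Filter * -Server $domainName | Measure-Object).Count
        $computers = (Get-ADComputer -Filter * -Server $domainName | Measure-Object).Count
        $groups    = (Get-ADGroup    -Filter * -Server $domainName | Measure-Object).Count
        [pscustomobject]@{
            Domain    = $domainName
            Users     = $users
            Computers = $computers
            Groups    = $groups
            Total     = $users + $computers + $groups
        }
    }
    return $rows
}

function Get-FSProtectSizing {
    param([Parameter(Mandatory = $true)][int]$TotalObjects)
    foreach ($tier in $SizingTiers) {
        if ($TotalObjects -le $tier.MaxObjects) { return [pscustomobject]$tier }
    }
    return $null   # more than 250.000 objects: outside the published table
}

$inventory = Get-ForestObjectCount
$inventory | Format-Table -AutoSize

$forestTotal = ($inventory | Measure-Object -Property Total -Sum).Sum
Write-Host "Forest-wide object count: $forestTotal"

$sizing = Get-FSProtectSizing -TotalObjects $forestTotal
if ($sizing) {
    Write-Host "Minimum server size: $($sizing.Ram) RAM, $($sizing.Disk) free disk, $($sizing.Cores) CPU cores"
} else {
    Write-Host "Object count exceeds the published sizing table; ask the vendor for sizing guidance"
}
```

Run it from any domain-joined machine with RSAT. Because FSProtect scans all domains of a forest with one deployment, it is the forest-wide total, not the largest single domain, that decides the tier.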

  3. To perform all security assessments during the scans, the server on which FSProtect is deployed needs outbound network access to all computers in the Active Directory environment. For this reason, the firewall must be configured according to the following table.

Target Computers | Transport | Protocol | Port | Purpose
--- | --- | --- | --- | ---
DC Servers | TCP/UDP | LDAP | 389 | To collect the data with the help of LDAP queries.
All Computers in Domain | TCP/UDP | SMB | 445 | To perform SMB related vulnerability checks.
DC Servers | TCP/UDP | KERBEROS | 88 | To authenticate in the domain with Kerberos.
DC or DNS Servers | TCP/UDP | DNS | 53 | To resolve names in the AD environment with the help of DNS.
All Computers in Domain | TCP/UDP | DCERPC | 135 | To collect local assets (Local Users, Local Groups, etc.)
All Computers in Domain | TCP/UDP | RDP | 3389 | To perform RDP related vulnerability checks.
DC or NTP Server | TCP/UDP | NTP | 123 | To synchronize time with the environment.
All Computers in Domain | TCP/UDP | NETBIOS | 137 | To perform NETBIOS queries.
DC Servers | TCP/UDP | DCERPC | 49667 | To perform LSARPC queries.
DC Servers | TCP/UDP | DCERPC | 49670 | To perform NETLOGON queries.
DC Servers | TCP/UDP | DCERPC | All ports between 49152 – 65535 | To perform Spool Service related vulnerability checks.

  4. In order to access the FSProtect Web Application in your environment, inbound connections to the server on which FSProtect is deployed must be allowed. For this reason, the firewall must be configured according to the following table.

Target Computers | Transport | Protocol | Port | Purpose
--- | --- | --- | --- | ---
FSProtect Deployed Server | TCP | HTTPS | 443 (Can be changed during installation) | Web App. UI
FSProtect Deployed Server | TCP | HTTPS | 8443 (Can be changed during installation) | REST API Access
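The two inbound rules from the table can be created on the FSProtect server with the Windows Firewall cmdlets. The script below is an added example, not part of the FSProtect documentation; the port numbers default to the table values and the management subnet passed in the example call is an assumption to be replaced with the address range that really needs the UI and API.

```powershell
# Added example (not from the FSProtect documentation): create the inbound
# Windows Firewall rules for the Web UI and REST API on the FSProtect server,
# limited to the Domain profile and to the remote addresses that need access.
# Port numbers and the subnet in the example call are assumptions.
function Add-FSProtectInboundRules {
    param(
        [int]$WebUiPort = 443,
        [int]$ApiPort = 8443,
        # Restrict callers to a subnet or list; 'Any' leaves the rule open to the whole network
        [string[]]$AllowedRemoteAddress = @('Any')
    )

    $rules = @(
        @{ Name = 'FSProtect Web UI (HTTPS)';   Port = $WebUiPort },
        @{ Name = 'FSProtect REST API (HTTPS)'; Port = $ApiPort }
    )

    foreach ($rule in $rules) {
        # Idempotent: skip rules that already exist under the same display name
        if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$($rule.Name)' already exists, skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $rule.Name `
            -Direction Inbound -Action Allow -Enabled True `
            -Protocol TCP -LocalPort $rule.Port `
            -Profile Domain `
            -RemoteAddress $AllowedRemoteAddress | Out-Null
        Write-Host "Created inbound rule '$($rule.Name)' for TCP/$($rule.Port)"
    }
}

# Example call: only the (assumed) management subnet may reach the UI and the API
Add-FSProtectInboundRules -WebUiPort 443 -ApiPort 8443 -AllowedRemoteAddress '10.0.10.0/24'

# After the FSProtect services are started, confirm that something is listening on both ports
Get-NetTCPConnection -State Listen | Where-Object LocalPort -in @(443, 8443) |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Scoping the rules to the Domain profile and to a known subnet keeps the management interface off any network the server is not expected to serve; if the ports were changed during installation, pass the chosen values instead of the defaults.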

  5. For the installation and security scans to be performed properly, the security software on the server should be removed or the necessary exclusions should be applied.

  6. In order to access the web interface during installation, one of the Google Chrome, Mozilla Firefox or Microsoft Edge browsers must be installed.

  7. FSProtect should be deployed on a domain-joined server. A user with local Administrator privileges on the FSProtect server (either the built-in local Administrator or a domain user with local Administrator rights) is required to perform the product installation.

  8. In order to perform scans, a user with read permission must be created for each Active Directory forest. By default, an unprivileged user that is a member of the Domain Users group is sufficient for this task; if that default read access is restricted or blocked in your AD environment, a user that is explicitly granted this right must be created. The user can be created with the following PowerShell script.

# Requires the ActiveDirectory PowerShell module and an account that may create users in the domain
Import-Module ActiveDirectory;

$username="FSProtectUser";
# The password is read interactively as a SecureString so it never appears in the script or the history
New-ADUser -Name $username -AccountPassword(Read-Host -AsSecureString "$username Password:") -PasswordNeverExpires $true -Enabled $true;
  9. With an update released by Microsoft, non-privileged users are prevented from making remote SAM calls on servers and clients. If local user and local group information is to be collected (this is required for a full check and is recommended), a Group Policy object should be created with the following steps for the domain user that will be used during the scans.

    1. Open Group Policy Management.

    2. Choose the forest and the domain in which FSProtect will be used.

    3. Right-click Group Policy Objects and select New.

    4. Enter any name in the Name field and click OK.

    5. Right-click the newly created Group Policy object and click Edit.

    6. In the editor window that opens, navigate through these items in order:

      1. Computer Configuration

      2. Policies

      3. Windows Settings

      4. Security Settings

      5. Local Policies

      6. Security Options

      7. Network Access: Restrict clients allowed to make remote calls to SAM

    7. In the window that opens, enable the Define this policy setting option.

    8. Click Edit Security, select the user created for the FSProtect application and set the Remote Access permission to Allow. Finally, save the Group Policy object by clicking OK and then Apply.

    9. The created Group Policy object needs to be linked to the Organizational Unit or Domain object that contains the computers whose local inventory information FSProtect has to collect. (By default, linking this GPO to the domain is recommended so that all attack paths can be found.)

  10. This Group Policy object can also be created automatically with the PowerShell script below.

# Requires the ActiveDirectory and GroupPolicy modules (RSAT) and an account that may
# create GPOs and write to SYSVOL (for example a Domain Admin).
Import-Module ActiveDirectory;
Import-Module GroupPolicy;

$username="FSProtectUser";
$GPOName="FSProtectGPO";
$domain = Get-ADDomain;
$path = $domain.DistinguishedName;
$domainAddress = $domain.DNSRoot;

# Create the GPO and link it to the domain root
New-GPO -Name $GPOName | New-GPLink -Target $path;

$FSProtectGPO = Get-GPO -Name $GPOName;
$FSProtectUser = Get-ADUser -Identity $username -Properties ObjectSid;

$gpoFolder = "C:\Windows\SYSVOL\sysvol\$($domainAddress)\Policies\{$($FSProtectGPO.Id)}";
$folderPath = Join-Path $gpoFolder "Machine\Microsoft\Windows NT\SecEdit";

# Create all subdirectories
New-Item -Path $folderPath -ItemType Directory -Force;
$filePath = Join-Path $folderPath "GptTmpl.inf";

# Security template: RestrictRemoteSAM as a REG_SZ (type 1) SDDL string that grants
# remote SAM access (RC = READ_CONTROL) to Builtin Administrators and to the scan user
$fileContent = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO$`"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM=1,"O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$($FSProtectUser.ObjectSid))"
"@

# Create the file and add content; the template header declares it as Unicode (UTF-16 LE)
$fileContent | Set-Content -Path $filePath -Encoding Unicode;

# Writing the template alone is not enough: clients only run the Security Settings
# client-side extension for a GPO that lists it, and only re-process a GPO whose
# version changed. The GUID pair is the well-known Security CSE and its admin tool.
$securityCse = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]";
Set-ADObject -Identity $FSProtectGPO.Path -Replace @{ gPCMachineExtensionNames = $securityCse; versionNumber = 1 };
Set-Content -Path (Join-Path $gpoFolder "gpt.ini") -Value "[General]`r`nVersion=1";
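Whether the policy was created by hand (step 9) or by the script (step 10), the effective result is the RestrictRemoteSAM value on each target computer. The following added check (not part of the FSProtect documentation) reads that value remotely and parses its security descriptor to confirm the scan user's SID is in the allow list; run it after `gpupdate /force` on the target. The computer names and the WinRM access it assumes are assumptions.

```powershell
# Added example (not from the FSProtect documentation): verify on a target
# computer that the RestrictRemoteSAM policy has been applied and that the scan
# user's SID has an allow ACE in it. Assumes WinRM access to the target and the
# ActiveDirectory module on the machine running the check.
Import-Module ActiveDirectory

function Test-RestrictRemoteSam {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$UserName = 'FSProtectUser'
    )

    $userSid = (Get-ADUser -Identity $UserName).SID.Value

    # Read the effective registry value on the target
    $sddl = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    }

    if (-not $sddl) {
        Write-Host "$ComputerName : RestrictRemoteSAM is not set; the GPO has not applied yet (OS default allows Administrators only)"
        return $false
    }

    # Parse the SDDL and look for an AccessAllowed ACE carrying the scan user's SID
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $userSid) {
            $allowed = $true
        }
    }

    Write-Host "$ComputerName : RestrictRemoteSAM = $sddl"
    if ($allowed) { Write-Host "$ComputerName : $UserName ($userSid) may query SAM remotely" }
    else          { Write-Host "$ComputerName : $UserName ($userSid) is NOT in the allow list" }
    return $allowed
}

# Example: check one workstation and one Domain Controller (names are assumptions)
'WS01', 'DC01' | ForEach-Object { Test-RestrictRemoteSam -ComputerName $_ }
```

A `$false` result on a computer inside the linked OU usually means the GPO has not been processed there yet (check `gpresult /r` on the target) or that a GPO with higher precedence defines the same setting.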

Verifying the Requirements

You can use the PowerShell script below to verify firewall rules and port statuses.

# Only TCP reachability is tested: Test-NetConnection has no UDP mode, so the UDP side of
# DNS (53), NTP (123) and NetBIOS (137) must be verified separately.
function Test-FSProtectPorts {
    param
    (
        [parameter(Mandatory=$true)][String]$IPAddress
    )

    $ports = @(
        @{port=389;description="LDAP"},
        @{port=445;description="SMB"},
        @{port=88;description="KERBEROS"},
        @{port=53;description="DNS"},
        @{port=135;description="DCERPC"},
        @{port=3389;description="RDP"},
        @{port=123;description="NTP"},
        @{port=137;description="NETBIOS"},
        @{port=49667;description="DCERPC/LSARPC"},
        @{port=49670;description="DCERPC/NETLOGON"}
    );

    Write-Host -ForegroundColor Cyan "Scanning $IPAddress"

    foreach ($port in $ports){
        $response = Test-NetConnection -ComputerName $IPAddress -Port $port.port -WarningAction SilentlyContinue
        if ($response.TcpTestSucceeded){
            Write-Host -ForegroundColor Green "✔️ Port $($port.port) TCP/$($port.description) is reachable"
        } else {
            Write-Host -ForegroundColor Red "❌ Port $($port.port) TCP/$($port.description) is not reachable"
        }
    }

    # The Spool Service check uses the dynamic RPC range (49152-65535), which is not probed here
    Write-Host -ForegroundColor Yellow "⚠️ You need to check Spool Service ports"
}

# Replace 127.0.0.1 with the IP address of a Domain Controller or of a domain computer
Test-FSProtectPorts -IPAddress 127.0.0.1
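The script above can only confirm TCP. The following added example (not part of the FSProtect documentation) probes the UDP side of DNS (53) and NTP (123) from the firewall table by sending one minimal, well-formed request on each protocol and checking for a matching reply. The server names and the query name are assumptions taken from the examples on this page; a timeout shows that the UDP path is not usable but cannot tell a blocked port from a stopped service.

```powershell
# Added example (not from the FSProtect documentation): probe UDP/53 and UDP/123
# with a real DNS query and a real NTP client packet, since Test-NetConnection
# only tests TCP. Server names and the query name are assumptions.

function Send-UdpProbe {
    param(
        [string]$Server,
        [int]$Port,
        [byte[]]$Payload,
        [int]$TimeoutMs = 2000
    )
    $client = New-Object System.Net.Sockets.UdpClient
    $client.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$client.Send($Payload, $Payload.Length, $Server, $Port)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        return $client.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        return $null        # timeout or ICMP port unreachable
    } finally {
        $client.Close()
    }
}

function Test-DnsUdp {
    param([string]$Server, [string]$Name = 'fslab.local')
    # Minimal DNS query: header (ID 0x1234, RD=1, QDCOUNT=1), QNAME labels, QTYPE A, QCLASS IN
    $q = [System.Collections.Generic.List[byte]]::new()
    $q.AddRange([byte[]](0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00))
    foreach ($label in $Name.Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $q.Add([byte]$bytes.Length); $q.AddRange($bytes)
    }
    $q.AddRange([byte[]](0x00, 0x00,0x01, 0x00,0x01))
    $reply = Send-UdpProbe -Server $Server -Port 53 -Payload $q.ToArray()
    # A valid reply (even NXDOMAIN) echoes the transaction ID and has the QR bit set
    return ($null -ne $reply -and $reply.Length -ge 12 -and
            $reply[0] -eq 0x12 -and $reply[1] -eq 0x34 -and ($reply[2] -band 0x80) -ne 0)
}

function Test-NtpUdp {
    param([string]$Server)
    # 48-byte NTP client packet: LI=0, VN=3, Mode=3 (client); remaining fields zero
    $pkt = New-Object byte[] 48
    $pkt[0] = 0x1B
    $reply = Send-UdpProbe -Server $Server -Port 123 -Payload $pkt
    # A server reply is 48 bytes with Mode=4 in the low three bits of byte 0
    return ($null -ne $reply -and $reply.Length -eq 48 -and ($reply[0] -band 0x07) -eq 4)
}

$DnsServer = 'dc01.fslab.local'   # assumed DC / DNS server
$NtpServer = 'dc01.fslab.local'   # assumed PDC emulator / NTP source
"UDP/53  DNS reachable from this host: $(Test-DnsUdp -Server $DnsServer)"
"UDP/123 NTP reachable from this host: $(Test-NtpUdp -Server $NtpServer)"
```

Run it on the FSProtect server itself so that the probe takes the same path through the firewall as the scans will.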

You can use the PowerShell script below to verify DNS configuration, Active Directory connectivity and the status of the scan user.

$Forest = "fslab.local"
$UserName = "fsprotectuser"
$Password = Read-Host -Prompt "Password: " -AsSecureString

function Test-ADConnection {
    param
    (
        [parameter(Mandatory=$true)][String]$Forest,
        [parameter(Mandatory=$true)][String]$UserName,
        [parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )

    # Locate the PDC emulator through the DC locator; this exercises the DNS SRV records
    $PdcOutput = nltest /dsgetdc:$Forest /PDC
    if ($LASTEXITCODE -ne 0 -or $null -eq $PdcOutput){
        Write-Host "!!!!!!!! --> PDC not accessible. Forest: $Forest"
        return
    }

    $PdcOutput
    Write-Host "# PDC is accessible"

    # Extract the DC IP address from the "Address: \\x.x.x.x" line of the nltest output
    $ServerIp = ([regex]::Match($PdcOutput,'(?<=\\\\)(\b25[0-5]|\b2[0-4][0-9]|\b[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}')).value

    # DirectoryContext needs the password in clear text; the BSTR is zeroed and freed afterwards
    $Bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $Password_Plaintext = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    }

    $ContextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::DirectoryServer
    $ADContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext $ContextType, $ServerIp, "$Forest\$UserName", $Password_Plaintext

    # GetDomain throws (rather than returning $null) when the bind with the scan user fails
    try {
        $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ADContext)
    } catch {
        Write-Host "!!!!!!!! --> AD is not enumerable. Forest: $Forest - Username: $UserName - $($_.Exception.Message)"
        return
    }

    $DomainObj = $Domain.GetDirectoryEntry()
    $DomainObj

    Write-Host "----------------------------"
    Write-Host "# Enumeration Success"
    Write-Host "IP: $ServerIp"
    Write-Host "Path: $($DomainObj.Path)"
    Write-Host "----------------------------"
}

Test-ADConnection -Forest $Forest -UserName $UserName -Password $Password

Installation Requirements Checklist

No | Checklist Item | Status (Yes/No)
--- | --- | ---
1 | Has the server been set up according to the requirements specified for the installation of FSProtect? (Requirement 1 and Requirement 2) |
2 | Have the specified firewall rules been created for the network access? (Requirement 3 and Requirement 4) |
3 | Can the server resolve all FQDNs and server IP addresses in the Active Directory domains to be scanned? |
4 | Is the security software on the server disabled, or have the necessary exclusions been implemented? (Requirement 5) |
5 | Is one of the Google Chrome, Mozilla Firefox or Microsoft Edge browsers installed on the server to access the FSProtect web interface? (Requirement 6) |
6 | Have domain users with the specified requirements been created in all forests to perform Active Directory scans? (Requirement 8) |
7 | Has the required Group Policy object been created to perform local inventory enumeration? (Requirement 9) |
