Getting Started With Halo for Windows
For CloudPassage Halo

Protecting your Windows servers in a public or private cloud is much easier and more secure with CloudPassage® Halo® for Windows. Halo for Windows brings to Windows Server users the same ease of use and strong protection that CloudPassage is known for in the Linux world.

With Halo for Windows, you can set up strong, automatically deployed Windows firewall protection for any Windows Server 2008 or 2012 installation. You can create and deploy a security-events policy that notifies you of potentially suspicious events. You can set up file integrity monitoring, to detect file, directory, and registry changes that may indicate an intrusion. And, your server administrators can use GhostPorts multi-factor authentication to achieve maximum security when remotely administering your servers. Just follow the simple steps listed here to implement serious protection for your Windows servers.

Contents:

Install Halo Daemons
  New Installation
  Upgrade Installation
Start Using Halo for Windows
  Create a Server Group
  Deploy a Windows Firewall Policy
  Deploy a Special Events Policy
  Deploy File Integrity Monitoring
  Use GhostPorts for Secure Server Administration
Advanced Techniques for Windows Daemons
  Performing Unattended Installations
  Installing a Daemon on Your Gold Master Server
  Using Halo Server Tags to Populate Server Groups
  Uninstalling a Halo Daemon


Install Halo Daemons

It's simple and fast to start securing your Windows servers with CloudPassage Halo. The first thing to do is to install the Halo Daemon (a Windows service) on one or more of your servers. You can install the Daemon on Windows Server 2008 R1 or R2. Just follow the five steps below, and you could be up and running in less than 5 minutes.

You will need:
- Administrative access to your Windows cloud server (for example, through Remote Desktop Connection)
- Registration with CloudPassage and access to the Halo Portal
- An assigned CloudPassage Daemon registration key (you'll retrieve it from the Portal in Step 3)

Note: These installation instructions are also available in the Portal itself, at Servers > Install Windows Daemons.

New Installation

If you have not previously installed a Daemon on your server, follow these steps.

1  Log into your Windows server
Log into your Windows 2008 server using a Windows Remote Desktop Connection client (or using a browser with Remote Desktop Web Access). You'll perform all five steps on your remote server.

2  Start Internet Explorer as administrator
To launch Internet Explorer, right-click the Internet Explorer icon (or Ctrl-Shift-click if your local machine is a Macintosh), and choose Run as Administrator.

3  Log into the CloudPassage Halo Portal
Using Internet Explorer on your server, go to https://portal.cloudpassage.com and log in with the credentials sent to you when you signed up for Halo. You will need to add *.cloudpassage.com to Internet Explorer's trusted site list in order to log into the Portal. Then navigate to Servers > Install Windows Daemons. (You may also be asked to add other sites, such as Google Analytics or Marketo, to the trusted site list. It is not necessary to do that to download the Daemon installer.)

4  Download the Halo Daemon installer
On the Daemon installation page for Windows, click Download cphalo-2.4.2-win32.exe. The installer program is copied to whatever location on your cloud server you specify.

5  Run the installer and enter your Daemon registration key
Leaving your Internet Explorer window open, locate the installer file on your server and double-click it. The installation starts. When prompted to enter your Halo Daemon registration key, return to the browser window (at Servers > Install Windows Daemon) and copy the registration key from that page. Then paste the key into the Daemon Registration Key field in the installer. Click Install to complete the installation, then click Finish to leave the installer.

Note: You can also assign your server to a server group by specifying a server tag when you run the installer. See Using Halo Server Tags to Populate Server Groups.

You're Done!
The Halo Daemon is now running as a Windows service on your server. You can close the Remote Desktop session and start configuring and monitoring your server's security through the Halo Portal accessed from your local machine. Or, you can repeat these steps to install Daemons on additional servers.

Note: For information on advanced installation techniques and on uninstallation, see Advanced Techniques for Windows Daemons.

Upgrade Installation

Upgrading from a 32-bit Daemon to a 64-bit Daemon
If your server currently has an installed 32-bit Halo Daemon (version 2.5.6 or earlier) and you are upgrading to a newer, 64-bit Daemon (version 2.7.8 or later), you will need to uninstall the 32-bit Daemon and then install the 64-bit Daemon as a new installation rather than an upgrade installation. The configuration of your 32-bit server and its server-group assignment will not be carried over to your 64-bit server. Follow these steps to upgrade:

1. Connect to your server through RDP and open Add/Remove Programs.
2. Remove the Daemon from your server by following the steps in Uninstalling a Halo Daemon.
3. In the Halo Portal, note the server group that the (now deactivated) server belongs to. Then move the server into the Retired group, or simply delete it from Halo if you do not want to preserve a record of its configuration or history.
4. Proceed to install the new server as described in New Installation.
5. Back in the Halo Portal, select your server from the Unassigned group and add it back into its appropriate server group.

Start Using Halo for Windows

Once you have installed Daemons on your servers, you're ready to put them to work. First, you'll create groups of servers that have the same firewall and other security requirements; then you'll create the policies and have Halo deploy them to the servers.

Create a Server Group

The concept of server groups is fundamental to Halo. A server group is a set of similar servers—such as all of the web servers, or all of the load-balancers—that can have the same Halo security policy. For example, all servers in a given group will use the same firewall policy. In Halo, you assign a policy to a server group, not to an individual server. So you'll need to create server groups before any of your Halo policies (such as firewalls) can take effect. Once you have installed daemons on a set of similar servers (or maybe just one daemon on a golden master server), follow the instructions below to create a group:

1  Log into the Halo Portal Dashboard.
Log into the Halo Portal. (Dismiss the Getting Started With Halo dialog box if it appears.) You are on the Dashboard page, which lists all existing server groups. If you were already in Halo, click the CloudPassage logo or the Servers menu to go to the Dashboard.

2  Create a new server group.
Click Add New Group at the bottom of the list of server groups. In the dialog box that opens, give the group a name and click Save. You do not need to fill in any other fields yet. The group now appears in the list of server groups on the Dashboard.

3  Select servers and add them to the group.
On the Dashboard page, verify that your new group appears in the server-group list, then look in the Unassigned or All Servers group to find the servers that you want to add to your group. (All Servers includes every server in your installation that has an installed Daemon, whether or not it belongs to a server group. Unassigned includes only servers with daemons that belong to no group.) Only servers that already have installed daemons can appear on this page.

Use the checkboxes to select which servers to add, then choose Move Server(s) from the Actions drop-down menu to move them into your server group.

Your selected servers are now in your group. As you create policies (see following sections), you can return to the Dashboard page to assign them to this group.

Deploy a Windows Firewall Policy

Now use CloudPassage Halo to easily create a Windows firewall policy for the server group you just created. Once the policy is active and any server comes online through cloning or re-activation of a server in this group, that new server automatically receives the latest appropriate firewall policy from Halo.

1  Go to the New Windows Firewall Policy page.
In Halo, navigate to Policies > Firewall Policies and click Add New Windows Firewall Policy.

2  Create firewall rules.
1. Enter a name and optional description for the policy.
2. Create inbound rules: For each rule, specify whether the firewall should accept or drop incoming communication of a specified network service (such as HTTP over TCP port 80) from a specified source (such as a given IP address range or Halo server group).
3. Create outbound rules: For each rule, specify whether the firewall should accept or drop outgoing communication of a specified network service (such as SMTP over TCP port 25) to a specified target (such as a given IP address range or Halo server group).

Note: If you create an inbound rule that accepts a connection, you do not need to create an outbound rule that permits return communication on that connection. Halo creates those automatic corollary rules for you. The rules don't appear on the screen, but you can see them if you export the policy.

4. Create as many rules as you need, specify default behaviors (what to do if no rules are matched), choose your logging preferences, and click Apply.

3  Open your server group details. Back on the Halo Dashboard, click your server group's name in the group list, then click Edit Details beneath the name. The Edit Group Details dialog opens.

4  Assign the firewall policy to your server group. In the Firewall Policies area, open the Windows Policy drop-down menu and select the name of the policy that you just created. (Note that Linux policies appear in a different field.) Then click Save.

Your firewall policy is deployed automatically to the servers in your server group and it will start protecting them right away. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Deploy a Special Events Policy


The Halo special-events alerting system notifies you of unusual occurrences in your cloud installation that may have security implications. For example, if a server unexpectedly restarts, if its IP address changes, or if a firewall configuration is changed outside of Halo, it could be a signal that something malicious has happened and you may want to be alerted in real time. You control the system by implementing a special events policy and assigning it to a server group.

1  Go to the Add New Special Events Policy page.
In Halo, navigate to Policies > Special Events Policies and click Add New Special Events Policy.

2  Choose events for logging and alerting.
1. Enter a name and optional description for the policy.
2. Choose the events to include in the policy. Choose which events are to be logged, which should be flagged as critical on the Security Events History page, and which you want to receive email alerts about when they occur. Note that some events are marked as Linux-only and are not available for Windows servers.
3. When you have added all the events you want to include, click Save.

3  Assign the policy to a server group.
On the Halo Dashboard, click the name of a server group that you want this policy to apply to, then click Edit Details beneath the name. The Edit Group Details dialog opens. From the Special Events Policy drop-down menu, select the name of the policy that you just created. Then click Save.

Your special events policy is deployed automatically to the servers in your server group and it will immediately start monitoring them for the occurrences you have specified. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.

Note: If a server group has no assigned special events policy, the "global security events policy" is assigned by default.

4  Create and assign an alert profile.
When an event occurs on a server, an alert is sent to the Halo users listed in all of the alert profiles assigned to that server's group. If you wish to receive alerts, you must create an alert profile and assign it to your group.
1. Go to Policies > Alert Profiles, and click Add New Alert Profile.
2. Name the profile and choose the Halo users to add to it.
3. Specify who receives which levels of alerts, and save the profile.
4. Go to the Dashboard, select your server group, and click Edit Details beneath its name.
5. On the Edit Group Details page, select your profile from the Alert Profiles drop-down list, then save your changes.

Note: If a server group has an assigned special-events policy but no assigned alert profile, any alerts generated through the policy are sent to all of your company's users that are Halo site administrators.

Deploy File Integrity Monitoring

Use the file integrity monitoring feature (available with a Halo Professional subscription) to scan your servers for any alterations to critical system files, directories, or registry keys—or any removal or addition of those objects—any of which could indicate malicious tampering.

1  Set up a file integrity policy
1. Navigate to Policies > File Integrity Policies, and click either Policy Templates or Add New Windows Policy.
2. Get started filling in the policy: If you clicked Policy Templates, locate the Windows file integrity policy that you want to use, and select Clone from its Actions drop-down menu. The Add New Policy page opens, with the content of the template filled in. If you clicked Add New Windows Policy, you are taken directly to the Add New Policy page.
3. On the Add New Policy page, create (or optionally customize, if it's a cloned template) the set of "targets" for the policy to monitor—configuration files, system files, directories, or registry keys whose presence and integrity are vital to secure system functioning. Also, for each directory target:
   - If you want to scan all files at all levels within the directory and its subdirectories, select Recurse. To scan only files at the top level in the directory, leave Recurse unselected.
   - If you want to scan only a certain file or set of files within the target directory, click Add Pattern, move the slider to Inclusion, and name the file or specify a wildcard pattern (such as *.exe) to define the set of files that you do want to scan.
   - If you don't want to scan a certain file or set of files within the target directory, click Add Pattern, move the slider to Exclusion, and name the file or enter a wildcard pattern (such as *.log) to define the set of files that you don't want to scan.

2  Run a baseline scan, assign it to the policy
1. Save the policy, then click Add Baseline or Request Baseline Now to set the baseline server for the policy and to perform the initial baseline scan, against which future scans of a server group will be compared.

3  Assign the policy to a server group
1. Navigate to the Dashboard, click the name of a server group to assign the policy to, and click Edit Details below the group name.
2. In the File Integrity Policies field, add your new policy to the group by selecting it from the dropdown list. Then click Save.

4  Run a scan and view the results
To view results after a file integrity scan completes, go to Servers > File Integrity Monitoring, select your server group, then click an individual server name. Or go to Servers > Security Events History and filter the search results to show just File Integrity object ... event types. For detailed instructions on setting up a file integrity policy and running scans, see Monitoring Server File Integrity.

Use GhostPorts for Secure Server Administration

If you have a NetSec or Professional subscription to Halo, you can use GhostPorts multi-factor authentication to achieve strong protection of network access to your Windows servers. It is the most secure way to control access to administrative services on cloud servers, and it has the flexibility to allow authorized, secure access from anywhere. With GhostPorts, your administrators can lock down all administrative ports, then use a firewall policy to dynamically open only specific ports for a specific authenticated user from a given IP address, for a defined period of time. The ports then automatically close when the time period expires.

GhostPorts works with either SMS transmission of authentication codes over a mobile phone, or with a USB device called a YubiKey® from Yubico. You can order the keys directly from Yubico or by filling out the form on the CloudPassage public site, at cloudpassage.com/ghost.

Note: GhostPorts multi-factor authentication is available only to Halo users with a NetSec or Professional subscription.

To take advantage of GhostPorts' extra protection for your Windows servers, follow these steps:

1  Enable a GhostPorts user.
For each user that is to have GhostPorts access, do this on the Invite New User page (at Settings > Site Administration > Users > Invite New User) or Edit User page (at Settings > Site Administration > Users > username > Edit) in the Halo Portal:
1. Select the checkbox to enable GhostPorts access for that user.
2. Specify the multi-factor authentication requirement—SMS code (one-time password transmitted by phone) plus Halo credentials, or YubiKey (hardware device) plus Halo credentials.
3. Configure the authentication method:
   - For SMS authentication, enter the user's phone number (must be a mobile account with text messaging enabled).
   - For YubiKey authentication, insert the user's YubiKey into your computer's USB port, place the cursor in the User YubiKey field on the page, and lightly touch the circle on the top of the YubiKey to enter its value into the field.
For SMS, the user now must log into Halo and verify the phone number before authenticating to GhostPorts; for YubiKey, the user can authenticate as soon as you provide the user with the configured YubiKey. Either method ensures highly secure, multi-factor authentication for accessing and administering a cloud server.

2  Set up firewall rules to handle GhostPorts users.
In the firewall policy for each server group in which you want to implement GhostPorts support, create an inbound rule that specifies that administrative access (for example, RDP for Remote Desktop Protocol) to the server through the port used (for example, 3389) is allowed only for the GhostPorts user that you have set up in Step 1. (The user appears in the Source drop-down list.) The policy should not have any other ACCEPT rules for administrative access. When that GhostPorts user authenticates, Halo dynamically replaces the policy rule with one that allows access from the specific IP address of the computer that the user just logged in from. After a time window passes, access from even that IP address is disallowed until the user authenticates to GhostPorts again.

3  GhostPorts user: complete your authentication setup.
SMS: If you are an SMS-enabled GhostPorts user, you first need to log into Halo and go to the Open GhostPorts page. Follow the instructions to verify your phone number, after which you will be able to log in and authenticate to GhostPorts.
YubiKey: Each YubiKey-enabled user needs to have the specific YubiKey configured for that user. As soon as you obtain your device from your Halo site administrator, you will be able to log in and authenticate to GhostPorts.

4  GhostPorts user: access a remote server.
If you are a server administrator (or other user) whose GhostPorts access has been enabled, take these steps to access your server:
1. Log into the Halo Portal and click Open GhostPorts to go to the Open GhostPorts page.
2. Authenticate to GhostPorts:
   For SMS authentication:
   a. Click Send Authentication Code to instruct Halo to send an SMS code to your phone.
   b. When you receive the code on your phone, enter it into the Authentication Code field on the GhostPorts page, then click Submit. You have 5 minutes to enter the received SMS code into the field. The code typically arrives on your phone in less than a minute.
   For YubiKey authentication:
   a. Place your YubiKey into your computer's USB port, and click in the blank field on the GhostPorts page.
   b. Lightly touch the circle on the top of your YubiKey to transfer a one-time password value into the field.
3. Within a few minutes, the administrative ports on your server will be open. From this computer, launch Remote Desktop Connection or other remote-access tool, and log into your cloud server as you normally do.
Your access to your cloud servers is now open, but only from the IP address of the machine you authenticated from, and only for four hours (or less, if you click Close GhostPorts in the Portal to manually close them sooner than that).

Advanced Techniques for Windows Daemons

Performing Unattended Installations

You can use the CloudPassage installer in a non-interactive mode to install a Halo Daemon without user intervention. This capability allows you to schedule installs, perform remote installs without a remote administrator, and use a single command to bulk-provision an entire server installation with Halo Daemons.
1. Run a command-prompt window as administrator: right-click the command-prompt icon (for example, in the Start menu) and select Run as administrator from the context menu.
2. Change the current directory to the folder that contains the Halo installer file.
3. Execute a command with the following syntax:

   cphalo-2.4.2-win32.exe /S /DAEMON-KEY RegKey [/D installdir] [/TAG servertag] [/NOSTART]

where

S          Specifies that the installation should be silent (unattended). Must be uppercase.
RegKey     Your 32-character Halo Daemon registration key.
installdir (optional) The directory into which to install the Daemon. If you specify nothing, the Daemon is installed in either Program Files or Program Files (x86).
servertag  (optional) This Daemon's server tag. See Using Halo Server Tags to Populate Server Groups.
NOSTART    (optional) Specifies that the Daemon should not start up after installation. By default, the Daemon starts when installation completes.
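The unattended command above, wrapped in a PowerShell function that checks its inputs before running the installer and verifies the result afterwards. This is an added example, not CloudPassage's own tooling; it assumes the service's display name is "CloudPassage Halo Daemon" (the name shown in the Services console later in this guide) and that the installer exits with code 0 on success. It also enforces the server-tag character rule from the Using Halo Server Tags section.

```powershell
# Added example (not from the CloudPassage guide): a checked wrapper around
#   cphalo-2.4.2-win32.exe /S /DAEMON-KEY RegKey [/D installdir] [/TAG servertag] [/NOSTART]
# Assumptions not stated on the page: service display name "CloudPassage Halo Daemon";
# installer exit code 0 means success.

function Install-HaloDaemon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,    # path to cphalo-2.4.2-win32.exe
        [Parameter(Mandatory)] [string] $RegistrationKey,  # 32-character key from the Portal
        [string] $InstallDir,                              # optional: /D installdir
        [string] $ServerTag,                               # optional: /TAG servertag
        [switch] $NoStart                                  # optional: /NOSTART
    )

    # The guide says the key is 32 characters; reject anything else before running
    # so a copy/paste error does not leave an installed but unregistered daemon.
    if ($RegistrationKey.Length -ne 32) {
        throw "Registration key must be exactly 32 characters (got $($RegistrationKey.Length))."
    }
    # Server tags: alphanumerics plus dots, dashes and underscores only, no spaces.
    if ($ServerTag -and $ServerTag -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Server tag '$ServerTag' contains characters other than letters, digits, '.', '-' or '_'."
    }
    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }
    # A silent install needs the same elevation as the interactive wizard.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Run as administrator) PowerShell session."
    }

    # Build the argument list in the order the guide documents. /S must be uppercase.
    $argList = @('/S', '/DAEMON-KEY', $RegistrationKey)
    if ($InstallDir) { $argList += @('/D', $InstallDir) }
    if ($ServerTag)  { $argList += @('/TAG', $ServerTag) }
    if ($NoStart)    { $argList += '/NOSTART' }

    # Never echo the full key into transcripts or logs; show only its last 4 characters.
    Write-Verbose ("Running {0} with key ending ...{1}" -f $InstallerPath, $RegistrationKey.Substring(28))
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $argList -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode)."
    }

    # Post-install check: the daemon must now exist as a Windows service and,
    # unless -NoStart was given, already be running.
    $svc = Get-Service -DisplayName 'CloudPassage Halo Daemon' -ErrorAction SilentlyContinue
    if (-not $svc) {
        throw "Install finished but no 'CloudPassage Halo Daemon' service was found."
    }
    if (-not $NoStart -and $svc.Status -ne 'Running') {
        throw "Service is installed but its status is '$($svc.Status)', not Running."
    }
    return $svc
}

# Example invocation (constructed values; substitute your own path, key and tag):
# Install-HaloDaemon -InstallerPath 'C:\Temp\cphalo-2.4.2-win32.exe' `
#     -RegistrationKey '<32-character-key-from-portal>' -ServerTag 'web-prod' -Verbose
```

Run it from a scheduled task or remote session running as an administrator; the function throws on any failed check, so a bulk-provisioning script can stop on the first server that did not end up with a running daemon.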

Installing a Daemon on Your Gold Master Server

If you use local "gold master" versions of your servers as templates from which to create cloud instances, you may want to install Halo Daemons on the gold masters. Then, when you create server instances, each will already have an installed daemon. The installation process is the same as for installing on a cloud server. And CloudPassage recommends that you start the Halo Daemon service after installing, by leaving the Start CloudPassage Halo Daemon now checkbox selected. Doing that will ensure that any cloud instances created from the gold master will have unique Halo IDs and will receive all updated Halo policies.

Using Halo Server Tags to Populate Server Groups

In the Halo Portal, the procedure for adding servers to a Halo server group is to select them manually on the Portal Dashboard and execute a command to move them into the server group of your choice. Halo allows you to automate this process and bypass manual assignment. When you create or edit a server group in the Halo Portal, you can specify a server tag for that group. The server tag is a string of your choice. Then, when you install a Halo Daemon on a server, you can optionally specify a server tag to be associated with that daemon whenever it starts up. If a daemon's server tag matches that of any existing server group, that server is automatically assigned to the group.

Note: A server tag can contain only alphanumeric characters plus dots, dashes, and underscores. No spaces or other characters are allowed.

There are several ways to assign a server tag:
- When running the installer wizard: The installer includes a screen that you can enter the tag into.
- When executing an unattended install: Use the /TAG servertag option on the command line.
- By using the Windows Service Manager after installation:
  a. Open the Services control panel. For example, from the Start menu, select Administrative Tools and then Services.
  b. Right-click the line for the CloudPassage Halo Daemon service, then select Properties from the drop-down menu.
  c. In the Properties dialog, enter the tag assignment in the Start parameters field, using this format: /tag=tagName
  d. Now start the service by clicking Start.
  Important: Do not click OK without first clicking Start. If you click OK first, the tag will not be assigned to the Daemon.

Note that it is also possible to add servers to groups programmatically. If you are interested, follow the Halo API Documentation link on the Support Resources page of the Halo Portal to obtain the documentation.

Uninstalling a Halo Daemon

Uninstallation through the Windows user interface: You can uninstall the Halo Daemon using Add/Remove Programs.
1. In the Start menu, select Control Panels.
2. Open the Services control panel, locate the Halo Daemon service, and stop it if it is running.
3. Open the Add/Remove Programs control panel.
4. Select the Halo Daemon service from the list, and click Uninstall. The Halo installer launches, displaying the Uninstall page.
5. Click Uninstall. The Halo Daemon is removed from your server.

Unattended uninstallation from the command line: You may be able to use the following command to silently uninstall the Halo Daemon from a server:

   installDir\Uninstall.exe /S

where installDir is the Daemon's installation directory (by default C:\Program Files\CloudPassage or C:\Program Files (x86)\CloudPassage).

Note: If User Account Control is enabled on a server, it may not be possible to execute this script unattended on that server.

Copyright ©2013 CloudPassage Inc. All rights reserved.
