Deploying HIDS Agents

Applies to Product: USM Appliance™ LevelBlue OSSIM®

In this section, you will learn about deploying HIDS agents from the asset list view:

Deploying HIDS Agents to Linux Hosts

The Asset List View only supports deployment to Microsoft Windows servers. To deploy HIDS agents on Linux hosts, see Deploy the AlienVault HIDS Agents to Linux Hosts.

Deploying HIDS Agents to Windows Hosts

Before you can deploy a HIDS agent to the Windows machine, make sure that it meets the following requirements.

  • If using any network accelerator devices in the environment, you must add USM Appliance Sensor to their allowlist. This is because the USM Appliance Sensor utilizes SMB (Server Message Block) to transfer the HIDS agent installation package to the Windows machine. If the network accelerator tries to optimize the traffic from the USM Appliance Sensor, it may cause the HIDS deployment to fail.

  • The operating system must be one of the following

    • Microsoft Windows XP
    • Windows 7, 8, or 10
    • Windows Server 2003, 2008R2, or 2012R2

  • You need to use a user account that belongs to the same Administrators group as the local Administrator account.

    Note: For security reasons, the local Administrator account is disabled by default on all versions of Windows currently in mainstream support. In order for the HIDS deployment to succeed, you need to enable the local Administrator account (not recommended), or create a user account and add it to the built-in Administrators group.

  • You must have changed the target Windows machine based on the steps below.

    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use simple file sharing.
    3. Go to Control Panel > Windows Firewall > Exceptions.
    4. Select File and Printer Sharing.
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Go to Control Panel > User Accounts > Change User Account Control Settings.
    6. Move the slider to Never notify.
    1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules.
    2. Enable File and Printer Sharing (SMB-In).
    3. To allow NTLMv2 security, run gpedit.msc.

    4. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change these settings.

      1. Network Security: Minimum session security for NTLMSPP based (including secure RPC) clients, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      2. Network Security: Minimum session security for NTLMSPP based (including secure RPC) servers, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      3. Network Security: LAN Manager Authentication level, select
        • Send NTLMv2 response only\refuse LM & NTLM
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Enable Windows Management Instrumentation (WMI) entry.
    6. Go to Control Panel > User Accounts > Change User Account Control Settings.
    7. Move the slider to Never notify.

    8. Open Group Policy.

      1. Go to Local Policies > Security Options
      2. Set Network access: Shares that can be accessed anonymously to IPC.
      3. Set User Account Control: Run all administrators in Admin Approval Mode to Disabled (recommended).
    9. Apply changes and restart the machine.

Note: The Winexe installation utility may trigger a false positive alert as a “potential hacking tool” during an authorized application installation, even though the Winexe remote installation is an authorized action. In this instance, the best practices are to either allowlist the IP address of USM Appliance, or temporarily disable the antivirus software during the installation.

HIDS Agent Deployment on Selected Assets

To deploy HIDS agents on selected assets

  1. Go to Environment > Assets & Groups > Assets.
  2. Select the asset(s) you want to edit. For assistance, see Selecting Assets in Asset List View.

  3. Click Actions, and then Deploy HIDS Agents.

    The Deploy HIDS Agents screen appears.

  4. Type your MS Windows login credentials. Domain is optional, but the user accounts must have administrator privileges.

  5. Click Deploy.

    USM Appliance deploys HIDS agents on the selected asset(s). For every deployment attempt, the system generates a message in the Message Center Inbox in the USM Appliance web UI which lists messages publicizing availability of various LevelBlue product updates plus other messages such as system errors and warnings. with the outcome.

    Note: After successful deployment, USM Appliance does not show the status of the HIDS agents in real time. Instead, it updates the agents in the background, hourly.

Bulk Deployment Constraints

If you plan to deploy HIDS agents to multiple assets at the same time, keep the following in mind:

  • You must be able to access the selected assets using the same credential.

  • All of the assets are Windows-based.

If none of the assets are Windows-based, USM Appliance does not deploy the HIDS agents. A warning message displays instead.

If only some of the assets are Windows-based, you have the following options:

  • Cancel. Cancel the deployment and go back to the Asset List View.
  • View these assets. Cancel the deployment and view the non-Windows assets in the Asset List View.
  • Continue. Continue with the deployment on the Windows assets only.

Re-naming an Asset with a HIDS Agent Deployed

You cannot change the name of an asset when the deployed HIDS agent is connected. To update the name properly, you must disconnect the HIDS agent first, or shut it down.

About Legacy HIDS Agents

If you upgrade to USM Appliance version 5.1 from a previous version, you may already have some HIDS agents deployed. USM Appliance tries to link legacy HIDS agents with an asset. If the IP address of the HIDS agent does not exist in the inventory, the system creates a new asset with that IP address.

Should the system not have enough information to link the HIDS agent with an asset, a message appears in the Message Center, asking you to link the asset manually.

To connect an HIDS agent with an asset

  1. Go to Environment > Detection > HIDS > Agents.

    The list of HIDS agents displays.

  2. Select the HIDS agent without a value in the Asset column and click the link () icon.

    The Connect an Asset to HIDS agent page displays.

  3. Type in the IP address of the asset or select it from the asset tree.

  4. Click Save.

  5. Click Yes to confirm.