Deploying HIDS to Servers

Applies to Product: USM Appliance™ AlienVault OSSIM®

We recommend deploying a host-based intrusion detection system (HIDS) to enable

  • File integrity monitoring
  • Rootkit detection
  • Event log collection

The Getting Started Wizard provides two options for HIDS agent deployment.

Windows — HIDS agent is installed locally on specified hosts. All Windows hosts must meet the prerequisites described in the Asset Management topic, Deploying HIDS Agents, of the USM Appliance User Guide.

UNIX/Linux — HIDS agents are not installed on hosts but provide agentless operation. UNIX and Linux systems are monitored remotely for file integrity only. For information on installing HIDS agents on UNIX/Linux hosts, see Deploy the AlienVault HIDS Agents to Linux Hosts.

Before you can deploy a HIDS agent to the Windows machine, make sure that it meets the following requirements.

  • If using any network accelerator devices in the environment, you must add USM Appliance Sensor to their allowlist. This is because the USM Appliance Sensor utilizes SMB (Server Message Block) to transfer the HIDS agent installation package to the Windows machine. If the network accelerator tries to optimize the traffic from the USM Appliance Sensor, it may cause the HIDS deployment to fail.

  • The operating system must be one of the following

    • Microsoft Windows XP
    • Windows 7, 8, or 10
    • Windows Server 2003, 2008R2, or 2012R2

  • You need to use a user account that belongs to the same Administrators group as the local Administrator account.

    Note: For security reasons, the local Administrator account is disabled by default on all versions of Windows currently in mainstream support. In order for the HIDS deployment to succeed, you need to enable the local Administrator account (not recommended), or create a user account and add it to the built-in Administrators group.

  • You must have changed the target Windows machine based on the steps below.

    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use simple file sharing.
    3. Go to Control Panel > Windows Firewall > Exceptions.
    4. Select File and Printer Sharing.
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Go to Control Panel > User Accounts > Change User Account Control Settings.
    6. Move the slider to Never notify.
    1. Go to Control Panel > Windows Firewall > Advanced Settings > Inbound Rules.
    2. Enable File and Printer Sharing (SMB-In).
    3. To allow NTLMv2 security, run gpedit.msc.

    4. Go to Local Security > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and change these settings.

      1. Network Security: Minimum session security for NTLMSPP based (including secure RPC) clients, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      2. Network Security: Minimum session security for NTLMSPP based (including secure RPC) servers, select
        • Require NTLMv2 session security
        • Require 128-bit encryption
      3. Network Security: LAN Manager Authentication level, select
        • Send NTLMv2 response only\refuse LM & NTLM
    1. Go to Control Panel > Folder Options > View.
    2. Deselect Use Sharing Wizard (Recommended).
    3. Go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules.
    4. Enable File and Printer Sharing (SMB-In).
    5. Enable Windows Management Instrumentation (WMI) entry.
    6. Go to Control Panel > User Accounts > Change User Account Control Settings.
    7. Move the slider to Never notify.

    8. Open Group Policy.

      1. Go to Local Policies > Security Options
      2. Set Network access: Shares that can be accessed anonymously to IPC.
      3. Set User Account Control: Run all administrators in Admin Approval Mode to Disabled (recommended).
    9. Apply changes and restart the machine.

Note: The Winexe installation utility may trigger a false positive alert as a “potential hacking tool” during an authorized application installation, even though the Winexe remote installation is an authorized action. In this instance, the best practices are to either allowlist the IP address of USM Appliance, or temporarily disable the antivirus software during the installation.

To deploy HIDS

  1. Select the Windows or the UNIX/Linux tab, as appropriate.

  2. Type your Username and Password.

    Note: For UNIX/Linux systems, this should be your SSH credentials.

  3. (Windows only) Optionally, enter the Domain information.
  4. From the asset tree on the right, choose the asset(s) on which you would like to deploy a HIDS agent.

  5. Click Deploy.

    The HIDS Deployment popup prompts you for confirmation

  6. Click Continue.

    A progress bar appears.

    After the deployment finishes, a message displays the number of devices successfully deployed with HIDS.

  7. Click OK.

    Deploy HIDS to Servers window for Getting Started Wizard

  8. After you finish deploying the HIDS agents, click Next at bottom-right to proceed.

Next...

You must now enable the USM Appliance Log to collect data from network assets; see Enabling Log Management.