PowerBroker For Windows Installation Guide


PowerBroker for Windows
Installation Guide
Version 7.8 – November 2018

Revision/Update Information: November 2018
Software Version: PowerBroker for Windows 7.8
Revision Number: 0

CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright 2018 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.

Contents

Introduction 1
  Before Contacting Technical Support 1
  Contacting Support 2
  Telephone 2
  Online 2
Policy Deployment Options 3
Installing for Group Policy or BeyondInsight Policy Distribution Mode 4
  Installing PowerBroker for Windows Components 4
  Installation MSI Packages 4
  Software Requirements 5
  Policy Editor Requirements 5
  Installation Overview 6
  Installing the Policy Editor 7
  Verifying Policy Editor Installation 8
  Configuring the Passcode Generator 9
Installing PowerBroker for Windows Client Software 10
  Deploying Client MSI Packages 10
  Verifying the Client Software Installation 12
  Command Line Installation for GPO Mode 12
Installing for BeyondInsight Deployment 14
  Configuring PowerBroker with BeyondInsight Management Console 14
  Generating a Certificate 14
  Creating an MSI File 14
  Deploying Certificate MSI Packages using GPO 14
  Configuring PowerBroker for Windows 15
  Command Line Installation for BeyondInsight Mode 18
Certificate Management 20
BeyondInsight Reporting 24
  Understanding How Reporting Works with BeyondInsight 24
Upgrading PowerBroker for Windows 26
  Preparation 26
  Backup and Export Existing Rules 26
  Preserve Administrative Template Settings 26
  Upgrade Process 27
  Installing PowerBroker for Windows Client Software 27
  Deploying Client MSI Packages 27
  Verifying the Client Software Installation 29
  Installing the Policy Editor 29
  Verifying Policy Editor Installation 30
  Configuring the Passcode Generator 31
  Reverting to a Previous Version 31
Licensing and Operating Modes 32
  Obtaining a License 32
  Creating a License File Request 32
  Importing a License File 34
  Deploying a License to Existing GPOs 36
  Frequently Asked Licensing Questions 36
  Do I need a license to process PowerBroker for Windows rules and policy settings? 36
  Do I need user licenses? 36
  Which containers (domains) should I license? 36
  How many licenses do I need? 37
  Are objects in subcontainers counted towards licensed totals? 37

Installation Guide 3 © 2018 BeyondTrust Software, Inc.

Introduction

This guide provides the installation instructions and software requirements for PowerBroker for Windows. For information about its features, benefits, functionality, and basic procedures, see the PowerBroker for Windows User Guide.

If you are upgrading from an earlier version of PowerBroker for Windows, follow the instructions in the "Upgrading PowerBroker for Windows" section.

Documentation Set for PowerBroker for Windows

The complete PowerBroker for Windows documentation set includes the following:
- PowerBroker for Windows Installation Guide
- PowerBroker for Windows User Guide
- PowerBroker for Windows online help
- PowerBroker for Windows McAfee ePolicy Orchestrator Guide

Obtaining Support

BeyondTrust provides an online knowledge base, as well as telephone and web-based support. In addition, when working with any PowerBroker for Windows item, you can click the Help button to view detailed information about available options.

Available Resources

The PowerBroker for Windows Knowledge Base provides information and solutions to many known problems and issues. Registered users can access the Knowledge Base by logging onto the BeyondTrust Partner Portal on the BeyondTrust website.

With the Policy Editor installer, there is now an option to add the Rule Library. This is a comprehensive set of preconfigured rules. You can find the Rule Library under the following path: C:\Program Files\BeyondTrust\RulesLibrary

Before Contacting Technical Support

Be sure to read this section before contacting technical support.

Tip: Is the PowerBroker for Windows client software running?
A computer must have the PowerBroker for Windows client software installed and running to recognize rules. If a computer does not respond to a rule or a policy setting, make sure that the client software is installed and activated on the computer. Run the Policy Monitor (polmon.exe) utility on the computer to check for client software activation and functionality.

Obtain as much information about the problem as possible using troubleshooting tools such as Policy Monitor, trace logging, event logging, and Resultant Set of Policy (RSoP) logging. For more information, see "Troubleshooting Mechanisms" in the PowerBroker for Windows User Guide.

To expedite support, collect the following information:
- Image or the full text of any error messages
- Context of the problem, including affected platforms
- How to reproduce the problem
- For client problems: a copy of the XML configuration data that produces the problem, trace output, event log messages, and RSoP reporting data if available.

Contacting Support

For support, go to our Customer Portal, then follow the link to the product you need assistance with. The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, account, latest product releases, product documentation, webcasts and product demos.

Telephone

Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support
North/South America: 866.529.2201, 949.333.1997 (enter access code)
All other Regions
Standard Support: 949.333.1995 (enter access code)
Platinum Support: 949.333.1996 (enter access code)

Policy Deployment Options

Before you begin installing the PowerBroker for Windows Client and Policy Editor, you must decide how you would like to deploy your policies. The following options are available for deploying your PowerBroker for Windows policies:
- Group Policy Management Console (GPMC)
- Central Policy Integration with BeyondInsight
- McAfee ePolicy Orchestrator (ePO)

A client can only be configured for one scheme. A mixture of clients running different schemes is supported but requires additional work, as the rule sets are completely separate.

Group Policy

Rules and client configuration settings are contained in Active Directory Group Policies and are processed by the client on the defined Group Policy interval. Benefits of using Group Policy:
- Settings replicated through multiple servers
- Multiple policy resources (Domain Controllers)
- No web server required

Central Policy

Rules and client configuration settings are contained in the BeyondInsight database, hosted by a web service on the BeyondInsight server, and are processed by the client on an interval separate from the Group Policy interval. Benefits of using Central Policy:
- Clients not required to be joined to a domain
- No permissions required in Active Directory

ePolicy

Rule and client configuration settings are contained as an extension of McAfee ePolicy Orchestrator (ePO). Currently ePO 5.9 and 5.3 are supported with the appropriate extension. These settings are processed during a McAfee Agent Policy Enforcement cycle. Benefits of using ePolicy:
- Utilize existing infrastructure for policy configuration
- Can use BeyondInsight as an optional security auditing platform
- Delegated rights to Group Policy are not necessary

Installing for Group Policy or BeyondInsight Policy Distribution Mode

Installing PowerBroker for Windows Components

You must install two PowerBroker for Windows components: the Policy Editor and the Client. PowerBroker for Windows also has a reporting component which is available using BeyondInsight.

- Policy Editor - This component must be installed on computers used to edit Group Policy Objects (GPOs). This does NOT need to be installed on the domain controller, only on the machine used to edit policy. If you are using a Central Store for ADMX/ADML files, the Central Store will need to be updated manually. If you are deploying policy via BeyondInsight, install the Policy Editor on a machine that can connect to BeyondInsight. The Policy Editor provides the ability to change the permissions and privileges of Windows applications using rules, thereby implementing a least privilege security model for Windows. Use the PowerBroker for Windows Policy Editor installer to install this component. For installation instructions, see "Installing the Policy Editor".
- Client - This component must be installed on each computer where PowerBroker for Windows rules are enforced. This client software enables computers to recognize PowerBroker rules in GPOs. Use the PowerBroker for Windows Client Software installer to install this component. For installation instructions, see "Installing PowerBroker for Windows Client Software".

Installation MSI Packages

The following table identifies installation MSI packages and the components installed by each. Note that separate installer files are provided for 32-bit and for 64-bit systems.

Table 1. PowerBroker for Windows Installation Components

Installer MSI File: Policy Editor installers
  PowerBroker Policy Editor (32 Bit) 7.8.0.msi
  PowerBroker Policy Editor (64 Bit) 7.8.0.msi
Contains and Installs:
  - PowerBroker for Windows Policy Editor: Extensions to the Group Policy Management Editor and Resultant Set of Policy (RSoP) snap-ins. These extensions provide the ability to change permissions and privileges of Windows applications using rules. This component must be installed on computers used to edit GPOs, or if using Central Policy, on the machine used to edit PowerBroker for Windows policy in BeyondInsight.
  - GPMC Integration: Group Policy client-side extensions for planning and processing policy, including support for GPMC operations. These extensions are recommended for computers used to edit GPOs. They are not required for basic GPMC support or if BeyondInsight is used for policy distribution.
  - Rules Library: Set of sample PowerBroker rules. Includes Privileged Identity (Windows and Mac), File Integrity, Risk and Compliance, and Windows Events.

Installer MSI File: Client Software installers
  PowerBroker for Windows Client (32 Bit) 7.8.0.msi
  PowerBroker for Windows (64 Bit) 7.8.0.msi
Contains and Installs:
  - PowerBroker for Windows Client: The client software contains a security driver that monitors process launch, checks for applicable rules, and modifies the security token when a rule exists. In addition, the client software provides File Integrity, Session Monitoring, IE components, and the Discovery Agent. The client software also provides client-side extensions used for creating and processing policy, enabling computers to recognize PowerBroker for Windows items in GPOs. The client software is normally distributed to computers using a distribution tool, such as Group Policy.

Software Requirements

PowerBroker for Windows can be used with a variety of Windows and Windows Server operating systems. The following sections detail the operating systems supported by each PowerBroker for Windows component.

Policy Editor Requirements

The Policy Editor can be installed on computers running any of the following operating systems:
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Windows 7
- Windows 8
- Windows 10 Pro, Enterprise and Enterprise LTSB

Note: The .NET Framework V4.0 and .NET Framework V3.5 Features must be installed prior to installing PowerBroker for Windows. If .NET Framework V4.0 Features are installed, they may be listed under Features or Windows features rather than in the list of installed programs.

Client Software Requirements

PowerBroker for Windows client software can be installed on computers running any of the following operating systems:
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003 SP1 or later
- Windows Server 2012
- Windows Server 2016
- Windows 7
- Windows 8
- Windows 10 Pro, Enterprise and Enterprise LTSB

Note: The .NET Framework V3.5, V4.0 or V4.5 Features must be installed prior to installing PowerBroker for Windows on a client.

Note: PowerBroker for Windows supports the TLS 1.0, TLS 1.1 and TLS 1.2 protocols when communicating with BeyondInsight. In order to use TLS 1.0, TLS 1.1 and TLS 1.2, .NET Framework 4.5 or higher must be installed prior to the installation of the PowerBroker for Windows Client.
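The following PowerShell check is an added example and is not part of the BeyondTrust guide: it reads the .NET Framework registration keys that Microsoft documents for version detection (NDP\v3.5 and NDP\v4\Full) and reports whether the Policy Editor, client and TLS-to-BeyondInsight prerequisites stated in the notes above are met on the machine. The function name is my own.

```powershell
# Added example, not from the BeyondTrust guide: checks the .NET Framework prerequisites
# listed in the Policy Editor and Client Software Requirements notes before installing.
# Registry locations are the ones Microsoft documents for .NET version detection;
# Release 378389 is Microsoft's minimum Release value for .NET Framework 4.5.
$ndpRoot = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

function Test-PbwDotNetPrerequisites {
    # .NET 3.5 registers under NDP\v3.5 with Install = 1
    $v35   = Get-ItemProperty -Path "$ndpRoot\v3.5" -ErrorAction SilentlyContinue
    $has35 = [bool]($v35 -and $v35.Install -eq 1)

    # .NET 4.0 and later register under NDP\v4\Full; the Release value only exists from 4.5 on,
    # so a 4.0-only machine has Install = 1 and no Release value
    $v4    = Get-ItemProperty -Path "$ndpRoot\v4\Full" -ErrorAction SilentlyContinue
    $has40 = [bool]($v4 -and $v4.Install -eq 1)
    $has45 = [bool]($has40 -and ($v4.Release -ge 378389))

    [pscustomobject]@{
        DotNet35Installed     = $has35
        DotNet40OrLater       = $has40
        DotNet45OrLater       = $has45
        # Policy Editor note: V4.0 and V3.5 Features are both required
        PolicyEditorReady     = ($has35 -and $has40)
        # Client note: V3.5, V4.0 or V4.5 Features are required
        ClientReady           = ($has35 -or $has40)
        # TLS 1.0/1.1/1.2 to BeyondInsight requires .NET 4.5 or higher on the client
        BeyondInsightTlsReady = $has45
    }
}

$result = Test-PbwDotNetPrerequisites
$result | Format-List
if (-not $result.BeyondInsightTlsReady) {
    Write-Warning 'Install .NET Framework 4.5 or higher before the client if it will communicate with BeyondInsight over TLS.'
}
```

Run it on the target machine before deploying either MSI; a client that will send events to or receive policy from BeyondInsight should report BeyondInsightTlsReady as True.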

Installation Overview

During the installation of the client software, the Setup Wizard will prompt you to choose the method of policy distribution and then to select your custom setup options as follows:
- Internet Explorer Integration - Enables elevation of Internet Explorer and installation of ActiveX controls.
- Session Monitoring - This feature provides you with the ability to monitor specific applications and files with recorded screen captures, keyboard entries and mouse controls for elevated applications.
- File Integrity - This feature provides you with the ability to protect specific files.
- Event Monitoring - This feature provides you with the ability to monitor specific events.
- Asset Discovery - This feature provides you with the ability to run a scan detailing the Hardware, Ports, Processes, Scheduled Tasks, Services, Shares, Software and Users on the local machine. The Asset Discovery feature is required for Registry Monitoring Rules.

During the installation of the Policy Editor, the Setup Wizard will prompt you to choose the method of policy distribution and then to select your custom setup options as follows:

Note: The BeyondInsight Central Policy feature enables BeyondInsight to be used for PowerBroker for Windows policy distribution. It must be installed in order for PowerBroker for Windows to receive policy from BeyondInsight (BI). This feature is not required to simply send events to BI.

You can decline installation of any of the features by clicking the box in front of the option and selecting "This feature will not be available."

Installing the Policy Editor

The Policy Editor must be installed on a computer used to manage Group Policy Objects (GPOs) and domains. This type of computer is usually a domain controller. PowerBroker for Windows rules are distributed from the domain controller's SYSVOL folder. However, this location might not be where they were created or edited.

Tip: Where to find the Policy Editor Installer
You must download the PowerBroker for Windows Policy Editor Installer file from the BeyondTrust website. You can then install it on any computer from which you can edit domain policy. Access the Policy Editor Installer from the BeyondTrust Evaluations and Download webpage. After you log into the website, choose one of the following versions of the Policy Editor installer to download:
- PowerBroker Policy Editor (32 Bit) 7.8.0.msi for the 32-bit Policy Editor installer
- PowerBroker Policy Editor (64 Bit) 7.8.0.msi for the 64-bit Policy Editor installer

To install the Policy Editor, do the following:
1. Download the PowerBroker Policy Editor installer .msi file from the BeyondTrust website.
2. Double-click the PowerBroker Policy Editor (32 Bit) 7.8.0.msi or PowerBroker Policy Editor (64 Bit) 7.8.0.msi file name. For 32-bit computers, use PowerBroker Policy Editor (32 Bit) 7.8.0.msi. For 64-bit computers, use PowerBroker Policy Editor (64 Bit) 7.8.0.msi.
3. In the Welcome dialog of the Setup Wizard, click Next.
4. In the License Agreement dialog, accept the license terms and click Next.
5. On the BeyondInsight Integration screen, select Yes if you plan to use BeyondInsight. If you do not use BeyondInsight, selecting No will ensure you only view options available in GPMC mode.
6. Select the applicable PowerBroker Policy Source and click Next.
7. In the Custom Setup dialog, choose an installation location. Either accept the default root installation folder, or click Change and select a different location, and then click Next. If you are installing in an environment that includes the Microsoft Group Policy Management Console (GPMC), the installation wizard displays a GPMC Integration feature. Installing this feature is required for full GPMC functionality.
8. Provide the Server Name for the Central Policy or McAfee ePolicy Orchestrator server if you chose either of those options on the Policy Source screen.
9. Click Install to continue the installation using the path you specified.
10. When prompted, click Finish to complete the installation.

Verifying Policy Editor Installation

To verify that the Policy Editor was successfully installed, do the following:
1. Click Start > Control Panel > Administrative Tools > Group Policy Management to open GPMC if using Group Policy. If using Central Policy, launch the BeyondTrust Policy Editor from the Start Menu. See the ePO guide if using ePO for policy distribution.
2. Right-click a GPO and select Edit.

Note that the items are added to the Group Policy Management Editor and are displayed under the following nodes:
– Computer Configuration > Policies > BeyondTrust PowerBroker for Windows
– User Configuration > Policies > BeyondTrust PowerBroker for Windows

Configuring the Passcode Generator

A default key pair that includes a public key and a private key is installed along with the PowerBroker for Windows Client software and Policy Editor software. It is required that you generate a new key pair before deploying to a production environment. For more information about the Passcode Generator, see the PowerBroker for Windows User Guide.

The private pass is based on a certificate and a registration key. Both are generated and exported when the key is created. In order to use the Passcode Generator on a different machine to generate keys, both the registry key and the certificate must be imported onto the new machine.

The default locations for the keys that need to be transferred are:
c:\Program Files\BeyondTrust\PowerBroker for Windows\privatepass.reg
c:\Program Files\BeyondTrust\PowerBroker for Windows\privatepass.pfx

The registry key must be imported for EACH admin that is generating keys. The pfx file must be imported to the Local Computer certificate store.

To replace the key pair used to generate passcodes, do the following:
1. Edit a Group Policy Object (GPO) or, if using Central Policy, open the BeyondTrust Policy Editor. For detailed instructions, see "Verifying Policy Editor Installation".
2. Open the Passcode Generator by using one of the following methods:
   – On the BeyondTrust dashboard, click Generate a Passcode.
   – In the console tree of the Group Policy Management Editor, expand the PowerBroker for Windows node, right-click the Privileged Identity node and select Passcode Generator.
3. Select the Setti
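As an added example (not the guide's or BeyondTrust's own script), the following PowerShell performs the key transfer described above on a second administrator's machine: it imports privatepass.reg in the importing admin's own session and privatepass.pfx into the Local Computer store. The Personal (My) store, the pfx password prompt, the ACL step and the variable names are assumptions not stated in the guide.

```powershell
# Added example, not from the BeyondTrust guide. Run in an elevated PowerShell session
# of the administrator who will generate passcodes. Assumes the exported files were copied
# to the default location the guide lists and that the pfx is password protected.
$keyDir  = 'C:\Program Files\BeyondTrust\PowerBroker for Windows'
$regFile = Join-Path $keyDir 'privatepass.reg'
$pfxFile = Join-Path $keyDir 'privatepass.pfx'

foreach ($f in @($regFile, $pfxFile)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Exported key file not found: $f" }
}

# 1. Registration key. The guide requires this for EACH admin who generates passcodes,
#    so repeat this step in every such administrator's own session.
& reg.exe import $regFile
if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit code $LASTEXITCODE)" }

# 2. Certificate with private key, into the Local Computer store (Personal/My is an assumption).
#    Import-PfxCertificate needs the PKI module (Windows 8 / Server 2012 and later); on older
#    supported systems use: certutil -f -p <password> -importPFX privatepass.pfx
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for privatepass.pfx'
$cert = Import-PfxCertificate -FilePath $pfxFile `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    throw 'Import succeeded but no private key is present; passcodes cannot be generated with it.'
}
"Imported certificate {0} (valid until {1})" -f $cert.Thumbprint, $cert.NotAfter

# 3. The pfx is the private half of the passcode key pair. Once it is in the store, limit the
#    transport copy to Administrators and SYSTEM (or delete it) so it cannot be re-imported elsewhere.
$acl = Get-Acl -LiteralPath $pfxFile
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting the folder's permissions
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
}
Set-Acl -LiteralPath $pfxFile -AclObject $acl
```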

PowerBroker for Windows Client (32 Bit) 7.8.0.msi /qn ADDLOCAL 6,IEIntegration_ x86,CPIntegration,RetinaDiscovery_x86 SERVER [SERVERNAME] CERTIFICATE eEyeEmsClient WORKGROUP "BeyondTrust Workgroup" Power