Varonis Windows Evaluation Requirements

Pre-Evaluation Instructions:

• Install Windows Server with all critical updates (physical or virtual)
• Copy the SQL Server installation media to a local disk, or mount the SQL ISO on the virtual machine
• Create a Varonis service account and add it to the Domain Users security group
• Add the Varonis service account to the local Administrators group on the Varonis server
• Provision access per the Installation Requirements section(s) below
• The Varonis Systems Engineer will configure the server, install SQL Server, and install the Varonis software

Evaluation System Requirements:

• Virtual or physical machine (64-bit preferred)
• Dual-processor 2.3 GHz or better CPU
• 4-8 GB RAM minimum (8 GB preferred)
• 80 GB dedicated data drive for SQL Server
• Windows Server 2003 (or R2) with SP1 or SP2, Server 2008 up to SP2, Server 2008 R2 up to SP1, Server 2012, or Server 2012 R2
• Installation media for Standard/Enterprise Microsoft SQL Server 2005 SP4, SQL 2008 SP1 or SP2, SQL 2008 R2 (64-bit preferred) up to SP2, SQL 2012 (64-bit preferred) up to SP2, or SQL 2014 (Evaluation or Licensed)

Windows Requirements:

Installation Requirements:
• For installation of the Varonis agent(s), an account with local Administrator privileges is required.
  NOTE: A separate account can be used for agent installation.
• Verification of server readiness for auditing (see the Configuring Windows File Servers for Auditing section for details)

Permanent Security Requirements:
• Directory crawling:
  o CIFS - a user with permissions to view all file system directories and their permissions (Administrator or Backup Operators and Power Users)
  o Varonis protocol - the Varonis FileWalk Agent should be installed

Supported Versions:
• Windows 2000, 2003, 2003 R2 or 2008 (x86, x64), 2008 R2 x64, 2012, 2012 R2

Notes:
• DatAdvantage cannot monitor Exchange 2003 or Windows 2003 file servers if the IDU or Probe is installed on Windows 2012 R2.

Data Governance Suite

Active Directory Requirements

Installation Requirements
• To enable GPO auditing, a user with Domain Admin credentials (or Enterprise Admin, for forests) is required
• To collect auditing events, a domain user defined in the Manage auditing and security log policy is required
  o Any domain user account can be assigned to this role. Note that additional steps are required to assign the necessary permissions (see "To enable a user other than a Domain Administrator to read the event logs" below).

Supported Versions
• Active Directory on Windows 2003
• Active Directory on Windows 2003 R2
• Active Directory on Windows 2008
• Active Directory on Windows 2008 R2
• Active Directory on Windows 2012
• Active Directory on Windows 2012 R2

Configuring Windows File Servers for Auditing:

In order for the IDU Suite to monitor a Windows File Server, a file system filter must be installed on the file server. This filter is installed when the file server is added using the Enterprise Installer. Other products, including virus scanning software, replication software, etc., use file system filters as well. Multiple file system filters can be installed on the same server; however, Windows File Servers are configured by default with a finite amount of resources available for these filters. The IRP stack size is the parameter that governs the resources available to these filters. The default value for the IRP stack size is 15, and the maximum is 50.

Problem Description
If the server exceeds the amount of resources available to the stack, the server will freeze, reboot, or fail over to another node (if the server is part of a cluster). According to the Microsoft knowledge base (http://support.microsoft.com/kb/285089 and http://support.microsoft.com/?scid=kb;en-us;177078), this is caused by too many products (e.g., virus scanning software) competing for server resources.

Determining the Number of Loaded Filters
The fltmc command can be used on file servers to determine the number of file system filters that are loaded. Note that fltmc lists minifilters (those registered with the Filter Manager); legacy file system filter drivers do not appear in its output.

Required Actions
1. Mandatory - Any server that is part of a cluster must have the IRPStackSize registry setting increased to a minimum of 30.
2. The IRP stack size must be increased to at least 30 on any server with more than three file system filters.

Increasing the IRP Stack Size
The IRP stack size is controlled by the IRPStackSize value under the following registry key. A reboot is required after this parameter is changed.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
It is a 32-bit DWORD and can be added using regedit or the following command (0x1e is 30 decimal):
Reg add HKLM\System\CurrentControlSet\Services\lanmanserver\parameters /v IRPStackSize /t REG_DWORD /d 0x1e
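As an added example (not from the Varonis document), the following PowerShell script ties the checks above together: it counts the minifilters that fltmc reports, tests whether the Cluster Service is registered, reads the current IRPStackSize, and raises it to 30 only when one of the two required-action conditions holds. It assumes an elevated PowerShell session on the file server. The threshold of 30, the default of 15, the maximum of 50 and the "more than three filters" rule are taken from the text; using the presence of the Cluster Service (ClusSvc) as the cluster indicator is this example's own assumption.

```powershell
# Added example, not part of the Varonis document. Run elevated on the file server.
# Assumption: the presence of the Cluster Service (ClusSvc) is used as the "part of a cluster" test.

function Get-LoadedFilterCount {
    # "fltmc.exe filters" prints a header row and a dashed separator before the filter
    # rows; blank lines are dropped before counting. Only minifilters (registered with
    # the Filter Manager) are listed, so legacy filter drivers are not included.
    $lines = @(& fltmc.exe filters | Where-Object { $_.Trim() -ne '' })
    return [Math]::Max(0, $lines.Count - 2)
}

function Get-IrpStackSize {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $regPath -Name IRPStackSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 15 }   # document: the default is 15 when the value is absent
    return [int]$item.IRPStackSize
}

function Set-IrpStackSizeIfNeeded {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(15, 50)]          # document: default 15, maximum 50
        [int]$Minimum = 30               # 0x1e, the value the document's reg add command writes
    )

    $regPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $filterCount = Get-LoadedFilterCount
    $isClustered = $null -ne (Get-Service -Name ClusSvc -ErrorAction SilentlyContinue)
    $current     = Get-IrpStackSize

    Write-Host "Loaded minifilters : $filterCount"
    Write-Host "Cluster service    : $isClustered"
    Write-Host "IRPStackSize       : $current"

    # Required actions from the document: clustered servers, or more than three filters.
    $mustRaise = $isClustered -or ($filterCount -gt 3)
    if (-not $mustRaise) {
        Write-Host 'No increase required by the stated rules.'
        return
    }
    if ($current -ge $Minimum) {
        Write-Host "IRPStackSize already meets the minimum of $Minimum."
        return
    }
    if ($PSCmdlet.ShouldProcess($regPath, "Set IRPStackSize to $Minimum")) {
        # REG_DWORD, created if missing or overwritten if present; a reboot is required afterwards.
        New-ItemProperty -Path $regPath -Name IRPStackSize -PropertyType DWord -Value $Minimum -Force | Out-Null
        Write-Host "IRPStackSize set to $Minimum. Reboot the server for the change to take effect."
    }
}

# Preview the decision first; remove -WhatIf to apply the change.
Set-IrpStackSizeIfNeeded -WhatIf
```

Running with -WhatIf prints the filter count, cluster state and current value and shows the registry write without performing it, which is useful as a pre-change record; the write itself happens only when the script is run again without -WhatIf.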

Manually Configuring Domain Controllers for Directory Service Probing

To activate auditing of Active Directory events in the Event Viewer, make the following changes to the group policy objects (GPOs) on the domain controller. This procedure provides instructions for manually enabling GPO auditing in a domain.
1. To enable auditing in the domain for all Windows versions, go to the Security tab in Domain Properties and enable auditing on all write events:
   a. Select Start > Administrative Tools > Active Directory Users and Computers.
   b. Right-click the domain's root and select Properties. The Properties dialog box is displayed.
   c. On the Security tab, click Advanced. The Advanced Security Settings dialog box is displayed.
      i. If you do not see a Security tab, click View, then select Advanced Features. Then repeat step b.
   d. Select the Auditing tab.
   e. Select the Everyone auditing entry and click Edit. The Auditing Entry dialog box is displayed.
      Note: If there is no such entry, you must add it.
   f. Add or edit the entries on the Object tab to give the Everyone group the Full Control auditing entry on all objects (Select this object and all descendant objects).
      Important: This does not grant the Everyone group any permissions. Rather, it adds actions made by all users to the Windows audit log, thus enabling DatAdvantage to read from the log.
   g. Remove the List contents, Read all properties and Read permissions entries to reduce the number of events recorded in the event log.
   h. On the Properties tab, give the Everyone group the Write all properties entry on the entire Active Directory (Select this object and all descendant objects).
   i. On both the Object and the Properties tabs, clear the Apply these auditing entries... checkboxes.
2. To enable the Audit Policy for all Windows versions:
   a. At the command prompt, execute gpmc.msc.
      Note: For Windows 2003, download gpmc.msc from here.
   b. Alternatively, select Start > Administrative Tools > Group Policy Management.
   c. Expand the navigation tree: Forest > Domains > (Domain Name) > Group Policy Objects > Edit Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies. The audit policies are displayed in the right pane.
   d. Set the following policies to Success:
      i. Audit account management
      ii. Audit account logon events
      iii. Audit logon events
3. To enable DS Access for Windows 2008 R2:
   a. Enable auditing in the domain (see above).
   b. At the command prompt, execute the following to enable the Directory service changes audit events (5136, 5137, 5139, 5141):
      auditpol /set /subcategory:"directory service changes" /success:enable
      These events also contain a CorrelationID, which indicates whether a set of operations was performed in a single call. This can ease the pattern resolution for events built from more than one message.
   c. At the command prompt on all domain controllers, execute gpupdate /force.
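The following PowerShell script is an added read-only check (not part of the Varonis document) that verifies the outcome of steps 1 and 3 on a domain controller: it reads the SACL of the domain root, reports the Everyone auditing entries, warns when write access is not audited on success (step 1h) or when read/list access is still audited (step 1g), and reads the state of the Directory Service Changes subcategory that step 3b enables. It assumes it is run on a domain controller by a domain admin with the ActiveDirectory module (and its AD: drive) available; the function names are this example's own.

```powershell
# Added example, not part of the Varonis document. Run on a domain controller as a
# domain admin with the ActiveDirectory module (AD: drive) available.

Import-Module ActiveDirectory

function Get-DomainRootAuditReport {
    $domainDn = (Get-ADDomain).DistinguishedName

    # -Audit reads the SACL (this needs the "Manage auditing and security log" right);
    # the entries are returned in the .Audit property as ActiveDirectoryAuditRule objects.
    $acl      = Get-Acl -Path "AD:\$domainDn" -Audit
    $everyone = @($acl.Audit | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })

    if ($everyone.Count -eq 0) {
        Write-Warning "No auditing entry for Everyone on $domainDn (step 1e: it must be added)."
        return
    }

    $everyone | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
        Format-Table -AutoSize

    $rights     = [System.DirectoryServices.ActiveDirectoryRights]
    $readRights = $rights::ListChildren -bor $rights::ReadProperty -bor $rights::GenericRead

    # Step 1h: write-type access by Everyone must be audited on success.
    $writeAudited = @($everyone | Where-Object {
        ([int]($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success)) -ne 0 -and
        ([int]($_.ActiveDirectoryRights -band $rights::WriteProperty)) -ne 0
    })
    if ($writeAudited.Count -eq 0) {
        Write-Warning 'Everyone is not audited for Write all properties on success (step 1h).'
    }

    # Step 1g: read/list auditing is removed to keep the event volume down.
    $readAudited = @($everyone | Where-Object {
        ([int]($_.ActiveDirectoryRights -band $readRights)) -ne 0
    })
    if ($readAudited.Count -gt 0) {
        Write-Warning 'Everyone is still audited for read/list access; expect a high event volume (step 1g).'
    }
}

function Get-DsChangesAuditState {
    # "auditpol /get ... /r" emits CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting and Exclusion Setting.
    # This subcategory is the one step 3b enables (events 5136, 5137, 5139, 5141).
    $row     = & auditpol.exe /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    if ($setting -notmatch 'Success') {
        Write-Warning "Directory Service Changes is '$setting'; run: auditpol /set /subcategory:`"directory service changes`" /success:enable"
    } else {
        Write-Host "Directory Service Changes auditing: $setting"
    }
    return $setting
}

Get-DomainRootAuditReport
Get-DsChangesAuditState | Out-Null
```

Because the SACL check uses the same "Manage auditing and security log" right that the next section grants to the Varonis service account, running this script under that account is also a quick way to confirm the right has been applied on the domain controller.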
To enable a user other than a Domain Administrator to read the event logs
The "Manage auditing and security log" setting typically has some default values. Occasionally, when defining this setting, the default values can unintentionally be overwritten. Follow the steps below to ensure that you are not overwriting any current settings when granting the Varonis service account the appropriate rights to the event log.

1. Check the current settings (using RSoP)
Open RSoP (on Windows Server 2003). On Windows 2008 or 2008 R2, create a new MMC console and add the Resultant Set of Policy snap-in. Then generate RSoP data using Logging mode to see the actual configuration of the domain controller.
Go to Computer Configuration -> Windows Settings -> Local Policies -> User Rights Assignment, and open the "Manage auditing and security log" setting. You will see the list of permitted users/groups.
Be aware that all the users/groups that are currently defined must also be defined in the GPO you will set. (Explanation: for each setting, only the winning GPO that defines that setting is applied; its value overwrites the default and other GPOs' values for that setting.)
For example: in the screenshot below, we can see that Administrators and Exchange Servers are defined as permitted. The GPO defining them (Source GPO column) is the Default Domain Controllers Policy. We want to make sure that these users/groups are present in any GPO we create or edit, in addition to the Varonis service account.

2. Adding the Varonis service account
If the Varonis service account is already in the above list (or is a member of a group in the list), then it already has access to the security log, and there is no need to change the setting.
Otherwise, the Varonis service account will have to be added. This can be done by either:
a. Adding the Varonis service account to the GPO that already defines the setting (see the Source GPO column in RSoP; usually the Source GPO is the Default Domain Controllers Policy).
b. Adding the Varonis service account to another GPO (e.g., a VaronisProbing GPO). In this case, you have to make sure the GPO you define is actually applied (is not overwritten by another GPO, etc.):
   i. To make sure that the Varonis GPO applies, you have to give it the highest precedence in the GPO link order.
   ii. Don't forget to add all the users/groups that you saw listed in RSoP (step 1) in addition to the Varonis service account, as in the screenshot below.
c. Verify that other GPOs are not enforced; otherwise your new GPO will not apply. See below that the Default Domain Controllers Policy is enforced.
For example: in the screenshot below, I define the "Manage auditing and security log" setting in the Default Domain Controllers Policy GPO. Note that in addition to the Varonis service account, I also add the previously defined users/groups (otherwise, they will be overwritten!).

3. Re-check the settings (using RSoP)
As in the first step, check the setting's value to make sure that none of the previously defined users/groups were overwritten. You should see the users/groups that were present before and the Varonis service account that was added.

4. Apply the setting on all GCs
Execute the gpupdate /force command on all the domain's GCs (domain controllers that host the Global Catalog).
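As an added example (not part of the Varonis document), this PowerShell script performs the step-3 re-check from the command line on a domain controller after gpupdate has run: it exports the applied user-rights policy with secedit, resolves the holders of SeSecurityPrivilege (the "Manage auditing and security log" right), and confirms that the Varonis service account is present and that none of the previously listed principals have been dropped. It assumes an elevated session on each domain controller; the account name EXAMPLE\svc-varonis and the expected existing principals are placeholders to replace with what RSoP showed in step 1, and the function names are this example's own.

```powershell
# Added example, not part of the Varonis document. Run elevated on each domain controller.
# Placeholders: replace the -ServiceAccount and -ExpectedExisting values at the bottom with
# your own (the existing principals are the ones RSoP showed in step 1).

function Get-SecurityLogRightHolders {
    # secedit exports the applied local security policy. The user right we need is
    # SeSecurityPrivilege ("Manage auditing and security log"); its line looks like:
    #   SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
    if (-not $line) { throw 'SeSecurityPrivilege is not defined in the exported policy.' }

    $holders = foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries are SIDs prefixed with '*'; translate to DOMAIN\name where the SID resolves,
            # otherwise keep the raw SID so an orphaned entry is still visible in the output.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
    return @($holders)
}

function Test-SecurityLogRight {
    param(
        [string]$ServiceAccount,
        [string[]]$ExpectedExisting
    )
    $holders = Get-SecurityLogRightHolders
    Write-Host 'Current holders of "Manage auditing and security log":'
    $holders | ForEach-Object { Write-Host "  $_" }

    # Step 3: none of the previously defined users/groups may have been overwritten.
    $missing = @($ExpectedExisting | Where-Object { $holders -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Previously listed principals are missing (were they overwritten?): $($missing -join ', ')"
    }
    if ($holders -notcontains $ServiceAccount) {
        Write-Warning "$ServiceAccount does not hold the right on this DC."
        return $false
    }
    Write-Host "$ServiceAccount holds the right."
    return ($missing.Count -eq 0)
}

# Placeholder values; replace with your service account and the principals seen in RSoP.
Test-SecurityLogRight -ServiceAccount 'EXAMPLE\svc-varonis' `
                      -ExpectedExisting @('BUILTIN\Administrators', 'EXAMPLE\Exchange Servers')
```

The function returns $true only when the service account holds the right and every expected principal is still present, so it can be run on each GC after gpupdate /force and the results compared across the domain; a $false on one controller usually means that controller has not yet refreshed policy or that a different GPO wins there.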
